Over recent months, the number of smart devices purchased by UK consumers has increased significantly, with the Department for Digital, Culture, Media and Sport reporting that around 49% of UK residents have purchased such a device since March 2020.
However, whether these devices employ sufficiently robust security measures to prevent cyber attacks is a long-standing question and something that the government is attempting to rectify through the introduction of legislation on the matter.
What is the Internet of Things?
The Internet of Things (IoT) is the term given to the interconnection of everyday objects, such as smart TVs, fitness trackers and smartphones, via the internet, resulting in the ability for them to send and receive data.
For example, the connection between your smartphone and fitness tracker allows you to receive messages, control your music streaming app and then provide you with data regarding your heart rate, calories burned and average pace.
According to the government, the primary aim of any proposed legislation is to ensure devices are secure and that technological advancement does not come at the cost of consumer security, currently one of the most frequently cited barriers to growth in this sector.
Examples of cyber attacks against IoT products, such as Amazon’s Ring home security camera, where hacked devices resulted in owners being harassed through the two-way communication functions, demonstrate that consumers’ concerns are justified.
What will the legislation say?
The legislation seeks to prohibit the sale of certain connected devices that do not meet three security requirements:
- Universal and easily guessed default passwords, such as ‘password’, will be banned. This will apply to the device itself and also to pre-installed apps, irrespective of whether they were produced in-house by the device manufacturer or by a third party.
- Manufacturers must provide a public point of contact for customers to report vulnerabilities, so that they are resolved more quickly. The Internet of Things Security Foundation demonstrated in 2018 that less than 10% of global consumer companies offered such a facility.
- Consumers must be informed, at the time of purchase, of the minimum period for which security updates will be provided for the device. This is currently around two years, despite research showing that 33% of consumers kept their last mobile phone for around four years.
These requirements have been designed to expand on the UK Government’s existing Code of Practice for Consumer IoT Security, published in 2018, and to align with international standards including EN 303 645, which was adopted in 2020.
Who and what does it apply to?
At present there is a non-exhaustive list of the products that come within the scope of the legislation, including smartphones, connected cameras, TVs and speakers, wearable connected fitness trackers and smart home assistants.
Notably, devices used in industrial and business settings are not within scope, and nor are second-hand smart products or devices such as laptop and desktop PCs that do not have cellular connection capabilities.
The legislation will apply to those within the consumer smart device supply chain, including manufacturers, authorised representatives, importers and distributors. Manufacturers will be required to publish a publicly accessible declaration of conformity on their website, to take action if a product that falls foul of the security requirements reaches the market, and to cooperate with enforcement authorities when this happens.
Where the manufacturer is based in another jurisdiction, the obligations to which it would ordinarily be subject will pass to the authorised representative (if one has been appointed) or otherwise to the importer of the products.
Finally, distributors such as wholesalers and retailers will fall within the remit of the legislation and be expected to verify the presence of the required declaration of conformity and to comply with enforcement activities.
Enforcement and non-compliance
The government has stated that the enforcement body will have the ability to ‘investigate allegations of non-compliance and to take steps to ensure compliance’.
Specifically, the powers will include the powers of search and entry, information sharing, the ability to serve corrective measures, sanctions and, should a case be deemed serious enough, the power to bring criminal proceedings.
However, it has also confirmed that there will be a grace period between the legislation receiving royal assent and coming into force, giving businesses an opportunity to adapt.
The above will only be a starting point and, through the use of secondary legislation, the regime is likely to become broader in scope as time passes. Early compliance is therefore likely to help in two ways: it signals to consumers that their cyber security is a priority, and it lays the foundations for ongoing compliance as the scope broadens.
Although there is no official start date for the legislation, it is expected to be introduced ‘when parliamentary time allows’, so those likely to be affected by it should remain vigilant and begin considering the impact on their business accordingly.
Peter Kouwenberg is an Associate Solicitor in the Corporate and Commercial department of Taylor Walton Solicitors and specialises in providing data protection advice.
He also deals with all types of commercial contract including terms and conditions of business, distribution agreements and subcontracting.