[co-author: Matt Steven]*

Following the UK Government's announcement in January 2020 that it would be moving forwards with regulation on consumer IoT device security, the Government has now published its legislative proposals and is seeking feedback from interested parties by 6 September 2020.

The Government's proposals impose new requirements on manufacturers for the manufacture and sale of consumer smart devices, and also introduce the appointment of a new designated body to oversee compliance and enforcement.

What do you need to know?

The proposed legislation sets out three baseline security requirements, which are derived from and align with several of the key provisions in the recently launched standard ETSI EN 303 645:

1. A ban on default passwords: universal default usernames and passwords installed by manufacturers (such as "admin" or "123456") are to be banned. Passwords should be ‘unique per device’ or user defined and should not revert to a factory setting.
2. The implementation of a robust method of vulnerability reporting: manufacturers should prepare a clear and transparent vulnerability disclosure policy, publish contact information for the reporting of flaws or vulnerabilities with IoT device security, and provide a high-level indication of expected timescales for responses. This should be supplemented by a defined and coordinated process across all levels of the supply chain for the reporting of and response to such issues.
3. Transparency of software updates: the minimum length of time during which IoT devices will be supported by security updates should be provided to consumers in an accessible, clear and transparent manner, and disclosed at or before the point of sale.

What do the proposals mean for businesses?

• Manufacturers and importers will be prohibited from making a consumer smart device available on the market unless the product meets the three key security requirements mentioned above. These security requirements will need to be built in as standard to all consumer smart products in scope that are placed on the UK market, including smart TVs and speakers, wearable health trackers and smart home assistants.
• A duty of care will be placed on distributors (i.e. retailers and online marketplaces) of consumer IoT devices to only supply or make available products that meet the relevant security requirements.
• A regulatory body will be designated by the UK Government as responsible for monitoring and enforcing compliance. Following a report of non-compliance with the key security requirements and an investigation, the appointed enforcement body will be empowered to take enforcement action including (temporary or permanent) bans on supply or sale of products, the serving of recall notices, the confiscation or destruction of products, and fines directly imposed on a business in breach.

What next?

Stakeholders are now being asked to share their views on the UK Government's legislative proposals and enforcement approach. The deadline for providing this feedback is 6 September 2020 and the input gathered will be used to inform the debate around, and the further development of, the proposed legislative changes.

You can find further information on the Government's proposals here, and can make direct submissions here.

* Trainee

[View source.]