UK DCMS Publishes Product Security and Telecommunications Infrastructure Bill
What is the Bill?
The UK Department for Digital, Culture, Media and Sport (DCMS) has published its Product Security and Telecommunications Infrastructure Bill, which aims to make consumer connectable products more secure against cyber attacks.
Who does the Bill place obligations on?
This Bill is far reaching, placing obligations not only on manufacturers and their representatives, but also on importers and distributors of connectable products.
What are Connectable Products?
Connectable products are consumer internet-connectable or network-connectable products. According to the factsheet, examples include:
- Connected cameras, TVs and speakers
- Connected children’s toys and baby monitors
- Connected safety-relevant products such as smoke detectors and door locks
- Internet of Things base stations and hubs to which multiple devices connect
- Wearable connected fitness trackers
- Outdoor leisure products, such as handheld connected GPS devices that are not wearables
- Connected home automation and alarm systems
- Connected appliances, such as washing machines and fridges
- Smart home assistants
What obligations does it impose?
Obligations on manufacturers, importers and distributors include:
- The need to comply with security requirements (to be set out in regulation)
- Statements of compliance
- The need to investigate compliance failures
- The need to take action to remedy failures
- A duty to maintain records, including those of investigations
Importers and distributors also have an additional duty not to supply products where there is a compliance failure by the manufacturer.
In other words, everyone in the chain is accountable.
What powers does this bill introduce?
The Bill introduces enforcement and stop powers, as well as monetary penalties on a scale comparable to GDPR (a maximum of £10 million or 4% of worldwide revenue, whichever is greater).
When will businesses have to comply?
The Bill had its first reading in November 2021. Following Royal Assent, the government will give at least 12 months' notice to allow manufacturers, importers and distributors to implement the requirements before the legislative framework fully comes into force.
This is a bold Bill and one for security and privacy professionals to keep an eye on.
With so many connected devices, from virtual assistants to doorbells, connected cars, wearables, smart fridges and cookers, it is clear that more needs to be done to protect the vast amounts of data these products transmit.
Consumers clearly need to understand how secure their data is, and also for how long security updates will be provided for the products they are sold.
It will be really fascinating to see how the UK Government thinks it can manage to monitor and enforce this Bill, when it seems that almost everyone in the supply chain will be liable for failures.
My initial opinion is that this Bill is desperately needed, but it is overly ambitious given the UK’s current record with enforcement of security and data protection standards.
I will be very interested to see how this evolves and hear the opinion of others in the field.