The Government published its response to a consultation on the improvement of security standards for interconnected household devices.
Background: In May 2019, the UK Government launched a consultation on regulatory proposals for consumer IoT security. The consultation set out the need to restore transparency within the market, particularly between manufacturers and consumers by ensuring that manufacturers communicate more clearly which security requirements are built into products. The proposal was to mandate the top three security requirements included in the current ‘Secure by Design’ Code of Practice, adopted by the Government in October 2018. Options considered by the Government included a mandatory new labelling scheme, which would tell consumers how secure their products are, and would require retailers to only sell products with an IoT security label.
Three safeguards will become mandatory: On 27 January 2020, the Government published its response to the consultation, and announced its intention to legislate and introduce mandatory safeguards, in line with those suggested in the consultation. These are: to make IoT devices passwords unique, and not resettable to any universal setting; to provide a public point of contact as part of a vulnerability disclosure policy; and to explicitly state the minimum length of time for which a device will receive security updates. The Government notes that mandating the top three guidelines is “the start of the journey” and that they will look to increase the baseline as and when appropriate.
The labelling scheme is scrapped: The consultation highlighted widespread concern about the adoption of a labelling scheme, whereby customers only purchase products which bear the security label. On the one hand, manufacturers would be unlikely to willingly place a negative label on their products; on the other hand, retailers would face difficulties in validating manufacturers’ claims. This led the Government not to go ahead with the voluntary labelling scheme it had planned to launch after the consultation.
Next steps: The Government will now conduct further stakeholder engagement to develop its regulatory options based on the top three guidelines in the Code of Practice and ETSI Technical Specifications. It will also do further work to determine the most appropriate way to communicate security information to consumers. This will involve examining an alternative option to the labelling scheme whereby retailers would be responsible for providing information to the consumer at the point of sale (both online and in stores). The Government committed to publishing a final impact assessment later in 2020, and to review the existing Code of Practice for Consumer IoT security every two years.