On November 19, 2019, the Australian government released a draft code of practice (Code) for securing the Internet of Things for consumers (IoT). The Code will undergo a period of public consultation before coming into force on March 1, 2020.

The Code is intended to provide industry with best practice advice and follows similar legislation in California and the United Kingdom, as reported by the E-TIPS® Newsletter here and here. The Code is applicable to all IoT devices available in Australia, including "everyday smart devices that connect to the internet, such as smart TVs, watches, and home speakers."

The Code is based on 13 principles. According to the draft, the first three are of the highest priority and require that all:

  • devices have unique passwords and not be resettable to a universal factory default;
  • device manufacturers, service providers and mobile application developers provide a public point of contact as part of a vulnerability disclosure policy; and
  • software, including any third party and open source software, be securely updatable.

The Code also requires that any credentials and security-sensitive data be securely stored, personal data be protected, exposed attack surfaces be minimised, data be encrypted in transit, software be verified with secure boot mechanisms, systems be resilient to outages, user input data be validated, and telemetry data be monitored for cyber anomalies. Additionally, the Code recommends that consumers be given clear instructions on how to delete personal data and that devices be easy to install and maintain securely.

The full version of the Code can be found here.

Summary By: Jae S. Morris


19 12 11

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.