On May 1, 2019, the United Kingdom (UK) government announced plans to introduce a new Internet of Things (IoT) cyber-security law. The legislation, which is now open for consultation, could affect IoT device manufacturers, IoT service-providers, mobile app developers and retailers.

The new law is based on the UK’s voluntary Code of Practice for Consumer IoT Security (Code), which sets out guidelines for IoT manufacturers and other industry stakeholders to follow in order to improve the security of consumer IoT products and associated services. The government now seeks to make the Code, at least in part, legally binding.

Plans for the new law include requiring compliance with the “top three” guidelines found in the Code, namely that:

  • all IoT devices must have unique passwords that are not resettable to a universal factory default;
  • manufacturers must provide a public point of contact as part of a “vulnerability disclosure policy”; and
  • manufacturers must explicitly state the minimum length of time for which a product will receive security updates.

According to the UK government, meeting these practical and implementable measures would protect consumers from the most significant IoT security risks. If implemented, the new law would require device-makers to self-certify compliance with the top three guidelines and label their products accordingly. Retailers would only be permitted to sell these labelled devices. This is the UK government’s preferred implementation for the law. However, additional schemes have been proposed, and the UK government is seeking feedback from stakeholders on the proposed options.

For more information please see the UK government’s consultation webpage here.

Summary By: Jae S. Morris

E-TIPS® ISSUE

19 05 15