Firms that breach guidelines could face multimillion-pound fines

Credit: Gerd Altmann from Pixabay

The government has claimed that new laws designed to increase protection for connected devices will “put a firewall around” smartphones and internet-enabled consumer products including televisions, doorbells and thermostats.

As well as increasing protective measures for devices, the legislation also makes provisions for a tough new regulatory environment, in which companies in breach of the law could face multimillion-pound fines.

Put before parliament this week, the Product Security and Telecommunications (PSTI) Bill proposes a requirement for the makers of phones and other smart devices to implement a number of security measures, including the clear provision of a point of contact to whom security researchers and consumers can report product bugs or flaws.

The laws will also introduce a ban on default generic passwords being pre-installed; each individual device will need to be equipped with its own unique password – which cannot then be reset to a standard factory setting. 

All products will also need to provide consumers with clear information – at point of sale – about the minimum length of time for which a device will receive patches and other security updates. If a product will receive no such updates after the point of purchase, this must be made clear at the outset, and buyers must also be kept updated with any changes in policy.

Related content

• Digital minister says government will pass law to make smart devices safer ‘as soon as we can’
• Does the UK need an IoT regulator?
• Labour MP: If a device is called ‘smart’ – don’t buy it

This proposal is particularly apposite, the government claimed, as about 80% of firms currently have no such measures in place.

Businesses in scope of the laws will include the manufacturers and retailers – both online and in shops – of any devices that can access the internet. As well as smartphones and computers, this will also include a comprehensive range of smart devices, such as security cameras, fridges, voice-activated virtual assistants, and baby monitors. Also covered by the bill are “products that can connect to multiple other devices but not directly to the internet… [such as] smart light bulbs, smart thermostats and wearable fitness trackers”, the government said.

The legislation will be enforced by a regulator – to be designated once the bill passes into law – that will have to power hit firms that contravene the law with fines of £10m or 4% of global turnover. Ongoing breaches of the rules could be punished with penalties of £20,000 a day.

Minister for media, data and digital infrastructure Julia Lopez said: “Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft. Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”

Dr Ian Levy, technical director of the National Cyber Security Centre, added: “I am delighted by the introduction of this bill which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cybersecurity. The requirements this bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.”

In addition to the smart-device measures, the PSTI bill also includes provisions intended to expedite to rollout of broadband and mobile networks. According to the government, the legislation proposes “reforms [that] will encourage quicker and more collaborative negotiations with landowners hosting the equipment, to reduce instances of lengthy court action which are holding up improvements in digital connectivity”.