Paul Scully pledges that provisions are being made for imminent implementation of act
New laws on consumer tech security requirements will make the UK the first country in the world to offer such legal protections to the likes of smart doorbells, a minister has claimed.
The Product Security and Telecommunications Infrastructure Act – which received royal assent and passed into law in December – sets out measures that manufacturers of connected devices must adhere to. This includes a requirement that all devices must be sold with a unique password, and offer users no option to then reset this to a standard generic option.
Firms that sell internet-connected devices – which now encompasses products such as televisions and fridges, as well as phones and smart speakers – will also be required to provide clear information at the point of sale about the length of time for which products will receive patches and other security updates. Buyers must be kept informed of any subsequent changes to this policy.
The regulatory enforcement regime for the law – through which breaches could be punished with multimillion-pound fines, according to the government – has yet to be put in place.
But, according to Paul Scully, a minister at the recently created Department for Science, Innovation and Technology, such regulations will be passed imminently, after which this country will offer world-leading protections to “consumer connectable products – including smart doorbells – sold to UK customers”.
“The government is committed to ensuring that the benefits that connectable technologies offer to individuals and the economy, are not at the expense of consumer security,” he said, in answer to a written parliamentary question from Labour shadow digital minister Stephanie Peacock.
Scully added: “Regulations will be made shortly to implement the new act, making the UK market the first in the world to benefit from these new protections. Manufacturers of consumer connectable products sold to UK consumers will be required to stop using universal default and easily guessable default passwords. Regulations will also require these manufacturers to publish a vulnerability disclosure policy on how security issues affecting their products can be reported to them, as well as information on the minimum length of time for which the manufacturer will provide security updates covering the product.”