Government Introduces New Cyber Laws
The UK government introduced the Product Security and Telecommunications Infrastructure Bill (PSTI) at the end of November, requiring manufacturers, distributors and importers of digital tech products which connect to the internet or other products to ensure they meet new cyber security standards. Heavy fines will fall on those who fail to comply.
The Bill aims to protect consumers’ phones, tablets, smart TVs, fitness trackers and other internet-connectable devices from attacks by hackers. It gives the government the power to ban all default passwords, force companies to be transparent about their measures to fix security flaws in connectable products, and create better systems for reporting issues found in those products.
According to research, four in five manufacturers of connectable products don’t implement the correct security measures; the Bill will outlaw the sale of connectable products in the UK that don’t adhere to these baseline security requirements. For companies that don’t comply, the Bill includes fines up to £10 million, or up to 4% of global revenue.
The Bill will also speed up the rollout of faster, more reliable broadband and mobile networks by making it easier for operators to share and upgrade infrastructure. In addition, the reforms will promote more efficient, collaborative negotiations with the landowners who host that equipment, reducing the lengthy court cases that hold back digital connectivity.
Julia Lopez, Minister for Media, Data and Digital Infrastructure, said:
“Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.
“Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”
The use and ownership of connected tech products have increased in recent years; on average, there are nine in every UK household. However, although people assume these products are secure, only one in five manufacturers have correct security measures installed within their connectable products.
Cybercriminals are targeting these products in increasing numbers; in the first half of 2021, there were 1.5 billion attempted breaches of the Internet of Things.
Although the makers of digital tech products must already adhere to rules that stop their products causing people physical harm, such as electric shock or overheating, there is no equivalent regulation protecting consumers from the damage caused by cyber breaches, including theft of personal data and fraud.
The PSTI gives ministers the power to introduce more stringent security measures for device makers. For example:
- Easy-to-guess default passwords preloaded on devices, such as ‘admin’ or ‘password’, which hackers target, are outlawed. All preloaded passwords must be unique to the device and must not be resettable to any universal default.
- Connectable product manufacturers must tell customers at the point of sale and provide them with updates about the minimum amount of time a product receives patches and essential security updates. If a product does not have security updates, the customer must be made aware. This will increase customer awareness about potentially vulnerable purchases, helping them make better-informed decisions.
- Manufacturers have to provide a public point of contact. This new rule will make it easier for security researchers to report when they find bugs and flaws in products.
The government will designate a regulator once the Bill comes into force. The regulator will coordinate this new cyber security regime and have the power to fine companies up to £10 million or four per cent of their global turnover for non-compliance, and up to £20,000 per day in cases of ongoing contravention.
The regulator will also have the power to issue notices requiring companies to comply with the new security requirements, recall their products, or stop selling them altogether.
The new laws won’t just apply to manufacturers but also to physical shops and online retailers.
Retailers won’t be able to sell products to UK customers unless they meet the security requirements and will have to disclose information about their security updates to their customers.
The Bill applies to ‘connectable’ products: all devices with access to the internet, including smartphones, smart TVs and games consoles. It also applies to products that can connect to multiple devices but not directly to the internet, such as smart light bulbs and fitness trackers.
NCSC Technical Director Dr Ian Levy said:
“I am delighted by the introduction of this bill which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security.
“The requirements this bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.”
Stone Rowe Brewer LLP provides high-quality legal services for individuals and businesses. Our employment lawyers are practical, proactive and user friendly. If you want to learn more about the new statutory right for carer’s leave or have any general employment law queries, please call us on 020 8891 6141.