Government publishes call for views on its proposals for regulating the cyber security of consumer “smart” products

The Government plans to change the law to make “smart” products, such as TVs, cameras and household appliances that connect to the internet, safer and more secure for people to use. The proposals, drawn up by the Department for Digital, Culture, Media and Sport and supported by the technical expertise of the National Cyber Security Centre (NCSC), detail the Government’s plans to raise the security standard for all consumer smart products sold in the UK.

As a first step the standard will make sure these products adhere to three important requirements, which may be expanded on over time in consultation with stakeholders. The three requirements are:

  • device passwords must be unique and not resettable to any universal factory setting;
  • manufacturers must provide a public point of contact so anyone can report a vulnerability; and
  • information stating the minimum length of time for which the device will receive security updates must be provided to customers.

The call for views also sets out the scope of the rules, what industry will need to do to comply with the new laws and an overview of industry guidance to be produced, as well as information on potential powers granted to the enforcement body. These could include powers to:

  • temporarily ban the supply or sale of the product while tests are undertaken;
  • permanently ban insecure products, if a breach of the regulations is identified;
  • serve a recall notice, compelling manufacturers or retailers to take steps to organise the return of the insecure product from consumers;
  • apply to the court for an order for the confiscation or destruction of a dangerous product; and
  • issue a penalty notice imposing a fine directly on a business.

The proposals will also aim to future-proof legislation in an age of rapid technological change and innovation, and the Government will be looking for industry, academics and consumer groups to feed back on the plans.

The Government welcomes input from all interested parties, including individual organisations impacted by the proposed regulation, trade associations, consumer groups and cyber security subject-matter experts. The deadline for response is 6 September 2020.