The government has published its Product Security and Telecommunications Infrastructure Bill, split into two parts:
- Part 1 creates a new regulatory scheme to make consumer connectable products more secure against cyber attacks; and
- Part 2 contains provisions intended to accelerate the deployment and expansion of mobile, full fibre and gigabit capable networks across the UK.
The key points of Part 1 are:
- Products in scope
  Most of the obligations apply to UK consumer connectable products. While the Bill itself provides a complex definition, the Explanatory Notes state that consumer connectable products are consumer products which can connect to the internet or other networks, and can transmit and receive digital data. Examples of these products include smartphones, smart TVs, smart speakers, connected baby monitors and connected alarm systems.
- Product security requirements
  The Bill includes a power for ministers to specify security requirements relating to relevant connectable products and imposes compliance obligations on relevant persons (i.e. manufacturers, importers and distributors) in respect of those requirements. While these security requirements will be set out in regulations, the Bill's accompanying product security factsheet states that they will include:
  - banning default passwords;
  - requiring products to have a vulnerability disclosure policy; and
  - requiring transparency about the length of time for which the product will receive important security updates.
- Compliance obligations
  The obligations for manufacturers, importers and distributors differ, but broadly they include:
  - a duty to comply with security requirements;
  - a duty to investigate and take action in relation to compliance failures; and
  - a duty to maintain records.
  The Secretary of State will have enforcement powers, which include issuing:
  - enforcement notices;
  - stop notices;
  - recall notices; and
  - fines up to the greater of £10 million and 4% of an organisation's worldwide turnover.
The Bill had its first reading in the House of Commons on 24 November. We will of course monitor the Bill's progress and provide updates in future issues of DWF Data Protection Insights. The factsheet states that once the Bill receives Royal Assent, the government will provide at least 12 months' notice to enable manufacturers, importers and distributors to adjust their business practices before the legislative framework comes fully into force.
If you have any enquiries, please get in touch with Sam Morrow and JP Buckley.