Outside view of RPC's transparent glass building.

The new Product Security and Telecommunications Infrastructure Bill

Published on 10 October 2022

The question

What will the proposed Product Security and Telecommunications Infrastructure Bill (Bill) mean for manufacturers, importers and distributors of connectable consumer products?

The key takeaway

The Bill seeks to strengthen the cyber resilience of connectable consumer devices, such as smart speakers and smart TVs, and thereby help prevent attackers from gaining a point of entry to consumer networks by which they can exfiltrate data as part of a ransomware attack.

The background

The Bill follows the UK government’s Code of Practice 2018 and is a key development in the Government’s ongoing commitment to improving cybersecurity in a diverse range of smart products.

Currently, connectable consumer products, such as smart TVs, smartphones and internet connected speakers, must comply with existing regulation to ensure that they will not directly cause physical harm from issues such as overheating, environmental damage or electrical interference. They are not, however, specifically regulated to protect consumers from cyber harm such as loss of privacy and personal data. With the increase in smart devices across the UK, the Government’s rationale with the Bill is to increase the adequacy of cybersecurity in smart devices now, in order to prevent a future onslaught of cyber incidents in the future.

The Bill is currently at the Report Stage in the House of Lords.

The development

According to research, the average UK household has nine consumer connectable products, a number which is continuing to grow. The argument has been made that currently, the consumer connectable product market disincentivises the adoption of basic security features, since consumers overwhelmingly assume that products are already secure.

The proposed Bill will be split into two parts: Part 1, which will focus on the cybersecurity of products, while Part 2 will focus on telecommunications infrastructure with regard to mobile and broadband network expansion. With the range of consumer connectable products fast evolving and to ensure security requirements remain effective, up to date and consistent with international best practice, the Bill provides for three main security requirements for businesses to adhere to: 

7. No longer using default passwords. This requirement, in turn, would trigger an obligation to ensure that all passwords within a connected device are unique and strong to avoid granting hackers easy access to millions of products once a default password has been cracked.
8. Confirming how long security updates will be provided after the device is launched. This requirement seeks to enhance consumers’ awareness which will enable the consumer to consider the security of products before they purchase them.
9. Maintaining an accessible vulnerability disclosure policy. This requirement will oblige manufacturers as a minimum, to receive and respond to reports of security issues in their products. This is important to ensure that they are made aware of, and quickly address, any shortcomings in their products. In addition to the above, it will foster good practice to protect society as a whole.

Fine for non-compliance are very steep, the maximum penalty in respect of a single breach of duties under the Bill being up to the greater of £10million or 4% of an organisation’s qualifying worldwide revenue. This puts financial penalties on a par with those available for a breach of the UK GDPR.

Why is this important?

The new legislation will have a significant impact on device manufacturers, importers and distributors who will all have to guarantee that their products meet minimum security standards during the initial design stages and at all subsequent stages. The law will further introduce duties on businesses to investigate and take action in circumstances of non-compliance.

Any practical tips?

Following Royal Assent of the Bill, the government will provide at least 12 months’ notice to enable manufacturers, importers and distributors to adjust their business practices before the legislative framework fully comes into force. This is to ensure that businesses are given an appropriate amount of time to adjust their business practices before instances of non-compliance are actively enforced against.

Even at this preparatory stage, businesses should engage thoroughly with the Bill in order to ensure that they have the infrastructure in place to deal with the proposed changes. Importers and distributors should think about how the Bill will impact them and in turn, what support they will require from their manufacturers.

Autumn 2022