Enormous Fines for not abiding by New UK IoT Laws
“If a product is for sale, it’s safe and secure” is probably one of the biggest myths of the modern world. It has been a prevalent belief amongst consumers that if something is available for sale, it is safe to use, and that the government ensures it is secure. That, however, could not be further from the truth. While specific regulatory requirements do need to be fulfilled in certain sectors, such as medical devices, they certainly do not cover every aspect of the device. Cyber-security is a parameter that most regulators have often ignored when approving network-enabled products.
The United Kingdom government is the first government to introduce new legislation designed to improve security standards of “smart” internet-connected devices used by consumers.
The Product Security and Telecommunications Infrastructure (PSTI) Bill requires IoT device manufacturers and sellers to meet new cybersecurity standards to better protect customers’ privacy and security.
The bill will force IoT manufacturers to be more transparent regarding various security flaws of their design and how the companies will be fixing them. In addition, companies will need to create and maintain better public reporting systems for vulnerabilities.
IoT manufacturers will also be forced to state how long their devices will receive vital security patches, giving customers greater clarity to make informed decisions before buying a product.
The legislation will also ban universal default passwords on devices, improving their overall security.
Once the bill comes into effect, IoT manufacturers could be fined up to £10 million or 4% of their global turnover and up to £20,000 a day should they fail to abide by the rules. Companies will also be forced to recall products or stop selling or supplying them altogether should they fail to comply with security requirements.
The devices that fall within the remit of the bill include:
- Smartphones
- Wearable connected fitness trackers like smart bands and smartwatches
- Connected baby monitors and children’s toys
- Connected safety products such as alarm systems, door locks and smoke detectors
- Connected cameras, speakers and TVs
- Smart appliances such as coffee machines, fridges and televisions
- Smart home assistants and home automation
Devices such as desktop and laptop computers do not appear to fall within the bill’s remit.
While this bill is nowhere near enough to stop IoT devices from being hacked, it is an essential first step towards handling the ever more complex world of security flaws. As Julia Lopez, the UK minister for media, data and digital infrastructure, said, “Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”