On May 1, 2019, the UK’s Department for Digital, Culture, Media and Sport (“DCMS”) launched a public consultation (“Consultation”) regarding plans to pursue new laws aimed at securing internet connected devices. The Consultation follows the UK’s publication of its final Code of Practice for Consumer IoT Security (“Code of Practice”) last October (the subject of another Covington blog available here) and is targeted at device manufacturers, IoT service providers, mobile application developers, retailers and those with a direct or indirect interest in the field of consumer IoT security.

Despite a stated preference for industry self-regulation to address IoT cybersecurity, DCMS noted “significant shortcomings in many products on the market.” As a result, DCMS seeks to ensure security by design through new laws, primarily through mandating the top three security requirements outlined in the Code of Practice: (i) that devices’ passwords are unique and are not resettable to any universal factory setting; (ii) the implementation of a vulnerability disclosure policy; and (iii) explicit statements regarding the minimum length of time (month and year) for which the device will receive security updates.

To this end, three key proposals are considered in the Consultation:

  • Option A: Mandate retailers to only sell consumer IoT products that have an IoT security label, with manufacturers to self-declare and implement a security label on their consumer IoT products.
  • Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines of the Code of Practice, with the burden on manufacturers to self-declare that their consumer IoT products adhere to guidelines as well as certain technical specifications.
  • Option C: Mandate that retailers only sell consumer IoT products with a label that proves compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self-declare and to ensure that a label is on the appropriate packaging.

Option A: The “Preferred Option”

Option A has been identified by DCMS as the “preferred option.” Consistent with this preference, DCMS has noted that it will implement voluntary labeling for IoT later this year. The voluntary labeling scheme will remain in effect until Parliament implements governing regulations.

As part of the current consultation period, DCMS is also welcoming feedback on its proposed labeling design, which was developed in conjunction with a working group and feedback from a consumer survey. The draft designs are featured below:

To acquire a “positive label,” device manufacturers would have to self-certify that they comply with the top three guidelines in the Code of Practice.

Options B and C

Option B is in line with DCMS’s stated ambition to make adherence to the top three guidelines of the Code of Practice mandatory in the UK. Because Option A also draws on the top three guidelines, it would not be surprising if the Consultation ended with support for legislation combining elements of Options A and B.

Option C is the most rigorous of the options, and its requirements may be considered overly burdensome for certain devices and for the industry required to comply. Accordingly, it seems the least likely to gain support, at least at this stage.

What’s Next?

The consultation period is open until 11:59 pm on June 5, 2019, with DCMS hoping to receive feedback from a range of stakeholders, as it evaluates which measures to pursue legislatively. Comments can be sent by email to securebydesign@culture.gov.uk or mailed to Department for Digital, Culture, Media and Sport, 4th Floor, 100 Parliament Street, London, SW1A 2BQ.

Following the consultation period, the government will decide which option(s) to pursue as legislation. DCMS aims to produce both primary and secondary legislation: primary legislation to authorize the Secretary of State for DCMS “to set requirements for a mandated labelling scheme and/or to set security requirements for devices on sale in the UK”; and secondary legislation to provide for specific device requirements. DCMS also intends to publish a “final impact assessment” with the ultimate decision after the close of the consultation period. Should you wish to discuss a consultation response, please get in touch with:

Mark Young +44 20 7067 2101 myoung@cov.com

The team at Covington will continue to monitor for updates related to this IoT Consultation and will post on future developments.

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” has “great insight into the regulators;” and “is technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 20 years of experience, Mark specializes in:

  • Providing practical guidance and advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services.
  • Handling complex regulatory investigations and enforcement actions involving data privacy regulators in the UK, EU and globally, and advising on follow-on litigation risk.
  • Helping clients respond to cybersecurity incidents, including ransomware, supply chain incidents, state-sponsored attacks, insider threats, personal data breaches, and IP and trade secret theft.
  • Advising various clients on the EU NIS2 Directive, Cyber Resilience Act (CRA), and other emerging EU, UK, and global cybersecurity laws and regulations.
  • Advising life sciences companies on industry-specific data privacy issues, including clinical trials, pharmacovigilance, and digital health products and services.
  • Advising on data privacy compliance in relation to employees and international transfers of data in connection with white collar investigations.
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues relating to data privacy, cybersecurity, eIDs, and software.
  • Representing clients in connection with references to the Court of Justice of the EU.