On May 1, 2019, the UK’s Department for Digital, Culture, Media and Sport (“DCMS”) launched a public consultation (“Consultation”) regarding plans to pursue new laws aimed at securing internet connected devices. The Consultation follows the UK’s publication of its final Code of Practice for Consumer IoT Security (“Code of Practice”) last October (the subject of another Covington blog available here) and is targeted at device manufacturers, IoT service providers, mobile application developers, retailers and those with a direct or indirect interest in the field of consumer IoT security.

Despite a stated preference for industry self-regulation to address IoT cybersecurity, DCMS noted “significant shortcomings in many products on the market.” As a result, DCMS seeks to ensure security by design through new laws, primarily through mandating the top three security requirements outlined in the Code of Practice: (i) that devices’ passwords are unique and are not resettable to any universal factory setting; (ii) the implementation of a vulnerability disclosure policy; and (iii) explicit statements regarding the minimum length of time (month and year) for which the device will receive security updates.

To this end, three key proposals are considered in the Consultation:

  • Option A: Mandate retailers to only sell consumer IoT products that have an IoT security label, with manufacturers to self-declare and implement a security label on their consumer IoT products.
  • Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines of the Code of Practice, with the burden on manufacturers to self-declare that their consumer IoT products adhere to guidelines as well as certain technical specifications.
  • Option C: Mandate that retailers only sell consumer IoT products with a label that proves compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self-declare and to ensure that a label is on the appropriate packaging.

Option A: The “Preferred Option”

Option A has been identified by DCMS as the “preferred option.” Consistent with this preference, DCMS has noted that it will implement voluntary labeling for IoT later this year. The voluntary labeling scheme will remain in effect until Parliament implements governing regulations.

As part of the current consultation period, DCMS is also welcoming feedback on its proposed labeling design, which was developed in conjunction with a working group and feedback from a consumer survey. The draft designs are featured below:

To acquire a “positive label,” device manufacturers would have to self-certify that they comply with the top three guidelines in the Code of Practice.

Options B and C

Option B is in line with DCMS’s stated ambition to require mandatory adherence to the top three guidelines of the Code of Practice in the UK. As portions of the top three guidelines run through Option A, it would not be surprising if the end result of the Consultation were support for legislation invoking some hybrid of Options A and B.

Option C is the most rigorous of the options, and its requirements may be considered overly burdensome for certain devices and by the industry required to comply. Accordingly, it seems least likely to gain support, at least at this stage.

What’s Next?

The consultation period is open until 11:59 pm on June 5, 2019, with DCMS hoping to receive feedback from a range of stakeholders, as it evaluates which measures to pursue legislatively. Comments can be sent by email to securebydesign@culture.gov.uk or mailed to Department for Digital, Culture, Media and Sport, 4th Floor, 100 Parliament Street, London, SW1A 2BQ.

Following the consultation period, the government will decide which option(s) to pursue as legislation. DCMS aims to produce both primary and secondary legislation: primary legislation to authorize the Secretary of State for DCMS “to set requirements for a mandated labelling scheme and/or to set security requirements for devices on sale in the UK”; and secondary legislation to provide for specific device requirements. DCMS also intends to publish a “final impact assessment” with the ultimate decision after the close of the consultation period. Should you wish to discuss a consultation response, please get in touch with:

Mark Young +44 20 7067 2101 myoung@cov.com

The team at Covington will continue to monitor for updates related to this IoT Consultation and will post on future developments.