‘Smart’ product makers could face £10m fines for cybersecurity breaches

Out-Law News | 30 Nov 2021 | 10:02 am | 2 min. read

Manufacturers of internet-connected ‘smart’ products could be fined up to £10 million for cybersecurity breaches under the terms of a new bill presented to the UK parliament.

Currently, regulations do not include consumer protections against cyber attacks, which can include fraud and theft of personal data.

Instead, manufacturers of smart products including mobile phones, connectable speakers and smart TVs only have to comply with rules preventing physical harm from issues like electric shock.

The government said the Product Security and Telecommunications Infrastructure Bill (PSTI) would help prevent the sale of ‘consumer connectable’ products that do not meet baseline security requirements.

Retailers would be forbidden from selling products to UK customers unless those products meet the latest security standards.

The new bill would also ban easy-to-guess default passwords that come preloaded on some devices, and require firms to tell customers at the point of sale how long their products will be protected by ongoing security updates.

If a product does not come with security updates, customers must be told.

The new rules would also require manufacturers to provide a public point of contact for security researchers and others to report when they discover security flaws in their devices.

It comes as a report from the UK’s National Cyber Security Centre (NCSC) revealed that, in the first half of 2021, there were 1.5 billion attempted compromises of smart devices - double the figure recorded in 2020.

The PSTI Bill would allow ministers to create a regulator with the power to fine companies for non-compliance up to £10m - or four per cent of their global turnover - as well as up to £20,000 per day during ongoing breaches.

The new regulator could also compel firms to recall their products or stop selling them altogether.

The law would apply to home appliances such as washing machines and fridges that can access the internet, as well as more traditional smart products, like mobiles, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors.

It would also cover products that can connect to multiple other devices but not directly to the internet, like smart light bulbs and wearable fitness trackers.

The government, however, said it intended to exempt some products, including cars and medical devices, where including them would subject them to double regulation.

Desktop and laptop computers also fall outside the scope of PSTI, because their operating systems already include a range of security features; second-hand smart products will likely remain exempt too.

Digital infrastructure minister Julia Lopez said: “Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.”

“Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards,” she added.