The UK government has recently published an invitation to take part in its consultation on proposals for the regulation of the Internet of Things (IoT).
The consultation, to be run by the Department for Digital, Culture, Media and Sport, seeks input into future regulation aimed at improving IoT security. This invitation follows the recent publication of a Code of Practice (the Code) for IoT, which is among the first of its kind. The Code sets out 13 guidelines that the UK government considers essential to the security of IoT devices. It aims to ensure that security features are built into IoT devices by design and that consumers are informed of how secure the devices are. To this end, the invitation identifies three mandatory security requirements:
- all IoT device passwords must be unique and not resettable to a universal factory setting;
- manufacturers of IoT devices must provide a public point of contact as part of a vulnerability disclosure policy; and
- manufacturers of IoT devices are to explicitly state, through an end of life policy, the minimum length of time for which their devices will receive security updates.
As well as these security requirements, the UK government proposes a mandatory labelling system. This labelling system will indicate how secure an IoT device is, so that consumers are better informed when deciding whether to purchase the product. It is proposed that this labelling system will be rolled out incrementally, initially as a voluntary scheme before being implemented across all IoT devices.
Comment
The security challenges around IoT have come under increasing scrutiny from regulators recently. As well as the Code, the UK government has published guidance for consumers and a mapping document for manufacturers of IoT devices. If you would like to take part in the consultation, it is open until 5 June 2019 and can be accessed here. We expect further developments in this area, so keep an eye on our blog for upcoming alerts.