Beyond security obligations and liabilities for controllers and processors under the EU and U.K. General Data Protection Regulations and the U.S. Federal Trade Commission's reasonable security measures requirements, other security-related laws are being enacted. Privacy professionals must be aware of the overlaps between data protection and other security-related laws, not just because of their relevance to liability for security under privacy laws but because compliance with these laws will likely require the same skills. As an IAPP white paper noted, roles in privacy and cybersecurity are becoming increasingly interdependent.
One key area is the expansion of security requirements to bind, not just controllers and processors under the EU GDPR, but those who manufacture, import or distribute products with inadequate security measures, particularly following the many instances of insecure connected nanny cams and the like. In this area, the U.K. has beaten the EU's proposed Cyber Resilience Act to the punch, although the General Product Safety Regulation will apply later in 2024.
For anyone who makes, imports or distributes smart products, like smartphones, smartwatches, or other Internet of Things products in the U.K., security-related obligations and liability under the Product Security and Telecommunications Infrastructure Act 2022 will kick in on 29 April 2024. Organizations have less than 12 months to comply with new obligations required by Part 1 of this act or face fines of up to 4%, plus daily fines of up to GBP20,000, imposed by the enforcement authority. The enforcement authority is the Secretary of State or whoever it authorizes for this purpose. These new product security obligations were outlined in an earlier article.
The U.K. Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 sets out detailed security requirements for manufacturers that will apply from 29 April 2024. It also outlines a "statement of compliance" required for connected products. According to written statements, the final regulations, currently in draft form, will be introduced to Parliament after the "notification requirements of international bodies, including the World Trade Organisation, have been complied with."
What about importers or distributors, like retailers? Detailed security requirements for these categories have not yet been issued, but the U.K. government will keep the effectiveness of the regulations' baseline requirements under review. However, importers/distributors of internet and network-connectable products in the U.K., like smartphones, smart watches or other IoT products, will still be subject to more general obligations and liability under the act from 29 April 2024 as outlined below.
Security requirements for manufacturers
Under the draft regulations, manufacturers will be deemed compliant with certain obligations if their products comply with equivalent requirements under the European Telecommunications Standards Institute standard EN 303 645 regarding device passwords, information on how to report security issues and minimum security update periods, or the International Organization for Standardization standard ISO/IEC 29147:2018 Information technology — Security techniques — Vulnerability disclosure, regarding giving information on how to report security issues.
Under the draft regulations, by 29 April 2024 manufacturers must:
- Ensure unique per-product or user-defined passwords for both hardware and software, with specific detailed requirements intended to prevent the use of universal default or easily guessed default passwords.
- Provide publicly available information on how to report security issues and publish in English at least one point of contact for security issues relating to their products (hardware or software), including when notifiers will receive acknowledgments and status updates, in an accessible, clear and transparent way, without any prior request.
- Provide the minimum period, including the end date, after which products will no longer receive security updates, again without prior request, in a clear, transparent and understandable way to someone without prior technical knowledge. Display the required information prominently. If the manufacturer's website or a nonpaid website it controls contains an invitation to purchase a connectable product, the minimum security update period information must be published alongside or given equal prominence to that material information.
Exemptions for manufacturers
Under the draft regulations, there will be some exemptions for "excepted products" for manufacturers:
- Electric vehicle charge points.
- Medical devices to which the Medical Devices Regulations 2000 apply. However, if those regulations apply to software, then internet and network-connectable products on which that software is installed or operable are not exempt.
- Certain smart-meter products.
- Desktop, laptop and tablet computers, unless designed exclusively for children under the age of 14 according to "the manufacturer's intended purpose."
The necessity for these exemptions illustrates the wide breadth of the concept of "relevant connectable products" caught by this act. Note smartphones, smart TVs and other connected products will be subject to the act and regulations.
Obligations on importers, distributors
The draft regulations directly affect only manufacturers, not importers or distributors. However, importers' and distributors' general duties and liability under the act will still kick in on 29 April 2024.
Key practical action points
Before the regulations go into effect, manufacturers who make any relevant connectable products available in the U.K. must:
- Check and update their manufacturing, distribution systems and processes to ensure such products satisfy the regulations' detailed security requirements.
- Ensure each product available in the U.K. is accompanied by a statement of compliance containing the information prescribed by the regulations or a summary with content prescribed in further regulations, and ensure copies of those statements are retained and can be found for at least ten years or, if longer, the security update period.
- Vulnerability disclosures and actions. Set up systems and procedures to:
  - Publish the required security-reporting information for all relevant products, including deciding how and when to publish it.
  - Handle vulnerability reports in compliance with the act and regulations, i.e., take all reasonable steps to investigate potential compliance failures and, upon establishing a failure, notify certain minimum information "as soon as possible" to the "enforcement authority," other manufacturers, any importer/distributor and, if conditions to be specified in yet-to-be-seen regulations are met, even U.K. customers. This halts the product's U.K. availability and remedies the failure.
  - Maintain records of such investigations and compliance failures containing certain minimum information, with a retention period of at least ten years.
Those familiar with privacy notices, security measures and personal data breach notifications under the GDPR will notice the parallels with compliance notices, vulnerability-reporting information, product security requirements and (although more detailed here) breach reporting and record-keeping. There are also issues regarding "authorised representatives" of manufacturers not established in the U.K., including liability, which are not discussed in this article.
Importers and distributors of any relevant connectable products in the U.K. must, by 29 April 2024, check and, if necessary, amend importing and distribution systems and processes to ensure they do not make any such products available in the U.K. unless accompanied by a statement of compliance or summary. Importers are required by the regulations to retain statements for at least ten years or, if longer, the security update period.
For noncompliant products, importers and distributors must check and, if necessary, amend their processes to ensure awareness of compliance failures by manufacturers.
- Actions. They can contact the manufacturer "as soon as possible" or, if not possible, distributors must contact their importers. If it appears unlikely the manufacturer will remedy the noncompliance, they can, as soon as is practical, take all reasonable steps to prevent the product from being made available to U.K. customers and, "as soon as possible" after contacting or attempting to contact the manufacturer, notify, with certain minimum information, the enforcement authority, any distributor supplied by the importer/distributor, the importer (in the case of the distributor) and (if conditions specified in regulations are met) U.K. customers to whom they supplied the product.
- Records. Importers, but not distributors, must maintain records of their investigations (including into manufacturers' actual and suspected compliance failures) with certain minimum information for at least ten years.
Importers and distributors do not appear to be required to verify the accuracy of statements of compliance, only to ensure they accompany the relevant products before allowing U.K. import and distribution.
April 2024 is not far off, so manufacturers, importers and distributors of smartphones and other smart/IoT products in the U.K. should start preparations soon.