On May 1, 2019, the UK’s Department for Digital, Culture, Media and Sport (“DCMS”) launched a public consultation (“Consultation”) regarding plans to pursue new laws aimed at securing internet connected devices. The Consultation follows the UK’s publication of its final Code of Practice for Consumer IoT Security (“Code of Practice”) last October (the subject of another Covington blog available here) and is targeted at device manufacturers, IoT service providers, mobile application developers, retailers and those with a direct or indirect interest in the field of consumer IoT security.

Despite a stated preference for industry self-regulation to address IoT cybersecurity, DCMS noted “significant shortcomings in many products on the market.” As a result, DCMS seeks to ensure security by design through new laws, primarily through mandating the top three security requirements outlined in the Code of Practice: (i) that devices’ passwords are unique and are not resettable to any universal factory setting; (ii) the implementation of a vulnerability disclosure policy; and (iii) explicit statements regarding the minimum length of time (month and year) for which the device will receive security updates.

To this end, three key proposals are considered in the Consultation:

  • Option A: Mandate retailers to only sell consumer IoT products that have an IoT security label, with manufacturers to self-declare and implement a security label on their consumer IoT products.
  • Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines of the Code of Practice, with the burden on manufacturers to self-declare that their consumer IoT products adhere to guidelines as well as certain technical specifications.
  • Option C: Mandate that retailers only sell consumer IoT products with a label that proves compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self-declare and to ensure that a label is on the appropriate packaging.

Option A: The “Preferred Option”

Option A has been identified by DCMS as the “preferred option.” Consistent with this preference, DCMS has noted that it will implement voluntary labeling for IoT later this year. The voluntary labeling scheme will remain in effect until Parliament implements governing regulations.

As part of the current consultation period, DCMS is also welcoming feedback on its proposed labeling design, which was developed in conjunction with a working group and feedback from a consumer survey. The draft designs are featured below:

To acquire a “positive label,” device manufacturers would have to self-certify that they comply with the top three guidelines in the Code of Practice.

Options B and C

Option B is in line with DCMS’s stated ambition to require mandatory adherence to the top three guidelines of the Code of Practice in the UK. As portions of the top three guidelines run through Option A, it would not be surprising if the end result of the Consultation was support for legislation invoking some hybrid of Option A and B.

Option C is the most rigorous of the options and its requirements may be considered overly burdensome for certain devices and by industry requiring to comply. Accordingly, it seems least likely to gain support, at least at this stage.

What’s Next?

The consultation period is open until 11:59 pm on June 5, 2019, with DCMS hoping to receive feedback from a range of stakeholders, as it evaluates which measures to pursue legislatively. Comments can be sent by email to securebydesign@culture.gov.uk or mailed to Department for Digital, Culture, Media and Sport, 4th Floor, 100 Parliament Street, London, SW1A 2BQ.

Following the consultation period, the government will decide which option(s) to pursue as legislation. DCMS aims to produce both primary and secondary legislation: primary legislation to authorize the Secretary of State for DCMS “to set requirements for a mandated labelling scheme and/or to set security requirements for devices on sale in the UK”; and secondary legislation to provide for specific device requirements. DCMS also intends to publish a “final impact assessment” with the ultimate decision after the close of the consultation period. Should you wish to discuss a consultation response, please get in touch with:

Mark Young +44 20 7067 2101 myoung@cov.com

The team at Covington will continue to monitor for updates related to this IoT Consultation and will post on future developments.

Photo of Mark Young Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to…

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
    Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    clinical trials and pharmacovigilance;

    • digital health products and services; and
    • marketing programs.
    • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
      preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.