Proposed U.K. IoT law offers greater privacy, security
The U.K.'s move to regulate consumer-facing IoT devices could have global implications.
Recently, the IoT has garnered negative attention over the security and privacy dangers it presents. As new U.S. regulations place greater scrutiny on organizations that collect personal data, the IoT will undoubtedly play a controversial role in how data is collected and in how compliance is managed going forward.
Now, the U.K. is set to rein in the Internet of Things (IoT) with new regulation, and lawyers say it could usher in more third-party responsibility. Because the U.K. is an international insurance hub, global insurers should take note of developments across the pond that could affect organizations operating there.
On Jan. 27, the U.K. government published its response to the regulatory proposals for IoT security consultation announced in May 2019.
Though the Department for Digital, Culture, Media and Sport noted it would address respondents’ comments, it seems poised to keep its proposed mandatory baseline cybersecurity requirements for IoT devices.
The proposed law requires that device passwords be unique and not resettable to any universal factory setting, which echoes California’s IoT law, which took effect earlier this year.
However, while the U.K.’s proposed law shares similarities with industry best practices and California’s IoT law, it is unique. Notably, the U.K.’s proposed law also requires manufacturers to provide a public point of contact through which consumers can report a security vulnerability. Meeting such requirements could become difficult as more IoT devices go to market.
“The administrative burden of setting unique passwords for each device (and then tracking them and dealing with requests and troubleshooting questions from end-users about those passwords) could be administratively challenging, particularly with the exponential growth of [IoT] production,” wrote Balch & Bingham partner Brandon Robinson in an email.
Also unique to the U.K. is the proposed requirement that IoT manufacturers explicitly state the minimum length of time their products will receive security updates, which is “a trickier requirement,” noted Baker & Hostetler partner and Comcast’s former vice president, deputy general counsel and deputy privacy officer Daniel Pepper.
A manufacturer’s security support can be influenced by how popular the product is, Pepper explained, which could make it difficult to predict how long it will offer security updates.
In turn, many IoT manufacturers that ship to the U.K. may “low ball” their estimate to comply with the law, Robinson said. “Unless the IoT law establishes a floor, I would expect manufacturers to ‘lowball’ this preliminary estimate in order to maintain compliance and preserve flexibility.”
Pepper agreed, but he noted companies may face a marketing conundrum if consumers question why a product’s security life cycle is so short or differs from other regions.
The U.K.’s proposed IoT law may also place more contractual obligations on service providers, Pepper added. In an effort to abide by the U.K. law, product manufacturers may negotiate with suppliers to provide the support needed for the required updates, he said.
To be sure, the U.K.’s proposed regulation may not fully please either consumer groups or manufacturers. Consumer groups may argue it doesn’t go far enough to protect consumers, while manufacturers could claim “it’s a difficult and challenging set of obligations, especially for devices that are very low-cost,” Pepper said.
But IoT makers should prepare for IoT laws to spread in varying jurisdictions, Pepper and Robinson agreed.
“Having to tailor the design or production of IoT devices to multiple jurisdictions to maintain compliance could slow the growth of IoT devices globally and disincentivize businesses from offering IoT devices in certain areas because of such conflicts,” Robinson added.