The rapidly expanding Internet of Things (IoT) is connecting up previously offline, non-digital, ordinary things. Apps are available for a vast variety of tasks. But every connection that we make creates a potential digital doorway and so cybersecurity is becoming a correspondingly ubiquitous issue. The UK Department for Digital, Culture, Media and Sport (DCMS) has issued a "Code of Practice for Consumer IoT Security". This "Secure by Design" initiative is intended to address the risk that poor cybersecurity in consumer devices leaves people exposed to cyber-attacks and hacking, by shifting the onus for secure internet-connected devices and apps from consumers to manufacturers, designers and suppliers.
It is presented as a voluntary code, but its potential impact on the interpretation of product safety law and consumer rights means that it merits close attention. In our view, device manufacturers, IoT service providers and app developers should review the Code and consider whether changes are needed to the set-up of their products and the contents of the corresponding user guides.
13 guidelines for more secure consumer devices
The Code of Practice takes a principles-based approach, setting outcomes to be achieved rather than dictating action to be taken. The 13 principles are expressed briefly and the document is a digestible read. It is primarily concerned with device manufacturers, service providers for IoT products and app developers (there is one provision which is addressed to retailers, but it basically emphasises data protection requirements).
The first three principles in the code are given priority, because DCMS considers that adherence will generate the largest security benefits in the short term.
- No default passwords – a failure by consumers to change easily discoverable factory default password settings has been cited as the reason for many security weaknesses.
- Implement a vulnerability disclosure policy – the Code emphasises that it should be simple for security researchers and others to report security vulnerabilities to the device provider. Once known about, the vulnerability can be dealt with.
- Keep software updated – software in connected devices should be capable of being securely updated, which should happen in a timely way. Consumers should be given information about updates and about the minimum length of time for which the device will continue to be supported and updated.
Of the remaining ten principles, numbers 10, 11 and 12 merit particular attention since they could necessitate changes to user guides supplied with products. The code requires suppliers to monitor telemetry data being sent back from the devices for security anomalies – customers will need to be informed that such monitoring is taking place. The code further requires that it should be easy for consumers to delete personal data, for example when the device is given to someone else or when it is discarded – user manuals will need to include information about how to do this. Finally, principle 12 recommends that installation and maintenance of devices should be easy, following security best practice and with clear instructions for consumers – again it is important to check whether user guidelines meet this expectation.
Although "voluntary", the code may have shifted expectations around cybersecurity
The DCMS Secure by Design Code is voluntary in the sense that there is no express requirement to adhere to it and no associated enforcement regime. However, its impact is broader than that might suggest. The UK's EU-derived product safety law and consumer law are expressed broadly and Courts will often look to voluntary guidelines to determine what forms best practice. The publication of the Code has potentially shifted the benchmark.
More particularly, the New Approach Directives, which are most likely to apply to IoT devices, require that all products must meet certain "essential requirements" before they can be placed on the market, including that the device and any embedded software are constructed to ensure the protection of health and safety and the protection of property. A device can meet the "essential requirements" by being manufactured and tested against recognised harmonised technical standards, but the law also recognises that other technical specifications may be applicable.
There is currently no comprehensive harmonised standard either internationally or at EU level around cybersecurity for connected consumer devices or apps (although DCMS has helpfully mapped the code against other relevant norms, standards or recommendations, including emerging ones). In the event, therefore, that there is a dispute about whether the cybersecurity on a connected consumer device, or in an app, meets the relevant essential requirements, the court would be very likely to treat the Secure by Design Code as a strong steer for what the consumer claimant is entitled to expect.
Similar analysis applies in relation to the consumer rights regime around defective products. Again, there is no established standard regarding cybersecurity: is a connected device defective because it was vulnerable to a cyber-attack? Under the Product Liability Directive, implemented into UK law in the Consumer Protection Act 1987, a producer is not liable for a defect if the scientific and technical knowledge available at the time the product was put on to the market did not enable the existence of the defect to be discovered. Therefore a manufacturer might be able to argue that, at the moment the product was placed on the market, the software vulnerability was not known. But going forward, it may well be difficult to argue that a weakness such as a factory default password was not known about, now that the Code presents unique passwords as a key element of good practice.
Osborne Clarke comment
In summary, although this Code is voluntary, manufacturers of connected consumer devices, IoT service providers and mobile app developers supplying into the UK market are likely to find that this is a standard against which they will be measured if something goes wrong and a claim is brought against them. They should therefore take note of the expectations which DCMS has set out, and consider whether the cybersecurity of their products and services requires updating, in line with this new benchmark for what consumers are entitled to expect.