Back in March 2018, Cooley published a post about the UK’s leading step towards codifying security of consumer internet of things (IoT) products through its draft Code of Practice. It’s time for an update!

The UK department for Digital, Culture, Media and Sport (DCMS) has now launched the final version of the Code of Practice for consumer IoT security. Being voluntary, the Code is meant to guide manufacturers towards improvement of the security of more than 420 million connected devices predicted to be active in the UK alone in the next three years. The Code follows the same Guidelines set out in the original draft and include practical guidance for IoT manufacturers and stakeholders as they create products for the connected world.

Despite the UK Government’s hopes to achieve the best possible industry uptake, the reality remains that many IoT components and even the entire product can come from so-called ‘white label’ makers, often manufacturers based outside the UK. The question then arises… how could a UK-based, voluntary code have any teeth? For that reason, the Code has been translated into French, German, Spanish, Korean, Japanese and Mandarin. In parallel, the UK government has initiated global outreach and collaboration with counterparts and standards institutions in countries such as the US, Canada, France, New Zealand and Australia.

The UK has submitted a proposal to the European Telecommunications Standards Institute (ETSI) with the goal of developing international standards and regulation for consumer IoT security, based on its own Code. According to the ETSI website, the standard should be available around 17 February 2019, but the date has already been delayed once.  ETSI’s Technical Committee on Cybersecurity though, has already released two encryption specifications that cover access control in widely used systems, namely 5G and IoT. The Commonwealth Cyber Declaration, agreed by 53 nations in April 2018, also focuses on boosting user security by default, which is another milestone that signals worldwide commitment towards the convergence of approaches.

Overall, the idea of standardisation is not new but one that is increasingly relevant. Standardised solutions can aid ensure quality, credibility, interoperability and global scalability leading to an overall successful digital transformation journey. At the same time, however, as technology advances, security breaches of IoT devices shift from digital inconvenience to physical safety threats. This is demonstrated by the recent announcement of a product recall of a connected device due to the risk of a safety issued caused by a data breach (see article here) – a first for the European Commission’s regime for product safety.  Regulators are alert to the development and the global industry is bound to fall within the scope of market alignment sooner or later.

IoT industry watch this space…

For more information:

The Code of Practice can be found here.

Interactive mapping of the Code of Practice can be found here.

Updates on the status of the ETSI Standard are published here.

Posted by Jamie Humphreys

Jamie Humphreys is a litigation and regulatory lawyer. He is a strategic advisor to clients who face critical threats to their business at all stages of the product life-cycle, working with them to ensure the most favourable outcome and manage any reputational impact. He also provides policy advice to clients on proposed legislation and regulations that may introduce profound changes to their business. He has acted on high profile litigation across a range of different industries, internal investigations into allegations of fraud by global products manufacturers, major corruption investigations for Governments, and B2B product liability disputes, international recalls and consumer claims for well-known global brands. He is passionate about the impact that new technologies such as 3D printing, AI and Internet of Things will have in the products space and works with clients to ensure they prosper within a dynamic regulatory environment.