The Product Security and Telecommunications Infrastructure Act 2022
The Product Security and Telecommunications Infrastructure Act 2022 (PSTIA) took effect on April 29, 2024, and requires manufacturers, importers, and distributors of UK consumer connected (or “smart”) products to ensure such products meet a number of security requirements intended to make them more resilient against cyberattacks. In particular, common or easily guessed passwords cannot be used as default settings or when users set up their new devices, and manufacturers must provide consumers with information on security issues and security updates. The PSTIA is part of the UK government’s commitment to improve connectivity as a means to drive economic growth. However, increased connectivity through the growing use of connected devices increases the risk of cyberattacks by criminals and hostile nations, threatening individuals’ security and privacy. The PSTIA takes a step towards addressing this threat.
Background
The UK government is committed to improving connectivity and ensuring good broadband speed throughout the UK as a means to stimulate economic growth. It cites the Covid pandemic as demonstrating that being connected helped businesses to run, families to stay in touch, children to continue their education, and supported society in a time of crisis. The government takes the view that greater connectivity will increase demand for consumer connectable products, such as smart speakers, smart TVs, wearable technology, and the digital services they enable.
It is estimated that the average UK household has nine connected devices, yet many smart devices lack basic cybersecurity protection. According to government statistics, only one in five consumer connected devices incorporate embedded basic security requirements. However, the majority of consumers assume that these products are secure, making them more likely to become victims of cyberattacks. A study carried out by University College London in 2020 of 270 common consumer connectable products found that consumers were not given sufficient information explaining how long their connected product would be supported with security software updates.
Vulnerable connected devices threaten individuals’ security, their privacy, and their safety. On a wider scale, security flaws in consumer smart products can result in large scale cyberattacks, such as distributed denial of service or “botnet” attacks, which can have repercussions not just across the UK, but also in the global economy. For instance, in 2016, cyber criminals compromised 300,000 products with the Mirai malware and used the collective computing power to disrupt news and media websites including the BBC and Netflix. The Mirai malware was able to penetrate so many devices because of weak security measures, such as default passwords. The government estimates that over £1 billion is lost each year in the UK as a result of cyberattacks. The PSTIA aims to improve connectivity and consumer-facing cybersecurity.
Overview of the PSTIA
The PSTIA received Royal Assent on December 6, 2022 and took effect on April 29, 2024. It is split into two parts:
- Part 1 imposes a number of obligations upon manufacturers, importers, and distributors of connectable (i.e., “smart”) consumer products to enhance their resilience against cyberattacks.
- Part 2 aims to speed up UK digital connectivity by accelerating the deployment and expansion of gigabit-capable broadband across the UK to support digital growth and innovation. The requirements of Part 2 of the PSTIA are beyond the scope of this Advisory.
Part 1 of the PSTIA requires manufacturers, importers, and distributors in the supply chain of “relevant connectable products” to comply with a number of security obligations intended to make such products more resilient against cyberattacks. The security obligations vary depending on whether the organization concerned is a manufacturer, an importer, or a distributor. The PSTIA may apply in unexpected ways — for instance, a developer of homes that incorporate smart technology could potentially fall under the scope of the PSTIA.
“Relevant connectable products” are consumer products that can connect to the internet or other networks and can transmit and receive digital data, for instance, smartphones, smart TVs, smart speakers, connected baby monitors, and connected alarm systems (also known as consumer “internet of things,” “IoT,” or “smart” devices). A number of categories of products are expressly exempted from the definition, including charge points for electric vehicles, medical devices, certain smart meters, and computers.
The security requirements are actions that relevant businesses in the supply chain must take, or requirements that a product must meet, to address a security problem or eliminate a potential security vulnerability. The specific security requirements are found in the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023/1007 (Security Regulations), secondary legislation made under the PSTIA which also took effect on April 29, 2024. The Security Regulations impose a number of security requirements on manufacturers, which include the following:
- Passwords: The PSTIA prohibits weak, easily guessable default passwords (such as “password” or “123456”). Default passwords must be unique to each product or capable of being defined by the user of the product; must not be based on incremental counters; must not be based on or derived from publicly available information; must not be based on or derived from unique product identifiers, such as a serial number (unless this is done using an encryption method or keyed hashing algorithm that is accepted as part of good industry practice); and must not otherwise be easy to guess.
- Information on how to report security issues: Manufacturers must provide information on how to report security issues about their products. Manufacturers must also provide information on the timescales within which the person making the report will receive an acknowledgment of receipt and status updates until the issue is resolved. The information must be made available without prior request in English, free of charge, in an accessible, clear, and transparent manner.
- Information on minimum security update periods: Information on minimum security update periods must be published and made available to the consumer in a clear, accessible, and transparent manner. The information must specify the minimum length of time security updates will be provided, along with an end date. This information should be made available without prior request in English, free of charge, and in such a way that is understandable for a reader without prior technical knowledge.
Manufacturers must ensure that their connected consumer products conform to a specified standard and provide a statement of compliance, which must be retained for the longer of the period of the relevant support or 10 years. Manufacturers must also investigate compliance failures and take remedial action. Importers and distributors are also subject to a number of obligations, which include not making products available if there is a compliance failure and ensuring that their products are accompanied by a statement of compliance.
The maximum penalty for failing to comply with the PSTIA is £10 million or 4% of the supply chain organization’s worldwide annual revenue for a single, relevant breach.
Summary
Manufacturers, importers, and distributors of connected consumer products must comply with their obligations under the PSTIA. The specific security requirements are set out in secondary legislation and currently only apply to manufacturers. However, future secondary legislation could impose obligations on importers and/or distributors, so supply chain organizations should ensure they keep up to date with the PSTIA. Because of the potentially high penalties, companies should set out a process to (1) ensure security by design of connected consumer products, incorporating all of the required security elements; (2) have mechanisms in place to ensure the transparency requirements are met in product guides; and (3) create a compliance program with respect to the PSTIA that includes certifications of compliance, auditing, and monitoring, and investigations in the event of failures.
Please contact the author of this Advisory for more information or to discuss your obligations under the PSTIA.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.