Companies could be fined up to £10 million or 4% of their global turnover if they sell digital products that fail to protect consumers from being hacked.
Manufacturers, importers, and distributors of digital tech will be required to make sure the devices meet new security standards under a new law proposed by the UK government - with heavy fines for those who fail to comply.
The Product Security and Telecommunications Infrastructure (PSTI) Bill, introduced to Parliament on Wednesday, will allow the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.
At present, digital device manufacturers must comply with rules to stop them from causing people physical harm from issues such as overheating, sharp components, or electric shock. But there is no regulation to protect consumers from harm caused by cyber breaches, which can include fraud and theft of personal data.
The bill will give the government new powers to bring in tougher security standards for device makers.
The tougher standards include a ban on easy-to-guess default passports that come preloaded on devices - such as ‘password’ or ‘admin’ - which are a target for hackers. All passwords that come with new devices will need to be unique and immune to resets from universal factory settings.
The new law will also require connectable product manufacturers to tell customers at the point of sale, and keep them updated, about the minimum amount of time a product will receive vital security updates and patches. If a product does not come with security updates, that must be disclosed to the customer.
This will increase people’s awareness about when the products they buy could become vulnerable so they can make better-informed purchasing decisions, according to the government. It's believed nearly 80% of the firms targeted by the bill do not have any such system in place, the government said.
There will also be new rules that require manufacturers to provide a public point of contact to make it simpler for security researchers and others to report when they discover flaws and bugs in products.
This new cyber security regime will be overseen by a regulator, which will be designated once the bill comes into force, and will have the power to fine companies for non-compliance up to £10 million or 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.
The regulator will also be able to issue notices to companies requiring that they comply with the security requirements, recall their products, or stop selling or supplying them altogether. As new threats emerge or standards develop, ministers will have the power to mandate further security requirements for companies to follow via secondary legislation.
NCSC technical director Dr. Ian Levy said the bill would “ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security”.
“The requirements this bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice,” he added.
