The UK’s consumer connected product security regime is now in effect, but what exactly is it and how can the electrical retail industry make changes for the future? Product law expert and Director at Fieldfisher, Aonghus Heatley, explains…


The consumer connected product security regime came into effect in the UK last month (29 April). The law impacts consumer products connected to the Internet, such as smartphones, speakers, fridges, doorbells, printers… the list goes on. It imposes obligations on manufacturers, importers and distributors (including retailers), no matter their location, if their product is for sale in the UK.

What is the new law?

The Product Security and Telecommunications Infrastructure Act 2022 (the PSTI Act) aims to ensure that UK consumers are not put at risk by insecure technology products. While smart devices have in the past been compromised at scale by cybercriminals, the objective of the new requirements is to prevent such security breaches, for example by strengthening default passwords.

Other requirements (and more will be added in future) include providing information to the public on how to report security issues and on minimum security update periods (such as in an End-of-Life policy).

If you are selling a product, it’s your responsibility to make sure that product complies with the new requirements. While many retailers were actively driving compliance along their supply chains in anticipation of the 29 April deadline, we are speaking with a number of retailers who were either unaware that the products they sell, even those already on their shelves or in their warehouses, must be in compliance with the regime’s requirements or who were unable to get their supply-chain partners – such as importers or manufacturers – to engage with them. Non-compliance could result in those retailers being criminally liable.

Retailers are also having to take practical steps themselves; the regime requires that products are accompanied by a ‘Statement of Compliance’ which retailers will need to enclose or affix to products which they currently hold.

The new regulations mandate that Internet-connected smart devices meet minimum security standards by law.

Based abroad?

If the product you are shipping is going to go on sale in the UK and you are responsible for importing it, the regulation does affect you. You could be committing a criminal act by shipping a non-compliant product to the UK.

The PSTI requirements apply to products already in the supply chain; for example, if you have stock in a warehouse awaiting distribution, it needs to be brought into compliance.

It remains to be seen what enforcement posture the relevant regulator, the Office for Product Safety and Standards (OPSS), will take. While it has been reasonable and pragmatic in the past, enhancing cybersecurity against malicious actors is a nationally important issue for the UK. This may result in the OPSS taking a harder line than might otherwise be expected, even where it is clear that a company made all reasonable efforts to ensure compliance before last month’s deadline.

Some retailers will likely accept the risk of committing an offence by continuing to sell non-compliant products. Others will want to avoid the commission of an offence at all costs. We expect that there will be a large number of retailers that will try to take a middle ground – trying to do what they can to ensure compliance, but without taking non-compliant products off the shelves.

What are the penalties?

The regulator is, we think, more likely to use the carrot than the stick; that’s not to say it won’t show that it means business now that the changes have come into effect. If, for example, you were selling a webcam for a child’s bedroom that could easily be hacked – because it uses an easily guessable default password – you could find yourself facing criminal penalties.

Companies can be landed with fines of up to £10 million, or four per cent of qualifying worldwide revenue, whichever is higher.

The PSTI Act will be enhanced as technology evolves. If you consider that three-quarters of UK homes now contain some sort of smart device or appliance, there can be no doubt that further regulations will be coming down the line.