November 16, 2018

IoT Update: The UK publishes a final version of its Code of Practice for Consumer IoT Security

Following an informal consultation earlier this year – as covered by our previous IoT Update here – the UK’s Department for Digital, Culture, Media and Sport (“DCMS”) published the final version of its Code of Practice for Consumer IoT Security (“Code”) on October 14, 2018. The Code was developed by the DCMS in conjunction with the National Cyber Security Centre, and follows engagement with industry, consumer associations, and academia. Its aim is to provide guidelines on achieving a “secure by design” approach to all organizations involved in developing, manufacturing, and retailing consumer Internet of Things (“IoT”) products. Each of the thirteen guidelines is marked as primarily applying to one or more of four categories: device manufacturers, IoT service providers, mobile application developers, and retailers.

The Code brings together what is widely considered good practice in IoT security. At the moment, participation in the Code is voluntary, but it aims to initiate and facilitate security change through the entire supply chain and to support compliance with applicable data protection laws. The Code is supported by a supplementary mapping document and an open data JSON file, which cross-reference the other main industry standards, recommendations and guidance. Ultimately, the Government’s ambition is for appropriate aspects of the Code to become legally enforceable, and it has commenced a mapping exercise to identify the impact of regulatory intervention and the changes that would be necessary.

The Code highlights the first three Guidelines as quick wins – bringing about the greatest security benefits in the short term – and urges IoT stakeholders to prioritize them. These are:

  • Unique passwords: avoid the use of IoT device default passwords (e.g., avoid universal default usernames and passwords, or leaving it up to the consumer to change them);
  • Vulnerability disclosure: all IoT device and services suppliers should implement a vulnerability disclosure policy (e.g., provide a public point of contact so that security researchers and others can report issues, which should be acted upon in a timely manner); and
  • Secure, updated software: keep software up to date in IoT devices (e.g., regularly issue or install software patches).

While there are no significant substantive changes from the earlier consultation version, the wording of every guideline has been softened: the measures are no longer framed as a ‘must’ but in the lesser form of a ‘shall’ or ‘should’.

The thirteen Guidelines are summarized below:

| No. | Guideline | Device Manufacturers | IoT Service Providers | Mobile App Developers | Retailers |
|---|---|---|---|---|---|
| 1 | No default passwords | X | | | |
| 2 | Implement a vulnerability disclosure policy | X | X | X | |
| 3 | Keep software updated | X | X | X | |
| 4 | Securely store credentials and security-sensitive data | X | X | X | |
| 5 | Communicate securely | X | X | X | |
| 6 | Minimize exposed attack surfaces | X | X | | |
| 7 | Ensure software integrity | X | | | |
| 8 | Ensure that personal data is protected | X | X | X | X |
| 9 | Make systems resilient to outages | X | X | | |
| 10 | Monitor system telemetry data | | X | | |
| 11 | Make it easy for consumers to delete personal data | X | X | X | |
| 12 | Make installation and maintenance of devices easy | X | X | X | |
| 13 | Validate input data | X | X | X | |

(An X marks the categories to which each guideline primarily applies.)

The Code is again accompanied by additional explanatory notes, which expand on some of the Guidelines. In particular, the note on Guideline 2 discusses Coordinated Vulnerability Disclosure and the security benefits of disclosing vulnerabilities in IoT devices: it puts companies ahead of the threat of malicious exploitation and gives them an opportunity to resolve vulnerabilities, whether individual or systemic, in advance of a public disclosure. The note on Guideline 3 provides more detail than the earlier consultation version, and explains the importance of timely software updates even where the patching process depends on other organizations, such as manufacturers of subcomponents.

Leading IoT manufacturers have already signed up to the Code, and the UK Government has encouraged other manufacturers and retailers to do so as well. You can find the full text of the Code on the DCMS website here and a pdf version here. You can find the Code translated into French, German, Japanese, Korean, Mandarin, Portuguese and Spanish here. The DCMS will periodically review the Code and publish updates at least every two years. Our team at Covington will continue to monitor progress and will post on future developments.

Post by Grace Kim and Siobhan Kahmann

© 2018 Covington & Burling LLP
