January 20, 2019


Securing the Internet of Things

The ‘Internet of Things’ (‘IoT’) is a rather vague collective term for the random mix of new technology that has now infiltrated our lives. In simple terms, it is the group of devices that are connected to the Internet: from the fridge that tells its owner the milk is running low, to the interrupting virtual digital assistants, to the latest generation of baby monitor that lets you watch your offspring from the pub. The list and scope of ‘things’ falling within this definition arguably justifies the rather random collective noun, and this area is predicted to grow exponentially.

Whilst these devices unquestionably enhance the convenience of our busy lives, there is a worry about the potential invasion of the privacy of our homes, the security implications, and the unquantifiable volumes of data that must be accumulated somewhere.

The UK Department for Digital, Culture, Media and Sport, together with the National Cyber Security Centre, has developed a Code of Practice for Consumer IoT Security (the Code), which sets out controls to protect consumer security in how these devices and technologies operate in homes. Not surprisingly, the Code identifies that a significant number of devices on the market today lack basic security measures.

The Code sets out 13 guidelines, aimed at manufacturers and other security stakeholders, to improve consumer IoT security practices. The guidelines include practical steps and requirements intended to bring about security change throughout the supply chain. The first three guidelines are prioritised, as these are expected to bring the largest security benefits in the short term. In the top spot is a requirement that all IoT device passwords should be unique and not resettable to any universal factory default setting. Currently most devices rely on the consumer to change the password, which predictably does not always happen, leading to avoidable security issues.

Second, all applicable companies should operate a vulnerability disclosure policy that includes a public point of contact so that issues can be reported directly. The idea is to enable centralised monitoring and collation of security issues, which not only helps the individual consumer but also allows information about any vulnerability in a device with widespread implications to be shared throughout the industry.

The third guideline requires that the software components of these devices be securely updatable, to enable regular software security updates. Upon purchase, the consumer should be informed of the period of software update support, and an end-of-life policy should be published for end-point devices. Software patches should be delivered over a secure channel, and the device should remain operational during the update.

The remainder of the Code sets out a number of guidelines to help ensure the security of data stored on the devices and the resilience of the devices to outages of data networks and power. The Code confirms that all personal data processed on these devices may only be processed in accordance with the GDPR, so consumers must be given clear and transparent information about how their data will be used, by whom and for what purpose. Consumers must also be given clear instructions on how to delete their personal data from a device upon transfer to a third party or on disposal.

Whilst the Code is neither revolutionary nor a guarantee that such devices can be used risk-free, it does formalise a number of minimum standards, which should help to focus the role of manufacturers and other stakeholders in protecting consumer security and data in this fast-growing sector.

© Copyright 2019 Squire Patton Boggs (US) LLP

About this Author

Tanya L. Theobald, Squire PB, IP Lawyer
Director

Tanya Theobald’s practice covers a wide range of commercial and non-contentious intellectual property work and the drafting and negotiation of commercial, IT and intellectual property agreements.

Tanya has more than 10 years of experience of advising clients in relation to the protection and exploitation of their intellectual property rights. She has considerable experience in advising clients in the media, advertising and marketing services sector in relation to client contracts, advertising content, production issues and branding advice.

Tanya advises...

+44 207 655 1677

Andrew Wilkinson, Squire Patton Boggs, Commercial Disputes Lawyer, information technology matters
Partner

Andrew Wilkinson is a general commercial lawyer with a particular focus on information technology matters.

As a member of the firm’s Intellectual Property & Technology practice, Andrew advises both suppliers and users of hardware, software, systems integration services, managed services, cloud service arrangements and technology consultancy services in relation to technology outsourcing and general systems procurement. He counsels extensively in relation to technology research and development, intellectual property rights protection and exploitation of technology and intellectual property rights, including through strategic alliances, joint ventures and reseller and partnering arrangements. Andrew also advises UK and international businesses in a range of different sectors in relation to general commercial matters, including procurement, agency and distribution arrangements, joint ventures, dispute resolution and many other day-to-day business requirements. He regularly provides the commercial, intellectual property rights and technology advice required in mergers and acquisitions and privatisations.

44-20-7655-1783