November 28, 2020

Volume X, Number 333


United Kingdom Establishes IoT Security Principles

The UK government recently released a policy paper outlining proposed requirements for makers of Internet of Things (IoT) devices to take certain actions to better protect IoT devices from growing cybersecurity threats. The report, Secure by Design: Improving the cyber security of consumer Internet of Things, was released by the UK’s Department for Digital, Culture, Media & Sport and contains a draft Code of Practice for manufacturers of consumer IoT devices and services.

Some of the actions suggested by the draft Code of Practice include the following:

  • No default passwords. All IoT device passwords must be unique and follow best practices on passwords and other authentication methods.

  • All companies providing IoT devices and services must have a public point of contact for reporting issues. In addition, companies should act promptly on remedying any reported issues and are encouraged to share information with relevant industry bodies.

  • Companies must keep all IoT software updated. Updates should not impact the functionality of the IoT device, and companies must publish an end-of-life policy stating the minimum length of time that a device will receive software updates. Any update should be accompanied by the reason for the update.

  • Personal data should be processed in accordance with applicable data protection laws. IoT device manufacturers need to communicate with customers about how their personal data is being used, by whom, and for what purposes. Any consent to processing personal data must be obtained lawfully. Manufacturers should provide information on how to securely set up and dispose of IoT devices.

  • Customers should be able to delete their personal data easily. IoT devices should be configured so that personal information can be easily deleted whenever the customer wishes to do so.

The public may comment on the draft Code of Practice through April 25, 2018. The report makes clear that its recommendations are in draft form and are part of a continuing effort to address cybersecurity concerns in connection with new technologies, which may result in new guidelines or, if necessary, new laws or regulations.

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved. National Law Review, Volume VIII, Number 81



About this Author

Doneld Shelkey, Technology attorney, Morgan Lewis

Doneld G. Shelkey represents clients in global outsourcing, commercial contracts, and licensing matters, with a particular focus on the e-commerce and electronics entertainment industries. Doneld assists in the negotiation of commercial transactions for domestic and international manufacturers, technology innovators, and retailers, and counsels clients in the e-commerce and electronics entertainment industries on consumer licensing and virtual property matters.

Katherine B. O'Keefe, Morgan Lewis, Technology Lawyer

Katherine B. O’Keefe is part of a team that handles critical commercial transactions that enable our clients to run their business operations effectively. The team is focused on technology transactions, including licensing, services, and alliance deals that involve emerging technologies such as cloud computing, software as a service (SaaS), and data analytics. Our technology, outsourcing, and commercial transactions lawyers assist clients in managing their online presence, from website development, hosting, and maintenance; to privacy and use policies; to data breach and...