Shoosmiths LLP
  June 14, 2024 - Milton Keynes, England

Protecting the UK's internet connected devices from cyber-attacks
  by Shoosmiths LLP

Manufacturers of internet or network connectable products for the UK market are now required to implement minimum security standards to protect such products from cyber-attacks. Importers and distributors are also impacted by these requirements.

“Relevant Persons”

“Relevant Persons”⁴ include:

Manufacturers

Importers

Distributors

Duties of “Relevant Persons”

The new duties depend on a person’s role in the sale⁵ and apply if the product is, or is intended to be, a UK consumer connectable product, or if they are aware, or should be aware, that it will be such a product.

Manufacturers must:

Importers must:

Distributors’ duties mirror those of importers, but they have no duty to investigate non-compliance.

Products caught by the PSTI

Products with WiFi and Bluetooth technology and wireless/no wire products, including those sold online, will be subject to the new requirements. Smartphones, Bluetooth earbuds/headphones, wearable connected technology like fitness trackers and smart watches, voice-activated assistants/home control systems, smart TVs/speakers and smart appliances, games consoles, connected baby monitors and connected alarm systems will also be caught by the PSTI.

Products excepted from the PSTI

These include⁶:

Non-compliance

Enforcement notices

The enforcement authority has wide-ranging powers to enforce compliance, including issuing:

It is a criminal offence to fail to comply with such notices, which can be appealed. Showing that all reasonable steps have been taken to comply with the notice is a defence.

Financial penalties

Those who fail to comply with their duties may face a specified financial penalty of up to £10 million or 4% of their qualifying worldwide revenue for their most recent complete accounting period, whichever is greater⁷. Additionally, a daily penalty of a specified amount of up to £20,000, for each day for which the breach continues after the end of the payment period of the fixed penalty, can be imposed.

The penalty amount must be appropriate and proportionate to the duty breached. The effects of the breach and remedial steps taken by the Relevant Person must be considered when deciding the amount.

Representations can be made by those facing a financial penalty following notification of the intention to impose a penalty. The imposition itself, the amount and the payment period can be appealed.

Other enforcement

The enforcement authority may seek forfeiture orders and can publish information about compliance failures and enforcement action taken.

Finally...

Those involved in the sale of consumer connectable products will wish to avoid the costs and reputational damage resulting from enforcement by ensuring they understand and comply with their duties.

 

1 Viscount Camber, Minister for Cyber
2 Schedule 1 The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
3 Schedule 2 The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
4 s.7 PSTI
5 ss. 8-25 PSTI
6 Schedule 3 The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023
7 s.38 PSTI




Read full article at: https://www.shoosmiths.com/insights/articles/protecting-uks-internet-connected-devices-from-cyber-attacks