The UK's Department for Digital, Culture, Media and Sport ("DCMS") has released a voluntary code of practice to help Internet of Things companies to achieve a "secure by design" approach, including to comply with applicable data protection laws, such as the GDPR, from the earliest stages of the design process. This publication comes after the announcement of a new law in California regarding the security requirement in IoT devices (see our previous report here).
The Code of Practice contains thirteen outcome focused guidelines which are aimed to help companies protect their customers' privacy and safety. The most important guidelines, according to the DCMS, are the following:
- Device Manufacturers are responsible for ensuring that IoT devices must have unique passwords, which cannot be restored to any universal factory default value;
- Device Manufacturers, IoT Service Providers and Mobile Application Developers shall have a vulnerability disclosure policy in order that security researchers and others are able to report them; and
- Device Manufacturers, IoT Service Providers, Mobile Application Developers are responsible for software updates, which should be easy to implement. In addition, the period of software update support shall be made clear to a consumer when purchasing the product.
Some of the other guidelines concern the credentials applicable to storing, encryption of security-sensitive data, the "principle of least privilege" and making installation and maintenance of devices more straightforward. The UK government has also published a mapping document in order to make it easier for other manufacturers to sign up to the new code, and a document for consumers with guidance on securing IoT devices in the home.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.