UK: Amended Product Security and Telecommunications Infrastructure Bill introduced to House of Commons
The amended Product Security and Telecommunications Infrastructure Bill ('the PSTI Bill') was introduced, on 11 May 2022, to the House of Commons, alongside its explanatory notes, prepared by the Department for Digital, Culture, Media and Sport ('DCMS'). In particular, the PSTI Bill was originally introduced on 24 November 2021 and provides, in Part 1, that the Secretary of State has the power to specify security requirements for internet and network connectable products which would apply to relevant persons, namely manufacturers, importers, and distributors of connectable products. More specifically, the explanatory notes outline that the security requirements will be technical in nature and will set out details, such as the products and software relevant to (and excluded from) each individual security requirement, adding that the initial security requirements are intended to align with the intent to ban default passwords, to implement a means to manage reports of vulnerabilities, and to provide transparency on for how long, at a minimum, the product will receive security updates. Additionally, the PSTI Bill outlines the duties of relevant persons, including the duty to:
- prepare a statement of compliance, or a summary of the statement of compliance, stating that, in their opinion, they have complied with the applicable security requirements, prior to making a consumer connectable product available in the UK;
- take all reasonable steps to investigate a compliance failure in relation to a product; and
- keep records and information on compliance failures and investigations for a minimum of 10 years.
Furthermore, Chapter 3 of Part 1 of the PSTI Bill outlines which enforcement actions may be taken by the Secretary of State in cases of non-compliance with the obligations stipulated in the PSTI Bill. For instance, such enforcement actions may include issuing a compliance notice, stop notice, and recall notice, or issuing monetary penalty notices, requiring the relevant person to pay the penalty within 28 days. In this regard, the PSTI Bill highlights that, where a breach continues beyond the period set in the penalty notice, a daily penalty may be imposed requiring the person to pay up to £20,000 for each additional day a breach takes place. Moreover, the PSTI Bill specifies that the maximum penalty for breaches is £10 million or 4% of the person's qualifying worldwide revenue for the person's most recent complete accounting period.
Further to this, the explanatory notes provide various examples to describe different provisions, including with regards to the meaning of a 'UK consumer connectable product' and 'supply'. Lastly, the DCMS published, on 11 May 2022, documents relating to the PSTI Bill, including an impact assessment explaining that such government intervention was necessary because of the insufficient security practices relating to consumer connectable products, such as having universal default passwords that are not updated against known security flaws, resulting in a serious threat to individual privacy and security.
UPDATE (26 May 2022)
PSTI Bill has its first reading in the House of Lords
The UK Parliament announced, on 26 May 2022, that the first reading of the PSTI Bill by the House of Lords ('HL'), took place on the same day. Specifically, the UK Parliament noted that this stage is a formality that signals the start of the bill's journey through the HL, and that the second reading which will constitute the general debate on all aspects of the bill is yet to be scheduled.
You can track the progress of the bill here.