New Clause 4 - Requirement to consult on imposition of minimum periods of time for which products would need to receive security updates

Part of Product Security and Telecommunications Infrastructure Bill – in a Public Bill Committee am 9:25 am ar 22 Mawrth 2022.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Photo of Julia Lopez Julia Lopez Parliamentary Secretary (Cabinet Office), Minister of State 9:25, 22 Mawrth 2022

Again, I thank the hon. Member for his suggestions, and I always appreciate the intention behind what he is trying to do. On this matter, we have been consulting with experts throughout the development of the legislation. As he will be aware, a lot of the details about how we shall regulate these products will come in secondary legislation. Here, we are taking broad powers so that, as the technology develops, we can tweak them as things change. We are also considering a wide number of products that will be in scope.

We do not want to take specific powers at this stage, and, as I mentioned in relation to the hon. Gentleman’s amendment 6, which we debated last week, it is important that the legislation retain the flexibility to adapt to and reflect the changing threat and technological landscapes. We have consulted widely on the legislation, and will continue to do so where new requirements are appropriate, but committing the Government to working on requirements framed using terminology that may seem appropriate today could limit the security benefits of such a requirement in the future.

As I reassured the hon. Member last Thursday, we are committed to introducing security requirements based on the first three guidelines of the internationally recognised code of practice for consumer internet of things security. Those will include a requirement for manufacturers to be transparent about the time for which products will be supported with security updates. At its core, that approach demonstrates a shift towards clear transparency that can inform the consumer when purchasing a relevant device. We know that many consumers are security conscious, but, as things stand, not enough manufacturers make that information readily available to them.

Data from Which?, which the Committee heard from last week, highlights that less than 2% of assessed products had clear information on the length of time for which they would receive security updates. We are using legislation to increase the availability of information to UK consumers, so that they can make their own purchasing choices with a clear understanding of security. As consumers learn more, they will expect more, and we hope that that will drive the market approach to embedding minimum periods for security updates. Last week, the Committee heard from Which? that some consumers might be continuing to pay for their devices even after security updates are available to them. That is exactly the kind of thing we want to avoid, and we think that transparency is the key to raising consumer awareness.

As manufacturers raise the bar to the appropriate level, we anticipate that more and more will do the same as a result of that shift to transparency. Should manufacturers fail to respond in that way, the Government may, in the future, consider that there is a case for setting out a requirement for certain products to be covered by minimum security periods. That is all part of the flexible approach we are keen to take to legislation to ensure that our requirements reflect the realities of technologies and the wider market.

Additionally, I have concerns that the new clause would commit the Government to unnecessary work that would only need to be repeated following the implementation of the initial requirements, before a substantiated case for this additional requirement could be made.

For those reasons, I am not able to accept the new clause. We are taking broad powers and a lot of details will be looked at when we consider secondary legislation. We will be looking at this issue as these products develop. If we think that a requirement for the hon. Member’s minimum period comes about, we will look at the issue again. At this stage, though, I hope he will consider withdrawing his new clause.