Connected devices could be regulated for security compliance - PwC
European moves to force connected hardware makers to make their devices more secure
The growing number of poorly secured Internet of Things (IoT) devices could lead to legislation making device makers responsible for security. That was one of the warnings that arose from a roundtable discussion today, led by PwC and identity management software supplier ForgeRock.
Stewart Room, head of PwC legal's cyber security and data protection practice, warned that action could happen either at a formal regulatory level via directives passed in Brussels, or via judicial activism.
"Will the law get to a state of controlling manufacturers, coders, producers of systems? That is actually one of the proposals that the European Parliament put on the table. European law has never regulated the creators of code or the builders of machines. The problem is, if you think of most of the vulnerabilities exposed in security breaches, leaving aside insider threats, it's the fact that the code is rubbish or that there are connection shortcomings," said Room.
The European Parliament, he continued, wants to regulate device makers and software vendors in order to force them to improve the security of connected devices.
"It wants to put a legal duty on the tech industry to police itself to make sure that what it produces and sells is fit for purpose. The problem with that argument is that the tech industry is such a powerful lobby, that it's difficult to do. But what's happening is that because of the absence of a political appetite to have that fight with the tech industry, the judiciary is expressing its concern instead," said Room.
This increasing judicial activism at the European level is reflected in, for example, action against companies such as Facebook and Google over alleged infractions of privacy laws, such as Google's subversion of "do not track" settings in web browsers.
"Privacy law is seeking to solve the question of flaws and vulnerabilities created by producers," warned Room.
However, he also noted that the European Union sought to regulate the market for digital signatures - and killed it stone dead, helping to take European tech firms such as Baltimore Technologies with it.
"When the law is 'designed', its potential impact on innovation should be addressed at the same time," advised Room.