Disclosure of cyber risks when selling IoT products | Barnea Jaffa Lande & Co.

IoT products carry many privacy, personal data, and cyber-attack risks, and consumers should be aware of these risks before purchasing. A new draft guideline issued by the Israel Consumer Protection Authority in conjunction with the National Cybersecurity Directorate within the Prime Minister’s Office clarifies that the Authority considers the risks inherent in the features or maintenance methods of IoT products to be important. Such risks therefore require special disclosure. In this context, the Authority orders importers, traders and manufacturers of products and services in the field of the “Internet of Things” (IoT) to comply with a new information obligation concerning the cyber risks linked to the use of these products.

The release of the draft follows a slew of incidents in which these smart devices, which require an internet connection to use, were hacked. IoT devices encompass many types of products, including smart TVs, air conditioners, streamers, home security cameras, smart home systems, remote controls, speakers, and more.

Without proper security measures, these products expose their users to privacy risks, data leaks, physical damage to the product and even to the user, as well as larger-scale cyberattacks.

The draft directive

According to the draft, it will be mandatory to inform buyers about the above-mentioned risks in general, as well as about the characteristics of these risks in a specific product, before the execution of the transaction and at all stages, i.e. right from the marketing and advertising stage.

This stems from consumer protection law, which prohibits misleading consumers about any material details of a transaction and imposes specific disclosure obligations. According to the law, “any characteristic of the goods which requires a special mode of maintenance or use in order to avoid injury to the user or to another person or to property, during use or normal handling” requires specific disclosure.

The draft specifically addresses a number of IoT product security features that must be disclosed:

1. Any product or service that does not allow changing the access password, or for which the manufacturer does not plan to release security updates, will be considered a product that can be exploited by malicious hackers, and this must be explicitly disclosed to the buyer prior to the execution of the transaction.

2. Potential buyers should receive an explanation of the importance of replacing the initial product password, as well as instructions on how to change the product password.

3. Potential buyers should be aware of product security updates, whether the manufacturer plans to release these updates, and how long the manufacturer will continue to release security updates (i.e. what is the lifespan of the product in terms of cybersecurity). Potential buyers should also receive instructions on how to install security updates if they do not update automatically.

It is important to note that the draft does not define the nature of the security measures that the manufacturer must implement, only the obligation to disclose them.
In addition, the draft specifies the additional security measures that can be added to the products, depending on their nature and the degree of risk inherent in their use.
Manufacturers, importers, distributors and sellers of IoT products should prepare for regulatory changes in this regard.

The deadline for public responses to the draft is September 4, 2022.
