What is the PSTI?

It is new UK legislation, the Product Security and Telecommunications Infrastructure Act 2022 (the "PSTI Act"), whose product security provisions regulate the cyber security of consumer connectable products such as IoT devices and home network equipment. It applies together with The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 ("The Regulations"), which set out the detailed security requirements.

When does the PSTI enter into force?

29 April 2024, when the product security regime (Part 1 of the PSTI Act) and The Regulations came into force.

What products does the PSTI apply to?

The PSTI applies to all "internet-connectable products" and "network-connectable products" (together "relevant connectable products") made available to consumers in the UK, unless excepted under Schedule 3 of The Regulations (which excepts, for example, certain computers, smart meter products, medical devices and electric vehicle charge points that are regulated elsewhere). The definition of relevant connectable products (in section 5 of the PSTI Act, with the connectability definitions in section 4) is broad and complex. It is safer to assume that M2M and IoT products, including connected vehicles and smart TVs, as well as home Wi-Fi routers, may fall within scope until a specific exception is confirmed.

What are the PSTI requirements?

The PSTI Act requires manufacturers of relevant connectable products made available to consumers in the UK (with related duties on importers and distributors) to meet the following security requirements, set out in Schedule 1 of The Regulations:

  • Easy-to-guess default passwords preloaded on devices are banned. Passwords must be unique to each product or set by the user, and a unique pre-set password must not be based on incremental counters, on publicly available information, or on unique product identifiers such as serial numbers (unless transformed through encryption or keyed hashing), nor otherwise be easily guessable.
  • Customers must be told, at the point of purchase and in a clear and accessible way, the minimum period (the "defined support period") for which the product will receive security updates. If the product will not receive security updates, that must also be disclosed.
  • Security researchers and others must be given a published point of contact for reporting security issues, together with the timescales within which the manufacturer will acknowledge a report and provide status updates until the issue is resolved.
  • Devices must be accompanied by a statement of compliance.

What are the sanctions for non-compliance with the PSTI?

Manufacturers found in breach of this new legislation face fines of up to £10m or 4% of their qualifying worldwide revenue, whichever is greater, as well as up to £20,000 a day for continuing contraventions.

Who is the watchdog?

The Office for Product Safety and Standards (OPSS) is responsible for enforcing the PSTI Act 2022 and the 2023 Regulations from 29 April 2024. OPSS is part of the Department for Business and Trade and already enforces the UK's existing product safety regulations.

What is the baseline technical standard for ensuring security by design?

ETSI EN 303 645, Cyber Security for Consumer Internet of Things: Baseline Requirements. The Regulations do not mandate the standard as a whole; instead, Schedule 2 treats conformity with specific provisions of ETSI EN 303 645 (and, for vulnerability reporting, ISO/IEC 29147) as deemed compliance with the corresponding security requirement. Manufacturers should therefore map each Schedule 1 requirement to the provision they rely on and keep evidence of conformity.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways | Privacy World

California Attorney General Announces Industry Investigative Sweep into CCPA Compliance | Privacy World

President Biden Prepares Executive Order to Prohibit Foreign Adversaries’ Access to US Data | Privacy World

New Jersey and New Hampshire Pass Consumer Privacy Laws – and 11 Other States Are Considering Similar Laws | Privacy World

2023 Cybersecurity Year In Review | Privacy World

FTC Consumer Protection and Data Protection Insights for 2024 | Privacy World

Singapore Invites International Feedback on Model Governance Framework for Generative AI | Privacy World

The Spanish Antitrust Authority (CNMC) Follows the Spanish Data Protection Authority (AEPD) and Joins Forces with Other National and International Institutions to Protect Minors on the Internet and in Social Networks | Privacy World

AEPD’s Position Regarding Transparency (AIA vs. GDPR) | Privacy World

Adequate One Day Keeps Personal Data Transfer Problems (Forever) Away? Let’s See What the EU Doctor Just Said | Privacy World

Government access to personal data in bank accounts: a compliance challenge for banks, and a threat to EU adequacy? | Privacy World

New Jersey’s Consumer Privacy Law Signed by Governor Murphy | Privacy World

Charting the Course: Congress Progresses Towards Meaningful Action on AI | Privacy World

FBI and DOJ Issue Guidance on SEC Incident Reporting Delay Requests | Privacy World

2023 Privacy Compliance Year in Review | Privacy World

Hot on the tail of California Attorney General Rob Bonta's announcement of an investigative sweep targeting streaming services (see our blog post here), Connecticut's Office of the Attorney General ("OAG") is making headlines with its recent report covering its preliminary enforcement actions under the Connecticut Data Privacy Act ("CTDPA"). We've previously covered Colorado and California enforcement activity here.

Continue Reading Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways

Last week, California Attorney General Rob Bonta announced an investigative sweep of providers of streaming services to determine whether these businesses are complying with California Consumer Privacy Act (“CCPA”) opt-out requirements for businesses that sell or share consumer personal information.

“From watching live sporting events to blockbuster movies, families increasingly use streaming platforms for entertainment, and we must make sure that their personal information is protected. Today, we are taking a close look at how these streaming services are complying with requirements that have been in place since 2020,” said Attorney General Bonta.

Continue Reading California Attorney General Announces Industry Investigative Sweep into CCPA Compliance

Originally posted on Squire Patton Boggs' Capital Thinking blog by Dominic Braithwaite, David Stewart and Ludmilla Kasulke.

According to reports originally from Bloomberg News, President Joe Biden is preparing to issue an executive order (EO) aimed at prohibiting US adversaries from accessing US personal data. While the draft is subject to change, the draft EO reportedly targets “highly sensitive” data, including genetic and location information, and would bar foreign adversaries from obtaining this data through legal means such as intermediaries, data brokers, third-party vendors, employment agreements, or investment agreements. Further, the EO would reportedly require that entities owned, controlled, or operated by countries of concern turn over data to the US government when requested. Significantly, the draft EO would restrict US entities and individuals from conducting data transactions that would provide adversarial countries with government-related or sensitive personal data, in addition to data that could jeopardize US national security. 

Continue Reading President Biden Prepares Executive Order to Prohibit Foreign Adversaries’ Access to US Data

The first month of 2024 brought two new state privacy laws. On January 18, the New Hampshire legislature passed the 15th US state consumer privacy law (notably, still subject to some procedural requirements and signature by Governor Chris Sununu before it is officially law). The New Hampshire law was passed a few days after New Jersey’s new consumer privacy law (Approved P.L.2023, c.266) was signed into law on January 16. 

Both new state consumer privacy laws follow the now-familiar format, offering consumer privacy rights and requiring role-based data processing agreements, but with a few notable differences. A more detailed comparison follows.

Continue Reading New Jersey and New Hampshire Pass Consumer Privacy Laws – and 11 Other States Are Considering Similar Laws

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

2023 Cybersecurity Year In Review | Privacy World

FTC Consumer Protection and Data Protection Insights for 2024 | Privacy World

Singapore Invites International Feedback on Model Governance Framework for Generative AI | Privacy World

The Spanish Antitrust Authority (CNMC) Follows the Spanish Data Protection Authority (AEPD) and Joins Forces with Other National and International Institutions to Protect Minors on the Internet and in Social Networks | Privacy World

AEPD’s Position Regarding Transparency (AIA vs. GDPR) | Privacy World

Adequate One Day Keeps Personal Data Transfer Problems (Forever) Away? Let’s See What the EU Doctor Just Said | Privacy World

Government access to personal data in bank accounts: a compliance challenge for banks, and a threat to EU adequacy? | Privacy World

New Jersey’s Consumer Privacy Law Signed by Governor Murphy | Privacy World

Charting the Course: Congress Progresses Towards Meaningful Action on AI | Privacy World

FBI and DOJ Issue Guidance on SEC Incident Reporting Delay Requests | Privacy World

2023 Privacy Compliance Year in Review | Privacy World

New Jersey Legislature Passes Consumer Privacy Bill | Privacy World

2023 was another busy year in the realm of data event and cybersecurity litigation, with several noteworthy developments in disputes and regulator activity. Privacy World has been tracking these developments throughout the year. Read on for key trends and what to expect going into 2024.

Growth in Data Events Leads to Accompanying Increase in Claims

The number of reportable data events in the U.S. in 2023 reached an all-time high, surpassing the prior record set in 2021.  At bottom, threat actors continued to target entities across industries, with litigation frequently following disclosure of data events.  On the dispute front, 2023 saw several notable cybersecurity consumer class actions concerning the alleged unauthorized disclosure of sensitive personal information, including healthcare, genetic, and banking information.  Large putative class actions in these areas included, among others, lawsuits against the hospital system HCA Healthcare (estimated 11 million individuals involved in the underlying data event), DNA testing provider 23andMe (estimated 6.9 million individuals involved in the underlying data event), and mortgage business Mr. Cooper (estimated 14.6 million individuals involved in the underlying data event). 

Continue Reading 2023 Cybersecurity Year In Review

On January 18, during a luncheon fireside chat at the California Lawyers Association’s UCL Institute event in Los Angeles, Federal Trade Commission (“FTC”) Bureau of Consumer Protection Director Samuel Levine shared his insights on what data practices are of concern to him and to the FTC.  Companies should take heed of his comments, the highlights of which include:

For FTC watchers, none of this should come as any surprise. While the upcoming election could usher in an FTC with very different perspectives and priorities, it is a sure bet that the current FTC will look to advance its agenda this year. For more information contact the authors or your usual firm contact.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

On 16 January 2024, Singapore published a consultation paper[1] to elicit feedback from the public, and internationally, on a proposed Model AI Governance Framework for Generative AI.

The paper addresses nine “dimensions” pertaining to generative AI, namely:

  • Accountability

This involves laying down responsibilities, including to end users, from across all stacks within the AI development chain.

  • Data

As a core element to AI model development, issues pertaining to the quality of data, including copyright infringement and privacy, are relevant and important.

  • Trusted Development and Deployment

From model development to application deployment, standards should be put in place for safe and trustworthy development, evaluation and “food label”-type transparency and disclosure.

  • Incident Reporting

Establishing regulatory notification practices can help facilitate timely remediation of any incidents.

  • Testing and Assurance

Third-party testing and assurance can serve to develop common and consistent standards around AI, and ultimately demonstrate trust with end users.

  • Security

Existing frameworks for information security need to be adapted, and new testing tools developed, to address risks posed by generative AI.

  • Content Provenance

Transparency about where and how content is generated is necessary, to avoid misinformation and fraud. Use of technical solutions like digital watermarking and cryptographic provenance must be considered in the right context.

  • Safety and Alignment Research & Development (R&D)

Accelerated R&D investment is required to improve model alignment with human intention and values. Singapore hopes to achieve this alongside global cooperation among AI safety R&D institutes.

  • AI for Public Good

Democratising AI access, improving public sector adoption, and upskilling workers and developing systems sustainably, will steer AI towards outcomes for the public good.

While earlier versions of the Model AI Governance Framework released by Singapore in 2019, and updated in 2020[2], explained certain risks associated with AI, such as bias, misuse and the lack of explainability, the surge of interest in generative AI specifically in more recent times has warranted examining other aspects of risk more closely, such as hallucination, copyright infringement, and value alignment. These concerns were flagged in a white paper titled Discussion Paper on Generative AI: Implications for Trust and Governance[3] issued in June 2023.

The consultation closes on 15 March 2024.



[1] Proposed Model AI Governance Framework for Generative AI – Fostering a Trusted Ecosystem, AI Verify Foundation

[2] Artificial Intelligence Governance Framework Model Second Edition, Personal Data Protection Commission, Singapore

[3] Generative AI: Implications for Trust and Governance, Infocomm Media Development Authority