Informing on Cyber Risks during Sale of IoT Products
IoT products are fraught with risks when it comes to privacy, personal data, and cyberattacks, and consumers must be informed of these risks before purchasing.
A new draft directive published by the Israeli Consumer Protection Authority in collaboration with the National Cyber Directorate within the Prime Minister’s Office clarifies that the Authority considers the risks inherent in the features of IoT products, or in the way they must be maintained, to be material. Such risks therefore require special disclosure. In light of this, the Authority is ordering importers, merchants, and manufacturers of products and services in the field of “the Internet of Things” (IoT) to comply with a new disclosure obligation regarding the cyber risks involved in the use of these products.
Publication of the draft follows numerous hacking incidents involving such smart devices, which are exposed because their use requires an internet connection. IoT devices encompass many types of products, including smart TVs, air conditioners, streamers, home security cameras, smart home systems, remote controls, speakers, and more.
In the absence of appropriate security measures, these products expose their users to privacy risks, data leaks, physical damage to the product and even to the user, and even wider-scale cyberattacks.
The Draft Directive
According to the draft, it will be mandatory to inform purchasers about the aforesaid risks in general, as well as about the characteristics of these risks in a specific product, before the transaction is executed and at every stage leading up to it, i.e., already at the marketing and advertising stage.
This derives from the Consumer Protection Law, which prohibits misleading consumers about any material detail of a transaction and imposes specific disclosure obligations. Pursuant to the law, “any feature of the commodity that necessitates a special manner of maintenance or use in order to avoid injury to the user or to another person or to property, during ordinary use or handling” requires specific disclosure.
The draft specifically addresses a number of security characteristics of IoT products that require disclosure:
1. Any product or service that does not allow the access password to be changed, or for which the manufacturer does not plan to publish security updates, will be considered a product that may be exploited by malicious actors, and this must be explicitly disclosed to the purchaser before the transaction is executed.
2. Potential purchasers must receive an explanation of the importance of replacing a product’s initial (default) password, as well as instructions on how to change the product’s password.
3. Potential purchasers must be told about the product’s security updates: whether the manufacturer plans to release such updates and for how long the manufacturer will continue issuing them (i.e., the product’s lifespan in terms of cybersecurity). Potential purchasers must also receive instructions on how to install security updates if they are not installed automatically.
It is important to note that the draft does not define which security measures a manufacturer must implement; it imposes only an obligation to disclose them.
In addition, the draft lists additional security measures that can be added to products, depending on the nature of the product and the degree of risk inherent in its use.
Manufacturers, importers, marketers and sellers of IoT products should prepare for regulatory amendments in this regard.
The deadline for public responses to the draft is September 4, 2022.
***
Barnea Jaffa Lande’s Regulation Department is at your service if you have any specific questions about the upcoming directive, or any general queries about cybersecurity, privacy, and information security regulations.