Risks and opportunities in smart buildings
There is an increasing awareness of the huge potential that the "internet of things" offers to building management practices, from monitoring and controlling energy consumption for ESG purposes, tracking performance in operation and lighting systems and pro-actively alerting maintenance teams about anomalies that might require repair. However, there is also a growing awareness of the digital risks that these technologies can pose to building occupiers and owners, including:
- Technology failure: it is essential that there are back-up systems to recover building functions such as heating, lighting, door opening/ closing) if the hi-tech systems crash.
- Cyber-security: attackers can use phishing emails to gain illegal access and entry into building operational systems (such as heating, ventilation and air conditioning systems); and vice versa can use those operational systems as entry points into data centres and corporate IT networks.
- Data protection: building owners need to be transparent about the data that they collect in their buildings.
Part 1 of the Product Security and Telecommunications Infrastructure Act 2022
As we discuss here, the new regulations, which came into force on 29 April 2024, impose obligations on various supply chain actors with the intent of making all UK consumer connectable products (which includes most "smart building" devices) more secure in the face of cyber threats. The measures include requirements to prevent the use of vulnerable default passwords, an obligation to provide the means to report vulnerabilities, and ensuring transparency around security updates. Whilst certain obligations appear relatively straightforward, other features of the regime are striking and quite onerous - including adopting the position that all existing stock held in the supply chain had to be compliant as of 29 April 2024 (unlike other product regimes, there is no ability to 'sell through' such stock) and providing for penalties of up to 4% of worldwide qualifying revenue.
Parties involved in the supply chain (including manufacturers, importers and distributors) of any products which are or could be sold to consumers in the UK and which involve an element of internet connectivity or other network connectivity must consider the application of the regime and ensure that they are compliant.
For those who develop, occupy, manage or own buildings with any embedded 'connectable' devices, consideration should be given to the impact of the new regulations – which can apply to products in business premises as well as dwellings, where the product is something which is also available on the wider market to consumers. While the regulations broadly exclude those individual products that have already been supplied prior to 29 April 2024 (e.g. a device that has already been installed), reconditioned goods may be caught and other identical products that have yet to be installed or purchased may also be caught. It is therefore well worth confirming with your suppliers that they are taking steps to comply with the regulations. There may also be some cost implications, as manufacturers seek to recoup some of the costs associated with complying with the new regime, noting that many of the technical requirements have been embedded within well-known industry standards for several years – so it is hoped that these will not be material. It should also be noted that the regime imposes obligations on distributors – who are defined to be any person making products available to consumers. It is conceivable that this could include, for example, developers of buildings to be used by consumers. That said, there are a number of carve-outs that apply to construction and the sale of land which will often mean they will be exempt.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.