Consumer Reports to rate cybersecurity in product reviews

Consumer Reports®, the world’s largest non-profit consumer group, announced last week that it will start factoring in cybersecurity and privacy safeguards when reviewing products.

The group, which conducts reviews of everything from cars to kitchen appliances and electronics, has joined forces with a number of security and consumer rights groups, as well as the infamous white hat hacker Peter Zatko.

Product reviews are proven to influence customers’ choices, so this could have a big effect on the way companies design and market the security of their products. An American Lifestyles survey found that 69% of Americans seek advice and opinions on goods and services before making a purchase.

Protecting personal data

Consumer Reports has produced a draft standard to measure products’ cybersecurity. It includes requirements for reviewing whether software is built using best security practices, studying how much information is collected about a consumer, and checking whether companies delete all user data when an account is terminated.

Craig Newmark, the founder of Craigslist and board member at Consumer Reports, told Reuters: “Personal cybersecurity and privacy is a big deal for everyone. This is urgently needed.”

Newmark’s comments follow a series of high-profile breaches in which personal data or privacy has been compromised. The latest headline hit less than a day after Consumer Reports’ press statement, with WikiLeaks reporting that Samsung smart TVs had been hacked by the CIA.

Changes to the law

An assessment model will be a “great incentive” to make sure manufacturers take appropriate measures to ensure their products are secure, Ryan Lester, director of IoT strategy at Xively by LogMeIn, said in response to the announcement.

Manufacturers have often focused on product functionality at the expense of cybersecurity measures. With Consumer Reports now set to rank security, and the EU General Data Protection Regulation (GDPR) to be enforced from 25 May 2018, there could be a shift in emphasis.

Any company that processes or shares EU residents’ personal data must comply with the GDPR. Organizations that fail to do so could face a fine of up to 4% of their annual global turnover or €20 million (US$21.3 million), whichever is greater.

Organizations looking to meet the GDPR’s conditions for international data transfers are encouraged to take advantage of IT Governance’s distance learning.

The Certified EU General Data Protection Regulation (GDPR) Foundation Distance Learning Training Course and Exam lets you learn in your own time and at your own pace, while enjoying considerable savings over classroom and Live Online sessions. This course will provide you with a practical understanding of the implications and legal requirements for organizations of any size.