The Article 29 (A29) Working Party has recently published their opinion paper on the rise of facial recognition technology and the concerns that this brings for the protection of personal data online. This note looks at the issues of online privacy and the concerns for data privacy as facial recognition software becomes more widely available.
The A29 Working Party is the European body which comprises leading representatives from each data protection supervisory authority in the EU (in the UK, this is the Information Commissioner’s Office); its opinions are therefore particularly influential, if not binding.
Last year Pitmans published a briefing explaining the issues of privacy at the time Facebook changed their ‘tagging’ service for photographs to incorporate facial recognition technology. For further information, click here.
Since then, the availability and application of the technology has grown exponentially; as its accuracy and deployment expand, this technology could be used for the most routine events in everyday life – but also by advertising companies, collecting market information based on attendance monitoring and profiling to tailor targeted advertising messages.
The A29 Working Party has identified facial recognition technology as being used for authentication or verification for devices or online services. However, the application of this technology may be naturally extended from the online to the offline world. From a defence and security perspective, retinal scans and other biometric data access are already in use at a number of airports and conditional access facilities; in addition, full facial recognition systems are reportedly already used by security agencies to identify known criminals at sporting and live events by using the technology to identify particular faces amongst the crowd (e.g. known hooligans at a football match or members of the public at the London Olympics).
Similarly, access to live events, venues and concerts has become more sophisticated than merely paper tickets – organisers continue to explore ways in which they may combat the growing grey market in second hand ticket sales which diverts income, and brand value, away from events and the artists. Methods include tickets containing photographs, bar codes or employing near field communication (NFC) technology. Fully automated facial recognition technology is a natural technological progression for those industries where secure access is an essential requirement.
But such applications raise data privacy concerns and consequently companies controlling or processing the data may be in breach of data privacy laws, unless such measures and new technologies are balanced against an individual’s right to privacy. While the A29 Working Party’s opinion on facial recognition focuses on online and mobile, the principles apply equally to anyone collecting and using data for facial recognition services.
The A29 Working Party considers that where a digital image contains an individual’s face which is clearly visible and allows identification of the individual, such an image would be considered personal data. Therefore, where a reference template is created from an individual’s image, this template will also be personal data if it contains a set of distinctive features of an individual’s face which can be linked to the specific individual and stored for later use. The only instance where a template is likely not to be considered personal data would be where it was not associated with an individual’s record, profile or original image – but clearly this would limit the application of the technology. Importantly, the template and corresponding profile (or personal details) of the data subject in question do not need to be held by the same entity – it may still constitute personal data where a data controller has the means to access the corresponding information needed to identify that individual (even where held by a third party supplier).
Directive 95/46/EC sets out the conditions with which the processing of personal data must comply. Article 6 states that images and templates must be relevant, and not excessive, for the purposes of facial recognition processing. As the images constitute biometric data, the processing of the personal data may only be performed if the informed consent of the individual is obtained prior to commencing processing or if another exception is satisfied under the Directive (e.g. for legitimate purposes pursued by the data controller – such as security for the venue in the light of perceived terrorist threats – provided it does not prejudice the rights of the individual concerned). The A29 Working Party notes that some elements of processing may be necessary before consent is obtained, i.e. to verify existing records, but this should only be for that strictly limited purpose, and the information deleted immediately afterwards.
The digital images or templates stored must be used only for the specified purpose for which they have been provided – and for which consent has been sought or where another relevant exemption applies (as, for instance, in the case of the legitimate use exemption described above). The greater the sensitivity of the personal data concerned, the more likely it is that explicit consent will be required.
The A29 Working Party considers that technical controls should be implemented to ensure that third parties do not gain access to the data and use it in an unauthorised manner. As trials of cashless technology grow for events, it may be that this technology is used by individuals to purchase items using credit stored against their profile, for instance drinks or merchandise. Controllers should be aware of the parameters of consent and that data stored against a user’s profile, including data used for, or available from, facial recognition data, can be valuable information for advertising or marketing agencies profiling consumers.
Similarly, controllers and processors will need to guard against security breaches which may result in unauthorised access to the data. The A29 Working Party advises that technical measures such as encryption will need to be used for data storage and data transit. One method suggested by the A29 Working Party is for biometric encryption techniques themselves to be used, so that the cryptographic key is directly bound to the biometric data and is only re-created where the correct live biometric sample is presented on verification.
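To make the key-binding idea concrete, the following is an added illustration (not code from the A29 Working Party, Pitmans or any real product) of a toy “fuzzy commitment”: the key is never stored, only helper data (the key’s error-corrected codeword XORed with the enrolled biometric bits) and a hash of the key, so the key is only re-created when a live sample close enough to the enrolled one is presented. The bit strings, the repetition code and the tolerance threshold are all assumptions chosen for readability; a deployable scheme would use a proper feature extractor, a stronger code and a full-length key.

```python
import hashlib
import secrets

# Added toy example (not the A29 opinion's or Pitmans' code): a minimal
# fuzzy-commitment scheme binding a key to a biometric bit string.
REP = 5          # repetition factor of the toy error-correcting code (assumption)
KEY_BITS = 16    # toy key length; a real deployment would use 128+ bits


def encode(key_bits):
    """Repetition code: each key bit is written REP times."""
    return [b for b in key_bits for _ in range(REP)]


def decode(codeword):
    """Majority-vote decoding; tolerates up to (REP-1)//2 flipped bits per block."""
    out = []
    for i in range(0, len(codeword), REP):
        block = codeword[i:i + REP]
        out.append(1 if sum(block) * 2 > REP else 0)
    return out


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def enrol(template_bits, key_bits):
    """Bind key to the enrolled template.

    Only the XOR helper data and a hash of the key are stored; neither the
    raw template nor the key itself is kept, which is the point of the scheme.
    """
    codeword = encode(key_bits)
    if len(codeword) != len(template_bits):
        raise ValueError("template length must equal KEY_BITS * REP")
    helper = xor(codeword, template_bits)
    tag = hashlib.sha256(bits_to_bytes(key_bits)).hexdigest()
    return {"helper": helper, "tag": tag}


def verify(record, live_bits):
    """Re-create the key from a live sample; returns the key bits or None.

    XORing the helper data with a live sample yields the codeword plus the
    bit differences between live and enrolled samples; decoding removes small
    differences, and the stored hash rejects any wrongly recovered key.
    """
    noisy_codeword = xor(record["helper"], live_bits)
    candidate = decode(noisy_codeword)
    if hashlib.sha256(bits_to_bytes(candidate)).hexdigest() == record["tag"]:
        return candidate
    return None


def random_bits(n):
    return [secrets.randbelow(2) for _ in range(n)]


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (simulated noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    # Constructed demo data: a random "template" and key, then a noisy re-sample.
    template = random_bits(KEY_BITS * REP)
    key = random_bits(KEY_BITS)
    record = enrol(template, key)
    noisy_sample = flip(template, range(0, KEY_BITS * REP, REP))  # one flip per block
    print("genuine (noisy) sample recovers key:", verify(record, noisy_sample) == key)
    print("impostor sample recovers key:", verify(record, random_bits(KEY_BITS * REP)) is not None)
```

The security-relevant property to check in any such design is that the stored record leaks as little as possible about the template: here the helper data is codeword XOR template, so an attacker holding the record alone still has to guess the biometric bits or the key.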
To reduce such concerns the Working Party recommends minimising the data so that the images or templates stored do not contain more data than necessary to perform the specified purpose. Similarly, templates should not be transferable between facial recognition systems. Organisations developing or deploying such technology should also carry out Privacy Impact Assessments (PIA) and follow development methodologies based on Privacy by Design (PbD).
The everyday use of facial recognition software in society to improve security checks for employees, visitors or customers may soon become commonplace, even with the simplest of access control systems.
Data controllers and data processors should be aware of the law in this area as the technology becomes more prevalent. But consequently it appears the law may also need to keep abreast of various ways in which the software can be exploited to monitor and profile individuals using a range of services and ensure adequate protection for data subjects as the technology advances.
For further information please contact Philip James or a member of Pitmans’ Data Privacy & Information Law team.
Philip James
Partner, Digital Media, Technology and Data
T: 0207 634 4655
E: pjames@pitmans.com
The private sector “has a crucial role to play” in the UK government’s new cyber security strategy
November 30th, 2011
On 25 November, the government published its cyber security plan setting out in greater detail how it intends to work with the private sector in countering cyber risk. What is becomingly increasingly clear is that responding to this risk is something that is best tackled by a public-private partnership. Given the austere economic climate, this approach may present both public and private concerns alike with new opportunities.
The Minister for the Cabinet Office and Paymaster General, Francis Maude, explained in a written statement that the purpose of “…this strategy [is to] outline how we will cement a real and meaningful partnership between the Government and private sector in the fight against cyber attacks”. He also emphasises that the private sector “has a crucial role to play” in carrying out the government’s plans since it “owns, maintains and creates most of the very spaces [the government] are seeking to defend”.
The plans include a new national cyber security ‘hub’ that will allow the Government and the private sector to exchange information on threats and responses. A pilot will commence in December and will involve five business sectors: defence, finance, telecommunications, pharmaceuticals, and energy.
Other highlights of the government’s anti-cyber crime strategy include:
• Creation of a new national cyber crime capability as part of the new National Crime Agency by 2013, and enhancing the work of the Metropolitan Police’s eCrime Unit by expanding the deployment of ‘cyber-specials’;
• By the end of 2011, building a single reporting system for citizens and small businesses to report cyber crime so that action can be taken and law enforcement agencies can establish the extent of cyber crime (including how it affects individuals and the economy);
• Promoting greater levels of international cooperation and shared understanding on cyber crime as part of the process begun by the London Conference on Cyberspace, in addition to promoting the Council of Europe’s Convention on Cybercrime (the Budapest Convention) and building on the new EU Directive on attacks on information systems, as well as contributing to the review of security provisions of the EU Data Protection Directive and the proposed EU Strategy on Information Security;
• Working with domestic, European, global and commercial standards organisations to stimulate the development of industry-led standards and guidance that help customers to navigate the market and differentiate good cyber security products;
• Creating and building a dedicated and integrated civilian and military capability within the MoD, mainstreaming cyber within the organisation and setting up a Defence Cyber Operations Group (DCOG). An interim DCOG will be in place by April 2012 and will achieve full operational capability by April 2014;
• Undertaking a review of policy and regulation of the UK communication sector, with a view to publishing a Green Paper early in 2012 followed by a White Paper and a draft Bill by 2013;
• Supporting net neutrality and the open internet by working with the Broadband Stakeholder Group to develop industry-wide principles on traffic management and non-discrimination and reviewing its transparency code of practice in early 2012;
• Establishing a certification scheme for certifying the competence of information assurance and cyber security professionals by March 2012, and a scheme for certifying specialist training in 2012. Continuing to support the Cyber Security Challenge as a way of bringing new talent into the profession; and
• Identifying Centres of Excellence in cyber research to locate existing strengths and providing focused investment to address gaps, with the first focused investment occurring by March 2012.
It seems this strategy will require responses at a national level as well as greater international collaboration, not to mention the orchestration of resources within and outside the traditional defence communities. This raises its own challenges, but if ever there was a common cause, this is it. Or is it? Some nations may prefer to allow cyber strikes to be launched from their shores in the hope of receiving the benefit of any stolen assets. Watch this space. There may also be opportunities for employers to engage cyber poachers turned gamekeepers to assist defence and IT security. The level of support that government can lend to such employment opportunities will undoubtedly determine its success.
This is one of a series of articles on cyber security. To read the last article in this series, on protecting your business from cyber security threats, please click here. Pitmans will be hosting an evening seminar on Cyber Asset Protection on 1 February 2011 in London. For further discussion of these and other issues, please join us. Click here for more information on this seminar, or if you would like to register your interest now, please email poppy@pitmans.com.
Carolyn Butler
Solicitor
T: +44 (0)118 957 0234
E: cbutler@pitmans.com
Philip James
Partner
T: +44 (0)207 634 4655
E: pjames@pitmans.com
Hope for the Best. Prepare for the Worst. How your business can mitigate the costs of cyber security threats
November 1st, 2011
Cyber attacks targeted at the UK are once again in the news. The director of the government’s communications intelligence agency, GCHQ, Iain Lobban, reported in The Times (31 October 2011) this week that the country has been subject to a “disturbing” number of cyber threats. However, Mr Lobban observes in his report that the challenges faced by cyber security are “not for the government alone”.
Since the government announced this time last year that it had allocated £650 million to cyber security and resilience as part of its Strategic Defence and Security Review, it has started to endorse a collaborative approach between the public and private sectors to cyber security. Although the government is keen to demonstrate that the issue is a top priority, it has acknowledged that it can’t manage the challenges posed by cyber threats single-handed – not least because the majority of providers of Critical National Infrastructure (CNI), such as energy, water, finance, transport and telecommunications, are in the private sector. The foreign secretary William Hague will host a two-day conference on cyber security in London this week, to advance the dialogue with the business community in that respect.
As a consequence, the government has highlighted to the private sector what it has to lose (and in fact has already lost) in playing down the importance of cyber security. Last week, Major General Jonathan Shaw, head of the Ministry of Defence’s cyber security programme, told the Daily Telegraph (24 October 2011) that hacking by foreign governments and organisations had already cost the UK economy £27 billion and that “the biggest threat to this country by cyber is not military, it is economic”. Mr Lobban reinforced this view in his report, stating that the theft of British ideas and designs in the IT, technology, defence, engineering and energy sectors “doesn’t just cost the companies concerned; it represents an attack on the UK’s continuing economic wellbeing”. In other words, there seems to be an overwhelming opportunity for continued public private partnerships in this sector, as well as reciprocal arrangements between the defence and non-defence sectors to counter this threat.
So what can businesses do to safeguard their economic interests? Chatham House, a leading independent think tank on international affairs, has made a number of recommendations for businesses in its report entitled Cyber Security and the UK’s Critical National Infrastructure which it published last month. While the report is primarily aimed at corporations active in CNI sectors, it is also essential reading material for any board member. In particular, examples of good, improving and poor cyber security practice are explored in pages 23 to 26 of the report.
Below, we highlight and comment upon some of the key recommendations from the report and some practical suggestions for board members to enhance an organisation’s resilience to cyber threats.
1. Vulnerabilities: Senior management need to acquire (if they haven’t done so already) a good understanding of the vulnerabilities and dependencies of their business, and the implications for budgets and reputation management that they may entail. First, examine the dependencies of your business and consider, in particular, those that may be ‘hidden’ in the other businesses on which it depends (as well as any ongoing chains of supply). Identify both existing and emerging risks.
2. Risk Assessment and Response: Once you have a better understanding of your business’ and its suppliers’ vulnerabilities, look at the processes and mechanisms that are already in place to assess the risks posed by cyber attacks and to respond to such attacks if and when they occur, and consider how they work in practice. If there is a disparity between policy and practice, one or the other must change. If appropriate, consider engaging a penetration (PEN) or vulnerability testing consultant to stress-test and evaluate your IT security measures. Such a consultant can also propose a number of options to repair any gaps or improve security in line with your requirements. Assess the adequacy of the response measures and contingency plans you have in place to cope when any element of the chain of dependency fails.
3. Investment: Cyber security is often under-funded despite the economic damage that a breach may entail. In order to work well, the planning and implementation of cyber security measures must be underpinned by appropriate resource allocation, in terms of both human resources and financial investment. In the current economic climate, this remains one of the key challenges. However, carefully allocated resources can result in significant improvements to security which can materially reduce the business impact and remedial costs should an incident occur.
4. Know-how: The training and development of all staff that may encounter cyber threats must be viewed as an integral part of your organisation’s risk management strategies. Is everyone aware of the risk assessment mechanisms and security procedures? Your organisation will therefore need to decide whether to adopt best practice depending upon the viability and sensitivity of your systems and the information contained within. Mechanisms that allow for the reporting, and onward dissemination, of know-how gained from experience (in particular “lessons learned” from cyber security incidents) are also essential.
5. Board-level Buy-in: Cyber security can no longer be delegated to the IT team to deal with on its own. According to the Chatham House report, “the potential for damage, both economic and reputational, from complacency over matters of cyber dependency and vulnerability is too high to be ignored” and deserves the regular attention of senior management. Ensure it regularly appears on your agenda.
6. Communication: The Chatham House report suggests that the issues connected with communicating technical ideas to non-technical people are intimately linked to the issue of board-level buy-in, since in its research it often found that “an organisation’s cyber security policy is not delegated (in a constructive managerial way) but is deliberately pushed below the boardroom level in order to remove a complex and baffling problem from sight”. Chatham House wants to see more chief information security officers from non-technical backgrounds appointed, and advises that “IT security departments [need] to develop a deeper understanding of how value is created in the organisations they endeavour to protect” to meet the business’s needs. However, communication flows both ways, and it is equally important for the board to grasp the nettle of cyber security with both hands to develop a coherent, strategic response.
In addition to these recommendations, organisations should also consider the following:
Insurance
Review your insurance policies to ensure you are adequately protected against risks that cannot be mitigated. If you discover any uninsured risks that need to be covered, discuss with your insurer what they can do for you. Given the diversity of risks faced by different businesses, corporations are increasingly finding that a ‘one-size-fits-all’ approach to IT-related policies, such as network security insurance and business continuity insurance, is impractical at best and, at worst, leaves them perilously exposed. Many insurers now offer a flexible, or even bespoke, range of policies to meet this emerging need.
Reputation Management
As part of your contingency and disaster recovery planning, consider whether and in what circumstances you would need to engage an agency experienced in ICT reputation management in order to minimise any long-term damage to your business and/or its brand. If this could be necessary, investigate the available options now, and ensure a protocol is in place so that assistance is sought where appropriate. Some insurers also offer policies to cover the costs of retaining public relations assistance in the event of a crisis.
Pitmans will be hosting an evening seminar on Cyber Asset Protection on 1 February 2011 in London. For further discussion of these and other issues, please join us. Click here for more information on this seminar, or if you would like to register your interest now, please email poppy@pitmans.com.
Carolyn Butler, Solicitor
T: +44 (0)118 957 0234
E: cbutler@pitmans.com
Philip James, Partner
T: +44 (0)207 634 4655
E: pjames@pitmans.com
Jonathan Durrant, Director
T: +44 (0)118 957 0270
E: jdurrant@pitmans.com
For more information, please see:
Pitmans’ Defence and Security legal services
Pitmans’ Data Privacy & Information Law legal services
Pitmans Privacy Update
August 17th, 2011
Retailers Take Note: Data Privacy Trends and Actions for the coming year: Highlights of the Information Commissioner’s Annual Report 2010/11
If the idea of digesting the Information Commissioner’s 86-page long annual report in full doesn’t really appeal to you, then why not let us do the hard work? Below, we highlight not only the key changes to the policy and enforcement objectives of the Information Commissioner’s Office (“ICO”) over the past year, and the likely indications from the report of the developments to come, but also our suggested actions and comment to help you avoid falling foul of data privacy compliance, risking damage to your reputation and incurring unnecessary cost and resource further down the line.
New powers
The ICO’s enforcement arsenal was enhanced significantly in April 2010 when it was granted the power to fine organisations up to £500,000 for serious breaches of the Data Protection Act. Four monetary penalties have been issued since then, as well as five prosecutions brought in the last year. However, the ICO has been keen to stress that such tactics are a means of last resort, and seeks to resolve cases informally where there is opportunity to do so.
Pitmans Comment: it is worth noting that since May 2011 the ICO now also has the power to fine organisations up to £500,000 for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the previous power to fine only extended to serious data breaches, not breaches of the laws relating to electronic marketing and privacy).
In addition, the ICO also has a new power to audit measures taken by a public electronic communications service provider (service provider) to:
• safeguard the security of its service; and
• comply with a new personal data breach notification and recording requirement.
This second requirement is a significant development and, where a breach may adversely affect the personal data or privacy of a user, a service provider is not only obliged to notify the ICO, but also the user concerned. This has a significant cost and PR implication.
The ICO favours prevention over cure; it tends to accept undertakings (where an organisation commits to making specific improvements) as a precursor to more formal action. The number of instances where the ICO has approached organisations to offer good practice audits has increased dramatically over the past year, although take-up in the private sector has been poor. Nevertheless, the ICO issued 26 audits in 2009/10, 60% more than in 2009/10. It also released several codes of practice last year to help businesses stay on the straight and narrow, including a Code of Practice on Personal Information Online which was launched in June.
Pitmans Suggested Action: ensure you have a paper trail evidencing compliance and training. Refresh staff by periodic training and regular security reviews, and conduct vulnerability testing of publicly accessible applications. It is clear that audits are becoming more popular. Always be prepared.
Emerging enforcement trends
The hot topics
Subject access requests were the most popular topic of complaint, accounting for nearly a third (28%) of all issues reported to the ICO. Since this is the area where, statistically, data controllers tend to slip up, companies are well advised to ensure they have appropriate systems in place to deal with subject access requests within the applicable time limits. Inaccurate data (15%), inappropriate disclosure of data (12%), and automated and live marketing calls (9% each) are the cause of the next most numerous complaints. There has also been an increase of 17% in the number of freedom of information cases referred to the ICO over the past year.
The ICO has earmarked the challenges perpetuated by (or, indeed, in spite of) technological advances as a priority. The ICO is concerned that a significant amount of highly sensitive personal data is still sent by fax, despite the more secure alternatives offered by newer technology. Failures by organisations to encrypt personal data in appropriate circumstances also remain a key concern.
The new rules in relation to cookies are also firmly on the agenda. Although the lead-in period for the new rules expires in May 2012, the ICO has indicated that it will intervene in the meantime in certain circumstances: “we shall hold our enforcement powers in reserve, intervening in the first year only where it is clear that a website owner is doing little to attempt to comply”.
Pitmans Suggested Action: review what technical and operational security measures your organisation currently employs in relation to sending personal data and keeping data secure. If your staff are using mobile devices and laptops, review and implement encryption software solutions.
Companies would also be well advised, if they have not already done so, to conduct a digital marketing audit and review their data processing and collecting practices in the e-commerce environment. Please let us know if you would like assistance with such an audit.
The targeted organisations
Essentially, the ICO targets those organisations about which it receives the most complaints. The ICO affirmed that it also uses a risk-based process to identify and contact organisations that handle personal information, which takes into account a number of factors such as volume and type of data an organisation holds, complaints received by the ICO and cases where enforcement action was considered. It then uses the information from individual cases to build a picture of how seriously data controllers take the issue of handling personal data or providing information the public has a right to see.
The ICO has declared that it now expects more from data controllers when complaints are reported – as well as asking them to explain the circumstances of individual complaints, it now asks for information about how the data controller intends to put things right and how they adhere to general information rights obligations.
Pitmans Suggested Action: respond to complaints and proactively manage any inappropriate use of personal data carefully. Consider preparing a contingency response plan to any complaints, with a pre-prepared response to customers, the ICO and the press.
The targeted sectors
Over the past year, the ICO launched campaigns aimed at estate agents and private medical practitioners to remind them of their obligations to notify the ICO if they handle personal data. Accordingly, we should probably expect similar campaigns in the future directed at other industries in the private sector that routinely handle personal data, e.g. education and training providers, telecoms companies, and online retailers.
Pitmans Suggested Action: retailers, in particular, take note. The ICO issued a statement on 9 August in the light of a security breach suffered by Lush, the cosmetics retailer, making it clear that etailers must ensure they keep customers’ personal data secure. An extract of the statement is reproduced below:
Acting Head of Enforcement at the ICO, Sally Anne Poole said:
“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.
“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back. This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”
In the meantime, the ICO will be consulting on a revised Information Rights Strategy showing how it prioritises the different sectors and subjects for regulatory attention, which is definitely a development to watch out for!
The likely consequences
The ICO’s report contains a selection of salutary tales demonstrating exactly how not to deal with a data protection breach. These case studies indicate the circumstances that the ICO is likely to consider as “aggravating factors” when determining whether to issue monetary penalties. As well as the impact and severity of the breach, the ICO will consider a number of factors, such as whether:
• a risk assessment was made;
• alternative means of storing/transmitting data were considered/devised;
• other measures were employed to minimise risks (e.g. by using a ‘ring ahead’ system to increase security of fax transmissions);
• the organisation followed its own policies;
• effective remedial action was taken following the breach (such as the re-training of staff);
• the organisation’s officers and staff understand the cause and significance of the breach.
Pitmans Suggested Action: conduct Privacy Impact Assessments (PIA) and build Privacy by Design (PbD) into concept and new product design to ensure that any privacy implications of new technologies are considered at an early stage. This may reduce the likelihood of incurring substantial re-development costs at a later stage, as well as the risk of complaint, adverse PR and enforcement.
Improved efficiencies
The number of decision notices issued by the ICO increased significantly from 628 in 2009/10 to 817 in 2010/11. However, the appeal rate has remained constant at around 25%, meaning, effectively, that there has been no corresponding deterioration in the quality of decision making. The ICO has put this dramatic improvement down to the introduction of new structures and processes that have allowed it to deal more quickly with complaints.
There has also been a blitz on freedom of information complaints. Over the last 12 months, the number of complaints that have been in the ICO’s in-tray for more than a year has reduced from 117 complaints to just three.
Involvement in law making
In terms of the ICO’s contributions to UK legal policy, it has had a busy year. The ICO issued responses in December 2010 and February 2011 to the Protection of Freedoms Bill, and provided evidence to the Public Bill Committee in March 2011. Also in December last year, the ICO issued a statement welcoming proposals set out by the government to expand the scope of the Freedom of Information Act.
At present, the ICO is engaged in the review of the OECD’s Privacy Framework and modernisation of the Council of Europe’s Data Protection Convention, and, through its membership of the Article 29 Working Party, the ICO is also reviewing the EU Data Protection Directive. The ICO will also be contributing to the post-legislative scrutiny of the Freedom of Information Act by the House of Commons Justice Committee.
This year, the ICO appointed Simon Rice, who has a background in delivering databases, software tools and data analyses for a government research agency, as the ICO’s first technology policy advisor to assist with the work on policy development, investigations and complaints handling. Simon’s appointment is complemented by the creation of a Technology Adviser Panel, whose role is to assist the ICO in producing up-to-date, relevant guidance on technical innovation and up-and-coming issues.
Pitmans Suggested Action: technology providers, and organisations using new technologies to gather, analyse and mine user-profiling data, should take note. The ICO is investing more in analysing new technologies and is likely to be more technically informed in its enforcement against non-compliant data repositories and applications. Again, consider privacy at an early stage of design and development and, before licensing a new CRM system or data tool, ask the supplier to confirm what steps it has taken to comply with data privacy laws (whether at home or abroad).
For further information regarding Pitmans Intellectual Property team, please contact:
Philip James
Partner
+44 (0)207 634 4655
pjames@pitmans.com
Carolyn Butler
Solicitor
+44 (0)118 957 0234
cbutler@pitmans.com
Initiatives Against Cybercrime – Recent Developments
June 20th, 2011
The past few months have seen a number of cyber attacks in the headlines, including (and by no means limited to):
• an attack on the International Monetary Fund, in which the attackers installed software designed to give a nation state a “digital insider presence”;
• an attack on Citigroup Inc, in which hackers used a customer-facing website to bypass conventional safeguards and steal the account details of more than 200,000 customers;
• Google was targeted by hackers attempting to break into the personal Gmail accounts of hundreds of top US officials, military personnel and journalists last month;
• an attempted attack on the security networks of US military contractor Lockheed Martin;
• in April, the Sony PlayStation Network was taken offline after hackers stole the personal data of around 100 million accounts; and
• an attack in March on the e-mail systems of the European Commission, which followed the hacking in January of the EU Emissions Trading Scheme resulting in the theft of €30 million of carbon allowances from national registries.
In response to the recent spate of attacks, governments around the world have voiced proposals to enhance cyber security for their own systems as part of their national defence strategies, and to introduce legislation to protect the systems of others.
Direct government action
As part of its strategic defence and security review, the UK government has set aside a fund of £650 million to improve cyber security. Part of this fund is being used by the Ministry of Defence to recruit cyber experts to reduce the UK’s vulnerability to cyber attacks and espionage, as well as to bolster the UK’s critical infrastructure and vital government networks.
In addition, the UK military is developing a toolbox of “cyberweapons” to be used offensively in response to cyber attacks or threats, although the nature of the weapons under development cannot be disclosed at present.
The European Commission is also currently setting up a Computer Emergency Response Team (CERT) of IT security experts to review the Commission’s systems and assess how a full-scale CERT should be set up for European Union institutions.
Legislation in the pipeline
Last September, the European Commission put forward a proposal for a Directive on Attacks against Information Systems. The draft legislation (i) lists crimes such as illegal access to, or unauthorised interference with, IT systems, the theft or deletion of data and the interception of non-public data transfers and (ii) introduces longer criminal sanctions for transgressors. The UK took the decision to opt into the directive in February this year.
This month, the UK also ratified the Budapest Convention on Cybercrime, which it signed in 2001. The international treaty seeks to harmonise national laws, improve investigative techniques and increase cooperation among signatory countries on issues such as hacking, online fraud and infringement of intellectual property rights, and will come into force in the UK on 1 September 2011.
Responses worldwide
In the US, meanwhile, the Pentagon is expected to release the unclassified sections of its first formal cyber strategy next month. As widely reported in the press, the Pentagon has taken the view that a cyber attack originating from another country could constitute a use of force equivalent to an act of war, permitting the US to respond with military force. The strategy’s object, therefore, at least in part, is to act as a warning to potential saboteurs.
Similarly, the Australian government announced last week that it will begin work on a major new whitepaper to provide clarity on cyber security issues, which is expected in the first half of 2012.
Opportunities for the cyber security sector
What is increasingly evident is that there are numerous opportunities for technology companies to cater to the mounting need for cyber security, and for individuals to do well in this burgeoning industry.
To encourage more people to consider entering the cyber security profession, the Cyber Security Challenge 2011, a competition sponsored by the Cabinet Office, The Open University and numerous industry leaders, was launched last month. Prizes include bursaries to undertake university courses, internships and access to professional expertise in the cyber security sector.
Legal advisors to the defence industry need to get to grips with the cross-departmental nature of the challenge, as well as the variety of tactics used by cyber-criminals.
If you would like further information on the above article, please contact Carolyn Butler or Rustam Roy.
Cyberspace – Industry and the Cyber Armoury
March 14th, 2011
In this, the second in Pitmans’ Defence & Security industry briefing papers following on from A Call to Economic Arms by Jonathan Durrant, we examine the issues posed by the emergence of Cyberspace as an increasing risk to national security, business activity and personal property. The largely positive transformation in the delivery of public services, commercial activity and personal communications enabled by the internet has however been mirrored by the emergence of cyber attacks on nation states’ critical national services and infrastructure, attacks on business to defraud and steal intellectual property and criminal activity targeted at individual users. The threat to cyberspace is now acknowledged by Government as one of the UK’s top four risks identified within the National Security Strategy. What action is the UK Government taking? How can industry assist Government to protect our public services and critical infrastructure? What effective measures can business take to safeguard itself and its employees against the threats?
Introduction
There has been much exposure given to the cyberspace domain recently in the news and press. It attracts extensive attention from the Government, at all levels. The Foreign Secretary, William Hague, in his recent speech to the Munich Security Conference noted both the geo-political threats from cyberspace as a ‘new means of repression, enabling undemocratic governments to violate the human rights of their citizens’ as well as the staggering threat to businesses and individuals from cyber crime - ‘over 40,000 pieces of sensitive information and financial data are traded on the online black market every day, amounting to 13.2 million criminal transactions every year’.
Many commentators consider that references to ‘cyberwarfare’, apocalyptic scenarios of the shutdown of national infrastructures and conflicts fought purely in cyberspace are unrealistic hyperbole. Even so, cyberspace is unavoidably relevant to the private sector and the way businesses manage risk.
Read the complete report: Cyberspace – Industry and the Cyber Armoury
Members of Pitmans’ Defence and Security sector team take an active role in understanding the strategic drivers and engaging with the defence and security environment in order to provide informed legal advice to those operating in this domain. As well as advising in the areas outlined above, Pitmans’ legal advice extends to a full range of services, including Information Technology, Intellectual Property, Corporate services, Employment Law and Dispute Resolution.
Jonathan Durrant
Director
+44 (0)118 957 0270
jdurrant@pitmans.com
A Guide to the Bribery Act 2010
February 11th, 2011
Introduction
The new Bribery Act, passed by parliament in 2010, was due to be implemented in April 2011. However, at the end of January, a government spokesman said that the act would not come into force until three months after guidance to the act had been made available, which will be published “in due course”.
The Act is intended as a wholesale reform of the old bribery laws, which were a complicated and confusing combination of statutory and common law offences accumulated over more than 100 years’ development of the law in this area. The need for reform was widely acknowledged; however, the final result may have alarming consequences for corporate entities operating in the UK, as many law-abiding businesses could inadvertently break the new law if they are not careful.
Offences Under the Act
The Act re-classifies the basic bribery offences of bribing another person and receiving a bribe, and introduces two new offences. The first is bribery of a foreign public official. The second is a corporate offence of failing to prevent bribery within the organisation. The only defence to the corporate offence is that the corporate entity had in place “adequate procedures” designed to prevent corruption. This offence applies to any corporate entity that carries on its business, or even part of its business, within the UK.
The penalties can be extremely severe. Individuals could face a maximum penalty of ten years imprisonment and/or an unlimited fine if found guilty. Corporate entities may face an unlimited fine in respect of an offence under the Act.
Facilitation Payments and Corporate Hospitality
A facilitation payment is usually a payment to a government official to speed up a routine bureaucratic action. These are illegal under the Act. However the decision to prosecute will be at the prosecutor’s discretion and he/she will consider various factors including whether it is in the public interest to prosecute.
Most concerning however is that prosecutorial discretion will also have to be relied on in respect of corporate hospitality, which may fall foul of the Act. It has at present been stated that “routine and inexpensive hospitality” will be permitted however “lavish or extraordinary hospitality” will not. What remains unclear is where this distinction will be drawn. Will a box of chocolates and a bottle of wine be acceptable? Will tickets to a football match? The result is that corporate entities in the UK find themselves in the awkward position of having to guess what level of advantage provided by way of corporate hospitality is reasonable and what may result in prosecution.
Conclusion
In light of the Act, the need is now more urgent than ever for corporate entities either to commit to implementing systems to counter bribery or to review their current anti-bribery procedures, to ensure they will be effective in preventing bribery being committed on their behalf and to be able to rely on the “adequate procedures” defence in appropriate circumstances.
All corporate entities may wish to put in place staff training programmes and ensure they have written procedures that are readily available. It may additionally be worthwhile to incorporate such policies into employment contracts and allow the employer to terminate employment in the case of breach.
With such severe penalties under the Act, it has become crucial that the action taken does not merely prohibit bribery but actively seeks to prevent it where it might arise. For some businesses this will involve nothing more radical than an assessment of their existing policies; for others it could mean a complete overhaul.
If you would like further information on the Bribery Act 2010 from Pitmans please visit the Pitmans Corporate website, or contact our team direct.
Adam Dowdney
adowdney@pitmans.com
+44 (0) 118 957 0574
A Call to Economic Arms – Commercial and Legal Considerations in the Defence and Security Sector
February 3rd, 2011
In this briefing we examine the implications for business arising from the Government’s recently published Green Paper on Equipment, Support and Technology for UK Defence and Security. The Green Paper follows the publication in autumn 2010 of the Government’s National Security Strategy (NSS) and the Strategic Defence and Security Review (SDSR). The UK is now perceived to be facing “a different and more complex range of threats”, against the backdrop of constrained public finances due to the budget deficit. The Government has placed the focus on the private sector to harness technology, skills and job creation to lead the economic recovery. How should business in the Defence, Security and Technology sectors interpret these policies and respond to the opportunities created? What are the issues and risks and how can they be mitigated?
Introduction:
The UK Government is addressing the budget deficit and is relying in large part on the private sector successfully creating and sustaining jobs and being in the vanguard of the economic recovery. With the decline in public sector jobs and public spending, there is renewed emphasis on the importance of exports and of domestic private enterprise.
The Coalition appears to anticipate a response from the private sector, playing to the private sector’s strengths – a “can do” attitude coupled with agility in offering solutions. This sense of Government expectation of the private sector’s willingness to join in a mission with the state to secure financial recovery will, however, only turn into reality if (i) the Government’s objectives are sufficiently defined, (ii) there is greater transparency about the Government’s future intentions, and (iii) the Government properly recognises businesses’ need to be competitive and profitable. Only then will industry have the confidence to invest its money, time and resources in projects which further the Government’s objectives. If the Government can engender that trust, then this ‘period of austerity’ in fact presents exciting opportunities for those businesses which take up the challenge of meeting the Government’s ‘call to economic arms’.
Read the complete report: Commercial and Legal Considerations for the Defence & Security Sector
Jonathan Durrant
Director
T: +44 (0)118 957 0270
E: jdurrant@pitmans.com
W: www.pitmans.com/defence-security
UK Businesses and the Cyber Threat
November 2nd, 2010
Over recent weeks there has been a surge of press and public interest in the cyber threat to the UK. The Stuxnet worm attack on Iran initially caught the public imagination, but the focus has been sustained by Government comments highlighting this area as requiring major attention and expenditure over the coming years. The fact that this public debate has been going on alongside the Strategic Defence and Security Review, and the more general Spending Review, is no coincidence, given the competition for funds. But it is clear that this is a major area of threat to government, the national infrastructure, companies and individuals which has been neglected until recently.
There is no need to reiterate here the wide-ranging nature of the threat from cyber attack, whether originating with a lone hacker with limited intent, or at the opposite end of the scale the suggestion that some national governments have been involved in attacking parts of other nations’ IT infrastructure. It is important that in the UK we appreciate the significance of this threat and guard against it, and as individuals we obtain what protection we can against identity fraud and similar attacks via our home computers or similar networked devices. UK Government may have been a little slow to turn its full resources to the cyber threat to our infrastructure and military defences, but recent initiatives including the establishment of the Office of Cyber Security and the Cyber Security Operations Centre, and more recently the confirmation in the strategic and spending review that cyber defence will receive significant funding, show that it is now well up the agenda and being addressed. Equally, individuals may have varying levels of appreciation of their exposure via home electronics but at least this is an individual threat for the most part rather than systemic.
What is more difficult to be sure of is the extent to which UK companies are doing what they need to in this context. As well as it being a governmental and individual responsibility, protection from cyber attack is a corporate responsibility and failure to grapple with that could have significance for companies around the UK, both in terms of their legal duties and the practical significance of a major interruption in their ability to trade normally resulting from cyber attack.
We are fortunate in this country that our role in the development of information technology over the last few decades, both for corporate and consumer use, means that we have a range of companies which can provide or supplement the ICT systems required to protect the country and its national infrastructure against cyber threats. It is not those companies that are likely to be the problem here. It is companies in other sectors, financial services, utilities, transport and energy particularly that need to ensure they have focused on all aspects of the cyber attack risk. Many of them will be well prepared, but others will not have realised the extent of the risks they are exposed to.
This is unlikely to be a problem that UK Government will be able to deal with alone, and some of the largest international ICT providers are fully engaged in partnering with governments and industry in this context to develop the protective infrastructure. There will need to be various lines of defence. At a national level it is clear that there are increasing efforts to identify generic threats that are appearing in the form of malicious software, but companies from multinationals to smaller local enterprises will be involved in the process of developing the protective programmes to enable companies and individuals to safeguard their ICT. And it is for all companies in whatever sectors to ensure that they are using the most up to date protective systems.
For companies, failure to do so will mean vulnerability across a whole range of activities. If as individuals we are realising how much of our lives are conducted online, through the web or the telecoms networks, then this is even more the case for companies delivering essential goods and services to the UK and internationally. If the Iranian nuclear programme can be specifically targeted and disrupted by an attack on its control systems, then the same can happen to any UK company’s functions unless they are adequately protected.
For company boards and management, this is a matter of immediate concern. Many UK companies will have statutory duties to deliver services, and the inability to do so is likely to result in costs (over and above the simple loss of revenues) in the nature of damages or indemnity obligations which could be crippling. Force majeure provisions in contracts may in some circumstances come to their assistance but the process of arguing that through would itself be costly and potentially damaging. Turning to the financial services industry, it is immediately obvious how damaging to a major bank it would be if widespread fraud, or collapse of operations, resulted from a significant cyber attack. As well as the potentially catastrophic effect on the normal function of the bank in terms of borrowing to meet its funding needs (we have seen in recent years how much all banks rely on the inter-bank market) there is the reputational damage that would flow from even a less systemic problem.
Publicly listed companies have duties under their regulatory regime to ensure their systems are robust, and in the financial services arena specifically the FSA imposes further layers of obligation. There are also duties on all companies to their employees, in terms of providing a safe working environment in the widest sense, and to customers, in terms of data protection. All of these obligations may come into the equation in the event of a major cyber penetration which brings operations and normal functioning to a halt. The threat is that fundamental.
So, individual directors need to ensure they are taking the best advice from ICT providers about the nature of current threats and the ways to protect against them, and from their other advisers on how to ensure their internal governance structures are robust (and clearly set out) so as to manage these risks. We may find as a result that corporate life becomes less accommodating for employees in terms of free and easy access to external connectivity over time. It already has for those engaged in defence related contracting in the UK, where the MOD’s information assurance policies impact on all suppliers. The effectiveness of protective systems may improve so as to help management in this area (but so may the cost) and it is essential that the effectiveness of that protection is kept under regular review in the context of general risk management planning.
However it is achieved, companies need to be sure they are doing everything reasonably practicable to protect themselves, and by extension their ability to provide continuity of service to their customers and the public at large. Failure to do so will not only expose them to the cyber threat itself but to the potentially serious knock-on liabilities and other consequential effects, whether for the organisation as a whole, or for the individuals responsible for those failures.
Andrew Peddie
apeddie@pitmans.com
+44 (0) 118 957 0321
Defence and Security: Rule Britannia?
September 28th, 2010
apeddie@pitmans.com
+44 (0) 118 957 0321
