
Former Nottingham cricketer Chris Cairns prevailed yesterday in his libel claim against Lalit Modi, former chairman of the Indian Twenty20 franchise IPL. The conduct of Modi’s case is an object lesson in how not to deal with allegations of internet libel, and the consequences of that approach have been proportionately severe.
 
The original allegation, posted on Twitter in January 2010, suggested in clear terms that Mr Cairns was involved in match-fixing, an allegation which Mr Justice Bean has now found Mr Modi to have “singularly failed” to substantiate. So, rule 1: Do not make allegations you can’t prove.
 
The importance of the allegation to an individual’s private or professional reputation will also have an impact on how the Court will view the defamatory statements. In this instance, the Judge found that the allegation was “as serious an allegation as anyone could make against a professional sportsman” and this was reflected in the damages that he awarded. Rule 2: if the allegation is going to have serious professional or personal repercussions for the person referred to, really make sure you can prove it.
 
Mr Modi, according to various reports this morning, had still not apologised for the tweet at the point at which the judgment was handed down. For internet defamation, a prompt retraction of, and apology for, a defamatory comment will often be the end of the matter, and may indeed provide a defence for the party who originally published the libel. Rule 3, therefore is: if you have published an allegation you can’t prove, retract it quickly and apologise.
 
Mr Modi, however, went rather further. At the trial Mr Modi’s barrister (presumably on his instructions) made further allegations in his closing submissions that Mr Cairns was being dishonest. According to the BBC website, the barrister used the terms “lie”, “liar” and “lies” 24 times during his closing speech. In circumstances where the judge indicated that he would in any event have awarded substantial damages of £75,000 to Mr Cairns to reflect the very serious nature of the allegations made, those damages were increased by 20% to £90,000 to reflect the conduct of the case in Mr Modi’s defence. Rule 4: if you are already in a potentially bad situation by having ignored Rules 1 to 3, don’t make it worse!
 
As is so often the case in libel disputes, however, the damages represent a fairly small percentage of the overall cost to Mr Modi of having defended this action all the way to trial. He has also been ordered to pay Mr Cairns’ legal costs, which are said to be in the region of £400,000, and once his own costs (of a likely similar amount) are taken into account, the case as a whole is likely to have cost him almost £1 million. Rule 5: if you ignore the rules, it is going to cost you.
 
Needless to say Mr Modi is looking to appeal. In the absence of a third official and an instant replay, he is likely to be in for something of a wait, and significant further costs, before the matter is finally concluded.

Will Richmond-Coggan
Director, Solicitor Advocate
T: 0118 957 0369
E: wrcoggan@pitmans.com

European Union Justice Commissioner Viviane Reding has stated that Google’s new privacy policy, launched yesterday, contravenes European law.

The new policy, announced by Google in January, consolidates more than 70 privacy policies into one main document to govern the majority of its products. Google’s aim is to explain what information is collected and how it is used in a much more readable way, with less “legal gloop to wade through”. Google has said that the multiple policies were over-complicated, and at odds with its efforts to integrate its different products more closely.

In practice, according to Google, users signed in to Google Accounts will be treated as a single user across all the products, meaning Google is able to combine information provided from one service with information from other services. Essentially, private information collected from browsing data and web history by one Google service can be shared with its other platforms, including YouTube, Gmail, Google+ and Blogger. This is to allow it to offer better targeted advertising to users, and customise search results more efficiently.

Google stated it was confident that its “new simple, clear and transparent privacy policy respects all European data protection laws and principles”. EU data protection agencies beg to differ, however, concluding that the new policy does not meet the requirements of the European Directive on Data Protection. Following an investigation by France’s privacy watchdog CNIL (Commission nationale de l’informatique et des libertés), Reding announced “they have come to the conclusion that they are deeply concerned, and that the new rules are not in accordance with the European law, and that the transparency rules have not been applied”.

Despite being warned of CNIL’s concerns, Google proceeded with the launch, and defended the policy stating that it will not change any existing privacy settings or how information is shared outside of Google, with no additional information being collected.

Google has sparked further outrage with its Android users, after it emerged that they must accept the new policy. It has advised that any users concerned about the impact of the changes should choose not to login to the Google Account on their smartphones, but this means certain applications will be inaccessible. The news has prompted one privacy campaigner to sue Google for the cost of his handset.

To add to its woes, Google has received more widespread criticism of its new policy. The National Association of Attorneys General (NAAG) last week sent a letter signed by 36 state and territorial Attorneys General detailing their “strong concern” with the policy. It highlighted that the policy fails to provide users with an “opt-in” or “opt-out” option. The letter further stated that the automatic sharing of personal information and the ability to learn the whereabouts of users, without their authority, amounts to an invasion of privacy.

Philip James, a Partner who leads Pitmans’ Data Privacy & Information Law team, comments, ‘Viviane Reding’s statement is a clear indication of the EU’s determination to protect consumer privacy and reflects the importance it places on Privacy by Default. The aggregation of a multitude of sites storing users’ profile data, coupled with Google’s increasingly dominant Android mobile platform places Google in a privacy predicament; it will need to be seen to be doing more than others to achieve compliance and prevent successful challenges to its approach. Its recent move is a direct result of its need to maintain market position in the light of Facebook’s continued success’.

CNIL has said it will send Google questions on the changes by mid-March. It remains to be seen how Google will deal with such criticism and probing, but it is safe to say that such scrutiny should be taken seriously.

If you would like further information about Google’s new privacy policy, and how it will affect you, please contact Pitmans’ Data Privacy & Information Law team.

Philip James
Partner, Head of Data Privacy & Information Law
T: 0207 634 4655
E: pjames@pitmans.com

Thanks to the media and public figures speaking out, awareness of cyberbullying is ever increasing. Due to the rise of the internet, the use of smartphones and the increasing popularity of social media sites such as Twitter and Facebook, cyberbullying is widespread. It doesn’t just occur during work time or school time; it can occur 24 hours a day, 7 days a week. Cyberbullying may be virtual, but this does not mean it is not happening or that it should be ignored.

Cyberbullying can take many forms, from text messages, phone calls, pictures and emails through to posts on social network sites and account hacking. This bullying is now becoming a form of serious harassment. The main problem with cyberbullying is that it is incredibly hard to monitor and prevent. Social media sites provide people with anonymity, so tracking down the culprits can be an impossible challenge. People can assume a fake profile or many identities.

Currently the law in place is reactive rather than proactive. Instead of providing people with steps they can take to protect themselves from cyberbullying, the law only provides for compensation once the cyberbullying has taken place. Often people are unaware of their legal rights and what steps they can take. People who are subject to cyberbullying should speak out and record everything: keep texts, take screenshots, and so on.

Cyberbullying can have a significant impact on a person’s mental and physical health; it can affect self-esteem, confidence and mental health. It may be possible for someone to bring a personal injury claim against their bullies as a result of this.

The Workplace

Employers should take a clear stance on all types of bullying and make it clear that it is not acceptable. It is standard practice to have an anti-harassment and bullying policy in force.

If an employer fails to take action to stop bullying then there could be a breach of their implied duty of trust and confidence which could result in an employee bringing a claim. At present an employee cannot bring a claim for cyberbullying alone in the Employment Tribunal. It has to be brought along with discrimination or harassment, yet this is likely to go hand in hand with cyberbullying.

An employer may be vicariously liable for the actions of their employees. If an employee is cyberbullying their colleague then an employer may find themselves included as party to a legal claim. An employer is unlikely to be able to argue successfully they were not responsible because the bullying took place outside of work time especially if they were made aware and failed to take steps to reprimand the bully in question.

The Law

Cyberbullies are potentially breaching many laws with their actions, a summary of which is set out below:

Protection from Harassment Act 1997
A person is not allowed to behave in a way which amounts to harassment of another and which he knows or ought to know amounts to harassment. The individual can obtain an injunction against the person causing the harassment. It is also a criminal offence, so a person can be guilty of harassment if they have harassed the person, causing distress and harm, on more than one separate occasion. Because it is criminal, the police can be involved; they can investigate the harassment and use their powers to identify the harasser if they are not known. It is also a separate offence if the person’s actions cause another to fear that violence will be used against him on at least two different occasions.

Communications Act 2003
A person will be guilty if they send an offensive or grossly offensive message or an obscene or indecent image through a public electronic communications network, or cause such communications to be sent. Likewise someone will also be liable if they send a message which they know to be false and it is sent for the purpose of causing annoyance, inconvenience or anxiety. It is also an offence to improperly use a public electronic communications network.

Defamation Act 1996
If comments are damaging someone’s reputation, then they are potentially defaming them. Internet hosts should be notified about this to put them on notice, and they should remove the allegedly defamatory material quickly. Once on notice, they will lose the benefit of the innocent dissemination defence afforded to them if they fail to act.

Malicious Communications Act 1988
It is an offence for one person to send to another any communication or article which conveys a threat, false information or an indecent or grossly offensive message, where the result of such communication is to cause the recipient distress or anxiety. Communication covers hard-copy communication as well as electronic communications.

The penalty for falling foul of the Communications Act and the Malicious Communications Act is imprisonment for up to six months, a fine or both.

What can you do?

If you are experiencing cyberbullying through social media sites such as Facebook and Twitter then such sites will have policies in place which mean you can report such incidents. Facebook and Twitter, for example, allow you to report abusive content along with fake profiles. As well as reporting such incidents you can block people from being able to contact you. The sites will often offer advice on what you should do if you are experiencing bullying, for example Facebook gives tips on what to do.

An individual should also review the privacy settings on their Facebook account to ensure it can only be viewed by certain people, for example your friends. Individuals should also be wary of how much information they detail about themselves. If personal information is revealed it could lead to someone being able to impersonate you. Be wary of accepting a stranger’s friend request as this could have undesirable consequences, as highlighted by Cher Lloyd.

If an individual is receiving abusive texts, pictures or phone calls, then they can contact their mobile network operator to get a number barred. This means the person will no longer be able to communicate with the individual. This may not stop the bullying entirely, but by taking positive steps the bully will be stopped in their tracks to an extent.

People do not need to stand back and tolerate such behaviour; there are steps an individual can take against their bullies.

Schools

Despite the age restrictions imposed on social media sites, more and more children are having profiles online. Children are often the most vulnerable to cyberbullying and as highlighted in recent media stories, they are often reluctant to speak out and seek help which can have serious consequences. Children should be educated in schools about cyberbullying and what actions can amount to cyberbullying and the implications cyberbullying can have. By raising awareness children will know what to look out for and should be more willing to speak out.

As you will see, there are many steps an individual can take against cyberbullies, and we are here to help.

If you would like to discuss any of the legal issues raised in this article further please contact:

Mark Symons
Partner, Employment, Cyber Risk Management
T: 0118 957 0340
E: msymons@pitmans.com

The surge in global internet usage in recent years has resulted in domain names becoming precious and sought after commodities. “Cybersquatters” have inevitably sought to take advantage of this. In order to ensure the success, protection and promotion of your brand, it is paramount to take steps to prevent cybersquatting activities. If the opportunity for prevention has been lost, and a domain name dispute does arise, it is important to resolve any potential disputes effectively and efficiently.

Cybersquatting is the registering, selling or using of a domain name in bad faith with the intent of profiting from the goodwill of someone else’s trade mark. It generally refers to the practice of buying up domain names that use the names of existing businesses and trying to sell them back to a party for an inflated price. It is also commonly used to direct traffic to the cybersquatter’s website or the website of a competitor of the trade mark holder in return for payment of a commission.

Prevention is always better than cure. There are a number of steps that can be taken to protect domain names and reduce the risk of disputes arising:

1. Search prior to registration – A search of unregistered and registered trade marks in territories of interest will assist you in identifying whether there are likely to be issues in using and/or registering a domain name.

2. Strategy - Registering every available domain name extension is not always possible or necessary. Registrations of Country Code Top Level Domains (“ccTLDs”) and Generic Top Level Domains (“gTLDs”) should be targeted according to your business interests and the territory you operate in.

3. Register the domain name as a trade mark – If it is worthwhile, consider registering your domain name as a trade mark. Having a registered trade mark could assist in the event of a dispute over rights in a domain name.

4. Register common misspellings - If a name is commonly spelt incorrectly it may be advisable to register misspellings in order to prevent “typosquatters”.

5. Identify new ccTLDs and gTLDs – New extensions are continually being introduced. Make sure you are up to date and consider including them in your domain name portfolio.

6. Monitor – Regularly check and actively monitor whether any similar domain names have been registered. There are services available which will actively monitor all new registrations, and services which purchase domain names as soon as they become available for registration.

7. Manage - Be aware that your domain name requires renewal and may be registered by a third party if you forget. Work with a registrar, and ensure that contact details are kept up to date.
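As an added illustration of steps 4 and 6 (registering misspellings and monitoring similar registrations), the following Python script generates typosquat candidates for a brand label and checks them against a feed of newly registered domains. It is example code, not Pitmans’ own, and the brand label, TLD list, owned domains and the feed are all constructed samples.

```python
"""Typosquat candidate generation and registration monitoring.

Added example, not Pitmans' code. The brand label, TLD list, owned
domains and the "newly registered" feed below are constructed samples.
"""

# Keyboard-adjacent keys on a QWERTY layout, used for fat-finger substitutions.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# Characters that look alike in many fonts and URL bars.
HOMOGLYPHS = {
    "l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "e": ["3"], "s": ["5"],
    "a": ["4"], "b": ["d"], "d": ["b"], "m": ["rn"], "w": ["vv"],
}


def typo_variants(label):
    """Return plausible misspellings of a bare domain label (no TLD)."""
    variants = set()
    for i, ch in enumerate(label):
        head, tail = label[:i], label[i + 1:]
        variants.add(head + tail)                       # omitted character
        variants.add(head + ch + ch + tail)             # doubled character
        if i + 1 < len(label):
            variants.add(head + label[i + 1] + ch + label[i + 2:])  # transposition
            variants.add(label[:i + 1] + "-" + label[i + 1:])       # hyphenation
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(head + nb + tail)              # adjacent-key substitution
        for glyph in HOMOGLYPHS.get(ch, []):
            variants.add(head + glyph + tail)           # look-alike substitution
    variants.discard(label)
    # Drop empty labels and labels with a leading or trailing hyphen (not valid).
    return {v for v in variants if v and v[0] != "-" and v[-1] != "-"}


def candidate_domains(label, tlds):
    """Combine the label and its misspellings with each TLD of interest."""
    labels = {label} | typo_variants(label)
    return {f"{name}.{tld}" for name in labels for tld in tlds}


def normalise(domain):
    """Lower-case a domain and strip whitespace and any trailing dot."""
    return domain.strip().lower().rstrip(".")


def flag_registrations(label, tlds, owned, feed):
    """Return feed entries that match a candidate domain and are not already owned."""
    watch = candidate_domains(label, tlds) - {normalise(d) for d in owned}
    return sorted({normalise(d) for d in feed if normalise(d) in watch})


# Constructed sample data (hypothetical brand and feed).
BRAND = "examplebrand"
TLDS = ["com", "co.uk", "net"]
OWNED = ["examplebrand.com", "examplebrand.co.uk"]
FEED = [
    "exmaplebrand.com",      # transposition
    "ExampleBrand.NET",      # exact label on an extension not yet registered
    "example-brand.co.uk",   # hyphenation
    "examplebrnad.com",      # transposition
    "examp1ebrand.com",      # homoglyph l -> 1
    "examplebrand.com",      # already owned, must not be flagged
    "unrelated.org",         # no relation to the brand
]

if __name__ == "__main__":
    for hit in flag_registrations(BRAND, TLDS, OWNED, FEED):
        print("review:", hit)
```

In practice the feed would come from a zone-file or registration-monitoring service, and each hit would be reviewed manually before any cease and desist letter or UDRP complaint is considered.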

If a dispute cannot be avoided, there are various ways for resolution:

As an initial step, a Cease and Desist letter (asking the other party to stop using the domain name and to transfer it) may be enough to prompt them to transfer it and avoid further legal action. Negotiating a price for the acquisition of the domain name may be the commercially prudent solution.

There are Domain Name Dispute Resolution Services directly applicable to domain names, which are incorporated in the terms of registration. The most widely used is the Uniform Domain Name Dispute Resolution Policy (“UDRP”), which allows complaints to be filed with the World Intellectual Property Organisation (“WIPO”) and other national bodies. These services have been developed to allow for a more timely and cost-effective resolution of disputes without the need to resort to court proceedings.

Domain name recovery can also be dealt with via traditional Dispute Resolution techniques, and options including mediation can be explored.

To be successful in a UDRP complaint, a complainant must establish that:

i. The domain name registered by the respondent is identical or confusingly similar to a trade mark or service mark in which the complainant has rights;
ii. The respondent has no rights or legitimate interests in respect of the domain name; and
iii. The domain name has been registered and is being used in bad faith. 

To avoid failures, here are some UDRP filing tips to ensure a cost effective success:

1. Research, research, research – The importance of research cannot be underestimated. Research case law, research the registrant, research the provider you want to use, research your panellist.

2. Include similar domain names under the same defendant – It is always recommended to include other domain names using your marks in a complaint. Use a service that will allow you to search a registrant name and identify their domain portfolio. If there are similar domains (typos or phonetically similar) owned by the same registrant, it would be worth adding these domains to the complaint so you can maximise your return.

3. Check the panellist appointed to your case – You have the right to object to any appointed panellist. Once named, it is advisable to review the biography of your panellist to ensure that no potential conflict of interest could arise, giving you the best chance of a favourable decision.

4. Use three-person panels only for complex cases – If your case is clear, supported with ample evidence and fulfils all three requirements outlined above, a one-person panel is likely to be sufficient.

5. Shorter is sweeter – A limit of 5000 words is placed on the UDRP assertions and arguments, but in all likelihood you should never need to use the maximum word length in your filing. You will find more success if your arguments are succinct and supported by relevant case law.

6. Don’t just settle – It may be worth proceeding with the case to establish a record of documented evidence that may be used by yourself and others filing against the same registrant. Additionally, your company will be on record as an organisation that takes a proactive stance against cybersquatters.

For further information on domain name filing, domain name protection strategies and Domain Name Dispute Resolution, please do not hesitate to contact Pitmans’ Intellectual Property team.

Stacey Jones
Solicitor
T: +44 (0)118 957 0235
E: staceyjones@pitmans.com

Sally Britton
Partner
T: +44 (0)20 7634 4623
E: sbritton@pitmans.com

The ECJ has held that an order imposed by a Belgian court, which required an internet service provider (“ISP”) to filter and block access by its customers to files containing infringing copies of musical works, was incompatible with EU law. (Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL, Case C-70/10, 24 November 2011.)

The case concerned questions referred by the Brussels Court of Appeal to the ECJ regarding Scarlet, an ISP. Scarlet was ordered by a Belgian court to make it impossible for its customers to share files that infringe rights held by members of SABAM, the Belgian Society of Authors, Composers and Publishers.

In 2004, SABAM established that users of Scarlet’s services were downloading works in SABAM’s catalogue from the Internet, without authorisation and without paying royalties, by means of peer-to-peer networks (a transparent method of file sharing which is independent, decentralised and features advanced search and download functions).
 
Upon application by SABAM, the President of the Brussels Court of First Instance ordered Scarlet, in its capacity as an ISP, to bring those copyright infringements to an end by making it impossible for its customers to send or receive in any way electronic files containing a musical work in SABAM’s repertoire by means of peer-to-peer software.

On appeal to the ECJ, it held that EU law precludes the imposition of an injunction by a national court which requires an ISP to install a filtering system with a view to preventing the illegal downloading of files. It concluded that such an injunction does not comply with the prohibition on imposing a general monitoring obligation on such a provider. The filtering system would mean that the ISP was required to monitor data relating to its customers, which is explicitly prohibited by Art 15 of the E-Commerce Directive.

The ECJ also ruled that the injunction did not comply with the requirement to strike a fair balance between, on the one hand, the right to intellectual property, and, on the other, the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information – fundamental rights safeguarded by the Charter of Fundamental Rights of the EU.

The case follows an earlier UK ruling where BT became the first ISP to be forced by a court order to block its customers from accessing a website on grounds of copyright infringement. The site in question, www.newzbin.com, allowed users to share data files, predominantly pirate films, TV show downloads and music. The case was brought by six major film studios.

Scarlet was held distinguishable in that the film studios were not asking for an unlimited filtering system for all customers, but rather for a clear and precise injunction requiring BT to implement an existing technical solution which BT itself had accepted would be technically feasible and the costs would not be excessive. Therefore, it was not in breach of Article 10 of the European Convention of Human Rights.

It is clear the scope of the injunction sought and the technical feasibility of achieving it will be relevant in each case. This also does not bode well for any orders which the Secretary of State may make under the Digital Economy Act (DEA), as any such orders to prevent unlawful file sharing may be unenforceable under EU law for similar reasons.

The online infringement provisions of the DEA oblige ISPs to assist in identifying copyright infringers and allow enhanced measures to be taken against copyright infringers, including an ability to require ISPs to suspend internet connection to persistent offenders. Following a recent Judicial Review (JR) by BT and Talk Talk, the High Court has held that the provisions of the DEA are compatible with EU law; so, whilst copyright owners and the government are relieved by the JR decision, the issue still very much remains open in light of Scarlet.

For more information, please do not hesitate to contact Pitmans’ Intellectual Property Team.

Philip James
Partner
T: +44 (0)207 634 4655
E: pjames@pitmans.com

On 25 November, the government published its cyber security plan setting out in greater detail how it intends to work with the private sector in countering cyber risk. What is becomingly increasingly clear is that responding to this risk is something that is best tackled by a public-private partnership. Given the austere economic climate, this approach may present both public and private concerns alike with new opportunities.

The Minister for the Cabinet Office and Paymaster General, Francis Maude, explained in a written statement that the purpose of “…this strategy [is to] outline how we will cement a real and meaningful partnership between the Government and private sector in the fight against cyber attacks”. He also emphasised that the private sector has a crucial role to play in carrying out the government’s plans since it “owns, maintains and creates most of the very spaces [the government] are seeking to defend”.

The plans include a new national cyber security ‘hub’ that will allow the Government and businesses to exchange information on threats and responses with the private sector. A pilot will commence in December and will involve five business sectors: defence, finance, telecommunication, pharmaceuticals, and energy.

Other highlights of the government’s anti-cyber crime strategy include:

Creation of a new national cyber crime capability as part of the new National Crime Agency by 2013, and enhancing the work of the Metropolitan Police’s eCrime Unit by expanding the deployment of ‘cyber-specials’;

By the end of 2011, building a single reporting system for citizens and small businesses to report cyber crime so that action can be taken and law enforcement agencies can establish the extent of cyber crime (including how it affects individuals and the economy);

Promoting greater levels of international cooperation and shared understanding on cyber crime as part of the process begun by the London Conference on Cyberspace, in addition to promoting the Council of Europe’s Convention on Cybercrime (the Budapest Convention) and building on the new EU Directive on attacks on information systems, as well as contributing to the review of security provisions of the EU Data Protection Directive and the proposed EU Strategy on Information Security;

Working with domestic, European, global and commercial standards organisations to stimulate the development of industry-led standards and guidance that help customers to navigate the market and differentiate good cyber security products;

Creating and building a dedicated and integrated civilian and military capability within the MoD, mainstreaming cyber within the organisation and setting up a Defence Cyber Operations Group (DCOG). An interim DCOG will be in place by April 2012 and will achieve full operational capability by April 2014;

Undertaking a review of policy and regulation of the UK communication sector, with a view to publishing a Green Paper early in 2012 followed by a White Paper and a draft Bill by 2013;

Supporting net neutrality and the open internet by working with the Broadband Stakeholder Group to develop industry-wide principles on traffic management and non-discrimination and reviewing its transparency code of practice in early 2012;

Establishing a certification scheme for certifying the competence of information assurance and cyber security professionals by March 2012, and a scheme for certifying specialist training in 2012. Continuing to support the Cyber Security Challenge as a way of bringing new talent into the profession; and

Identifying Centres of Excellence in cyber research to locate existing strengths and providing focused investment to address gaps, with the first focused investment occurring by March 2012.

It seems this strategy will require responses at a national level as well as greater international collaboration, not to mention the orchestration of resources within and outside the traditional defence communities. This raises its own challenges, but if ever there was a common cause, this is it. Or is it? Some nations may prefer to allow cyber strikes to be launched from their shores in the hope of receiving the benefit of any stolen assets. Watch this space. There may also be opportunities for employers to engage cyber poachers turned gamekeepers to assist defence and IT security. The level of support that government can lend to such employment opportunities will undoubtedly determine its success.

This is one of a series of articles on cyber security. To read the last article in this series, on protecting your business from cyber security threats, please click here. Pitmans will be hosting an evening seminar on Cyber Asset Protection on 1 February 2011 in London. For further discussion of these and other issues, please join us. Click here for more information on this seminar, or if you would like to register your interest now, please email poppy@pitmans.com.

Carolyn Butler
Solicitor
T: +44 (0)118 957 0234
E: cbutler@pitmans.com

Philip James
Partner
T: +44 (0)207 634 4655
E: pjames@pitmans.com

Cyber attacks targeted at the UK are once again in the news. The director of the government’s communications intelligence agency, GCHQ, Iain Lobban, reported in The Times (31 October 2011) this week that the country has been subject to a “disturbing” number of cyber threats. However, Mr Lobban observes in his report that the challenges faced by cyber security are “not for the government alone”.

Since the government announced this time last year that it had allocated £650 million to cyber security and resilience as part of its Strategic Defence and Security Review, it has started to endorse a collaborative approach between the public and private sectors to cyber security. Although the government is keen to demonstrate that the issue is a top priority, it has acknowledged that it can’t manage the challenges posed by cyber threats single-handed – not least because the majority of providers of Critical National Infrastructure (CNI), such as energy, water, finance, transport and telecommunications, are in the private sector. The foreign secretary William Hague will host a two-day conference on cyber security in London this week, to advance the dialogue with the business community in that respect.

As a consequence, the government has highlighted to the private sector what it has to lose (and in fact has already lost) in playing down the importance of cyber security. Last week, Major General Jonathan Shaw, head of the Ministry of Defence’s cyber security programme, told the Daily Telegraph (24 October 2011) that hacking by foreign governments and organisations had already cost the UK economy £27 billion and that “the biggest threat to this country by cyber is not military, it is economic”. Mr Lobban reinforced this view in his report, stating that the theft of British ideas and designs in the IT, technology, defence, engineering and energy sectors “doesn’t just cost the companies concerned; it represents an attack on the UK’s continuing economic wellbeing”. In other words, there seems to be an overwhelming opportunity for continued public private partnerships in this sector, as well as reciprocal arrangements between the defence and non-defence sectors to counter this threat.

So what can businesses do to safeguard their economic interests? Chatham House, a leading independent think tank on international affairs, has made a number of recommendations for businesses in its report entitled Cyber Security and the UK’s Critical National Infrastructure which it published last month. While the report is primarily aimed at corporations active in CNI sectors, it is also essential reading material for any board member. In particular, examples of good, improving and poor cyber security practice are explored in pages 23 to 26 of the report.

Below, we highlight and comment upon some of the key recommendations from the report and some practical suggestions for board members to enhance an organisation’s resilience to cyber threats.

1.   Vulnerabilities: Senior management need to acquire (if they haven’t done so already) a good understanding of the vulnerabilities and dependencies of their business, and the implications for budgets and reputation management that they may entail. First, examine the dependencies of your business and consider, in particular, those that may be ‘hidden’ in the other businesses on which it depends (as well as any ongoing chains of supply). Identify both existing and emerging risks.

2.   Risk Assessment and Response: Once you have a better understanding of your business’ and its suppliers’ vulnerabilities, look at the processes and mechanisms that are already in place to assess the risks posed by cyber attacks and to respond to such attacks if and when they occur, and consider how they work in practice. If there is a disparity between policy and practice, one or the other must change. If appropriate, consider engaging a penetration (PEN) or vulnerability testing consultant to stress-test and evaluate your IT security measures. Such a consultant can also propose a number of options to repair any gaps or improve security in line with your requirements. Assess the adequacy of the response measures and contingency plans you have in place to cope when any element of the chain of dependency fails.

3.   Investment: Cyber security is often under-funded despite the economic damage that a breach may entail. In order to work well, the planning and implementation of cyber security measures must be underpinned by appropriate resource allocation, in terms of both human resources and financial investment. In the current economic climate, this remains one of the key challenges. However, carefully allocated resources can result in significant improvements to security which can materially reduce the business impact and remedial costs should an incident occur.

4.   Know-how: The training and development of all staff that may encounter cyber threats must be viewed as an integral part of your organisation’s risk management strategies. Is everyone aware of the risk assessment mechanisms and security procedures? Your organisation will therefore need to decide whether to adopt best practice depending upon the viability and sensitivity of your systems and the information contained within. Mechanisms that allow for the reporting, and onward dissemination, of know-how gained from experience (in particular “lessons learned” from cyber security incidents) are also essential.

5.   Board-level Buy-in: Cyber security can no longer be delegated to the IT team to deal with on its own. According to the Chatham House report, “the potential for damage, both economic and reputational, from complacency over matters of cyber dependency and vulnerability is too high to be ignored” and deserves the regular attention of senior management. Ensure it regularly appears on your agenda.

6.   Communication: The Chatham House report suggests that the issues connected with communicating technical ideas to non-technical people are intimately linked to the issue of board-level buy-in, since in its research it often found that “an organisation’s cyber security policy is not delegated (in a constructive managerial way) but is deliberately pushed below the boardroom level in order to remove a complex and baffling problem from sight”. Chatham House wants to see more chief information security officers from non-technical backgrounds appointed, and advises that “IT security departments [need] to develop a deeper understanding of how value is created in the organisations they endeavour to protect” to meet the business’s needs. However, communication flows both ways, and it is equally important for the board to grasp the nettle of cyber security with both hands to develop a coherent, strategic response.

In addition to these recommendations, organisations should also consider the following:

Insurance

Review your insurance policies to ensure you are adequately protected against risks that cannot be mitigated. If you discover any uninsured risks that need to be covered, discuss with your insurer what they can do for you. Given the diversity of risks faced by different businesses, corporations are increasingly finding a ‘one-size-fits all’ approach to IT-related policies, such as network security insurance and business continuity insurance, is impractical at best and, at worst, leaves them perilously exposed. Many insurers now offer a flexible, or even bespoke, range of policies to meet this emerging need.

Reputation Management

As part of your contingency and disaster recovery planning, consider whether and in what circumstances you would need to engage an agency experienced in ICT reputation management in order to minimise any long-term damage to your business and/or its brand. If this could be necessary, investigate the available options now, and ensure a protocol is in place so that assistance is sought where appropriate. Some insurers also offer policies to cover the costs of retaining public relations assistance in the event of a crisis.

Pitmans will be hosting an evening seminar on Cyber Asset Protection on 1 February 2011 in London. For further discussion of these and other issues, please join us. Click here for more information on this seminar, or if you would like to register your interest now, please email poppy@pitmans.com.

Carolyn Butler, Solicitor
T: +44 (0)118 957 0234
E: cbutler@pitmans.com

Philip James, Partner
T: +44 (0)207 634 4655
E: pjames@pitmans.com

Jonathan Durrant, Director
T: +44 (0)118 957 0270
E: jdurrant@pitmans.com

For more information, please see:

Pitmans’ Defence and Security legal services

Pitmans’ Data Privacy & Information Law legal services

‘Initiatives Against Cyber Crime – Recent Developments’

‘Cyberspace – Industry and the Cyber Armoury’

What’s the news and the current trend?

The Advertising Standards Agency (ASA) has recorded a huge surge in complaints made about companies’ digital marketing communications, with figures exceeding 5,500.

5,531 complaints were recorded about brands’ online marketing communications since March, when the ASA’s remit was extended to cover the area.

The ASA now covers non-paid for online marketing communications under the marketer’s control, including social media such as Facebook, as well as companies’ own websites. A marketing communication is a type of communication for a good, service, opportunity or gift that primarily sets out to sell something. Marketing communications may set out to sell in a myriad of different ways, and may not necessarily include a price or seek an immediate financial transaction. Also included are direct solicitations for donations as part of a company’s own fund-raising activities.

In the seven months since the remit was extended, the total number of complaints received across all channels reached 18,369. This is an increase of 30% on the same period in 2010.

No one business sector was primarily responsible, with blame being spread equally across the retail, leisure and telecoms sectors, amongst others. The type of complaints matched the typical spread for broadcast and non-broadcast adverts, and concerned issues with price and availability. Complaints regarding misleading alternative health sites were also notable.

To deal with the increase in complaints, the ASA has increased staff numbers by 10%. The ASA has commented that people cannot expect everyone to be immediately compliant, and that many companies do not yet know about the changes.

Online marketing communications are governed by the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (the CAP code). If a marketing communication breaks the Code, the organisation/individual responsible is told to amend or withdraw it. If they do not, the Compliance team will consider the sanctions available to it.

Non-compliance may result in removal of paid-for advertising, adverse publicity as a result of ASA adjudications, denial of access to advertising space, and the withdrawal of recognition and trading privileges, such as discounts. The company in question may also face action for breach of the Consumer Protection Regulations.

How can Pitmans help?

Pitmans Digital Brands Team can carry out a digital marketing and brand audit of your digital channels (Twitter, Apps, Facebook pages, Company website) at an agreed fixed cost.

We can identify any risks, whether they be regulatory or legal, and provide a clearance risk assessment. We can also advise on ways in which you can protect and manage your digital brand portfolio, as well as advise on any IP rights and data comprised in your digital channels. All sectors are affected but clients in the Media & Entertainment, Automotive, Hospitality and Retail sectors may find this of particular interest.

For further details please contact:

Philip James
Partner
T: 0207 634 4655
E: pjames@pitmans.com

Sally Britton
Partner
T: 0207 634 4623
E: sbritton@pitmans.com

Pitmans Privacy Update

August 17th, 2011

Retailers Take Note: Data Privacy Trends and Actions for the coming year: Highlights of the Information Commissioner’s Annual Report 2010/11

If the idea of digesting the Information Commissioner’s 86-page long annual report in full doesn’t really appeal to you, then why not let us do the hard work? Below, we highlight not only the key changes to the policy and enforcement objectives of the Information Commissioner’s Office (“ICO”) over the past year, and the likely indications from the report of the developments to come, but also our suggested actions and comment to help you avoid falling foul of data privacy compliance, risking damage to your reputation and incurring unnecessary cost and resource further down the line.

New powers

The ICO’s enforcement arsenal was enhanced significantly in April 2010 when it was granted the power to fine organisations up to £500,000 for serious breaches of the Data Protection Act. Four monetary penalties have been issued since then, as well as five prosecutions brought in the last year. However, the ICO has been keen to stress that such tactics are a means of last resort, and seeks to resolve cases informally where there is opportunity to do so.

Pitmans Comment: it is worth noting that since May 2011 the ICO now also has the power to fine organisations up to £500,000 for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the previous power to fine only extended to serious data breaches, not breaches of the laws relating to electronic marketing and privacy).

In addition, the ICO also has a new power to audit measures taken by a public electronic communications service provider (service provider) to:

• safeguard the security of its service; and

• comply with a new personal data breach notification and recording requirement.

This second requirement is a significant development and, where a breach may adversely affect the personal data or privacy of a user, a service provider is not only obliged to notify the ICO, but also the user concerned. This has a significant cost and PR implication.

The ICO favours prevention over cure; it tends to accept undertakings (where an organisation commits to making specific improvements) as a precursor to more formal action. The number of instances where the ICO has approached organisations to offer good practice audits has increased dramatically over the past year, although take-up in the private sector has been poor. Nevertheless, the ICO issued 26 audits in 2009/10, 60% more than in 2009/10. It also released several codes of practice last year to help businesses stay on the straight and narrow, including a Code of Practice on Personal Information Online which was launched in June.

Pitmans Suggested Action: ensure you have a paper trail evidencing compliance and training. Refresh staff by periodic training and regular security reviews, and conduct vulnerability testing of publicly accessible applications. It is clear that audits are becoming more popular. Always be prepared.

Emerging enforcement trends

The hot topics

Subject access requests were the most popular topic of complaint, accounting for nearly a third (28%) of all issues reported to the ICO. Since this is the area where, statistically, data controllers tend to slip up, companies are well advised to ensure they have appropriate systems in place to deal with subject access requests within the applicable time limits. Inaccurate data (15%), inappropriate disclosure of data (12%), and automated and live marketing calls (9% each) are the cause of the next most numerous complaints. There has also been an increase of 17% in the number of freedom of information cases referred to the ICO over the past year.

The ICO has earmarked the challenges perpetuated by (or, indeed, in spite of) technological advances as a priority. The ICO is concerned that a significant amount of highly sensitive personal data is still sent by fax, despite the more secure alternatives offered by newer technology. Failures by organisations to encrypt personal data in appropriate circumstances also remain a key concern.

The new rules in relation to cookies are also firmly on the agenda. Although the lead-in period for the new rules expires in May 2012, the ICO has indicated that it will intervene in the meantime in certain circumstances: “we shall hold our enforcement powers in reserve, intervening in the first year only where it is clear that a website owner is doing little to attempt to comply”.

Pitmans Suggested Action: review what technical and operational security measures your organisation currently employs in relation to sending personal data and keeping data secure. If your staff are using mobile devices and laptops, review and implement encryption software solutions.

Companies would also be well advised, if they have not already done so, to conduct a digital marketing audit and review their data processing and collecting practices in the e-commerce environment. Please let us know if you would like assistance with such an audit.

The targeted organisations

Essentially, the ICO targets those organisations about which it receives the most complaints. The ICO affirmed that it also uses a risk-based process to identify and contact organisations that handle personal information, which takes into account a number of factors such as the volume and type of data an organisation holds, complaints received by the ICO and cases where enforcement action was considered. It then uses the information from individual cases to build a picture of how seriously data controllers take the issue of handling personal data or providing information the public has a right to see.

The ICO has declared that it now expects more from data controllers when complaints are reported – as well as asking them to explain the circumstances of individual complaints, it now asks for information about how the data controller intends to put things right and how they adhere to general information rights obligations.

Pitmans Suggested Action: respond to complaints and proactively manage any inappropriate use of personal data carefully. Consider preparing a contingency response plan to any complaints, with a pre-prepared response to customers, the ICO and the press.

The targeted sectors

Over the past year, the ICO launched campaigns aimed at estate agents and private medical practitioners to remind them of their obligations to notify the ICO if they handle personal data. Accordingly, we should probably expect similar campaigns in the future directed at other industries in the private sector that routinely handle personal data, e.g. education and training providers, telecoms companies, and online retailers.

Pitmans Suggested Action: retailers, in particular, take note. The ICO issued a statement on 9 August in the light of a security breach suffered by Lush, the cosmetics retailer, making it clear that e-tailers must ensure they keep customers’ personal data secure. An extract of the statement is reproduced below:

Acting Head of Enforcement at the ICO, Sally Anne Poole said:

“With over 31 million people having shopped online last year, retailers must recognise the value of the information they hold and that their websites are a potential target for criminals.
 
“Lush took some steps to protect their customers’ data but failed to do regular security checks and did not fully meet industry standards relating to card payment security. Had they done this, it may have prevented the fraud taking place and could have saved the victims a great deal of worry and time invested in claiming their money back. This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times.”

In the meantime, the ICO will be consulting on a revised Information Rights Strategy showing how it prioritises the different sectors and subjects for regulatory attention, which is definitely a development to watch out for!

The likely consequences

The ICO’s report contains a selection of salutary tales demonstrating exactly how not to deal with a data protection breach. These case studies indicate the circumstances that the ICO is likely to consider as “aggravating factors” when determining whether to issue monetary penalties. As well as the impact and severity of the breach, the ICO will consider a number of factors, such as whether:

• a risk assessment was made;
• alternative means of storing/transmitting data were considered/devised;
• other measures were employed to minimise risks (e.g. by using a ‘ring ahead’ system to increase security of fax transmissions);
• the organisation followed its own policies;
• effective remedial action was taken following the breach (such as the re-training of staff);
• the organisation’s officers and staff understand the cause and significance of the breach.

Pitmans Suggested Action: conduct Privacy Impact Assessments (PIA) and build Privacy by Design (PbD) into concept and new product design to ensure that any privacy implications of new technologies are considered at an early stage. This may reduce the likelihood of incurring substantial re-development costs at a later stage, as well as the risk of complaint, adverse PR and enforcement.

Improved efficiencies

The number of decision notices issued by the ICO increased significantly from 628 in 2009/10 to 817 in 2010/11. However, the appeal rate has remained constant at around 25%, meaning, effectively, that there has been no corresponding deterioration in the quality of decision making. The ICO has put this dramatic improvement down to the introduction of new structures and processes that have allowed it to deal more quickly with complaints.

There has also been a blitz on freedom of information complaints. Over the last 12 months, the number of complaints that have been in the ICO’s in-tray for more than a year has reduced from 117 complaints to just three.

Involvement in law making

In terms of the ICO’s contributions to UK legal policy, it has had a busy year. The ICO issued responses in December 2010 and February 2011 to the Protection of Freedoms Bill, and provided evidence to the Public Bill Committee in March 2011. Also in December last year, the ICO issued a statement welcoming proposals set out by the government to expand the scope of the Freedom of Information Act.

At present, the ICO is engaged in the review of the OECD’s Privacy Framework and modernisation of the Council of Europe’s Data Protection Convention, and, through its membership of the Article 29 Working Party, the ICO is also reviewing the EU Data Protection Directive. The ICO will also be contributing to the post-legislative scrutiny of the Freedom of Information Act by the House of Commons Justice Committee.

This year, the ICO appointed Simon Rice, who has a background in delivering databases, software tools and data analyses for a government research agency, as the ICO’s first technology policy advisor to assist with the work on policy development, investigations and complaints handling. Simon’s appointment is complemented by the creation of a Technology Adviser Panel, whose role is to assist the ICO in producing up-to-date, relevant guidance on technical innovation and up-and-coming issues.

Pitmans Suggested Action: technology providers and organisations using new technologies to gather, analyse and mine user profiling data should beware. The ICO is investing more in analysing new technologies and is likely to be more savvy in its enforcement against non-compliant data repositories and applications. Again, consider privacy at an early stage of design and development and, before licensing a new CRM system or data tool, ask the relevant supplier to confirm what steps it has taken to ensure that it complies with data privacy laws (whether at home or abroad).

For further information regarding Pitmans Intellectual Property team, please contact:

Philip James
Partner
+44 (0)207 634 4655
pjames@pitmans.com

Carolyn Butler
Solicitor
+44 (0)118 957 0234
cbutler@pitmans.com

In the rapidly developing arena of internet regulation, law-makers and industry leaders the world over are grappling with the issue of “net neutrality”: whether internet service providers (ISPs) should be permitted (or, indeed, required) to manage internet traffic according to its type and size, or whether all networks should be “neutral”. While some governments, such as the Dutch and Chilean governments, have passed regulations that mandate net neutrality, other countries believe that heavy-handed regulation will stifle innovation and growth. This article examines some of the arguments from both sides and looks at the status of this issue in the UK – in particular whether the UK is likely to legislate on this issue or not.

What are the arguments?

The “pro-neutrality” side of the debate believes that all internet traffic, from bandwidth-heavy high-definition videos to basic emails, should be treated equally by ISPs and permitted to travel across the internet at equal speed. The primary concern is that any attempt to disrupt the free flow of traffic (by authorising ISPs to block or otherwise manage content) would harm what they see as the primary characteristics of the internet. This could ultimately lead to “big-brother” censorship, where ISPs prioritise content from heavyweight service providers offering video on demand services, such as Sky Anytime, or online gaming, such as Nintendo or Sony, who may have the resources, and be prepared, to pay ISPs for special treatment.

The alternative view is that the internet services to which consumers have grown accustomed can only continue to be delivered with effective “traffic management” that necessarily favours some content over others. It is claimed that the extra bandwidth consumed by increasingly sophisticated services (for example, online multiplayer gaming and voice-over-internet services), has congested networks and intensified the strain on the internet’s infrastructure, resulting in lower transmission speeds for all. Proponents of this view, generally the ISPs themselves, argue that the prohibition on differentiating between types of network traffic will make it harder for them to cater to what they perceive as a genuine consumer need for such services, for instance, for uninterrupted, high-definition video and music streaming and effective security measures (such as parental controls). 

International policy developments

Last month, the Netherlands became the first EU member state to introduce laws to protect the neutrality of its networks (following Chile’s introduction of similar measures in May). In the United States, the Federal Communications Commission (FCC) will shortly publish net neutrality rules in the Federal Register, which are likely to take effect in the autumn. The FCC’s view is that while, in the past, “broadband providers endanger the Internet’s openness by blocking or degrading content and applications without disclosing their practices to end users”, basic standards for conduct by ISPs are necessary to ensure the internet’s continued openness.

The Council of Europe agrees, and has drafted a set of Internet Governance Principles stating that “openness, interoperability and end-to-end nature [of the internet] should be preserved [and] should guide all stakeholders in their decisions related to internet governance”. The Council is firmly of the view that “any traffic management measure or privilege should be non-discriminatory, justified by overriding public interest, and must meet the requirements of international law on the protection of freedom of expression and access to information”.

In the UK, the Communications Minister, Ed Vaizey, has stated his preference for industry to lead the way in developing the UK’s policy on net neutrality, and for a light-touch approach to regulation. Speaking at the Intellect 2011 Consumer Electronics Conference this month, he argued that any regulatory framework implemented “must be dynamic and flexible enough to keep up with the pace of change we are seeing in these markets”.

In order to determine what such a regulatory framework may look like, the UK communications regulator, Ofcom, launched a public consultation on traffic management and net neutrality last summer, which led to spirited responses from industry leaders and interest groups alike on both sides of the discussion. Further details on the consultation may be found here.

Consumer Interests

The main themes to emerge from Ofcom’s consultation were the need to (i) protect consumers and (ii) promote and maintain effective competition in the market for broadband service providers.

Consumers are best served by transparency and the appropriate disclosure of information relating to the services provided. Consumers must have sufficient, comparable information to make informed choices when selecting an ISP and to vote with their feet if they wish to change ISPs (e.g. if their current ISP interferes with or downgrades their broadband service to an unacceptable degree). Where ISPs are not willing to disclose information about the performance of their services to their users, some content providers (especially those that may be disadvantaged if forced to pay a premium for network priority) have indicated that they will. For instance, in November the BBC suggested adding software to the BBC iPlayer to indicate to users whether the user’s ISP had degraded their service leading to poor-quality video streaming, the idea being to pressurise ISPs into forgoing the prioritisation of traffic.

The presence of a number of suppliers in the market does not necessarily guarantee effective competition at the consumer’s level. The US broadband market, for example, is effectively a relatively uncompetitive oligopoly and in those circumstances it is easier to justify regulation to protect consumers, since there is very little that consumers can do to either drive down prices or raise the quality of services offered to them. While consumers have greater choice of suppliers in the UK, a lack of information may make it challenging for consumers to distinguish between the services offered by different ISPs and to switch ISPs if they are not satisfied with the level of service – thereby reducing the beneficial effects of having, technically, a price-competitive market.

However, in its response to the consultation, the Communications Consumer Panel, an independent advisory body established under the Communications Act 2003, pointed out that very little research is available (from the UK or elsewhere) that analyses consumers’ decision-making about broadband services or the extent to which consumers understand the information provided to them by the relevant ISPs about such services. In order to identify what the regulatory framework hopes to achieve, it will first be necessary to identify, by undertaking research into consumers’ understanding of traffic management and their behaviour surrounding the selection of broadband services, the issues that need to be addressed by it.

UK: is regulation on the way?

The prevailing mood in the UK seems to be in favour of light-touch or self-regulation, where ISPs govern themselves, to ensure the fair application of net neutrality principles as a pragmatic alternative to introducing proscriptive regulations that the industry is likely to rapidly outgrow.

There is a clear commercial incentive for ISPs to prioritise certain content in exchange for fees from the provider in question. If voluntary codes and competitive forces are not sufficient to check practices such as prioritising content transmission from certain sources, regulation may be the only answer.

If you would like further information on the above article, please contact Carolyn Butler or Rustam Roy.