The Article 29 (A29) Working Party has recently published their opinion paper on the rise of facial recognition technology and the concerns that this brings for the protection of personal data online. This note looks at the issues of online privacy and the concerns for data privacy as facial recognition software becomes more widely available.
The A29 Working Party is the European body which comprises leading representatives from each data protection supervisory authority in the EU (in the UK, this is the Information Commissioner’s Office); its opinions are therefore particularly influential, if not binding.
Last year Pitmans published a briefing explaining the issues of privacy at the time Facebook changed their ‘tagging’ service for photographs to incorporate facial recognition technology.
Since then, the availability and application of the technology has grown exponentially; as its accuracy and deployment expand, this technology could be used for the most routine events in everyday life – but also by advertising companies, collecting market information based on attendance monitoring and profiling to tailor targeted advertising messages.
The A29 Working Party has identified facial recognition technology as being used for authentication or verification for devices or online services. However, the application of this technology may be naturally extended from the online to the offline world. From a defence and security perspective, retinal scans and other biometric data access are already in use at a number of airports and conditional access facilities; in addition, full facial recognition systems are reportedly already used by security agencies to identify known criminals at sporting and live events by using the technology to identify particular faces amongst the crowd (e.g. known hooligans at a football match or members of the public at the London Olympics).
Similarly, access to live events, venues and concerts has become more sophisticated than merely paper tickets – organisers continue to explore ways in which they may combat the growing grey market in second hand ticket sales which diverts income, and brand value, away from events and the artists. Methods include tickets containing photographs, bar codes or employing near field communication (NFC) technology. Fully automated facial recognition technology is a natural technological progression for those industries where secure access is an essential requirement.
But such applications raise data privacy concerns and consequently companies controlling or processing the data may be in breach of data privacy laws, unless such measures and new technologies are balanced against an individual’s right to privacy. While the A29 Working Party’s opinion on facial recognition focuses on online and mobile, the principles apply equally to anyone collecting and using data for facial recognition services.
The A29 Working Party considers that where a digital image contains an individual’s face which is clearly visible and allows identification of the individual, such an image would be considered personal data. Therefore, where a reference template is created from an individual’s image, this template will also be personal data if it contains a set of distinctive features of an individual’s face which can be linked to the specific individual and stored for later use. The only instance where a template is likely not to be considered personal data would be where it was not associated with an individual’s record, profile or original image – but clearly this would limit the application of the technology. Importantly, the template and corresponding profile (or personal details) of the data subject in question do not need to be held by the same entity – it may still constitute personal data where a data controller has the means to access the corresponding information needed to identify that individual (even where held by a third party supplier).
Directive 95/46/EC sets out the conditions with which the processing of personal data must comply. Article 6 states that images and templates must be relevant, and not excessive, for the purposes of facial recognition processing. As the images constitute biometric data, the processing of the personal data may only be performed if the informed consent of the individual is obtained prior to commencing processing or if another exception is satisfied under the Directive (e.g. for legitimate purposes pursued by the data controller – such as security for the venue in the light of perceived terrorist threats – provided it does not prejudice the rights of the individual concerned). The A29 Working Party notes that some elements of processing may be necessary before consent is obtained, i.e. to verify existing records, but this should only be for that strictly limited purpose, and the information deleted immediately afterwards.
The digital images or templates stored must be used only for the specified purpose for which they have been provided – and for which consent has been sought or where another relevant exemption applies (as, for instance, in the case of the legitimate use exemption described above). The greater the sensitivity of the personal data concerned, the more likely it is that explicit consent will be required.
The A29 Working Party considers that technical controls should be implemented to ensure that third parties do not gain access to the data and use it in an unauthorised manner. As trials of cashless technology grow for events, it may be that this technology is used by individuals to purchase items using credit stored against their profile, for instance drinks or merchandise. Controllers should be aware of the parameters of consent and that data stored against a user’s profile, including data used for, or available from, facial recognition data, can be valuable information for advertising or marketing agencies profiling consumers.
Similarly, controllers and processors will need to guard against security breaches which may result in unauthorised access to the data. The A29 Working Party advises that technical measures such as encryption will need to be used for data storage and data transit. One method suggested by the A29 Working Party is for biometric encryption techniques themselves to be used, so that the cryptographic key is directly bound to the biometric data and is only re-created where the correct live biometric sample is presented on verification.
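The key-binding approach described above can be illustrated with a toy "fuzzy commitment": the verifier stores only helper data (a codeword XORed with the template) and a hash of the key, so neither the key nor the template is kept, and the key is re-created only when a live sample is close enough to the enrolled one for the error-correcting code to absorb the difference. The Python below is an added example, not code from the Working Party or from Pitmans; it assumes a binarised 112-bit template (constructed from a seeded generator, not real biometric data) and uses a 7-fold repetition code, which is far weaker than the BCH-style codes a real deployment would use.

```python
import hashlib
import random

# Toy parameters (constructed for this example): a 16-bit key, each bit
# repeated REP times. A majority vote then corrects up to (REP - 1) // 2
# flipped bits within each group of REP template bits.
KEY_BITS = 16
REP = 7
TEMPLATE_BITS = KEY_BITS * REP


def make_template(seed):
    """Stand-in for a binarised facial template (constructed, not real biometric data)."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]


def bits_to_bytes(bits):
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits), 8))


def key_digest(key_bits):
    return hashlib.sha256(bits_to_bytes(key_bits)).hexdigest()


def encode_repetition(key_bits):
    return [b for b in key_bits for _ in range(REP)]


def decode_repetition(code_bits):
    groups = (code_bits[i:i + REP] for i in range(0, len(code_bits), REP))
    return [1 if sum(g) * 2 > REP else 0 for g in groups]


def enroll(template_bits, key_bits=None):
    """Bind a key to the template. Returns only what the verifier stores:
    helper data (codeword XOR template) and a hash of the key. Neither the
    key nor the template is stored anywhere."""
    if key_bits is None:
        key_bits = [random.SystemRandom().randint(0, 1) for _ in range(KEY_BITS)]
    codeword = encode_repetition(key_bits)
    helper = [c ^ t for c, t in zip(codeword, template_bits)]
    return helper, key_digest(key_bits)


def verify(helper, stored_digest, live_bits):
    """Re-create the key from a live sample; None unless the sample is close
    enough to the enrolled template for the repetition code to correct it."""
    noisy_codeword = [h ^ l for h, l in zip(helper, live_bits)]
    candidate = decode_repetition(noisy_codeword)
    if key_digest(candidate) != stored_digest:
        return None
    return bits_to_bytes(candidate)


def flip(bits, positions):
    """Simulate sensor noise by flipping the given template bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


if __name__ == "__main__":
    template = make_template(42)
    helper, digest = enroll(template)
    # genuine sample: 3 errors in every 7-bit group, the most the code corrects
    noisy = flip(template, [g * REP + j for g in range(KEY_BITS) for j in range(3)])
    print("genuine, noisy  :", verify(helper, digest, noisy) is not None)
    # one more error in the first group flips that key bit, so the hash fails
    print("genuine, 4 errs :", verify(helper, digest, flip(noisy, [3])))
    # impostor modelled as the complement of the template: every bit recovers wrong
    print("impostor        :", verify(helper, digest, [1 - b for b in template]))
```

Two caveats matter in practice: the helper data leaks information about the template unless the template bits are close to uniformly random, and the stored hash lets anyone who obtains it test candidate keys offline, so the key must carry real entropy and the helper data and hash still need the storage and transit protection the Working Party calls for.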
To reduce such concerns the Working Party recommends minimising the data so that the images or templates stored do not contain more data than necessary to perform the specified purpose. Similarly, templates should not be transferable between facial recognition systems. Organisations developing or deploying such technology should also carry out Privacy Impact Assessments (PIA) and follow development methodologies based on Privacy by Design (PbD).
The everyday use of facial recognition software in society to improve security checks for employees, visitors or customers may soon become commonplace, even in the simplest of access control systems.
Data controllers and data processors should be aware of the law in this area as the technology becomes more prevalent. It also appears that the law may need to keep abreast of the various ways in which the software can be exploited to monitor and profile individuals using a range of services, and to ensure adequate protection for data subjects as the technology advances.
For further information please contact Philip James or a member of Pitmans’ Data Privacy & Information Law team.
Philip James
Partner, Digital Media, Technology and Data
T: 0207 634 4655
E: pjames@pitmans.com
Not knowing when to stop puts Twitter libeller on a sticky wicket
March 27th, 2012
Former Nottingham cricketer Chris Cairns yesterday prevailed in his libel claim against Lalit Modi, former chairman of the Indian Twenty20 franchise IPL. The conduct of Modi’s case is an object lesson in how not to deal with allegations of internet libel, and the consequences of that approach have been proportionately severe.
The original allegation, posted on Twitter in January 2010, suggested in clear terms that Mr Cairns was involved in match-fixing, an allegation which Mr Justice Bean has now found Mr Modi to have “singularly failed” to substantiate. So, rule 1: Do not make allegations you can’t prove.
The importance of the allegation to an individual’s private or professional reputation will also have an impact on how the Court will view the defamatory statements. In this instance, the Judge found that the allegation was “as serious an allegation as anyone could make against a professional sportsman” and this was reflected in the damages that he awarded. Rule 2: if the allegation is going to have serious professional or personal repercussions for the person referred to, really make sure you can prove it.
Mr Modi, according to various reports this morning, had still not apologised for the tweet at the point at which the judgment was handed down. For internet defamation, a prompt retraction of, and apology for, a defamatory comment will often be the end of the matter, and may indeed provide a defence for the party who originally published the libel. Rule 3, therefore is: if you have published an allegation you can’t prove, retract it quickly and apologise.
Mr Modi, however, went rather further. At the trial Mr Modi’s barrister (presumably on his instructions) made further allegations in his closing submissions that Mr Cairns was being dishonest. According to the BBC website, the barrister used the terms “lie”, “liar” and “lies” 24 times during his closing speech. In circumstances where the judge indicated that he would in any event have awarded substantial damages of £75,000 to Mr Cairns to reflect the very serious nature of the allegations made, those damages were increased by 20% to £90,000 to reflect the conduct of the case in Mr Modi’s defence. Rule 4: if you are already in a potentially bad situation by having ignored Rules 1 to 3, don’t make it worse!
As is so often the case in libel disputes, however, the damages represent a fairly small percentage of the overall cost to Mr Modi of having defended this action all the way to trial. He has also been ordered to pay Mr Cairns’s legal costs, which are said to be in the region of £400,000, and once his own costs (of a likely similar amount) are taken into account, the case as a whole is likely to have cost him almost £1 million. Rule 5: if you ignore the rules – it is going to cost you.
Needless to say Mr Modi is looking to appeal. In the absence of a third official and an instant replay, he is likely to be in for something of a wait, and significant further costs, before the matter is finally concluded.
Will Richmond-Coggan
Director, Solicitor Advocate
T: 0118 957 0369
E: wrcoggan@pitmans.com
Google’s premier privacy policy violates EU law
March 2nd, 2012
European Union Justice Commissioner Viviane Reding has stated that Google’s new privacy policy, launched yesterday, contravenes European law.
The new policy, announced by Google in January, consolidates 70-plus privacy policies into one main document to govern the majority of its products. Google’s aim is to explain what information is collected and how it is used in a much more readable way, with less “legal gloop to wade through”. Google has said that the multiple policies were over-complicated, and at odds with its efforts to integrate its different products more closely.
In practice, according to Google, users signed in to Google Accounts will be treated as a single user across all the products, meaning Google is able to combine information provided from one service with information from other services. Essentially, private information collected from browsing data and web history by one Google service can be shared with its other platforms, including YouTube, Gmail, Google+ and Blogger. This is to allow it to offer better targeted advertising to users, and customise search results more efficiently.
Google stated it was confident that its “new simple, clear and transparent privacy policy respects all European data protection laws and principle”. EU data protection agencies beg to differ, however, concluding that the new policy does not meet the requirements of the European Directive on Data Protection. Following an investigation by France’s privacy watchdog CNIL (Commission nationale de l’informatique et des libertés), Reding announced “they have come to the conclusion that they are deeply concerned, and that the new rules are not in accordance with the European law, and that the transparency rules have not been applied”.
Despite being warned of CNIL’s concerns, Google proceeded with the launch, and defended the policy stating that it will not change any existing privacy settings or how information is shared outside of Google, with no additional information being collected.
Google has sparked further outrage among its Android users, after it emerged that they must accept the new policy. It has advised that any users concerned about the impact of the changes should choose not to log in to their Google Account on their smartphones, but this means certain applications will be inaccessible. The news has prompted one privacy campaigner to sue Google for the cost of his handset.
To add to its woes, Google has received more widespread criticism of its new policy. The National Association of Attorneys General (NAAG) last week sent a letter signed by 36 state and territorial Attorneys General detailing their “strong concern” with the policy. It highlighted that the policy fails to provide users with an “opt-in” or “opt-out” option. The letter further stated that the automatic sharing of personal information and the ability to learn the whereabouts of users, without their authority, amounts to an invasion of privacy.
Philip James, a Partner who leads Pitmans’ Data Privacy & Information Law team, comments, ‘Viviane Reding’s statement is a clear indication of the EU’s determination to protect consumer privacy and reflects the importance it places on Privacy by Default. The aggregation of a multitude of sites storing users’ profile data, coupled with Google’s increasingly dominant Android mobile platform places Google in a privacy predicament; it will need to be seen to be doing more than others to achieve compliance and prevent successful challenges to its approach. Its recent move is a direct result of its need to maintain market position in the light of Facebook’s continued success’.
CNIL has said it will send Google questions on the changes by mid-March. It remains to be seen how Google will deal with such criticism and probing, but it is safe to say that such scrutiny should be taken seriously.
If you would like further information about Google’s new privacy policy, and how it will affect you, please contact Pitmans’ Data Privacy & Information Law team.
Philip James
Partner, Head of Data Privacy & Information Law
T: 0207 634 4655
E: pjames@pitmans.com
Employers can tell how good you’ll be at your job based on your Facebook profile (and those drunken photos aren’t all bad)
February 28th, 2012
According to a recent study carried out at a university in America, employers may look favourably on an individual based on their social network page. The study showed that an employer is able to tell how good an individual will be at their job just from looking at their Facebook page. Pictures showing drunken nights out, travels and the like suggest that the individual is personable and social, an attractive quality for employers. However, as positive as the results suggest, this is clearly only one side of the story.
A Facebook page may actually discourage some employers from recruiting an individual, and there is in fact evidence which supports this, understandably so. If an individual has made comments about their previous employer then this is a cause for concern. Likewise, if they have been making derogatory comments, voicing extreme opinions or there are compromising pictures, employers may not want to be associated with such an individual. Social media carries risk for an employer, as comments and pictures can go viral. An employer will not want to risk hiring someone who freely shares all information and pictures, no matter how damning or personal they may be, as their actions could end up damaging the employer’s reputation.
Some employers do vet potential employees’ Facebook pages, so individuals would be wise to keep their profiles clean and professional, thus maintaining their credibility. Although you can restrict who views your profile, privacy only extends so far. An employer does not have to seek an individual’s permission before checking profiles.
Likewise, an employer also needs to be careful: if they choose to reject an individual for a job on the basis of what they have seen on a Facebook page, and the individual in question discovers this, then the employer is potentially at risk of a discrimination claim. You should make it clear from the outset what the recruitment process involves and what you do. Any vetting of people’s pages should be proportionate and only carried out when necessary. An employer must be fair to all applicants; some people won’t have a Facebook page, and for those that do, if you view their page, view it with an open mind. Broadly speaking, an employer should not make a judgement based on what they see; remember that this is an individual’s right to express themselves, and it is not necessarily an indication of how they will be in their professional life.
Viewing social media pages may be a useful tool, but one should take care not to rely on what these pages contain. Yes, a profile may make someone more attractive to employers, but there will be cases when this is not so. Remember there are two sides to every story.
For further information on this article, please contact Pitmans’ Employment Team.
Mark Symons
Partner, Head of Employment
T: 0118 957 0340
E: msymons@pitmans.com
Cyberbullying – A time to take note
February 16th, 2012
Thanks to the media and public figures speaking out, awareness of cyberbullying is ever increasing. Due to the rise of the internet, the use of smartphones and the increasing popularity of social media sites such as Twitter and Facebook, cyberbullying is widespread. It doesn’t just occur during work time or school time; it can occur 24 hours a day, 7 days a week. Cyberbullying may be virtual, but this does not mean it is not happening or that it should be ignored.
Cyberbullying can take many forms, from text messaging, phone calls, pictures and emails through to posts on social network sites and account hacking. This bullying is now becoming a form of serious harassment. The main problem with cyberbullying is that it is incredibly hard to monitor and prevent. Social media sites provide people with anonymity, and so tracking down the culprits can be an impossible challenge. People can assume a fake profile or assume many identities.
Currently the law in place is reactive rather than proactive. Instead of providing people with steps they can take to protect themselves from cyberbullying the law instead only provides for compensation once the cyberbullying has taken place. Often people are unaware of their legal rights and what steps they can take. People who are subject to cyberbullying should speak out and record everything, keep texts, take screenshots etc.
Cyberbullying can have a significant impact on a person’s mental and physical health; it can affect self-esteem, confidence and mental wellbeing. It may be possible for someone to bring a personal injury claim against their bullies as a result of this.
The Workplace
Employers should take a clear stance on all types of bullying and make it clear that it is not acceptable. It is standard practice to have an anti-harassment and bullying policy in force.
If an employer fails to take action to stop bullying then there could be a breach of their implied duty of trust and confidence which could result in an employee bringing a claim. At present an employee cannot bring a claim for cyberbullying alone in the Employment Tribunal. It has to be brought along with discrimination or harassment, yet this is likely to go hand in hand with cyberbullying.
An employer may be vicariously liable for the actions of their employees. If an employee is cyberbullying their colleague then an employer may find themselves included as party to a legal claim. An employer is unlikely to be able to argue successfully they were not responsible because the bullying took place outside of work time especially if they were made aware and failed to take steps to reprimand the bully in question.
The Law
Cyberbullies are potentially breaching many laws with their actions, a summary of which is set out below:
Protection from Harassment Act 1997
A person is not allowed to behave in a way which amounts to harassment of another and which he knows or ought to know amounts to harassment. The individual can obtain an injunction against the person causing the harassment. It is also a criminal offence, so a person can be guilty of harassment if they have harassed the person, causing distress and harm, on more than one separate occasion. By making it criminal, the police can be involved and can investigate the harassment and use their powers to identify the harasser if they are not known. It is also a separate offence if the person’s actions cause another to fear that violence will be used against him on at least two different occasions.
Communications Act 2003
A person will be guilty if they send an offensive or grossly offensive message or an obscene or indecent image through a public electronic communications network, or cause such communications to be sent. Likewise, someone will also be liable if they send a message which they know to be false and it is sent for the purpose of causing annoyance, inconvenience or anxiety. It is also an offence to improperly use a public electronic communications network.
Defamation Act 1996
If comments are damaging someone’s reputation, then they are potentially defaming them. Internet hosts should be notified about this to put them on notice, and they should remove the allegedly defamatory material quickly. Once put on notice, they will lose the benefit of the innocent dissemination defence afforded to them if they fail to act.
Malicious Communications Act 1988
It is an offence for one person to send to another any communication or article which conveys a threat, false information or an indecent or grossly offensive message, where such a communication causes the recipient distress or anxiety. Communication covers hard-copy communications and also electronic communications.
The penalty for falling foul of the Communications Act and the Malicious Communications Act is imprisonment for up to six months, a fine or both.
What can you do?
If you are experiencing cyberbullying through social media sites such as Facebook and Twitter then such sites will have policies in place which mean you can report such incidents. Facebook and Twitter, for example, allow you to report abusive content along with fake profiles. As well as reporting such incidents you can block people from being able to contact you. The sites will often offer advice on what you should do if you are experiencing bullying, for example Facebook gives tips on what to do.
An individual should also review the privacy settings on their Facebook account to ensure it can only be viewed by certain people, for example your friends. Individuals should also be wary of how much information they detail about themselves. If personal information is revealed it could lead to someone being able to impersonate you. Be wary of accepting a stranger’s friend request as this could have undesirable consequences, as highlighted by Cher Lloyd.
If an individual is receiving abusive texts, pictures or phone calls then they can contact their mobile network operator to get a number barred. This means the person will no longer be able to communicate with the individual. This may not stop the bullying entirely but by taking positive steps the bully will be stopped in their tracks to an extent.
People do not need to stand back and tolerate such behaviour; there are steps an individual can take against their bullies.
Schools
Despite the age restrictions imposed on social media sites, more and more children are having profiles online. Children are often the most vulnerable to cyberbullying and as highlighted in recent media stories, they are often reluctant to speak out and seek help which can have serious consequences. Children should be educated in schools about cyberbullying and what actions can amount to cyberbullying and the implications cyberbullying can have. By raising awareness children will know what to look out for and should be more willing to speak out.
As you will see, there are many steps an individual can take against cyberbullies, and we are here to help.
If you would like to discuss any of the legal issues raised in this article further please contact:
Mark Symons
Partner, Employment, Cyber Risk Management
T: 0118 957 0340
E: msymons@pitmans.com
Top Tips to Tackle Cybersquatting and Domain Name Disputes
February 6th, 2012
The surge in global internet usage in recent years has resulted in domain names becoming precious and sought after commodities. “Cybersquatters” have inevitably sought to take advantage of this. In order to ensure the success, protection and promotion of your brand, it is paramount to take steps to prevent cybersquatting activities. If the opportunity for prevention has been lost, and a domain name dispute does arise, it is important to resolve any potential disputes effectively and efficiently.
Cybersquatting is the registering, selling or using of a domain name in bad faith with the intent of profiting from the goodwill of someone else’s trade mark. It generally refers to the practice of buying up domain names that use the names of existing businesses and trying to sell them back to a party for an inflated price. It is also commonly used to direct traffic to the cybersquatter’s website or the website of a competitor of the trade mark holder in return for payment of a commission.
Prevention is always better than cure. There are a number of steps that can be taken to protect domain names and reduce the risk of disputes arising:
1. Search prior to registration – A search of unregistered and registered trade marks in territories of interest will assist you in identifying whether there are likely to be issues in using and/or registering a domain name.
2. Strategy - Registering every available domain name extension is not always possible or necessary. Registrations of Country Code Top Level Domains (“ccTLDs”) and Generic Top Level Domains (“gTLDs”) should be targeted according to your business interests and the territory you operate in.
3. Register the domain name as a trade mark – It may be worthwhile considering registering your domain name as a trade mark. Having a registered trade mark could assist in the event of a dispute over rights in a domain name.
4. Register common misspellings - If a name is commonly spelt incorrectly it may be advisable to register misspellings in order to prevent “typosquatters”.
5. Identify new ccTLDs and gTLDs – New extensions are continually being introduced. Make sure you are up to date and consider including them in your domain name portfolio.
6. Monitor – Regularly check and actively monitor if any similar domain names have been registered. There are services available which will actively monitor all new registrations and services which purchase domain names as soon as they become available for registration.
7. Manage - Be aware that your domain name requires renewal and may be registered by a third party if you forget. Work with a registrar, and ensure that contact details are kept up to date.
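Steps 4 and 6 above (register common misspellings, and monitor for similar registrations) can be partly automated: generate the single-keystroke misspellings of your own label under each TLD you care about, then intersect that watch-list with a feed of new registrations. The Python below is an added example, not Pitmans’ own tooling; the brand label "examplebrand", the TLD list, the adjacent-key table and the registration feed are all constructed for illustration.

```python
# Adjacent keys on a QWERTY layout (constructed subset; extend for other layouts)
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def typo_variants(label):
    """Single-edit misspellings of a domain label that a typist commonly makes:
    omitted character, doubled character, adjacent-key slip, swapped neighbours."""
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                      # omitted character
        variants.add(label[:i] + ch + ch + label[i + 1:])             # doubled character
        for key in QWERTY_NEIGHBOURS.get(ch, ""):                     # adjacent-key slip
            variants.add(label[:i] + key + label[i + 1:])
        if i + 1 < len(label) and ch != label[i + 1]:                 # swapped neighbours
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    variants.discard(label)
    variants.discard("")
    return variants


def watch_list(label, tlds):
    """Every misspelling, plus the exact label, under every TLD the business cares about
    (step 5: the TLD list needs maintaining as new extensions appear)."""
    return {f"{name}.{tld}" for name in typo_variants(label) | {label} for tld in tlds}


def find_lookalikes(label, tlds, registered_feed, owned):
    """Watch-list entries that appear in a registration feed and are not already ours."""
    hits = watch_list(label, tlds) & set(registered_feed)
    return sorted(hits - set(owned))


# Constructed sample data: the business's own registrations and a feed of
# recently registered domains as a monitoring service might supply it.
OWNED = {"examplebrand.com", "examplebrand.co.uk"}
SAMPLE_FEED = [
    "examplebrand.com",        # ours
    "exampelbrand.com",        # transposition of two letters
    "examplebrnad.co.uk",      # transposition under a second TLD
    "examplebrand.net",        # exact label under a TLD not on the watch-list
    "unrelated.com",
]


def lookalikes_in_sample_feed():
    return find_lookalikes("examplebrand", ["com", "co.uk"], SAMPLE_FEED, OWNED)


if __name__ == "__main__":
    print(len(typo_variants("examplebrand")), "misspellings generated")
    for domain in lookalikes_in_sample_feed():
        print("lookalike registered:", domain)
```

The "examplebrand.net" entry is deliberately left unflagged: it is only caught if ".net" is on the watched TLD list, which is why step 5 (keep the TLD list current) matters as much as the misspelling generator. The candidate list is also what you would feed into a registrar's bulk-availability check when deciding which misspellings to pre-register under step 4.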
If a dispute cannot be avoided, there are various ways for resolution:
As an initial step, a Cease and Desist letter (asking the other party to stop using and to transfer the domain name) may be enough to prompt them to transfer it and avoid further legal action. Negotiating a price for the acquisition of the domain name may be the commercially prudent solution.
There are Domain Name Dispute Resolution Services directly applicable to domain names, which are incorporated in the terms of registration. The most widely used is the Uniform Domain Name Dispute Resolution Policy (“UDRP”), which allows complaints to be filed with the World Intellectual Property Organisation (“WIPO”) and other national bodies. These services have been developed to allow for a more timely and cost-effective resolution of disputes without the need to resort to court proceedings.
Domain name recovery can also be dealt with via traditional Dispute Resolution techniques and options, including mediation, can be explored.
To be successful in a UDRP complaint, a complainant must establish that:
i. The domain name registered by the respondent is identical or confusingly similar to a trade mark or service mark in which the complainant has rights;
ii. The respondent has no rights or legitimate interests in respect of the domain name; and
iii. The domain name has been registered and is being used in bad faith.
To avoid failures, here are some UDRP filing tips to ensure a cost-effective success:
1. Research, research, research – The importance of research cannot be underestimated. Research case law, research the registrant, research the provider you want to use, research your panellist.
2. Include similar domain names under the same defendant - It is always recommended to include other domain names containing your marks in a complaint. Use a service that will allow you to search a registrant name and identify their domain portfolio. If there are similar domains (typos or phonetically similar) owned by the same registrant, it would be worth adding these domains to the complaint so you can maximise your return.
3. Check the panellist appointed to your case – You have the right to object to any appointed panellist. Once named, it is advisable to review the biography of your panellist to ensure that there is no potential conflict of interest and to give you the best chance of a favourable decision.
4. Use three-person panels only for complex cases - If your case is clear, supported with ample evidence and fulfils all three requirements outlined above, a one-person panel is likely to be sufficient.
5. Shorter is sweeter – A limit of 5000 words is placed on the UDRP assertions and arguments, but in all likelihood you should never need to use the maximum word length in your filing. You will find more success if your arguments are succinct and supported by relevant case law.
6. Don’t just settle – It may be worth proceeding with the case to establish a record of documented evidence that may be used by yourself and others filing against the same registrant. Additionally, your company will be on record as an organisation that takes a proactive stance against cybersquatters.
For further information on domain name filing, domain name protection strategies and Domain Name Dispute Resolution, please do not hesitate to contact Pitmans’ Intellectual Property team.
Stacey Jones
Solicitor
T: +44 (0)118 957 0235
E: staceyjones@pitmans.com
Sally Britton
Partner
T: +44 (0)20 7634 4623
E: sbritton@pitmans.com
ECJ Finds ISP Filtering Falls Foul of EU Law
December 2nd, 2011
The ECJ has held that an order imposed by a Belgian court, which required an internet service provider (“ISP”) to filter and block access by its customers to files containing infringing copies of musical works, was incompatible with EU law. (Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL, Case C-70/10, 24 November 2011.)
The case concerned questions referred by the Brussels Court of Appeal to the ECJ regarding Scarlet, an ISP. Scarlet was ordered by a Belgian court to make it impossible for its customers to share files that infringe rights held by members of SABAM, the Belgian Society of Authors, Composers and Publishers.
In 2004, SABAM established that users of Scarlet’s services were downloading works in SABAM’s catalogue from the Internet, without authorisation and without paying royalties, by means of peer-to-peer networks (a transparent method of file sharing which is independent, decentralised and features advanced search and download functions).
Upon application by SABAM, the President of the Brussels Court of First Instance ordered Scarlet, in its capacity as an ISP, to bring those copyright infringements to an end by making it impossible for its customers to send or receive in any way electronic files containing a musical work in SABAM’s repertoire by means of peer-to-peer software.
On the reference, the ECJ held that EU law precludes the imposition of an injunction by a national court which requires an ISP to install a filtering system with a view to preventing the illegal downloading of files. It concluded that such an injunction does not comply with the prohibition on imposing a general monitoring obligation on such a provider. The filtering system would mean that the ISP was required to monitor data relating to its customers, which is explicitly prohibited by Art 15 of the E-Commerce Directive.
The ECJ also ruled that the injunction did not comply with the requirement to strike a fair balance between, on the one hand, the right to intellectual property, and, on the other, the freedom to conduct business, the right to protection of personal data and the freedom to receive or impart information – fundamental rights safeguarded by the Charter of Fundamental Rights of the EU.
The case follows an earlier UK ruling where BT became the first ISP to be forced by a court order to block its customers from accessing a website on grounds of copyright infringement. The site in question, www.newzbin.com, allowed users to share data files, predominantly pirate films, TV show downloads and music. The case was brought by six major film studios.
Scarlet was held distinguishable in that the film studios were not asking for an unlimited filtering system covering all customers, but rather for a clear and precise injunction requiring BT to implement an existing technical solution which BT itself had accepted was technically feasible and not excessively costly. Therefore, it was not in breach of Article 10 of the European Convention on Human Rights.
It is clear that the scope of the injunction sought and the technical feasibility of achieving it will be relevant in each case. This also does not bode well for any orders which the Secretary of State may make under the Digital Economy Act (DEA), as any such orders to prevent unlawful file sharing may be unenforceable under EU law for similar reasons.
The online infringement provisions of the DEA oblige ISPs to assist in identifying copyright infringers and allow enhanced measures to be taken against copyright infringers, including an ability to require ISPs to suspend internet connection to persistent offenders. Following a recent Judicial Review (JR) by BT and Talk Talk, the High Court has held that the provisions of the DEA are compatible with EU law; so, whilst copyright owners and the government are relieved by the JR decision, the issue still very much remains open in light of Scarlet.
For more information, please do not hesitate to contact Pitmans’ Intellectual Property Team.
Philip James
Partner
T: +44 (0)207 634 4655
E: pjames@pitmans.com
The private sector “has a crucial role to play” in the UK government’s new cyber security strategy
November 30th, 2011
On 25 November, the government published its cyber security plan setting out in greater detail how it intends to work with the private sector in countering cyber risk. What is becoming increasingly clear is that responding to this risk is something that is best tackled by a public-private partnership. Given the austere economic climate, this approach may present both public and private concerns alike with new opportunities.
The Minister for the Cabinet Office and Paymaster General, Francis Maude, explained in a written statement that the purpose of “…this strategy [is to] outline how we will cement a real and meaningful partnership between the Government and private sector in the fight against cyber attacks”. He also emphasised that the private sector “has a crucial role to play” in carrying out the government’s plans since it “owns, maintains and creates most of the very spaces [the government] are seeking to defend”.
The plans include a new national cyber security ‘hub’ that will allow the Government and businesses to exchange information on threats and responses with the private sector. A pilot will commence in December and will involve five business sectors: defence, finance, telecommunication, pharmaceuticals, and energy.
Other highlights of the government’s anti-cyber crime strategy include:
• Creation of a new national cyber crime capability as part of the new National Crime Agency by 2013, and enhancing the work of the Metropolitan Police’s eCrime Unit by expanding the deployment of ‘cyber-specials’;
• By the end of 2011, building a single reporting system for citizens and small businesses to report cyber crime so that action can be taken and law enforcement agencies can establish the extent of cyber crime (including how it affects individuals and the economy);
• Promoting greater levels of international cooperation and shared understanding on cyber crime as part of the process begun by the London Conference on Cyberspace, in addition to promoting the Council of Europe’s Convention on Cybercrime (the Budapest Convention) and building on the new EU Directive on attacks on information systems, as well as contributing to the review of security provisions of the EU Data Protection Directive and the proposed EU Strategy on Information Security;
• Working with domestic, European, global and commercial standards organisations to stimulate the development of industry-led standards and guidance that help customers to navigate the market and differentiate good cyber security products;
• Creating and building a dedicated and integrated civilian and military capability within the MoD, mainstreaming cyber within the organisation and setting up a Defence Cyber Operations Group (DCOG). An interim DCOG will be in place by April 2012 and will achieve full operational capability by April 2014;
• Undertaking a review of policy and regulation of the UK communication sector, with a view to publishing a Green Paper early in 2012 followed by a White Paper and a draft Bill by 2013;
• Supporting net neutrality and the open internet by working with the Broadband Stakeholder Group to develop industry-wide principles on traffic management and non-discrimination and reviewing its transparency code of practice in early 2012;
• Establishing a certification scheme for certifying the competence of information assurance and cyber security professionals by March 2012, and a scheme for certifying specialist training in 2012. Continuing to support the Cyber Security Challenge as a way of bringing new talent into the profession; and
• Identifying Centres of Excellence in cyber research to locate existing strengths and providing focused investment to address gaps, with the first focused investment occurring by March 2012.
It seems this strategy will require responses at a national level as well as greater international collaboration, not to mention the orchestration of resources within and outside the traditional defence communities. This raises its own challenges, but if ever there was a common cause, this is it. Or is it? Some nations may prefer to allow cyber strikes to be launched from their shores in the hope of receiving the benefit of any stolen assets. Watch this space. There may also be opportunities for employers to engage cyber poachers turned gamekeepers to assist defence and IT security. The level of support that government can lend to such employment opportunities will undoubtedly determine their success.
This is one of a series of articles on cyber security. To read the last article in this series, on protecting your business from cyber security threats, please click here. Pitmans will be hosting an evening seminar on Cyber Asset Protection on 1 February 2011 in London. For further discussion of these and other issues, please join us. Click here for more information on this seminar, or if you would like to register your interest now, please email poppy@pitmans.com.
Carolyn Butler
Solicitor
T: +44 (0)118 957 0234
E: cbutler@pitmans.com
Philip James
Partner
T: +44 (0)207 634 4655
E: pjames@pitmans.com
Hope for the Best. Prepare for the Worst. How your business can mitigate the costs of cyber security threats
November 1st, 2011
Cyber attacks targeted at the UK are once again in the news. The director of the government’s communications intelligence agency, GCHQ, Iain Lobban, reported in The Times (31 October 2011) this week that the country has been subject to a “disturbing” number of cyber threats. However, Mr Lobban observes in his report that the challenges faced by cyber security are “not for the government alone”.
Since the government announced this time last year that it had allocated £650 million to cyber security and resilience as part of its Strategic Defence and Security Review, it has started to endorse a collaborative approach between the public and private sectors to cyber security. Although the government is keen to demonstrate that the issue is a top priority, it has acknowledged that it can’t manage the challenges posed by cyber threats single-handed – not least because the majority of providers of Critical National Infrastructure (CNI), such as energy, water, finance, transport and telecommunications, are in the private sector. The foreign secretary William Hague will host a two-day conference on cyber security in London this week, to advance the dialogue with the business community in that respect.
As a consequence, the government has highlighted to the private sector what it has to lose (and in fact has already lost) in playing down the importance of cyber security. Last week, Major General Jonathan Shaw, head of the Ministry of Defence’s cyber security programme, told the Daily Telegraph (24 October 2011) that hacking by foreign governments and organisations had already cost the UK economy £27 billion and that “the biggest threat to this country by cyber is not military, it is economic”. Mr Lobban reinforced this view in his report, stating that the theft of British ideas and designs in the IT, technology, defence, engineering and energy sectors “doesn’t just cost the companies concerned; it represents an attack on the UK’s continuing economic wellbeing”. In other words, there seems to be an overwhelming opportunity for continued public private partnerships in this sector, as well as reciprocal arrangements between the defence and non-defence sectors to counter this threat.
So what can businesses do to safeguard their economic interests? Chatham House, a leading independent think tank on international affairs, has made a number of recommendations for businesses in its report entitled Cyber Security and the UK’s Critical National Infrastructure which it published last month. While the report is primarily aimed at corporations active in CNI sectors, it is also essential reading material for any board member. In particular, examples of good, improving and poor cyber security practice are explored in pages 23 to 26 of the report.
Below, we highlight and comment upon some of the key recommendations from the report and some practical suggestions for board members to enhance an organisation’s resilience to cyber threats.
1. Vulnerabilities: Senior management need to acquire (if they haven’t done so already) a good understanding of the vulnerabilities and dependencies of their business, and the implications for budgets and reputation management that they may entail. First, examine the dependencies of your business and consider, in particular, those that may be ‘hidden’ in the other businesses on which it depends (as well as any ongoing chains of supply). Identify both existing and emerging risks.
2. Risk Assessment and Response: Once you have a better understanding of your business’ and its suppliers’ vulnerabilities, look at the processes and mechanisms that are already in place to assess the risks posed by cyber attacks and to respond to such attacks if and when they occur, and consider how they work in practice. If there is a disparity between policy and practice, one or the other must change. If appropriate, consider engaging a penetration (PEN) or vulnerability testing consultant to stress-test and evaluate your IT security measures. Such a consultant can also propose a number of options to repair any gaps or improve security in line with your requirements. Assess the adequacy of the response measures and contingency plans you have in place to cope when any element of the chain of dependency fails.
3. Investment: Cyber security is often under-funded despite the economic damage that a breach may entail. In order to work well, the planning and implementation of cyber security measures must be underpinned by appropriate resource allocation, in terms of both human resources and financial investment. In the current economic climate, this remains one of the key challenges. However, carefully allocated resources can result in significant improvements to security which can materially reduce the business impact and remedial costs should an incident occur.
4. Know-how: The training and development of all staff that may encounter cyber threats must be viewed as an integral part of your organisation’s risk management strategies. Is everyone aware of the risk assessment mechanisms and security procedures? Your organisation will therefore need to decide whether to adopt best practice depending upon the viability and sensitivity of your systems and the information contained within. Mechanisms that allow for the reporting, and onward dissemination, of know-how gained from experience (in particular “lessons learned” from cyber security incidents) are also essential.
5. Board-level Buy-in: Cyber security can no longer be delegated to the IT team to deal with on its own. According to the Chatham House report, “the potential for damage, both economic and reputational, from complacency over matters of cyber dependency and vulnerability is too high to be ignored” and deserves the regular attention of senior management. Ensure it regularly appears on your agenda.
6. Communication: The Chatham House report suggests that the issues connected with communicating technical ideas to non-technical people are intimately linked to the issue of board-level buy-in, since in its research it often found that “an organisation’s cyber security policy is not delegated (in a constructive managerial way) but is deliberately pushed below the boardroom level in order to remove a complex and baffling problem from sight”. Chatham House wants to see more chief information security officers from non-technical backgrounds appointed, and advises that “IT security departments [need] to develop a deeper understanding of how value is created in the organisations they endeavour to protect” to meet the business’s needs. However, communication flows both ways, and it is equally important for the board to grasp the nettle of cyber security with both hands to develop a coherent, strategic response.
In addition to these recommendations, organisations should also consider the following:
Insurance
Review your insurance policies to ensure you are adequately protected against risks that cannot be mitigated. If you discover any uninsured risks that need to be covered, discuss with your insurer what they can do for you. Given the diversity of risks faced by different businesses, corporations are increasingly finding a ‘one-size-fits all’ approach to IT-related policies, such as network security insurance and business continuity insurance, is impractical at best and, at worst, leaves them perilously exposed. Many insurers now offer a flexible, or even bespoke, range of policies to meet this emerging need.
Reputation Management
As part of your contingency and disaster recovery planning, consider whether and in what circumstances you would need to engage an agency experienced in ICT reputation management in order to minimise any long-term damage to your business and/or its brand. If this could be necessary, investigate the available options now, and ensure a protocol is in place so that assistance is sought where appropriate. Some insurers also offer policies to cover the costs of retaining public relations assistance in the event of a crisis.
Pitmans will be hosting an evening seminar on Cyber Asset Protection on 1 February 2011 in London. For further discussion of these and other issues, please join us. Click here for more information on this seminar, or if you would like to register your interest now, please email poppy@pitmans.com.
Carolyn Butler, Solicitor
T: +44 (0)118 957 0234
E: cbutler@pitmans.com
Philip James, Partner
T: +44 (0)207 634 4655
E: pjames@pitmans.com
Jonathan Durrant, Director
T: +44 (0)118 957 0270
E: jdurrant@pitmans.com
For more information, please see:
Pitmans’ Defence and Security legal services
Pitmans’ Data Privacy & Information Law legal services
Digital Marketing Complaints Rocket
September 29th, 2011
What’s the news and the current trend?
The Advertising Standards Agency (ASA) has recorded a huge surge in complaints made about companies’ digital marketing communications, with figures exceeding 5,500.
5,531 complaints were recorded about brands’ online marketing communications since March, when the ASA’s remit was extended to cover the area.
The ASA now covers non-paid for online marketing communications under the marketer’s control, including social media such as Facebook, as well as companies’ own websites. A marketing communication is a type of communication for a good, service, opportunity or gift that primarily sets out to sell something. Marketing communications may set out to sell in a myriad of different ways, and may not necessarily include a price or seek an immediate financial transaction. Also included are direct solicitations for donations as part of a company’s own fund-raising activities.
In the seven months since the remit was extended, the total number of complaints received across all channels reached 18,369. This is an increase of 30% on the same period in 2010.
No one business sector was primarily responsible, with blame being spread equally across the retail, leisure and telecoms sectors, amongst others. The type of complaints matched the typical spread for broadcast and non-broadcast adverts, and concerned issues with price and availability. Complaints regarding misleading alternative health sites were also notable.
To deal with the increase in complaints, the ASA has increased staff numbers by 10%. The ASA has commented that not all advertisers can be expected to be immediately compliant, and that many companies do not yet know about the changes.
Online marketing communications are governed by the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (the CAP code). If a marketing communication breaks the Code, the organisation/individual responsible is told to amend or withdraw it. If they do not, the Compliance team will consider the sanctions available to it.
Non-compliance may result in removal of paid-for advertising, adverse publicity as a result of ASA adjudications, denial of access to advertising space, and the withdrawal of recognition and trading privileges, such as discounts. The company in question may also face action for breach of the Consumer Protection Regulations.
How can Pitmans help?
Pitmans Digital Brands Team can carry out a digital marketing and brand audit of your digital channels (Twitter, Apps, Facebook pages, Company website) at an agreed fixed cost.
We can identify any risks, whether they be regulatory or legal, and provide a clearance risk assessment. We can also advise on ways in which you can protect and manage your digital brand portfolio, as well as advise on any IP rights and data comprised in your digital channels. All sectors are affected but clients in the Media & Entertainment, Automotive, Hospitality and Retail sectors may find this of particular interest.
For further details please contact:
Philip James
Partner
T: 0207 634 4655
E: pjames@pitmans.com
Sally Britton
Partner
T: 0207 634 4623
E: sbritton@pitmans.com
