Cyber security affects all businesses and industries and is a Board level agenda item.
This article provides a round-up of best practice, news and legislative developments concerning cyber security in Europe, Asia, Australia and the USA.
The EU General Data Protection Regulation has finally been approved and published in the Official Journal. The countdown to its application date of 25 May 2018 has therefore begun.
The European Commission published its first draft of the EU General Data Protection Regulation (the "GDPR") in January 2012, a comprehensive reform of the current EU regime. In April 2016, after over four years of debate, the final text of the GDPR was formally approved.
The GDPR has now been published in the Official Journal (on 4 May 2016) and entered into force on the 20th day following that publication (i.e. on 25 May 2016). There is now a two year implementation period, meaning that it will apply across Europe from 25 May 2018.
However, please see below for details of the possible implications for data protection and the GDPR of the UK's vote to leave the EU.
The EU Network and Information Security Directive (otherwise known as the Cyber Security Directive) has finally been published in the Official Journal. Member States will now have until 9 May 2018 to adopt appropriate national legislation to comply with the Directive, with such legislation to apply from 10 May 2018.
The Cyber Security Directive requires certain "operators of essential services" to adopt risk management practices and report major security incidents on their core services to the appropriate national authority.
By 9 November 2018, for each sector and subsector referred to in Annex II to the Directive, Member States are required to identify the operators of essential services with an establishment on their territory. The sectors listed in the Directive are: energy, transport, banking, financial market infrastructures, the health sector, drinking water supply and distribution, and digital infrastructure. The criteria for the identification of operators of essential services are that:
- an entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
- the provision of that service depends on network and information systems; and
- an incident would have significant disruptive effects on the provision of that service.
Digital service providers, being providers of online marketplaces, online search engines and cloud computing services, are also subject to security requirements.
The "in-out" Referendum on the question of the UK's membership of the EU has resulted in a majority of voters (on a turnout of approximately 72%) preferring the UK to leave the EU. The vote was 51.9% in favour of leaving, with 48.1% voting to remain. Under the terms of Article 50 of the Treaty on European Union, which governs the process, the UK must first inform the European Council of its intention to leave the EU. This notification triggers the two-year period specified by the Treaty for the negotiation of the terms of a Member State's withdrawal.
In the sphere of data protection, the referendum result leaves a number of questions unanswered about whether and when organisations in the UK will have to comply with the requirements of the upcoming General Data Protection Regulation ("GDPR").
The GDPR is due to apply from 25 May 2018. If the UK does not actually exit from the EU until, say, November 2018 (because of the two-year negotiation period under Article 50), that would leave organisations with the difficult scenario of having to comply with the GDPR for a short period of time before potentially then having to move to comply with a new UK law.
However, when putting in place any new UK data protection law post-Brexit, it is in practice unlikely that the UK will want or be able to stray far from the principles of data protection set out in the GDPR. Depending upon the form of Brexit undertaken, the UK may be required to adopt certain EU laws anyway, including data protection laws. Also, the UK Government will want to ensure that the transfer of data to and from the UK is not restricted, as this could have a negative effect on UK business. The GDPR includes a provision prohibiting the transfer of personal data outside of the EEA unless adequate protections are in place. If the UK were no longer part of the EEA, then to avoid administratively burdensome measures to overcome this prohibition, the Government would be likely to seek an "adequacy decision" from the European Commission, declaring that the UK is "adequate" for data protection purposes. However, this is likely to be possible only if the UK has in place data protection regulation that is essentially equivalent to the GDPR.
In relation to specific cyber security legislation, the timing of the Network and Information Security Directive (the "NIS Directive") may also have an impact on the UK's implementation of, and compliance with, such legislation. As described above, Member States have until 9 May 2018 to transpose the NIS Directive into national law, and until 9 November 2018 to identify the operators of essential services who will be subject to some of the requirements of the Directive. This timing could coincide with the timing of the UK's exit from the EU, meaning that the UK Government may take the decision not to implement the NIS Directive into national law at all. However, given that the Government has already taken steps in anticipation of the NIS Directive (such as the new National Cyber Security Centre – see below), and the importance of international cooperation on cyber security issues, we would anticipate that something similar might be implemented instead.
The European Commission adopted an adequacy decision on 12 July 2016 allowing for the transatlantic transfer of personal data from the EU to the US in accordance with the framework and principles of the EU-US Privacy Shield (the "Privacy Shield").
The Privacy Shield was proposed earlier this year following the decision of the Court of Justice of the European Union in October 2015 finding the previous transatlantic compliance mechanism, the US Safe Harbor, invalid.
The "adequacy decision" was notified to Member States on 12 July 2016 and entered into force immediately. On the US side, the Privacy Shield framework will be published in the Federal Register, the equivalent of the EU Official Journal. The US Department of Commerce will then start operating the Privacy Shield. Once companies have had an opportunity to review the framework and update their compliance, they will be able to certify with the Commerce Department from 1 August 2016. In parallel, the European Commission will publish a short guide for citizens explaining the remedies available where an individual considers that his or her personal data has been used in the US without regard to the data protection rules.
The Culture, Media and Sport Committee (the "Committee") of the House of Commons has published a report in the wake of the TalkTalk cyber attack of 21 October 2015, recommending, amongst other things, that a part of CEO compensation be linked to effective cyber security.
On 21 October 2015, there was a cyber attack on UK telecommunications and internet provider TalkTalk. A House of Commons inquiry was launched on 3 November 2015 and, on 20 June 2016, the inquiry committee published its report. Key findings and recommendations of the report included, at an organisational level:
- That organisations handling large quantities of personal data should submit annual reports to the ICO on data protection/cyber security matters, including cyber training for staff; details of security audits; and details of guidance provided to customers (both current and prospective) relating to cyber attacks.
- That security by design should be a core principle for new systems and app development and a mandatory part of developer training.
- That responsibility for cyber security should sit with someone able to take full day-to-day responsibility, with Board oversight, and who can be fully sanctioned if the organisation has not taken sufficient steps to protect itself from a cyber attack.
- That, to ensure the issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.
The committee also made a number of recommendations in relation to regulation and regulatory sanctions, including:
- That the ICO should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches. Greater fines should also be available for any delay in notifying a breach to the regulator.
- That the process for consumers to claim compensation for data breaches should be made easier.
- That the Committee supported the availability of custodial sentences in cases of unlawful possession and sale of personal data. Strong support was also expressed for the ICO's decision to create a privacy seal, to be awarded to organisations with a strong privacy practice and data protection standards.
The UK government has recently confirmed that its National Cyber Security Centre ("NCSC") will begin operations in October 2016. This newest body to be established as part of the UK's continuing fight against cybercrime will be headquartered in London and is to be "the authoritative voice on information security in the UK".
However, it will be interesting to see what role the NCSC might play under the regime to be introduced by the NIS Directive. The NIS Directive will impose new network and information security requirements on digital service providers and operators of essential services. Amongst other things, they will be required to report certain security incidents to either a "competent authority" or a "Computer Security Incident Response Team" ("CSIRT"). It seems possible that CERT-UK, the National Computer Emergency Response Team formed in March 2014, would be designated as a "CSIRT" in the UK. However, it is not clear at this stage who the designated "competent authorities" would be in the UK, although it is likely that these would be the existing sectoral regulators such as the FCA/PRA in the financial services sector.
The NIS Directive then envisages that the reports received by CSIRTs and competent authorities will be funnelled up to a designated national "single point of contact", responsible for coordinating network and information security issues and taking charge of cross-border cooperation at EU level. The NCSC would seem to be an obvious choice to act as the UK's national single point of contact, given that it is already being positioned as the authoritative voice on information security in the UK. However, to the extent that the NCSC is designated for this role, regulated entities will be dealing with an authority that acts as a regulator on the one hand and a national security and intelligence organisation on the other, a first for many industries.
Who will take on the various roles in the UK envisaged by the NIS Directive remains to be seen. As mentioned above, following the Brexit referendum, it may even be the case that the UK never ends up implementing the NIS Directive into local law, because the timing of required implementation could mean that the UK has exited, or is about to exit, the EU at the same time as it is required to implement the Directive.
The European Banking Federation ("EBF"), the Global Financial Markets Association ("GFMA") and the International Swaps and Derivatives Association ("ISDA") have announced their intention to begin negotiations on common global cyber security, data and technology policies through a new set of common principles (the "Principles").
The Principles will be submitted to the Financial Stability Board ("FSB") and the International Organisation of Securities Commissions ("IOSCO") for their views and comments, since they are the international organisations responsible for setting and maintaining standards.
The Principles set out two key issues that must be recognised before effective policymaking can be established. First, cyber security, data protection and technological advancement are international issues requiring global solutions. Second, cyber security threats and risks, and the technology that mitigates them, shift faster than regulations and standards can respond.
The purpose of the Principles is therefore to capture and proactively share the considerations that should be taken into account when a nation or one of its agencies or standard-setting bodies creates laws, regulations or standards that affect the technology infrastructure of financial services firms operating globally. The EBF, GFMA and ISDA urge IOSCO and the FSB to take the Principles into account when engaging in policymaking and standard-setting activities, to ensure that financial systems around the world better address the risks that may cause the most harm and are as secure as possible.
On 11 April 2016, the High Court of England and Wales issued its judgment in the case of Axon v Ministry of Defence EWHC 787 (QB), finding that an employer could be held vicariously liable for data protection breaches by its employees. The case involved the leaking of data to the Sun newspaper by an employee of the Ministry of Defence. The commentary on vicarious liability was not directly applicable, as the court had already found that there was no actionable claim in the case at hand. However, the judge nonetheless considered whether, had the Claimant had an actionable claim, the Ministry of Defence (as the employer in the case) could have been held vicariously liable for the actions of its employee.
Two earlier decisions of the Supreme Court were considered, under which the standard for vicarious liability required: (a) a relationship between the wrongdoer and the defendant; and (b) a connection between that relationship and the wrongdoer's default. In the Axon case, there was a pre-existing relationship of employment between the employee and the MOD, thus satisfying the first criterion. Moreover, the employment involved working with sensitive data. The employee had access to Top Secret information and had contractually agreed to maintain the confidentiality of such data. Having accessed the information relating to the Claimant in the course of her employment, the employee had a contractual duty to maintain its confidentiality, which she failed to do by disclosing it to the Sun. Thus, her employment relationship was directly connected to her act of committing the data breach, since she would not have had access to such information but for the nature of her employment. Therefore, the court held that if the Claimant had had an actionable claim, the Ministry of Defence would have been held responsible for the conduct of its employee.
Although, as mentioned above, the discussion on vicarious liability was obiter, it is certainly relevant for its potential impact on employers in the area of data protection and effective employee training with respect to the same.
One of the big challenges for the cyber insurance industry is assessing systemic aggregation risks. But the market is not standing still. For example, a leading international reinsurance broker and a major cyber security firm announced in May 2016 that they are collaborating on a model of cyber aggregation.
Assessing cyber aggregation risk is difficult for two main reasons. Firstly, there are challenges in identifying and assessing the underlying risks. Data regarding risks such as fire, flood and earthquakes has been around for centuries, with the result that insurers have a wealth of statistics and experience to draw on. In the cyber insurance industry, the bank of data available is far more limited. Secondly, there are aggregation difficulties. Other risks can have clearly established boundaries to limit aggregation: for example, terrorist events, fires and floods can all be limited by geography or by duration. Cyber risk means different things to different people, and such risks are not necessarily confined by bright line boundaries. For example, one cyber attack on a cloud-based payment system could lead to a wide range of international individual claims by disparate policyholders in different jurisdictions.
Greater understanding of the mechanism and effect of aggregation in cyber events will allow the cyber insurance industry to offer appropriate limits to policyholders without unduly exposing themselves to systemic risks.
A cyber attack, resulting in the loss of the equivalent of USD 50 million in the cryptocurrency Ether, has highlighted the vulnerabilities of blockchain technologies and so-called smart contracts. The Decentralised Autonomous Organisation ("DAO") is an investment fund based on the Ethereum blockchain technology. The DAO enables people to buy in to the fund by exchanging paper currency for virtual currency, known as Ether. The virtual currency can be further exchanged for tokens, which are then spent on various investments. The idea is that anyone who invests has a say in which companies to fund.
Blockchains are believed to be extremely secure as, when implemented properly, the computing power that would be required fraudulently to manipulate the blockchain is greater than any one perpetrator could possess. Ethereum is built in such a way as to allow for decentralised organisations to be built on top of its blockchain and to provide for smart contracts that can execute themselves automatically if certain conditions are met. While the blockchain itself might be secure, vulnerabilities can lie in the surrounding software. For example, according to the Ethereum website, the vulnerability in this case lay in DAO's software rather than the Ethereum blockchain. This software vulnerability allowed a hacker to syphon millions of Ether into a "clone" DAO.
Following the attack, the DAO community has been working to come up with a solution. One possible such solution is essentially to wind back the currency to a point before the attack happened, erasing subsequent transactions including not only the fraudulent ones but legitimate transactions too. The decentralised nature of the DAO means that decisions have to be reached by consensus and there is some resistance to the idea of rolling back the clock.
In the meantime, the nature of the DAO and Ethereum means that the funds cannot be "spent" for a period of 27 days, giving the community some time to decide what to do.
The Hong Kong Monetary Authority ("HKMA") issued a press release on 18 May 2016 on the launch of a "Cyber Security Fortification Initiative" ("CFI"), which is aimed at raising the level of cyber security of banks in Hong Kong. The HKMA also released a formal circular on 24 May 2016 setting out that it is a supervisory requirement for banks to implement the CFI.
Following the announcement of this initiative, the HKMA further issued a circular on 26 May 2016 reiterating the requirement for Authorised Institutions providing Internet banking services to strengthen further their security controls, in light of recent incidents involving unauthorised share trading transactions.
This initiative follows a previous circular issued by the HKMA on 15 September 2015, in which it made clear its expectation that the board and senior management of Authorised Institutions strengthen their oversight of cyber security controls, as summarised in our earlier bulletin dated 5 November 2015.
These recent developments emphasise the need for banks to enhance their internal cyber security controls to protect against cyber attacks and adhere to these increased regulatory obligations and expectations.
The Singapore government is expected to table legislation in Parliament in 2017 for a new, standalone Cyber Security Act.
It is expected that the new Cyber Security Act will ensure that operators take proactive steps to secure critical information infrastructure and report incidents. It will also empower Singapore's Cyber Security Agency ("CSA") to manage cyber incidents and raise the standards of cyber security providers in Singapore, by providing the CSA with broader powers than those currently available under the Computer Misuse and Cyber Security Act (Cap. 50A), which gives law enforcement agencies powers to investigate cyber crimes and arrest criminals.
It is expected that the legislation will contain provisions relating to the protection of personal data in particular, and will provide an extra layer of regulation to be considered in the data protection and information security context.
On 21 April 2016, Australia’s federal government released its Cyber Security Strategy ("CSS").
The CSS is founded on the notion that strong cyber security is a fundamental aspect of the growth and prosperity of the global economy and is vital to Australia’s national security. Many of the measures outlined in the CSS envisage their realisation through partnership between Australian federal, State and Territory governments, the private sector, and the wider community.
The CSS, which will involve government investment of $230 million, establishes a number of key initiatives, including the following:
- the government will appoint Australia’s first Cyber Ambassador, publish an international cyber engagement strategy, and partner internationally to shut down safe havens for cyber attackers, with a particular focus on the Indo-Pacific region;
- the government will host an annual cyber security leaders’ meeting, where the Prime Minister and business leaders will set the strategic cyber security agenda and drive the implementation of the CSS;
- cyber threat information sharing will be facilitated through the implementation of a layered approach involving the Australian Cyber Security Centre, Joint Cyber Threat Centres, and an online cyber threat sharing portal;
- national voluntary Cyber Security Guidelines will be co-designed by government and the private sector to specify good practice, and the Strategies to Mitigate Targeted Cyber Intrusions publication will be updated by the Australian Signals Directorate;
- a Cyber Security Growth Centre ("CSGC") will be established by the government in collaboration with the private sector. The CSGC will coordinate a national cyber security innovation network that pioneers cutting edge cyber security research and innovation; and
- the government will address the shortage of cyber security professionals in the workforce, including by establishing centres of cyber security excellence in Australian universities.
In July 2015 we reported that the Australian Companies and Securities Commission ("ASIC") had released “Report 429: Cyber Resilience: Health Check” which recommended that businesses manage their cyber security by ensuring they are able to adapt to change, reduce exposure to risks and learn from incidents when they occur.
ASIC has now followed that Report with the release in March 2016 of its first formal assessment of the cyber resilience of Australia’s major domestic financial market infrastructure providers – ASX Group and Chi-X Australia Pty Ltd (Chi-X). The financial services sector was selected for initial review given the central role that financial markets play in our economy.
The report concluded that ASX and Chi-X had, up to this point in time, met their statutory obligations to have sufficient resources for the management of cyber resilience. However, the report emphasised the need for ongoing review of plans, given the dynamic and changing nature of cyber threats.
The report also highlighted emerging good practices being implemented by a wider sample of organisations within the financial sector. As in the earlier report, the need for board level engagement and response was again highlighted, as was the need for agile governance processes as part of a wider organisational strategy to manage cyber risks. The report includes some suggested questions that board members and senior management of financial organisations should ask when considering their cyber resilience.
The report also emphasised the need for information sharing, both within organisations and at an industry level and with security agencies and law enforcement, as well as cyber awareness and training.
In November 2015, CPMI–IOSCO published draft cyber resilience guidance for consultation in “Consultative paper: Guidance on cyber resilience for financial market infrastructures”. The ASIC report includes discussion on this proposed Cyber Guidance, which will apply directly to market providers once finalised.
A US federal appeals court handed a major win to Microsoft when it ruled that US authorities cannot compel US tech companies to disclose email content they store on servers located outside the United States.
The highly anticipated ruling (issued 14 July 2016) arises out of Microsoft's refusal to comply with a warrant obtained by US law enforcement authorities seeking production of Microsoft customer emails stored on servers maintained by Microsoft's affiliate in Ireland. The appellate court ruled that the long-standing limitation of US warrants to searches and seizures of information located in the United States applies equally to data stored in the "cloud", and thus, the data stored in Ireland was beyond the reach of US law enforcement.
Though still subject to further review, the decision is a significant victory for Microsoft and other US technology companies, which have been increasingly active in challenging the US government's efforts to obtain confidential customer data, especially when the production of such data would raise privacy issues in jurisdictions outside the United States whose laws may restrict such disclosures. The ruling also may help ease the concerns of privacy advocates and regulators, especially in Europe, regarding the reach of US law into email communications. See In re Warrant to Search a Certain Email Account Controlled & Maintained by Microsoft Corp., Case No. 14-2985 (2d Circuit 14 July 2016).
In a case that potentially could alter the way US law enforcement seeks to obtain stored electronic data, Microsoft has challenged the constitutionality of a provision of US federal law that authorises US courts to issue gag orders forbidding it, and similar companies, from advising their customers about search warrants, court orders or subpoenas that the government employs to obtain the stored electronic communications of those customers.
At issue in this federal court action is the Electronic Communications Privacy Act ("ECPA"), a US statute enacted well before the advent of email traffic and cloud storage. The ECPA provision challenged here enables a federal court, upon application by the government, to prevent a cloud provider from notifying a customer of any governmental demand for that customer's emails and other stored documents. Microsoft alleges that the "secrecy orders" issued pursuant to this provision often forbid notification to the customer for "unreasonably long", and in many cases "unlimited" time periods, whenever the government can convince the court that such notice would result in adverse consequences to the investigation. While Microsoft does not dispute that in some cases, the needs of a criminal investigation warrant secrecy, it asserts that the government is exploiting the transition to cloud computing to expand its power to conduct secret investigations and currently makes far too routine use of secrecy orders.
The litigation is heating up. Microsoft, which filed this suit on 14 April 2016, just amended its complaint to note, among other things, that over a recent 20-month period, federal courts issued more than 3,250 secrecy orders preventing Microsoft from speaking about the government's demands for its customers' data (with almost two-thirds of those orders having no fixed end date). The US government has indicated its intent to ask the federal court to dismiss this case, with its initial briefing due in late July. In addition, the American Civil Liberties Union ("ACLU"), a well-known civil rights organisation, has sought to join this case as a plaintiff to vindicate its own rights, as a Microsoft cloud customer, to receive notice of any government efforts to seize its stored data. The case stands as another effort by Microsoft to find a path between the need for US investigators to have access to stored data relevant to criminal investigations, and the privacy demands of its customers as well as privacy regulators outside the US.
Proposed legislation that would have required tech companies and cloud providers to provide stored electronic data to US government investigators in an unencrypted form appears unlikely to receive formal legislative consideration this year.
The "Compliance with Court Orders Act of 2016" was released in draft form in a bi-partisan effort by the Republican chair and the Democratic vice-chair of the US Senate's Select Committee on Intelligence. The draft provides that entities, including device manufacturers, software makers, tech companies and cloud providers, that receive a court order for data relevant to a criminal investigation must provide it to the government in an "intelligible"—that is, unencrypted—format, or else provide the technical assistance necessary to make such data intelligible (though it would not make companies responsible for data that they did not encrypt). The draft legislation noted at the outset that "no person or entity is above the law," which may be a reference to companies that are viewed by law enforcement as increasingly resistant to government demands for electronic information. In a statement accompanying the draft, the senators noted that this legislation would not create any new data collection authorities for the government, but would simply require companies to ensure that "lawfully obtained evidence is readable."
While a few legislators did support the measure, the White House indicated that it would not back the bill in its current form, which may reflect its concerns about the controversial nature of the issue as well as scepticism that the bill would receive much traction in this election year. Industry and civil liberties advocates, for their part, expressed misgivings about any legislation that potentially could undermine encryption protections, citing both security and privacy concerns. And at least one senator has threatened a "filibuster" (a Senate procedural tool to block consideration of legislation) should the bill make it to the Senate floor. Thus, at least for now, it appears that issues surrounding data encryption will continue without formal legislative guidance in the US.
Beyond Borders M&A report finds companies concerned about data protection and cyber security
Herbert Smith Freehills has published the first edition of its global cross-border M&A report, carried out in association with FT Remark, the research division of the FT.
The report canvasses the opinions of 700 senior executives at major businesses around the globe on their experiences of cross-border M&A and their views on the outlook for M&A activity over the next three years. The original survey was conducted at the end of 2015 but, in order to capture any change in sentiment due to the market downturn in early 2016, the report also includes a second study of a significant cross section of the same respondents, providing a comprehensive review of the current M&A landscape.
The report showed that anxieties over data protection and cyber security rules are rising up the agenda.
In the Americas, respondents listed five issues – data protection, environmental regulation, money laundering regulation, bribery and corruption laws and anti-trust regulation – as being equally likely to have caused a deal failure in the past.
In Japan and South Korea, meanwhile, almost a third of those businesses considering acquisitions in the region (30%) were concerned about data privacy and cyber security regulations – for these buyers, this issue represented their single biggest concern.
In Western Europe, where the European Union has passed new legislation on data protection, some 15% of acquirers were concerned.
However, it is in the TMT sector where these concerns really have the potential to put a block on the surge of cross-border deal activity for TMT companies. Forty-two percent of TMT respondents stated that they were concerned over these ever-tightening rules.
The contents of this publication, current at the date of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2020