- Cyber Security Agenda
The New Year’s countdown had barely finished before we saw the first major cyber security breaches of 2014. Public backlash over late 2013 incidents quickly followed. Photo-sharing app Snapchat was subject to a cyber attack where hackers exposed the usernames and phone numbers of 4.6 million users. The ‘Syrian Electronic Army’ also hacked Skype’s Twitter and blog accounts to allege the sale of data to governments and publish contact details of outgoing Microsoft chief executive Steve Ballmer. Target, the third-largest US retailer, is also being sued by at least 11 customers after hackers installed malware onto the computer systems at the checkout desks in almost 1,800 Target stores in December. The hackers subsequently stole data from 40 million credit/debit cards.
Given the ever-increasing prevalence of worldwide cyber security attacks, it is no surprise that raising awareness and increasing efforts to improve protection and tackle breaches are high priorities for the UK government. The government reiterated its commitment to addressing cyber security at the Govnet Security Summit 2013 in London, where it stressed that effective partnerships with businesses and academia, internationally and across central government, are essential for the delivery and improvement of cyber security.
In 2014, the government intends to undertake several new activities. Top of the agenda is a major public awareness campaign to make individuals and small and medium-sized enterprises aware of cyber security risks. There are plans to expand vocational cyber security training through internships and apprenticeships to address the lack of skilled cyber security personnel in the UK. CERT-UK, the first national computer emergency response team, will also become operational to reinforce cyber incident response arrangements. In addition, the government will endeavour to establish international cyber security standards.
- EU Data Protection Regulation
As part of the continued effort to establish a single data protection law across the European Union (EU), the European Parliament recently voted to significantly overhaul current EU data protection laws. This vote follows months of negotiations between various European Parliament committees. A compromise text for the draft General Data Protection Regulation (Regulation) was approved, and authority was granted for certain members of the European Parliament to negotiate directly with the Council of the EU regarding the adoption of the Regulation.
Key purposes/provisions of the proposed regulation include:
- one single data protection law across all EU member states;
- one single data protection authority for all EU member states;
- EU law to take precedence should there be any conflict with the laws of another jurisdiction;
- a new right of erasure of personal data for individuals giving greater control of their own data; and
- higher penalties for breaches of up to €100 million or 5% of global turnover (whichever is greater).
Clearly the extremely high penalties will be a cause for concern for companies, particularly for large companies operating globally, but this shows the level of seriousness adopted by the EU in seeking to ensure data protection compliance.
The majority of member states are keen for the Regulation to be agreed in 2014, and the European Parliament LIBE Committee intends to hold a plenary vote on the Regulation on 14-17 April 2014. The vote is expected to be a mandate for the Regulation, either in its current form or with further agreed amendments. Businesses likely to be affected should monitor developments closely and take note of when the Regulation is to come into effect.
- Cloud Computing Expert Group
In June 2013, the European Commission set up an “Expert Group”, including cloud providers, lawyers and academics, tasked with establishing a new set of model cloud computing contract terms. In particular, the group is to identify “safe and fair contract terms and conditions for cloud computing services for consumers and small firms”. The group will assist the Commission in improving the legal framework for cloud computing contracts, with the aim of increasing trust, confidence and ultimately take-up of cloud services by consumers and SMEs.
The Commission believes that many consumers and small businesses are reluctant to purchase cloud services due to unclear cloud computing service contracts. The group, comprising 30 individuals and companies from both the public and private sector, will develop best practices to improve trust and confidence amongst consumers and SMEs. The Commission is looking to ensure safety, fairness, reliability and to balance the interests of cloud users and providers. The project forms part of the Commission’s wider strategy for “Unleashing the potential of cloud computing in Europe”.
The group began work in November 2013 and is due to report back in Spring 2014 with recommendations for model contracting clauses.
However, it is unclear at this stage when the terms will come into effect. Whilst the Commission is clearly making efforts to encourage the use of cloud services by developing more balanced and reasonable model terms, such terms will not be obligatory, and it remains to be seen whether major cloud providers will adopt such terms. Certain providers may continue to use their own standard terms, which may be unduly onerous or unreasonably weighted in the provider’s favour. Some providers may also increase prices to account for the switch to more balanced model terms. Cloud providers and cloud users should keep a close eye on developments and consider carefully whether to utilise the model terms.