1. Secure all (cyber) areas: Cyber security high on the political agenda in the EU and UK

The issue of cyber security appears is climbing high on the political agenda both at a European and a national UK level. The European Commission has published a cyber security strategy and proposed Directive, at the same time as the UK Government investigates the possibility of a cyber security standard and launches its own cyber security information sharing partnership.

EU Strategy and Directive

In February 2013, the European Commission launched a new Cyber Security Strategy and associated Directive.

According to the European Commission, cyber-security incidents are increasing in frequency and magnitude, becoming more complex and knowing no borders. These incidents can cause major damage to safety and the economy. For example:

  • There are an estimated 150,000 computer viruses in circulation every day and 148,000 computers compromised daily.
  • According to the World Economic Forum, there is an estimated 10% likelihood of a major critical information infrastructure breakdown in the coming decade, which could cause damages of $250 billion.
  • Cybercrime causes a good share of cyber-security incidents. Symantec estimates that cybercrime victims worldwide lose around €290 billion each year, while a McAfee study put cybercrime profits at €750 billion a year.
  • The 2012 Eurobarometer poll on cyber security found that 38% of EU internet users have changed their behaviour because of these cyber-security concerns: 18% are less likely to buy goods online and 15% are less likely to use online banking. It also shows that 74% of the respondents agreed that the risk of becoming a victim has increased, 12% have already experienced online fraud and 89% avoid disclosing personal information online.
  • Eurostat figures show that, by January 2012, only 26% of enterprises in the EU had a formally defined ICT security policy.

The European Commission believes that previous efforts in relation to cyber security have been too fragmented and is therefore proposing a new Cyber Security Strategy and associated Directive as a coordinated approach to tackle the issue of cyber vulnerabilities.

The Cyber Security Strategy sets out how Europe plans to prevent and respond to online security incidents. Among the measures the strategy recommends are that each European country set up a "CERT" (Computer Emergency Response Team) and designate a "competent authority" to manage online security for EU organisations.

The proposed Directive would require all Member States, key internet enablers and critical infrastructure operators (e.g. e-commerce platforms and social networks and operators in energy, transport, banking and healthcare services) to ensure a secure and trustworthy digital environment throughout the EU. It sets out specific measures including:

  • Member States must adopt a network and information security ("NIS") strategy and designate a national NIS competent authority to prevent, handle and respond to NIS risks and incidents;
  • Creating a cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents;
  • Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (including app stores, e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents. In relation to incident reporting, only incidents having a significant impact on the security of core services provided by market operators and public administrations will have to be reported to the competent national authority. The competent national authority may also require that the public be informed, although public announcement will not be mandatory; and
  • Sanctions imposed by Member States for breach of the Directive must be effective, proportionate and dissuasive. When a security incident involves personal data, the proposed Directive also states that any sanctions imposed must be consistent with the European Commission's proposed Data Protection Regulation. It is not clear at this point in time whether this means that the proposed Data Protection Regulation fine of up to 2% of annual global turnover could also be imposed upon undertakings subject to a security incident involving personal data.

UK Call for Evidence and Cyber Threat Centre

The UK Government has also published a call for evidence setting out its intentions to encourage industry-led standards and guidance that could be used by organisations to manage the risk to their information and to encourage companies that are good at managing information risk to make this a selling point for their business.

The UK Government published its own Cyber Security Strategy back in November 2011. Since that time, the Government calculates that the average cost of a small business’ worst information security breach in 2012 was £15,000-£30,000, and of a large organisation’s, £110,000-£250,000.

The Government now intends to select and endorse an organisational standard that best meets the requirements for effective cyber risk management. There are currently various relevant standards and guidance in the market, which the Government believes can be confusing for organisations, businesses and companies that want to improve their cyber security. The call for evidence, and the Government's subsequent selection of a preferred standard, should help companies identify what good cyber risk management looks like and select which organisational standard to invest in.

Given the European Commission's own efforts to improve and harmonise standardisation in the field of cyber security as part of its proposed Directive, it remains to be seen whether or not the UK will impose a security standard upon organisations prior to implementation of the European proposals.

However, in the meantime, a new initiative to share information on cyber threats between businesses and Government is being launched. The UK Cyber Security Information Sharing Partnership ("CSISP") will include experts from GCHQ, MI5, police and business, and aims to better co-ordinate responses to cyber threats. Eighty companies from five sectors of the economy - finance, defence, energy, telecommunications and pharmaceuticals – were originally encouraged to share information, and this was expanded to 160 firms, who will have access to a secure web-portal to share information in real time. It is hoped that additional firms will join over time.

Government officials have been reported to be uncomfortable with the EU's proposed Directive (discussed above) requiring companies to disclose security breaches and hope that a voluntary partnership such as CSISP would provide a more workable solution.

A copy of the EU Strategy and Directive are available here and here. A copy of the UK Call for Evidence is available here.

  1. Still committed? European Commission issues fine for non-compliance with Microsoft commitments

The European Commission has imposed a €561 million fine on Microsoft for failing to comply with its commitments to offer users a browser choice screen enabling them to easily choose their preferred web browser.

In December 2009, Microsoft made certain legally binding commitments to the European Commission. These commitments had been offered by the company to address competition concerns relating to the tying of Microsoft's web browser, Internet Explorer, to its dominant client PC operating system Windows. In particular, Microsoft committed to make a "choice screen" available for five years (i.e. until 2014) enabling users of the Windows operating system to choose in an informed and unbiased manner which web browser(s) they wanted to install in addition to, or instead of, Microsoft's web browser.

The Commission has now found that Microsoft failed to roll out the browser choice screen with its Windows 7 Service Pack from May 2011 until July 2012 meaning that 15 million Windows users in the EU did not see the choice screen. Microsoft has itself acknowledged that the choice screen was not displayed during this period.

This is the first time that the Commission has fined a company for non-compliance with a commitments decision. Where a company breaks legally binding commitments, Article 23(2) of the Antitrust Regulation empowers the Commission to impose fines of up to 10% of its total turnover in the preceding business year. In calculating the level of this particular fine, the Commission took into account the gravity and duration of the infringement, the need to ensure a deterrent effect of the fine and, as a mitigating circumstance, the fact that Microsoft has cooperated with the Commission and provided information which helped the Commission to investigate the matter efficiently.

Further details on the case are available here.  

  1. BYO DP: ICO publishes BYOD guidance

A survey commissioned by the Information Commissioner’s Office ("ICO") has shown many employers appear to have a ‘laissez faire’ attitude to allowing staff to use their personal laptop, tablet computer or smartphone for work business, which may be placing people’s personal information at risk.

The survey, carried out by YouGov, reveals that 47% of all UK adults now use their personal smartphone, laptop or tablet computer for work purposes. But less than 3 in 10 who do so are provided with guidance on how their devices should be used in this capacity, raising concerns that people may not understand how to look after the personal information accessed and stored on these devices.

In response, the ICO has published guidance explaining some of the risks organisations must consider when allowing personal devices to be used to process work-related personal information. The guidance explains how this approach, commonly known as "bring your own device" ("BYOD"), can be adopted safely and in a manner that complies with the Data Protection Act.

In the guidance, the ICO highlights that:

  • BYOD raises a number of data protection concerns due to the fact that the device is owned by the user rather than the data controller;
  • It is crucial that the data controller ensures that all processing of personal data which is under his control remains in compliance with the DPA;
  • Protecting data in the event of loss or theft of the device will need to be considered but not to the exclusion of other risks; and
  • Data controllers must remain mindful of the personal usage of such devices and technical and organisational measures used to protect personal data must remain proportionate to and justified by real benefits that will be delivered.

More and more organisations in the UK are looking at implementing BYOD strategies and so are likely to welcome any guidance from the regulator as to implementation and data protection compliance. However, organisations should be aware that the guidance does not provide a prescription for a compliant solution and data controllers will still need to carefully consider how they can implement a BYOD policy in compliance with their data protection regulatory obligations.

A copy of the guidance is available here.  

  1. Get out of jail free? ICO continues to push for prison sentences for unlawful access to personal data

A former receptionist at a GP surgery in Southampton has been prosecuted by the Information Commissioner’s Office ("ICO") for unlawfully obtaining sensitive medical information relating to her ex-husband’s new wife.

Marcia Phillips was prosecuted under section 55 of the Data Protection Act and fined £750 and ordered to pay a £15 victim surcharge and £400 prosecution costs.

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a fine of up to £5,000 in a Magistrates Court or an unlimited fine in a Crown Court.

However, the ICO has, for a while, been calling for tougher penalties, including imprisonment, for this type of offence. In relation to this latest case of unlawful access to data, Deputy Commissioner David Smith commented: "We continue to urge the Government to press ahead with the introduction of tougher penalties to enforce the Data Protection Act. Without these unscrupulous individuals will continue to break the law. Action to replace the section 55 "fine only" regime with an effective deterrent is long overdue. This change is not directed at the media and should not be held up while Lord Justice Leveson's recommendations on data protection and the media are considered."  

  1. Right on time: Changes to late payment regulations implemented in the UK

The Late Payment of Commercial Debts Regulations 2013 came into force on 16 March 2013. The Regulations implement the European Directive on Late Payment of Debt in Commercial Transactions and applying to contracts made on or after 16 March for the supply of goods or services between businesses (including public authorities).

The Regulations amend the Late Payment of Commercial Debts (Interest) Act 1998 and the main changes relate to the date when statutory interest starts to run.

Under the new rules, a purchaser is required to pay statutory interest from the date which is 31 days from the later of:

  • the supply of the relevant goods or services;
  • the receipt by the purchaser of the supplier's invoice; and
  • the completion of any acceptance or verification procedure in relation to the goods or services as provided for by contract or statute.

A public authority may not agree a longer period for payment. A purchaser who is not a public authority may agree a later payment date, but if the payment date is more than 61 days from the later of the events set out above, it must not be grossly unfair to the supplier.

Organisations should now consider reviewing their standard wording regarding payments to ensure that they would not fall foul of the new rules. In particular, organisations should carefully consider any payment terms which allow for a period of payment longer than 61 days to ensure that they would not be considered "grossly unfair", a new concept under English Law and one which has not yet been applied or tested by the courts.

A copy of the Regulations is available here.  

  1. One click from your customer and you're a joint tortfeasor

Joel Smith and Rachel Montagnon from the Herbert Smith Freehills IP team consider the recent Court of Appeal judgment regarding the liability of websites providing access to databases outside the UK which infringe UK rights.

The Court of Appeal has held that the provision of facilities to download infringing material onto a user's computer is inevitably a joint act of infringement of sui generis database right, even if the material is not displayed.

The recent decision in Football Dataco Ltd & Ors v Stan James plc & Ors, Sportradar & Ors [2013] EWCA Civ 27 makes parties who might otherwise avoid infringement as being merely an "intermediary", liable as joint tortfeasors, in this case in relation to sui generis database right infringement but Sir Robin Jacob, giving the leading judgment, also commented that joint liability would apply equally in terms of copyright infringement.

In the case, the provider of a link to information which was supplied by a third party, was held jointly liable with those accessing the link (its customers), even where the customers themselves did not realise they were infringing any rights and in fact did not see the infringing material being downloaded onto their computers (as it was not necessarily displayed).

Both the online betting company Stan James (based outside the UK) and Sportradar, a non-UK company and provider of data from the infringing database (from servers outside the UK) to which the betting site provided links, were found by the Court of Appeal to be liable as joint tortfeasors with the betting site's customers in the UK who (unknowingly) downloaded the infringing data.

The case has implications for website operators as a whole. They will need to be vigilant in their provision of data and be confident that it is not infringing, since lack of knowledge by the provider of the infringing material is not a defence to joint tortfeasorship according to Sir Robin Jacob.

Of obvious significance is the relative ease with which off-shore companies providing access to infringing off-shore databases will now be able to be sued in the UK courts. The days of applying the rules of secondary liability seem long gone. The ability to target both the infringing database provider and those enabling access to it, whether situated in the UK or not, will be welcomed by those who have invested in databases in the UK.