1. Data Use: Protecting a critical resource
Described by some as the “new oil” for the digital economy, there is no doubt that data are now seen as critical for organisations to succeed. Data are a powerful and lucrative fuel for productivity. If not adequately protected, data are vulnerable to leaks that can cause widespread damage, and their true value is only realised once they have been processed and refined. They are, however, an almost infinite resource when compared with the finite supply of oil.
Data affect all businesses and industries, and dealing with data is an issue for the whole business as it affects every team within an organisation. In this article we examine:
Market trends in the ballooning use of data worldwide.
Some of the legal implications of dealing with data, particularly in light of the General Data Protection Regulation (679/2016/EU) (GDPR) which will apply from 25 May 2018, including, in particular, GDPR compliance, cyber security and employee monitoring.
A version of this article was first published as the lead feature in the January/February 2018 issue of PLC Magazine.
Please also access the firm’s GDPR hub for our latest thinking on the GDPR and data issues more widely, as well as our Disruptive Technology & Innovation hub which brings together in one place our thought-leading initiatives that have been produced on this theme across our network. Recent related articles include “Technology Driving M&A: Data Data Everywhere” and “Artificial Intelligence: the Client Perspective”.
2. Risk of a “Meltdown”? Recent authority guidance and practical tips to mitigate the risk of organisations falling victim to the latest cyber exploits
Significant vulnerabilities that could allow cyber attackers to compromise data have been found in common processors in almost all modern devices.
What are “Meltdown” and “Spectre”?
The vulnerabilities, known as “Meltdown” and “Spectre”, are two related so-called “side-channel” attacks that have been found in central processing units (CPUs) designed by Intel, AMD (Advanced Micro Devices Inc) and ARM (Advanced RISC Machines Ltd). The issue was recently discovered by security researchers at Google’s Project Zero in conjunction with academic and industry researchers from several countries.
Combined, the vulnerabilities have the ability to affect almost every modern computer, including smartphones, tablets and personal computers from a range of vendors running almost any operating system. The vulnerabilities undermine security features built into the processors which are designed to keep data from different running programs separate (including data used by the operating system itself).
Processors in most devices employ a range of techniques to speed up their operation, one of which is so-called “speculative execution” – anticipating (and executing) the parts of a program that might be needed in future before it is known whether they are needed. In simple terms, a malicious attacker can exploit the two vulnerabilities to manipulate a processor into speculatively executing code which works on data that would ordinarily be out of bounds to the attacker, and then observe the processor (via the side channel) to infer the content of the data being processed.
As a result, malicious code running on a vulnerable device is in effect able to read areas of memory and data not normally visible to it. In theory, any data on the device has the potential to be accessed, including data of other running programs, or even data belonging to other virtual machines on the same hardware. This could result in the compromise of particularly sensitive data, including security keys and passwords.
How to protect your organisation?
Device and platform manufacturers are releasing updates to supported products to mitigate the issues posed by these vulnerabilities. The Head of Technology Policy at the Information Commissioner’s Office (“ICO”) recently published guidance on Meltdown and Spectre which strongly recommends that organisations determine which of their systems are vulnerable and ensure that the latest patches have been installed “as a matter of urgency”. This is reiterated in related advice from the National Cyber Security Centre (“NCSC”), which also recommends not using unsupported devices where patches will not be issued to fix the vulnerabilities.
The ICO guidance goes on to state that failure to patch known vulnerabilities is a factor that the data protection authority will take into account when determining whether a breach of the seventh principle of the Data Protection Act 1998 (appropriate technical and organisational measures taken against unauthorised or unlawful processing of personal data) is serious enough to warrant a civil monetary penalty. Under the EU General Data Protection Regulation (“GDPR”), there may also be circumstances in which organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been implemented but were not.
Whilst these vulnerabilities have the theoretical potential to cause widespread exfiltration of data and disruption, there is currently no clear indication that they have been exploited to date or that any data have actually been compromised. It is also worth noting that the vulnerabilities can only be exploited by malicious code on the device – so there necessarily needs to be another vulnerability already present on a particular system for it to be exploited. Indeed, the first attempts by cyber attackers to exploit the existence of these vulnerabilities have seen them issue fake security updates purporting to fix the vulnerabilities, but that are in fact themselves malware.
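The ICO and NCSC guidance above asks organisations to determine which systems are vulnerable and whether mitigations are in place. The following is an added example, not taken from the article or from the ICO or NCSC, of how that inventory step can be automated on Linux hosts: kernels from 4.15 onwards report the status of each known CPU vulnerability as a one-line file under /sys/devices/system/cpu/vulnerabilities/ (for example “Not affected”, “Vulnerable” or “Mitigation: PTI”). The script classifies those lines and flags hosts that still need a patch or a documented mitigation. The sample status values are constructed for illustration and the helper names are this example’s own.

```python
"""Added example: summarise a Linux host's Meltdown/Spectre mitigation
status from the kernel's sysfs reporting (not code from the article).

Each file under SYSFS_VULN_DIR holds one line such as "Not affected",
"Vulnerable" or "Mitigation: PTI". The classification here is by prefix
so that it also copes with the longer, version-specific mitigation
descriptions newer kernels emit.
"""
from pathlib import Path
from typing import Dict, List

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample in the same one-line-per-file format as sysfs, so the
# example runs on any machine. Values are illustrative, not from a real host.
SAMPLE_STATUS: Dict[str, str] = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "l1tf": "Not affected",
}


def classify(status_line: str) -> str:
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    text = status_line.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    if text.startswith("Mitigation:"):
        return "mitigated"
    # Anything else (e.g. a future status wording) should be looked at by hand.
    return "unknown"


def read_sysfs_status(vuln_dir: Path = SYSFS_VULN_DIR) -> Dict[str, str]:
    """Read the live status files; returns {} when the directory is absent
    (non-Linux host or a kernel older than 4.15)."""
    if not vuln_dir.is_dir():
        return {}
    return {
        p.name: p.read_text(encoding="utf-8").strip()
        for p in sorted(vuln_dir.iterdir())
        if p.is_file()
    }


def summarise(status: Dict[str, str]) -> Dict[str, List[str]]:
    """Group vulnerability names by classification."""
    summary: Dict[str, List[str]] = {
        "not_affected": [], "mitigated": [], "vulnerable": [], "unknown": []
    }
    for name, line in sorted(status.items()):
        summary[classify(line)].append(name)
    return summary


def needs_attention(status: Dict[str, str]) -> bool:
    """True when any entry is still vulnerable or could not be classified;
    an empty status (no sysfs reporting) also needs attention, because
    the host cannot demonstrate it has been patched."""
    if not status:
        return True
    groups = summarise(status)
    return bool(groups["vulnerable"] or groups["unknown"])


if __name__ == "__main__":
    live = read_sysfs_status()
    source = "live sysfs" if live else "constructed sample"
    status = live or SAMPLE_STATUS
    print(f"Status source: {source}")
    for group, names in summarise(status).items():
        print(f"  {group:13s}: {', '.join(names) or '-'}")
    print("Needs attention:", needs_attention(status))
```

Run on a fleet via your existing configuration-management or EDR tooling, the `needs_attention` result is the list of hosts on which the ICO’s “significant mitigations” must either be applied or documented; hosts that report nothing at all (no sysfs directory) are treated as needing attention rather than silently passing.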
Vulnerabilities in the cloud
The Meltdown and Spectre vulnerabilities present some unique issues for cloud services.
Whether cloud service providers are acting in the capacity of a data controller or a data processor, there will likely be obligations upon them to take steps to patch affected systems.
A challenge exists in that systems may need to be patched at multiple layers for the patches to be effective. For example, hardware running virtual machines might need to be patched at the firmware (BIOS) level, at the hypervisor level (the software managing the virtual machines), and on the guest operating system of each virtual machine. In practice, these components may be the responsibility of different corporate entities, such that cooperation and coordination is required.
For example, when using Infrastructure as a Service (IaaS), the service provider should patch the hardware (and possibly also the hypervisor), but organisations will themselves need to update the operating system of any virtual machines they manage. For Platform as a Service (PaaS) and Software as a Service (SaaS), the cloud service provider might have responsibility for installing all the required patches.
A particular issue arises for so-called “multi-tenanted” cloud systems that hold data from more than one party on the same infrastructure. Without effective patching at all levels, there is potential for data to be compromised and leaked between tenants. However, patching multi-tenanted systems may require cooperation between the service provider and all the respective tenants where those tenants manage their own software.
Whatever the type of hosting, organisations that use cloud-based systems should double-check the contractual responsibility for security (and patching in particular) and seek appropriate assurances from their service provider that these vulnerabilities have been patched. For multi-tenanted systems, as there will not necessarily be a direct contractual relationship between one tenant and another, in practice seeking these assurances will require the service provider to liaise between tenants to ensure all the guest operating systems have been patched.
To patch or not to patch: the balancing act
The patches being released to address Meltdown and Spectre by necessity go to the core of the operation of the operating systems and the processors concerned. They make changes at the “kernel” level of operating systems as well as to the microcode that runs within the processors themselves. Such patches are complex and not without risk.
The fact that the existence of Meltdown and Spectre was leaked before the patches were quite ready means that development of the patches has had to be accelerated. There have been reports that patches released for both AMD and Intel hardware have led to system instability (spontaneous reboots) as well as systems failing to boot at all. Since the data protection principles also relate to accidental loss or destruction of personal data (as well as the risk of data breach), systems resilience is equally important and system owners are somewhat between a rock and a hard place.
In addition, even when the patches are made stable, there are confirmed issues with reduction of performance of systems where the patches have been installed. The reduction in performance is most acute for systems that involve significant storage access, which will often be the case for multi-user cloud or database systems.
Some organisations have also found that their anti-virus solutions have yet to be made compatible with the issued patches, meaning the patches cannot be installed until the anti-virus providers have added support.
Whilst the ICO acknowledges that it will ultimately be up to an organisation whether it applies a patch, if the organisation chooses not to, the regulator would expect “significant mitigations to be in place and well understood”.
A layered security system is therefore the key
The ICO guidance explains that cyber attackers should not be able to access core systems in the first place. It reiterates that the concept of “privacy by design” should be “in every part of your information processing, from the hardware and software to the procedures, guidelines, standards and policies that your organisation has or should have”. Privacy by design is one of the best practice concepts given statutory recognition under the GDPR; it requires controllers to think about privacy and cyber security at the inception of projects and system design.
The ICO recommends that organisations have an effective “layered security system” to mitigate the repercussions of an attack. It suggests that organisations look at their data flows, understand how data moves through, and beyond, the organisation (both in electronic format and the “real” world format) and consider system protections at each step. Organisations should be evaluating the impact of a data breach, or data loss, to the organisation (both financially and from a reputational point of view). Data should also be as secure at rest as when it is in transit (for example, through encryption, salting and hashing techniques), so that even if data is compromised, it cannot be read by the attacker. While encryption could in theory be circumvented through Meltdown and Spectre (by compromising the encryption key), salted and hashed passwords, even if compromised, can remain secure.
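The paragraph above notes that salted and hashed passwords can remain secure even if the credential store is compromised. As an added example, not taken from the article or from the ICO guidance, the following shows the technique: each password gets its own random salt, the password and salt are run through a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), and only the salt and the derived digest are stored. The stored-record format (algorithm, iteration count, salt and digest separated by `$`) and the iteration count are this example’s own choices, not a standard.

```python
"""Added example: salted password hashing with PBKDF2-HMAC-SHA256
(not code from the article). A leaked record reveals neither the password
nor whether two users share a password, because every record uses a
fresh random salt."""
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
# Assumption: a cost that takes roughly a few hundred milliseconds on
# current server hardware; tune for your own environment.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per record, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and parameters and compare
    in constant time, so a malformed record or wrong password both yield False."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def demo(iterations: int = DEFAULT_ITERATIONS) -> Dict[str, bool]:
    """Two users choose the same (constructed) password; show that the stored
    records differ, both verify, and a wrong password is rejected."""
    shared_password = "correct horse battery staple"  # constructed sample
    record_a = hash_password(shared_password, iterations=iterations)
    record_b = hash_password(shared_password, iterations=iterations)
    return {
        "records_differ": record_a != record_b,
        "both_verify": verify_password(shared_password, record_a)
        and verify_password(shared_password, record_b),
        "wrong_rejected": not verify_password("wrong password", record_a),
        "garbage_rejected": not verify_password(shared_password, "not-a-record"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Because the iteration count is stored with each record, the cost can be raised over time and old records re-hashed on the user’s next successful login. The salt does not need to be secret; its job is to make precomputed tables useless and to ensure identical passwords produce different records.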
A well designed system will ensure that the network infrastructure is adequately protected and the ICO recommends that such a system would incorporate firewalls, access control lists, VLANs as well as physical security measures such as CCTV, fences and security personnel if required. The guidance reiterates that security is not just an IT issue; ensuring that appropriate policies and procedures are adequately implemented, enforced and reviewed in practice will also be key. A combination of senior management buy-in, governance and appropriate training and awareness of staff will help support achieving this aim. To reiterate the words of the ICO “the more layered approach you take, the less likely a vulnerability like Meltdown or Spectre could be exploited”.
What about liability?
Given the spectrum of end-users, organisations, service providers and manufacturers in the supply chain affected by these latest cyber vulnerabilities, there is no doubt that these players will be closely reviewing the terms and liability regimes in their respective commercial arrangements.
For example, cloud service agreements can often use cumulative processor time as the charging metric. Due to the degradation in performance caused, customers may find themselves subject to increased costs (which they will want to recoup) even though the workload itself has not increased. On the other hand, service providers will no doubt closely scrutinise their force majeure provisions to determine whether these provisions could be triggered by the vulnerability, and therefore whether the service providers are relieved of their contractual obligations.
In turn, cloud service providers or customers may seek redress from processor manufacturers if they are required to purchase additional hardware to maintain present levels of processing power. At least three class-action law suits have already been filed against one processor manufacturer on behalf of affected consumers. Even if cloud service providers and customers choose themselves not to sue, the need to renew end-of-life hardware will likely mean that the issue arises in negotiations with organisations seeking discounts or rebates, backed with the threat to procure processors from alternative providers.
It remains to be seen what the longer term legal fall-out will be from the Meltdown and Spectre vulnerabilities.
A version of this article was first published on the Legal IT Insider website. Also refer to our article below regarding the recent Morrisons case, the first successful group litigation order in the UK for data breach.
3. Cyber insurance requirements in commercial contracts: getting it right
Cyber incidents have the capacity to cause many different types of loss. Insurance coverage exists for at least some aspects of cyber risks in the UK market. However, given the range and diversity of risks that may arise, there are some key issues for businesses to consider when it comes to insurance against cyber risks in commercial contracts. Our recent article considers these issues in more detail and can be found here.
This article was first published in the December 2017 issue of PLC Magazine.
4. Outsourcing to the Cloud: EBA issues Final Report on Recommendations
On 20 December 2017 the European Banking Authority (“EBA”) published its Final Report: Recommendations on Outsourcing to Cloud Service Providers (CSPs). The Recommendations will apply from 1 July 2018 to credit institutions as well as investment firms (i.e. not solely to banks). The aim of the EBA Recommendations is to: (i) provide guidance for institutions to enable them to use cloud solutions whilst appropriately managing risk; and (ii) promote supervisory convergence across the EU. The Final Report follows the EBA’s draft recommendations that were published on 18 May 2017 (refer to our previous article here). It should be noted that there is little substantive difference between the draft recommendations and those set out in the Final Report.
Stakeholders have previously expressed concern at the high level of uncertainty regarding the “supervisory expectations that apply to outsourcing to cloud service providers” as well as differences in national regulatory and supervisory frameworks for cloud outsourcing (e.g. the duty for outsourcing institutions to adequately inform their competent authority about material (cloud) outsourcing). The EBA Recommendations therefore intend to clarify the EU-wide expectations and enable organisations to harness the benefits of cloud computing whilst ensuring that risks are appropriately identified and managed. The recommendations build on the existing general outsourcing guidance provided in the CEBS Guidelines which have been in place since 2006.
The principle of proportionality applies throughout the Recommendations, which should be viewed in the context of the size, structure and operational environment of the firm.
The EBA Recommendations acknowledge that cloud outsourcing services provide a much higher level of standardisation which allows the services to be provided to a large number of different customers on a large scale (when compared with more traditional forms of outsourcing offering more tailored solutions for clients). Whilst cloud services “offer a number of advantages such as economies of scale, flexibility, operational efficiencies, and cost-effectiveness”, they also raise challenges in terms of data protection and location, security issues and concentration risk (both in respect of individual institutions as well as at an industry level where large suppliers of cloud services can become a single point of failure where many institutions rely on them).
The key areas covered by the EBA Recommendations include: completing materiality assessments; informing supervisors ex ante for material outsourcing; access and audit rights; data and systems security; location of data and data processing; chain outsourcing (i.e. when cloud service providers subcontract elements of service provision); and contingency planning / exit strategies. For further detail on the Recommendations in each of these areas please click here for our summary.
The EBA Recommendations are just one of a number of initiatives by regulatory bodies to try to accommodate cloud services where appropriate. The recommendations follow the Financial Conduct Authority’s national guidance issued in July 2016 for firms outsourcing to the cloud and other third party IT services.
Whilst the EBA Recommendations appear to reflect existing best practice in a number of Member States, they seem relatively light alongside other broader, all-encompassing – and potentially overlapping – policy efforts such as the forthcoming EU General Data Protection Regulation (“GDPR”) relating to the European data protection framework, and the forthcoming EU Network and Information Security Directive (“NIS Directive”) which aims to achieve a common level of network and information systems security across the EU and is due to be implemented in the UK by 9 May 2018. Organisations should therefore consider those overlapping frameworks alongside the EBA Recommendations, for example, to consider whether the outsourcing activities include the processing of personal data or whether any of the organisations in the supply chain fall within the scope of the NIS Directive, and therefore whether there are additional requirements and/or restrictions arising from applicable data protection or cyber security legislation as well.
This point was reiterated in a joint statement on the GDPR issued by the FCA and the ICO on 8 February 2018. The statement confirms that:
financial services firms will need to consider how the GDPR will apply to them and ensure they are ready to comply with the regulation from May 2018;
the GDPR does not impose requirements which are incompatible with rules in the FCA Handbook; and
whilst the ICO will regulate the GDPR, the FCA will monitor compliance with GDPR requirements, for example, the requirements in the Senior Management Arrangements, Systems and Controls (SYSC) module. As part of their obligations under SYSC, firms are required to establish, maintain and improve appropriate technology and cyber resilience systems and controls.
5. Morrisons: The first successful group litigation order in the UK for data breach
On 1 December 2017, the High Court handed down its judgement in the UK’s first group litigation order arising from a data breach (Various Claimants v Morrisons). The High Court allowed the claim and deemed Morrisons to be vicariously liable for the criminal actions of a “rogue” former employee.
In July 2015, Andrew Skelton (a former Morrisons employee) was sentenced to eight years in prison after he was found guilty of stealing and unlawfully sharing the names, addresses, bank, salary and national insurance details of almost 100,000 of his former colleagues with news outlets and data sharing websites. Morrisons then reportedly spent more than £2 million on measures to tackle the breach.
Almost 6,000 of those affected recently brought a group litigation order, despite not having suffered any financial loss, on the basis that Morrisons was liable, directly or vicariously, for:
(i) the criminal action of its rogue employee in disclosing personal information of co-employees; and
(ii) the subsequent distress suffered by those employees,
whether in breach of certain data protection principles under the Data Protection Act 1998 (“DPA”), an action for breach of confidence, or an action for misuse of private information (a tort established in Google v Vidal-Hall, discussed further below).
The judgement cleared Morrisons of direct liability as it had not breached any of the data protection principles (except in one respect which was not causative of any loss), nor could direct liability be established for misuse of private information or breach of confidentiality. This is because once Mr Skelton acted autonomously in deciding how to handle the personal data, he became the data controller in respect of the relevant processing. Therefore, the acts that breached the DPA were those of a third party data controller (Mr Skelton), not Morrisons.
However, it was held that the DPA does not exclude vicarious liability, despite not expressly referring to it. As Mr Skelton’s disclosure of the data was deemed to be a seamless and continuing series of events it was held that Mr Skelton acted in the course of his employment and Morrisons was therefore vicariously liable for Mr Skelton’s actions. The judgement also stated that this conclusion would be the same regardless of whether the basis of Skelton’s liability was seen as a breach of duty under the DPA, a misuse of private information or a breach of confidence.
Google v Vidal-Hall
The recent judgement follows the landmark case of Google v Vidal-Hall in March 2015 which established the right to damages for emotional distress for breach of the DPA, including in the absence of any financial loss or other material damage. The principle of damages for emotional distress was established on the basis that section 13(2) of the DPA (which essentially required a claimant to establish actual financial loss before being able to claim compensation for data protection breaches) was incompatible with Article 23 of the EU Data Protection Directive. This meant that it should therefore be disapplied in accordance with the ‘Marleasing’ principle (to interpret national legislation “as far as possible” in light of the wording and purpose of the directive to achieve the result sought by the directive). It was also disapplied on the grounds that it conflicts with the rights guaranteed by the EU Charter of Fundamental Rights. Google v Vidal-Hall also recognised the misuse of private information as a tort. Prior to the case, the courts had used the law of confidentiality to afford appropriate protection to privacy rights under Article 8 of the European Convention of Human Rights. Therefore, recognising the misuse of private information as a tort did not create a new cause of action, but gave the correct label to an existing cause of action.
Implications for organisations
The Morrisons judgement establishes vicarious liability for data breach, in addition to direct liability, which could have significant implications for organisations. Not only are organisations liable for the distress caused by a data breach, even in the absence of financial loss, but they are now also potentially liable for the way that their employees (or former employees) access and handle data. That is so even where the organisation has done as much as reasonably possible to prevent the misuse of data, and is found not to be at fault under the DPA or common law. We expect to see an increase in organisations taking out insurance against the potential risks highlighted by the Morrisons case.
Where large scale data breaches are an almost weekly occurrence, it seems possible to imagine that such breaches could result in more compensation claims being brought from large numbers of individuals affected, even where they have not suffered financial loss. Whilst individuals may not themselves be entitled to significant sums, if the data breach affected tens or hundreds of thousands of individuals, the total potential compensation liability for organisations could become relatively large. For example, in September 2017, Equifax announced that it had experienced a cyber security incident. The firm is a major third-party provider to the financial services industry, with data used for identification and credit checking. Third parties had exploited a US website application vulnerability to gain access to certain files, one of which contained almost 15.2 million UK records dating from 2011 to 2016. Equifax concluded that there were nearly 700,000 UK consumers affected that it will need to contact.
With the GDPR applying from May 2018, the maximum fines that can be levied by regulators are increasing very significantly (in the UK from the £500,000 maximum fine the ICO can presently levy, up to a maximum of 4% of global turnover or €20 million for certain breaches, whichever is greater). It therefore remains to be seen whether damages to data subjects also increase, but the additional weight placed by regulators on data protection is likely to raise the profile of such claims. Also, given that the requirements of the GDPR are stricter in some places than under the DPA, the risk of non-compliance is greater. And that is without taking into account the reputational damage cyber incidents can also bring.
In giving the judgement, Justice Langstaff stated his concerns that the wrongful acts of Skelton were deliberately aimed at Morrisons, such that by finding Morrisons vicariously liable, the Court could be regarded as “an accessory to furthering his criminal aims”. As a result, he granted leave to Morrisons to appeal the conclusion on vicarious liability, but would not, without further persuasion, grant permission to cross-appeal his conclusions as to direct liability. Morrisons has since confirmed its intention to appeal the decision, so it remains to be seen whether this judgement will stand.
6. FCA Feedback Statement on Distributed Ledger Technology Discussion Paper
As the UK Parliament's Treasury Committee launched an investigation in March 2018 into the benefits and risks of cryptocurrencies and the potential impact of Distributed Ledger Technology ("DLT"), and the European Commission launched an EU Blockchain Observatory and Forum in February 2018 (to highlight key developments of blockchain technology and reinforce engagement with multiple stakeholders involved in blockchain activities), regulators have also been taking a closer look at the implications of DLT, including the Financial Conduct Authority in the UK.
On 15 December 2017, the FCA published the Feedback Statement to its April 2017 Discussion Paper DP17/03 on the regulatory implications of current and potential developments of DLT in financial services. The Discussion Paper also explored the potential risks and benefits of DLT applications in financial services and whether DLT could promote the FCA’s statutory objectives of promoting effective competition, financial market integrity and financial consumer protection. A distributed ledger is a system for recording transactions via a peer-to-peer network, rather than a central database. DLT was the technology first used for the digital currency Bitcoin. Market participants are now exploring the benefits and risks of other use cases in financial services, most of which involve sharing data amongst multiple network participants, and do not need to involve digital currencies.
In the introduction to the Feedback Statement, the FCA articulates its position on DLT as follows: “Our aim is to be alive to current and potential developments involving DLT, to keep pace with them, and to strike a proportionate regulatory balance between the risks and opportunities they present. We see regulation as an enabler of positive innovation based on new technologies as well as a means of containing undue risk. Our regulatory philosophy (subject to any risks to our objectives) is to be ‘technology-neutral’.”
The Feedback Statement covers observations highlighted by respondents in the following key areas: (i) operational risk, including outsourcing and network security; (ii) digital currency, including derivatives and Initial Coin Offerings; (iii) digital asset trading and smart contracts; (iv) regulatory reporting; (v) financial crime; and (vi) the EU General Data Protection Regulation.
The FCA received 47 responses to the Discussion Paper, ranging from regulated firms, trade associations, technology providers, law firms and consultancies. The regulator commented that the Discussion Paper was positively received, with particular support expressed for the FCA’s ‘technology-neutral’ approach to regulation as well as its open and proactive approach to new technology (including its “Sandbox” and “Regtech” initiatives).
The feedback received to the Discussion Paper also supported the view that the FCA’s current rules are sufficiently flexible to accommodate various technologies, including the use of DLT by regulated firms. Current FCA rules were said to present “no substantial barriers” to adopting DLT and no changes to specific rules were proposed. However, some respondents doubted the compatibility of permissionless networks with the regulatory regime. In addition, whilst respondents suggested that there are many benefits and risks in using permissionless and permissioned DLT networks in financial services, it was acknowledged that those risks depend heavily on the specific application of DLT.
On the interplay of DLT with the GDPR, at this stage the FCA did not identify any substantial incompatibilities between the FCA rules (including the management of CDD data or effective access to data obligations) and the GDPR requirements - as per the joint statement issued by the FCA and the ICO referred to above. As such, the regulator did not envisage further FCA guidance on this particular issue. The FCA also acknowledged that the combination of the GDPR requirements and the use of DLT have the potential to improve the way in which firms collect, store and process personal data, resulting in significantly improved outcomes for consumers.
The FCA will now continue to monitor DLT-related market developments to determine whether there is a need for regulatory action and will engage with both industry stakeholders and regulatory bodies at the national and international level to help shape the regulatory response to this new emerging technology.
7. Fintech focuses regulatory thinking: A round up of recent activity
The proliferation of Fintech comes at a time when international regulators are significantly increasing their oversight of the financial services sector. As such, the most appropriate way to approach Fintech continues to preoccupy international and regional standard setters. Whilst recent headlines over the past few months might suggest that regulators’ main focus is on virtual currencies, over the course of 2017 a number of key international standard setters released papers focussing more widely on Fintech - including the Financial Stability Board (FSB), the Basel Committee on Banking Supervision (BCBS) and the EU Commission. Typically, initiatives set out by the FSB and BCBS filter down to inform policies developed at the regional and national levels in due course.
The FSB publication, “Financial Stability Implications from Fintech”, from last year is, in some respects, the most comprehensive paper as it considered the implications of Fintech for financial stability across a broad spectrum of innovation.
In particular, the FSB helpfully categorised Fintech innovations by economic function. Overall, this report concluded that there were currently no compelling financial stability risks from emerging Fintech innovations, although it ascribed this to the currently small relative size of Fintech in the context of the wider financial system. The FSB report did, however, identify ten issues that merit closer consideration by authorities, with three of those issues prioritised for international collaboration, namely: (i) managing operational risk from third-party service providers; (ii) mitigating cyber risks; and (iii) monitoring macro financial risks that could emerge as Fintech activities increase. Addressing these priority areas is seen as important to promoting financial stability, fostering responsible innovation and preventing any derailment of authorities’ efforts to achieve a more inclusive financial system.
In November 2017, the FSB followed the above report with a report on the financial stability implications of AI and machine learning in financial institutions, setting out potential risks and benefits that should be monitored as the technology proliferates and more data about its use becomes accessible. While noting that AI and machine learning have the potential to contribute to a more efficient financial system and to improvements in supervisory approaches, the report notes that the use of these technologies “could result in new and unexpected forms of interconnectedness between financial markets and institutions”. The report also comments on the possibility that reliance on third-party providers could lead to a situation where systemically important players in the financial system sit outside the regulatory perimeter.
In parallel, the BCBS also issued a consultation last year: Sound practices: Implications of Fintech developments for banks and bank supervisors. The analysis in this paper considered several scenarios and, unlike the FSB reports, for each scenario it explored the potential future impact of Fintech specifically on the banking sector (particularly on the business models of banks and on the work of supervisors). The BCBS recognises that the emergence of Fintech is only the latest wave of innovation to affect the banking industry. However, the rapid adoption of new technologies, along with their effect in lowering barriers to entry in the financial services market, has fostered the emergence of new business models and many new Fintech entrants. The BCBS suggests that these factors may prove to be more disruptive than previous changes in the banking industry, although, as with any forecast, this is in no way certain at this stage.
Changing customer behaviour and demand for digital financial services are thought to be the key drivers for change, and the effects of innovation and disruption are being felt at a faster rate than before. A common theme across the various scenarios set out in the consultation is that incumbent banks are likely to find it increasingly difficult to maintain their current operating models, and will need to become more agile in order to adjust more quickly to this change.
In August 2017 the World Economic Forum issued its most recent Fintech report - Beyond Fintech: A Pragmatic Assessment of the Disruptive Potential In Financial Services - which considers the evolution and impact of Fintech firms on financial services to date and presents a series of contrasting outlooks for the future of the industry. The findings suggest that Fintech companies have materially changed the basis of competition in financial services, but have not yet materially changed the competitive landscape. They play a critical role in defining the pace and direction of innovation across the sector, but have struggled to overcome the scale advantages of large financial institutions. Among other key findings, the report also acknowledges financial regionalisation – with differing priorities, technological capabilities and customer needs challenging the narrative of increasing financial globalisation and making way for regional models of financial services suited to local conditions.
Meanwhile in Europe, the EU Commission received some 226 responses to its March 2017 consultation, Fintech: a more competitive and innovative European financial sector. These fed into the development of the Commission's own “Fintech Action Plan” (a policy approach towards technology innovation in financial services), which was released on 8 March 2018. The Fintech Action Plan is part of the Commission's efforts to build a Capital Markets Union ("CMU") and a true single market for consumer financial services. It is also part of the Commission's drive to create a Digital Single Market, which aims to make EU rules more future oriented and aligned with the rapid advance of technological development. As a first major deliverable, the Commission is also putting forward new rules (a proposed Crowdfunding Regulation) that will help crowdfunding platforms to grow across the EU's single market. The Fintech Action Plan also consists of 23 steps to enable innovative business models to scale up, support the uptake of new technologies, and increase cybersecurity and the integrity of the financial system. Examples include an EU Fintech Laboratory, where European and national authorities will engage with tech providers in a neutral, non-commercial space, and a blueprint of best practices on regulatory sandboxes, based on guidance from the European Supervisory Authorities.
For further information also refer to the firm’s latest thinking article “Fintech: to regulate or to partner, that is the question” and our Fintech blog.
8. Public Sector IT Procurement Update: UK Government publishes updated Model Services Contract, guidance on GDPR re-papering and extends “G-Cloud 9” framework for cloud services procurement
Model Services Contract: On 1 January 2018, the Cabinet Office, Crown Commercial Service (CCS) and the Government Legal Service (GLS) published an updated version of the Model Services Contract (MSC). This version is stated to reflect developments in government policy, regulation and the market.
The MSC is a set of model terms and conditions for major services contracts, published for use by Government departments and many other public sector organisations. It has been developed for service contracts with a value over £10 million, reflects current government priorities and recommended ways of doing business, and also aims to aid assurance and reduce administration, legal costs and negotiation time. It is stated to be suitable for use with the range of business services that Government purchases and contains appropriate provisions for contracts relating to business process outsourcing and/or IT delivery services.
The latest MSC was accompanied by both: (i) guidance on the MSC; and (ii) a statement of changes highlighting the (relatively minor) amendments made to the previous version, which include the introduction of a reference to the EU-US Privacy Shield (for international transfers of personal data between the EEA and the United States of America) and the introduction of e-invoicing, as well as relatively minor corrections and improvements.
GDPR re-papering: Of particular note, the data protection provisions were not updated in the latest MSC to take account of the requirements under the forthcoming GDPR (including the mandatory terms that Article 28 GDPR requires in any contract with a data processor). However, at the end of December 2017 the CCS separately published a procurement policy note (PPN) explaining how “government buyers should bring existing and future commercial arrangements concerning data processing in line with” the GDPR. Whilst the PPN applies to all central government departments, their executive agencies and non-departmental public bodies, it acknowledges that other public bodies will also be subject to the GDPR and may wish to apply the approach set out in the PPN.
In particular, the PPN broadly covers the timing, key actions and key considerations for any new procurement after 25 May 2018 and for any so-called “GDPR re-papering” exercise (i.e. a contract variation and re-negotiation exercise to take account of GDPR requirements). The key areas to consider include due diligence of existing contracts and of existing or new suppliers, to ensure that they can implement the appropriate technical and organisational measures required to comply with the GDPR. The PPN also includes standard generic clauses, a draft letter to vendors, guidance to be applied at all stages of a procurement, and the relevant documentation for contracts that include data processing activities.
G-Cloud 9 Framework: In November 2017, the CCS also decided to extend its IT procurement platform “G-Cloud 9” for (up to) 12 months, in line with the existing framework terms. The CCS has recently suggested that the next iteration of the platform (G-Cloud 10) is likely to go live in June 2018, slightly earlier than was originally intended.
G-Cloud 9 is the framework agreement that allows UK public sector bodies to procure cloud computing services covering infrastructure, platform, software and specialist cloud services via a compliant procurement vehicle (i.e. agreed with suppliers following the Official Journal of the European Union (OJEU) procurement process). G-Cloud, available via the Digital Marketplace, requires frequent procurement refreshes to take account of new suppliers and services.
G-Cloud 9 is the latest iteration of the framework, which first went live in February 2012. Until now, the framework has been refreshed on an annual basis. The decision to postpone the refresh, for the first time, was made on the basis that the additional time between iterations of the framework agreement will allow a comprehensive review of end-user requirements. In parallel, the Government has also decided to extend other frameworks, including Digital Outcomes and Specialists 2 and Cyber Security Services. The Government anticipates that this will allow it to take a more holistic approach to the provision of IT services, with the aim of providing a coherent end-to-end service for buyers and suppliers.
The delay has been met with criticism from interested stakeholders (particularly SME IT suppliers), and the Cloud Industry Forum’s G-Cloud focused Special-Interest Group has stated that any significant delay in the roll-out of G-Cloud 10 could go against the founding principles of the framework – i.e. the principles of driving innovation, choice and value. It remains to be seen whether the new, more dynamic framework will justify the two-year wait.
9. UK Government support for connected and autonomous vehicle industry and related cyber concerns
Driverless vehicles are fast becoming a reality. It is estimated that the UK driverless car industry will be worth £28 billion to the UK economy and employ 27,000 people by 2035.
In light of this, it is unsurprising that in its 2017 Autumn Budget the UK Government committed to boosting productivity by supporting emerging technologies in order to build an economy driven by innovation. This includes an intention to lead in developing standards and ethics for the use of data and AI, and to create the most advanced regulatory framework for driverless cars in the world.
The Budget sets out the steps that the Government is taking to ensure the UK is a leader in the development and deployment of new technologies. This includes plans to invest £1 billion in technology projects, including £400m for electric car charging points and £75m for research on artificial intelligence. The Government has also stated that it expects to see fully automated vehicles in commercial use in the UK by 2021 and that it will amend the regulatory framework where appropriate to help support this aim. The National Infrastructure Commission also plans to launch a new innovation prize to determine how future road building should adapt to support driverless cars.
In parallel, the Automated and Electric Vehicles Bill (the “Bill”) was announced in the Queen’s speech last year. The Bill passed its third reading in the House of Commons on 29 January 2018 and has begun its progression in the House of Lords. The Bill received its first reading in the House of Lords on 30 January with the second reading scheduled for 20 February, at which there will be a general debate on all aspects of the Bill. The Bill aims to:
specify who is liable for damages following accidents caused by automated vehicles; and
improve the network of charging points for electric vehicles.
The Bill meets these aims by extending the application of insurance law from a (human) driver-centric model to one that will cover automated vehicles where the car is essentially the driver. The proposed powers in the Bill would also allow the Government to regulate to improve the consumer experience of electric vehicle charging infrastructure, to ensure provision at key strategic locations like Motorway Service Areas (MSAs), and to require that charge points have “smart” capability.
The Bill forms a key part of the regulatory regime required for rapidly evolving automated and electric vehicle technology, a further critical element of which is ensuring the cyber security, data security and integrity of automated and electric vehicles. In the latter half of 2017, the Government sought to address the cyber security of automated vehicles in eight key principles (the Department for Transport’s “Key Principles of Cyber Security for Connected and Automated Vehicles”). The principles are designed to encourage the industry to work together to enhance cyber security in this sector and to place responsibility for system security at board level.
The principles are summarised below:
Principle 1: organisational security is owned, governed and promoted at board level
Principle 2: security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain
Principle 3: organisations need product aftercare and incident response to ensure systems are secure over their lifetime
Principle 4: all organisations, including sub-contractors, suppliers and potential third parties, work together to enhance the security of the system
Principle 5: systems are designed using a defence-in-depth approach
Principle 6: the security of all software is managed throughout its lifetime
Principle 7: the storage and transmission of data is secure and can be controlled
Principle 8: the system is designed to be resilient to attacks and to respond appropriately when its defences or sensors fail
The Government has previously stated its ambition to become a “leader” in autonomous technology. Its commitment to creating an adequate regulatory and legislative framework, and to providing funding in this area, are both clear indications of its support for the further development and mass production of automated and connected vehicle technologies.
We recently hosted a series of panel discussions with guest speakers from a range of disciplines to discuss the novel and challenging issues that arise from evolving automated and connected vehicle technologies. Our latest report, Connected and Autonomous Vehicles: Navigating the Future, considers some of the key questions, challenges and potential solutions that were discussed during these sessions and that are expected to arise as this technology is developed and commercialised.
10. Drafting Contracts: Key lessons from 2017
As part of the firm’s annual contract law update we consider a number of interesting contract law cases that highlight key points for those involved in drafting or managing contracts.
The cases selected cover the formation of contracts, interpretation of contracts, endeavours obligations, limitation and exclusion clauses, penalties, notice provisions and termination. In each case we provide a brief summary of the facts and the Court’s decision together with some practical tips. We also consider the impact that Brexit will have on contracts and what steps contracting parties can take when reviewing and drafting contracts.
The full briefing is available here.