According to the World Economic Forum, cybercrime is estimated to cost $445 billion globally. Cyber threats come from many sources and can result in significant financial loss, reputational damage, loss of consumer and employee confidence and wasted management time. Businesses in the TMT (telecoms, media and technology) sector need to prepare for changes to existing data protection laws and for forthcoming cyber-security regulation. This article sets out the law and regulation applicable to cyber-security in the TMT sector and the practical measures that companies should take.
Cyber security and the UK
The cyber threat faced by businesses is growing and comes from a variety of sources – financial crime, cyber terrorism, industrial espionage, hacktivism, state-sponsored attacks, or, as is often the case, breaches caused by employees (whether by accident or by deliberate, premeditated action).
Cyber-security has risen to the top of the UK Government's agenda. The first UK Cyber Security Strategy was announced in 2009 and £650m was allocated to the Cyber Security Programme. In November 2016 Philip Hammond set out the UK's National Cyber Security Strategy and pledged £1.9bn to the UK's Cyber Security Programme. Its key objectives include growing the UK cyber-security industry, bringing the UK's cyber expertise together in the National Cyber Security Centre ('NCSC') to transform how the UK tackles cyber-security issues, and addressing the skills shortage – a global shortfall of 1.5 million cyber-security workers by 2020 has been projected. The UK Cyber Security Challenge (jointly run by the UK Government, PwC, GCHQ and the Bank of England) gives the UK's best talent the opportunity to take part in a three-day event that simulates an unfolding attack on a fictional energy company. In Europe, the European Commission has pledged €1.8bn to a public-private partnership on cyber-security, and the US has pledged funding of over ten times that of the UK.
Current regulation of data protection and cyber-security in the UK and Europe
A key starting point when considering a business's cyber-security obligations is the legal framework governing data protection. In the UK, the Data Protection Act 1998 ('DPA 1998') requires organisations to have appropriate technical and organisational measures in place to protect personal data from being damaged, lost or stolen. Under the DPA 1998, personal data is defined as data that "relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller".
Under the seventh Data Protection Principle (Schedule 1 DPA 1998) organisations must have "appropriate" technical and organisational measures to prevent unauthorised or unlawful processing of personal data and to protect against accidental loss or destruction of, or damage to, personal data. What is "appropriate" depends on the nature of the data being protected and the harm that could result to individuals from a security breach; the state of technological development and the cost of implementing measures may also be taken into account. Failure to take such measures, resulting in a security breach, can lead to a monetary penalty of up to £500,000 (s.55A DPA 1998).
GDPR – data security requirements
EU Member States' data protection regimes will undergo a significant overhaul on 25 May 2018 when the General Data Protection Regulation ('GDPR') comes into effect. The GDPR will replace existing Member States' data protection laws and increase the compliance requirements and data protection responsibilities of businesses both inside and outside the EU. Non-EU companies offering goods or services to data subjects in the EU, or monitoring the behaviour of individuals in the EU, will be caught by the GDPR (irrespective of whether payment is received). The maximum fine that National Data Protection Authorities ('NDPAs') can impose will increase to 4% of annual worldwide turnover or €20m, whichever is the greater.
A number of features of the GDPR relate to data and cyber-security and will have to be met by companies, the main requirements being that companies will have to:
- have "appropriate" technical and organisational measures to prevent unauthorised or unlawful processing of personal data and to protect against accidental loss or destruction of, or damage to, personal data;
- notify any personal data breach to the relevant NDPA without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (breaches likely to result in a high risk to individuals must also be communicated to the data subjects themselves);
- consider privacy and security issues from the outset of any project or the creation of any data processing system ('privacy by design'); and
- conduct Data Protection Impact Assessments (commonly referred to as Privacy Impact Assessments, 'PIAs') for any data processing that is likely to be of high risk to data subjects.
Network and Information Security ('NIS') Directive
The Network and Information Security Directive (Directive (EU) 2016/1148, the 'NIS Directive'), which must be implemented by Member States by 9 May 2018, sets out minimum standards for network and information security that must be met by operators deemed systemically important to a country's operation. The sectors covered include energy, transport, banking, financial market infrastructures, the health sector, drinking water supply and distribution and digital infrastructure, together with "digital service providers".
The main requirements with which Member States will have to comply include:
- adopting a national NIS strategy;
- designating one or more competent authorities, a computer security incident response team ('CSIRT') and a Single Point Of Contact ('SPOC') for cyber-security matters;
- participating in the EU-wide Cooperation Group and the network of national CSIRTs (for which ENISA provides the secretariat); and
- imposing requirements on 'essential service' and 'digital service' providers to have appropriate and proportionate technical and organisational measures in place to manage the risks to the security of their networks and information systems.
'Essential service' and 'digital service' providers will need to notify the relevant competent authority (or CSIRT) and, if applicable, the competent authority of any other affected Member State in the event of a security incident. When determining whether a notification is required, the provider will have to consider i) the number of users affected, ii) the duration of the incident, iii) its geographic scope, iv) the extent of disruption to the service and v) the potential economic and societal impact. If the authority believes that informing the public may help to prevent or limit the impact of an incident, it has the discretion to do so.
Member States are to determine appropriate penalties; however the directive does reiterate the guidance set out in the GDPR that sanctions should be "effective, proportionate and dissuasive".
TMT and cyber-security
Which TMT companies provide 'essential services', 'digital services' and to whom will the NIS Directive apply?
The NIS Directive will apply to providers that are considered to supply 'essential services' – what constitutes an 'essential service' will be determined by each Member State. This will also extend to the providers of "Digital Infrastructure". Industries within the TMT sector should consider their role within the UK's economy and consider if they could fall in scope of the NIS Directive's remit.
Digital service providers are caught by the NIS Directive but are subject to less onerous provisions than the providers of 'essential services'. Essential service providers must report "incidents having a significant impact on the continuity of the essential services they provide", whereas digital service providers must report incidents having "a substantial impact on the provision of a service … that they offer within the Union". This extends to non-EU digital service providers: under the NIS Directive, a digital service provider that is not established in the EU but offers services within the EU must designate a representative in the EU to act on its behalf. Whether a digital service provider is offering services within the Union is assessed by reference to factors including the language used, the currency accepted, references to customers based in the Union and the services the organisation generally offers.
TMT Sector Rules
Telecoms providers are currently subject to the Framework Directive for Electronic Communications (2002/21/EC, as amended in 2009) and will not be subject to the NIS Directive. The Framework Directive requires Member States to have laws in place requiring telecoms companies to notify the regulator of any breach of security with a significant impact on their networks or services. In the UK these obligations are implemented in the Communications Act 2003: providers of public electronic communications networks and services must take technical and organisational measures to manage risks to the security of those networks and services (s.105A), and must notify Ofcom of a security breach which has a significant impact on the operation or availability of a public electronic communications network or service (s.105B).
Similar notification and security obligations also currently exist under the Privacy and Electronic Communications (EC Directive) Regulations 2003 ('PECR 2003'), which implement Directive 2002/58/EC (the 'e-privacy Directive'). These Regulations require service providers to inform subscribers of particular risks to the security of the network and to notify personal data breaches to the ICO within 24 hours of detection, in accordance with Regulation (EU) 611/2013 (the 'Notification Regulation'). The Notification Regulation introduces "technical implementing measures" which clarify how providers should meet those obligations. If the breach is likely to adversely affect individuals, the service provider must also notify those individuals without undue delay. Ofcom may alert the public or other regulatory bodies, including ENISA. Under the PECR 2003, fines of up to £500,000 can be imposed.
Brexit – will the EU regulations apply to UK businesses?
GDPR: the GDPR will come into force in the UK before Brexit, and the Government's stated plan is to preserve existing EU-derived law. In any event, any business wishing to trade in the EU will need to comply with the GDPR. UK-based TMT sector companies will therefore have to comply with the GDPR irrespective of Brexit.
The NIS Directive: the directive must be implemented by 9 May 2018. The UK Government has confirmed that it will implement the NIS Directive regardless of Brexit.
Deploying and maintaining a robust cyber-security strategy is crucial, particularly in light of the forthcoming GDPR and the mandatory notification rules that will apply to all organisations in relation to personal data breaches and to some organisations in relation to network and information security incidents. The possibility of Brexit should not deter organisations from taking the necessary steps to comply with these new laws. They will almost certainly continue to apply in the UK post-Brexit and, in any event, the UK is likely to take as hard a line as the EU, if not harder, on organisational accountability in the longer term. Moreover, cyber-security breaches can severely damage customer and employee confidence as well as shareholder value. To that end, cyber-security should be a key boardroom priority in most, if not all, TMT sector companies.