
CISA: Bolstering cyberdefences or permission to snoop?

The Cybersecurity Information Sharing Act (CISA)[i], a controversial piece of cybersecurity-related legislation which has attracted high profile criticism, was passed by the US Senate on a 74-21 bipartisan vote in October 2015. Advocates maintain CISA will bolster national cybersecurity defences, while detractors argue the legislation enables backdoor snooping by US government entities.

Why and what is CISA?

CISA has risen from the growing concern that US entities are becoming vulnerable to increasingly sophisticated cyberthreats, as demonstrated by a spate of high profile data breaches across a range of industry sectors throughout 2014 and 2015.

CISA aims to improve cyberdefences through encouraging the sharing between entities and government bodies of information related to cyberthreats. Consequently, the legislation contains provisions designed to:[ii]

  1. enable the Director of National Intelligence and the Departments of Homeland Security (“DHS”), Defence, and Justice to develop procedures to share cyberthreat information with private entities, non-federal government agencies, state, tribal, and local governments, the public, and entities under threat;
  2. aid detection, prevention, or mitigation of cyberthreats or security vulnerabilities. Private entities will be allowed to monitor and operate defensive measures on: (i) their own information systems; and (ii) with written consent, the information systems of other private or government entities;
  3. provide protection from liability for entities that voluntarily share and receive cyberthreat indicators and defensive measures with other entities and/or the government;
  4. develop a sharing process within the DHS for the federal government to: (i) receive indicators and defensive measures that are shared by any entity, and (ii) ensure that appropriate federal entities receive shared indicators in an automated, real-time manner; and
  5. enable the DHS Secretary to: (i) issue emergency directives to agencies in response to a substantial information security threat, vulnerability, or incident; or (ii) authorise intrusion detection and prevention capabilities to secure agency information systems in the case of an imminent threat.

In essence, CISA creates a legal framework which allows both business and government entities to pool and share data relating to cyberthreats and potential intrusions. The intention is that this will, in theory, bolster government and private entities’ abilities to prevent and counter cyberattacks in a harmonised manner, at a national level.

Arguments for CISA

The bill has been one of the Obama administration’s top priorities[iii] amid calls for a more unified and sophisticated approach to countering cybercrime. Congressman Dutch Ruppersberger, who serves on the U.S. House of Representatives intelligence committee, noted that “Sony was hit by a severe cyberattack by North Korea — the first destructive attack we’ve seen yet — and it cost the company millions of dollars”… “We must stop dealing with cyberattacks after the fact.”[iv]

The US Chamber of Commerce[v] (“UCC”), a non-governmental, business-orientated American lobbying group, has been one of the strongest advocates of CISA[vi]. They have reiterated that many companies have, until now, been reluctant to share details of cyberattacks as there has been a fear that, in doing so, they may open themselves up to litigation for potential data privacy breaches. Consequently, companies signing up to CISA will be afforded protection from liability as an incentive to share information relating to cyberthreats. Sponsors of the bill have stated that the type of information shared will largely consist of technical data relating to malware used by potential hackers, rather than companies’ own security protocols and mechanisms.[vii]

Addressing privacy concerns, the UCC has stressed that the CISA program is voluntary – companies are not obliged to opt-in to data sharing regarding cyberthreats. They also argued that the bill contains appropriate safeguards for privacy and civil liberties, as companies would be required to remove personally identifiable information from data before sharing it with the government.[viii] In turn, the government is only allowed to use the data collected for “cybersecurity purposes”, and not for example for the investigation or prosecution of data subjects for serious violent felonies or other crimes. The government is also prohibited from disclosing, retaining, or using the information in ways not authorised by CISA.[ix]

Adding further protections, in terms of oversight, law enforcement officials require written consent from the entity sharing cyberthreat information before commencing an investigation into a computer crime. Additionally, the Attorney General is required to develop and review privacy and civil liberty guidelines to govern the use of CISA, while federal entities are required to regularly report to Congress to examine the impact that information sharing has on privacy and civil liberties.

Arguments against CISA

However, CISA has faced criticism from many high profile individuals and organisations. A recent Internet poll[x] by Internet privacy group Fight for the Future[xi] lists 24 major technology giants who have publicly voiced opposition to CISA, including Apple, Google, Microsoft, Twitter, Wikipedia and Amazon. The general argument put forward by these entities is that CISA will not necessarily improve cybersecurity, but will inevitably erode user privacy. Some view the legislation as a backdoor legalisation of surveillance programs which, in light of the Snowden and Prism revelations, is still a nationally sensitive topic.

One senator to have vocally opposed CISA is Ron Wyden[xii], who states “any information-sharing legislation that lacks adequate privacy protections is not simply a cybersecurity bill, but a surveillance bill by another name.”[xiii] Wyden outlines that he opposed CISA because he believes the “insufficient privacy protections will lead to large amounts of personal information being shared with the government even when that information is not needed for cybersecurity.” Wyden also points out that “while corporations will have a choice about whether or not to participate in this sharing, they could do so without the knowledge or consent of their customers, and will be granted immunity from liability if they do so.”

In terms of the text of the bill itself, Wyden asserts that while the “excessively broad collection may not be the intent of this bill” he feels that the language is “clearly drafted broadly enough to permit it”. The bill defines a cybersecurity threat as anything which “may result” in harm to a network. Wyden argues this loose definition will “incentivize the sharing of information even when it is unlikely to pertain to an actual cybersecurity threat”, while a narrower definition would “ensure that information-sharing is more narrowly focused on actual threats.”

There has also been scepticism regarding the effectiveness of CISA to actually prevent cyberattacks. Referring to the 2015 Office of Personnel Management hack, Wyden argues that “I heard for days that this bill would have prevented the OPM attack”… “After technologists reviewed that particular argument, that claim has essentially been withdrawn.” Additionally, challenging the White House position on CISA, Wyden points out that “there is a saying now in the cybersecurity field, Mr President: if you can’t protect it, don’t collect it. If more personal consumer information flows to the government without strong protections, my view is that’s going to be a prime target for hackers.”

Other senators to have voiced concerns over CISA include Martin Heinrich[xiv] and Mazie Hirono[xv], who have argued that, however well intended, “the bill's provisions do not adequately direct companies to remove personally identifiable information when sharing cyberthreat indicators with the government.” They also point out that CISA “lacks a directive that the Department of Homeland Security scrub cyberthreat indicators for unnecessary personally identifiable information before sharing that information with other areas of the federal government.”[xvi]

Both senators also raise concerns relating to the protections from Freedom of Information requests offered by CISA, stating that they “are unconvinced that it is necessary to create an entirely new exemption to the Freedom of Information Act”… “Government transparency is critical in order for citizens to hold their elected officials and bureaucrats accountable; however, the bill's inclusion of a new FOIA exemption is overbroad and unnecessary.”[xvii]

Indeed, another fierce critic of CISA is the infamous Edward Snowden, a man many hold responsible for bringing the issue of state-sponsored snooping into the realm of public attention. He posted a tweet stating "We'll name the names of people who voted in favor afterwards. A vote for #CISA is a vote against the Internet".[xviii]

Next Steps

In terms of the next steps, a bill similar to CISA has already passed in the U.S. House of Representatives. It is likely that both bills will now be combined and signed into law by the White House, which supports the proposals.

The bill marks a concerted shift by Western governments towards cybersecurity-related legislation. This is reflected by the much anticipated European Network Information Security Directive, expected to pass through the European Parliament and European Council final vote shortly, and the UK’s Investigatory Powers Bill, which is being read and debated in the House of Commons and House of Lords.

These, together with CISA, are being pushed through their respective legislative processes hastily on the premise that they will better protect companies and individuals from increasingly complex and sophisticated cyberattacks. However, the very public lobbying of the US legislature and open debates have highlighted a number of data privacy concerns that will apply to both individuals and companies alike. With similar issues applying to proposed UK legislation, and given the frequently observed influence of US legislation on UK legislation, many UK organisations will rightly be keeping one eye trained on the progress of this controversial bill.

For further information, please contact Tom Sutherland.