Interaction between the GDPR and the NIS Directive

There is significant overlap between these two pieces of legislation, which may sometimes apply to the same incidents.

The EU Directive on the Security of Network and Information Systems (NIS) is due to be implemented in the UK by 9 May 2018 and will place obligations on organisations to secure the technology, data and networks (Systems) used to provide the UK’s essential services, and to report incidents that affect them. NIS aims to ensure that UK operators in essential industries are prepared to deal with the increasing number of cyber threats: it requires them to take steps to protect against threats affecting IT systems such as power outages, hardware failures and environmental hazards, as well as cyber breaches such as the high-profile WannaCry and NotPetya attacks of last year, which highlighted the chaos that can be caused when systems stop working, regardless of whether there is a personal data element to the attack.

There is another aspect to the NIS Directive, affecting “Digital Service Providers” (DSPs), where a “less stringent” regime is being introduced for certain cloud service providers, online marketplaces and search engines. This is recognition of the central role that these types of shared online services now play in all areas of our economy, and the inclusion of digital service providers within NIS now places an additional potential breach reporting obligation on these service providers. Although we are still awaiting national implementing regulations, the UK government consulted on implementing NIS in late summer 2017. In the consultation, it asked about its definition of a DSP, considering it necessary to clarify the three different types of DSP in order to identify those companies that fall within the DSP definition.

The regime applying to DSPs is arguably less stringent because assessment of compliance and enforcement can only be carried out after an incident, or if a company is reported to the Competent Authority as being non-compliant with the Directive or implementing regulations. The government has stated that DSPs that employ fewer than 50 persons and whose annual turnover or balance sheet total does not exceed €10 million are automatically out of scope. Unhelpfully, it remains unclear whether these criteria are cumulative or alternatives.

Three types of DSP for UK

When issuing its response to the public consultation on 29 January 2018, the government acknowledged the difficulty in defining a Digital Service Provider, but repeated that in order to assist the Competent Authority (which will be the Information Commissioner’s Office for DSPs) and for the DSPs themselves to recognise whether they are in scope of NIS, three types of DSPs should remain:

  1. Online marketplaces: defined as a platform that acts as an intermediary between buyers and sellers facilitating the sale of goods and services. Online marketplaces, classified advert sites or online retailers are not included.
  2. Online search engines: allowing users to perform searches of the public parts of the worldwide web – site engines powered by other site engines do not fall within this.
  3. Cloud Computing Services: means any DSP that enables access to a scalable and elastic pool of shareable physical or virtual resources, including providing public cloud services of the following nature: ‘Infrastructure as a Service’ (IaaS), ‘Platform as a Service’ (PaaS) and ‘Software as a Service’ (SaaS). The Consultation response states that online gaming, entertainment or VoIP services are likely excluded, but that SaaS providers “play an important role in the UK’s economy and it is right that they are held responsible.”1

The majority of responses to the consultation focussed on the cloud service providers, or CSPs (the third limb). The main issue raised by CSPs was the difficulty in identifying what types of organisations should be classified as a DSP under the Directive. Some of the themes included the need for broader parameters, such as widening the definitions of Cloud and SaaS to include integration services, content providers, data centres and managed services, while others felt that the definitions were too narrow and that all DSPs should fall under the Directive, as many businesses rely on the Internet and digital services. CSPs have raised concerns that the criteria are not clear enough and that the use of the term “cloud” itself is misleading, questioning what might happen in the future if new types of “Cloud” service are produced, and noting that there are already emerging technologies that do not fit well into the IaaS, SaaS and PaaS categories. Those that potentially fall within the definition of DSP highlighted, amongst other things, the additional cost that would need to be added to their services.

The government, however, has kept to its definitions in its response to the Consultation and has made a key point that: “[T]he government’s intention has always been to try to make it clear who was in scope and who was not, and to limit the scope of those who have to comply with the Directive to those companies whose loss of service could have the greatest impact on the UK economy either directly or through impact on other companies.”

NIS provides a list of 14 security principles that DSPs should abide by to ensure compliance. In addition, DSPs should consider the 14 (different) security principles set out by the National Cyber Security Centre. The implementing regulation (Regulation), which was released shortly after the government’s response to the Consultation, also sets out the elements to be taken into consideration when identifying and taking measures to implement a level of security. More broadly, the implementing Regulation sets out the parameters used to determine whether the impact of an incident is substantial, and when an incident will be considered substantial. Incidents with a “substantial impact” will need to be notified to the ICO within the same 72-hour timeframe as the General Data Protection Regulation requires.

According to the Regulation (Article 4), the impact of an incident will be considered “substantial” where:

  1. The service provided by the DSP was unavailable for more than 5 million user-hours (i.e. the number of affected users within the EU for a duration of an hour);
  2. The incident has caused a loss of integrity, authenticity or confidentiality of transmitted, stored or processed data or the services relating to it offered by or accessible by a network or system of the DSP affecting more than 100,000 users in the EU;
  3. The incident has caused a risk to public safety, public security or risk of loss of life; or
  4. The incident has caused material damage to at least one user in the EU exceeding €1 million in value.
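The four Article 4 limbs above, plus the 72-hour clock that starts on awareness, as an added worked example (not code from the original article or from any regulator): it computes user-hours from outage windows and returns which limbs are met. The incident data, the dataclass names and the SaaS scenario are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
# Article 4 thresholds of Implementing Regulation (EU) 2018/151, as quoted on the page.
USER_HOURS_THRESHOLD = 5_000_000           # more than 5 million user-hours of unavailability
AFFECTED_USERS_THRESHOLD = 100_000         # more than 100,000 EU users hit by a loss of I/A/C
MATERIAL_DAMAGE_EUR_THRESHOLD = 1_000_000  # material damage above EUR 1 million to one EU user
NOTIFICATION_WINDOW = timedelta(hours=72)  # same window as GDPR personal data breach notification

@dataclass
class OutageWindow:
    start: datetime
    end: datetime
    eu_users_affected: int  # EU users unable to use the service during this window

@dataclass
class Incident:
    outages: List[OutageWindow] = field(default_factory=list)
    data_loss_eu_users: int = 0           # EU users whose data lost integrity, authenticity or confidentiality
    public_safety_risk: bool = False      # risk to public safety, public security or loss of life
    max_damage_per_user_eur: float = 0.0  # largest material damage suffered by any single EU user
    aware_at: Optional[datetime] = None   # moment of awareness, which may be an informal NCSC conversation

def user_hours(outages: List[OutageWindow]) -> float:
    """Article 4 metric: affected EU users x outage hours, summed over non-overlapping windows."""
    total = 0.0
    for w in outages:
        hours = (w.end - w.start).total_seconds() / 3600.0
        if hours < 0: raise ValueError("outage window ends before it starts")
        total += w.eu_users_affected * hours
    return total

def substantial_impact_reasons(inc: Incident) -> List[str]:
    """Article 4 limbs that are met; a non-empty list means the incident must be notified to the ICO."""
    reasons = []
    if user_hours(inc.outages) > USER_HOURS_THRESHOLD:
        reasons.append("availability: more than 5 million user-hours")
    if inc.data_loss_eu_users > AFFECTED_USERS_THRESHOLD:
        reasons.append("integrity/authenticity/confidentiality: more than 100,000 EU users")
    if inc.public_safety_risk:
        reasons.append("risk to public safety, public security or loss of life")
    if inc.max_damage_per_user_eur > MATERIAL_DAMAGE_EUR_THRESHOLD:
        reasons.append("material damage above EUR 1 million to at least one EU user")
    return reasons

def notification_deadline(inc: Incident) -> Optional[datetime]:
    return None if inc.aware_at is None else inc.aware_at + NOTIFICATION_WINDOW  # 72 hours from awareness

def sample_incident() -> Incident:
    # Constructed data for a hypothetical SaaS provider: a two-stage outage, no data loss.
    t0 = datetime(2018, 5, 10, 9, 0)
    return Incident(outages=[OutageWindow(t0, t0 + timedelta(hours=2), 2_000_000),  # 4,000,000 user-hours
                             OutageWindow(t0 + timedelta(hours=2), t0 + timedelta(hours=5), 500_000)],  # 1,500,000
                    aware_at=t0 + timedelta(minutes=30))
```

Each threshold is a strict "more than", so an outage of exactly 5 million user-hours does not by itself trigger the availability limb.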

Providers of private clouds, particularly to large enterprise customers, will need to consider carefully how reporting an incident under point 4 above would or would not potentially prejudice a DSP’s position if faced with claims from customers for the loss of service or damage caused by the incident.

Organisations that are required to report under NIS will also be subject to the reporting requirements of the GDPR, although of course the NIS reporting regime is wider than the requirement to notify personal data breaches pursuant to GDPR. The GDPR and NIS use different criteria to establish what might be considered appropriate technical and organisational measures, with far greater detail being provided in the implementing Regulation under NIS. What does seem possible is that a DSP reporting a personal data breach under GDPR, where that breach would not be considered an incident having a “substantial impact” under NIS, could inadvertently highlight that it is not compliant with the security elements set out in Article 2 of the NIS implementing Regulation.

Failure to comply with NIS could result in fines of up to £17 million. Unlike the level of fine available under the General Data Protection Regulation (GDPR), the UK government has stated that it will impose an overall cap of £17 million, with the two bands for contraventions being merged, so there is a single fine band covering all contraventions. The UK government has recognised the risk of “double jeopardy” and that this may discourage voluntary reporting, but has reiterated that competent authorities will need to act reasonably, appropriately and proportionately. However, cybersecurity needs to be taken seriously, and the government believes the potential level of fines will incentivise a change in behaviour.

Security measures to merge?

In relation to notification of personal data breaches, or of incidents that have a “substantial impact” under NIS for DSPs or operators of essential services, this clearly needs to be provided for and managed within the supply chain to ensure that issues are reported promptly. Although the First Tier Tribunal reached its conclusion under a different regime in the TalkTalk case, the Tribunal did find, on the question of whether TalkTalk knew of the data breach, that given the extensive detail of the breach provided by the customer, TalkTalk would have been aware of the breach and must have realised that the circumstances described by the customer could only have arisen by reason of a data breach. Under the NIS regime, where the National Cyber Security Centre will play the role of technical authority, assisting companies responding to a potential incident, companies will need to be aware of discussions and conversations (even informal ones) taking place between their IT department or security teams and the NCSC or its supply chain, and of when such discussions may start the 72-hour notification timeframe. DSPs may find themselves faced with a choice between failing to notify within the timeframe and making a voluntary notification that invites wider regulatory scrutiny by the ICO.

From a customer perspective, the Regulation provides a helpful checklist of the security parameters expected from a DSP. Considering this guidance and the duties on Controller customers in relation to due diligence when selecting processors, it is hard to see how the two regimes, at least from a security perspective, will not merge, unless of course a System is not storing personal data. From a DSP perspective it seems likely that the cost base of doing business will increase, although arguably, if this reduces the overall risk profile of Controller customers, this may be a price most are willing to pay.


First published on www.privacylaws.com March 2018

1 Page 13, Security of Network and Information Systems, Government response to public consultation, January 2018, Department for Culture, Media and Sport. See www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive
2 As above.
3 Commission implementing regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.
