• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

ITWG releases draft Internet of Things data security and privacy standards

The Internet of Things (“IoT”) – put simply, the connection of physical objects to the Internet, or other networks, allowing them to send and receive data – is increasingly encroaching into every aspect of our daily lives.

With the growing popularity of products such as Internet-connected smoke alarms and thermostats, door locks, fitness trackers, and smartwatches, Gartner predicts that the number of in-use IoT devices will exceed 25 billion by 2020 - over 6 times the number recorded in 2014. However, the integration of Internet-connected physical objects and appliances into every aspect of consumers’ daily lives results in the collection of increasingly sensitive and personal data – including information regarding health, lifestyle choices, and behavioural patterns.This brings with it an amplification of data privacy and security risks.

Background

Following a report from the Federal Trade Commission (“FTC”) in January 2015 urging IoT device manufacturers and retailers to limit the quantity and duration of retention of collected data, US non-profit organisation the Online Trust Alliance established the IoT Trustworthy Working Group (“ITWG”). Coordinating multi-stakeholder input from companies (including Microsoft) and consumer groups (including the Consumer Reports), the ITWG set out to develop a voluntary framework of best practices in security, privacy, and sustainability (the “Framework”), with a particular focus on the primary categories of:

  • home automation and connected home products; and
  • wearable technologies (limited to health & fitness categories).

On 11 August 2015, the ITWG released a draft version of the Framework containing 23 proposed ‘minimum requirements’ and a further 12 ‘additional recommendations’. The draft Framework constitutes a ‘proposed baseline for any self-regulatory and/or certification program’ pertaining to connected home and wearable products, and rather than being a ‘lowest-common denominator’ on privacy and security is intended to set a higher bar that is supplemental to regulatory and legal requirements.

Principles of the Framework

The ITWG has created the Framework on the basis of the Fair Information Practice Principles (“FIPPs”); a US framework of defining principles to be used in the evaluation and consideration or systems, processes, or programs that affect individual privacy.

Building on best practices recommended by the FTC and OWASP, the Framework drives forward the fundamental principle of transparency and data security. The OWASP IoT Top 10, in particular, highlights the need for a holistic approach when considering security and privacy in the IoT as many surface areas play a part in providing the overall solution - including the IoT device, cloud, mobile application, network interfaces, software, physical security, and others. This leads to multiple potential attack vectors and points of vulnerability; from insecure web interfaces and network services to insufficient authentication / authorisation and security configurability. Addressing this in the Framework, the ITWG has stressed the principle that security and privacy by design must be a priority from the onset of product development, with all members of a company taking a holistic view of end-to-end security and privacy.

Draft Framework

The ITWG has clearly reflected the fundamental principles of transparency and data security in the Framework, with 10 of the 23 ‘minimum requirements’ requiring ‘manufacturers’ (including service and product providers) to openly publish or provide consumers with access to information and the remaining 13 requiring specific security measures and protocols to be put in place to protect consumer data. 

In particular, some of the key ‘minimum requirements’ include:

  • the privacy policy must be readily available to review prior to download, purchase, etc., and optimised for the user interface to maximise readability. In particular, the policies must disclose key consequences of declining to opt-in or opt-out of policies (including impact to usage or key product features or functionality), identify all personally identifiable data types and attributes collected, and notify the user of the term and duration of data retention
  • all device sites and cloud services must utilise HTTPS encryption by default and adhere to SSL best practices using industry standard testing
  • manufacturers must conduct penetration testing for devices, applications, and services, and have capabilities to promptly and reliably remediate vulnerabilities
  • manufacturers must have a breach response and consumer safety notification plan (to be reviewed at least every 6 months)
  • the device must have controls and/or documentation enabling the consumer to set, revise, and manage privacy and security preferences, including the type and amount of information is that transmitted via the device.

Further to the ‘minimum commitment’, manufacturers are encouraged to implement and comply with 12 ‘additional recommendations’; though some may not be applicable to every service or device. These include:

  • taking steps to help prevent personal data from being re-identified
  • adhering to the FIPP of minimal data retention
  • agree to not materially change privacy policies after the product is purchased without consumer consent, providing the core product functionality is not impacted
  • plan for the need to include support for evolving protocols/standards
  • provide the ability for a consumer to return a product without charge after reviewing the privacy practices that are presented during initial set up.

What’s next?

The draft Framework represents a broad consensus of nearly 100 participants, though there are some use cases where consensus is still pending. The OTA will be collecting comments on the draft Framework until 14 September 2015, following which they intend to amend and release a final version of the Framework around mid-November 2015. Should you wish to comment, you should follow the submission information here.

Following the publication of the final Framework, the ITWG has expressed that it or another party may investigate and develop a certification program evaluating devices and applications against published criteria – much like the PCI-DSS Tier certification program for payment cards. It is intended that the Framework will continue to evolve to reflect latest best practices, regulatory requirements, security standards, and the changing threat landscape; ensuing consumers are protected against the latest security and privacy issues as new threats and risks evolve.

Although the ITWG has obtained feedback from a large number of entities in creating the Framework, the requirement for subscribing companies to comply with obligations that are both in addition to, and more onerous than, applicable laws and regulation may deter a number of companies from subscribing. This is added to by the fact that, despite being voluntary, companies that sign-up to the Framework could be subject to government regulation and enforcement – from the FTC in the US, for example.

Despite this, the development of a certification program through which companies can demonstrate that they comply with the best practice requirements set out in the Framework will undoubtedly be attractive to consumers as concern about the amount of data collected by IoT devices, along with fears about data breaches, increases. Given the growing market for IoT devices, companies may find that they have no choice but to to assess and alter their practices in line with the Framework simply in order to remain competitive.  

For further information please contact Nicola Fulford