• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

New 24 hour deadline for notifying personal data breaches

New rules that came into force on 25 August 2013 under Regulation 611/2013/EU (the “Regulation”) now require certain personal data breaches to be notified to the Information Commissioner’s Office (“ICO”) within 24 hours.

Prior to the Regulation coming into force, under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) personal data breaches were to be reported to the ICO ‘as soon as possible’.  The Regulation now supplements PECR and sets a tight deadline of 24 hours for notifying certain data breaches.  This important change means that certain sector-specific organisations must ensure that they have the necessary internal procedures in place to allow the requisite information to be compiled (including time to obtain advice from external advisers) within the short timescales.

The ICO has published guidance on the new rules which provides information to help understand which organisations the revised rules under PECR apply to and when and how to notify the ICO about a security breach.  In summary, the guidance discusses the following obligations:

  • Notification to the ICO that a personal data breach has occurred must be made within 24 hours of becoming aware of the basic facts.  Full details must be provided as soon as possible. 
     
  • Organisations in the telecoms and communications sectors are affected.
     
  • If the breach is likely to adversely affect individuals, a notification must also be made to those individuals without undue delay.
     
  • A log of any breaches must be kept, and should be submitted to the ICO on a monthly basis.

Relevant personal data breaches

The obligations of PECR and the Regulation to notify within 24 hours fall upon organisations providing publicly available electronic communications services.  In essence, these are service providers that allow members of the public to send electronic messages, for example telecoms providers and internet service providers.  If an organisation is responsible for the delivery of only part of such a service and does not have a direct contractual relationship with members of the public then it does not have to notify the ICO of a personal data breach.  However, such organisations must immediately notify the organisation that does have the direct contractual relationship with members of the public (and then that organisation must notify the ICO in accordance with PECR and the Regulation).

If any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proposer authorisation there will be a personal data breach.  Importantly, there is no threshold for how serious the breach must be; service providers must notify all breaches. 

Notifying the ICO

The Regulation’s most significant impact is the requirement on service providers to notify the ICO no later than 24 hours after the breach is detected.  Detection is deemed to occur when the service provider has acquired sufficient awareness that a security incident has happened that led to personal data being compromised.  In other words, as soon as service providers have enough information to confirm that there has been a breach and confirm some basic facts they must notify the ICO.

The ICO does accept that in many cases service providers will need longer than 24 hours to fully investigate the security incident.  In such cases, service providers must still make the initial notification containing certain information only within 24 hours, essentially to inform the ICO that there has been a breach.  The service providers must then follow up with a second notification to provide further information as soon as possible and, in any event, not more than three days after the initial notification.  If a service provider is unable to comply with these timescales, it will be required to submit a reasoned justification to the ICO.  Although it is yet to be seen what justifications will be acceptable, current guidance from the ICO does expect the investigation into the breach to be prioritised as a matter of urgency.  In any event, the ICO would not expect an investigation to take longer than two weeks.

The ICO provides a secure security breach notification web form for service providers to notify the ICO of breaches, which also sets out the information that must be included in the notification.

Notifying customers

Where a breach is likely to adversely affect the personal data or privacy of an individual (a customer of the service provider), the service provider must also notify that individual of the breach. 

Whether the breach is likely to adversely affect individuals is primarily a decision for the service provider.  In making such determination, the service provider must take into account the nature and content of the personal data, the likely harm that could be caused to the individual and the circumstances of the breach.  For example, where the breach includes any sensitive personal data or intrusive data such as financial data, or where the disclosure could result in distress, humiliation or damage to reputation it may be more likely to have an adverse effect on a person.

Where such a notification to customers is to be made it must be made without undue delay and must include certain information set out by the ICO.  (Full details are contained in the ICO guidance).

The ICO does not provide a standard form that service providers must use to notify affected individuals.  However, service providers must use clear and easily understandable language, and in a format that ensures prompt receipt of information and appropriate security.  Service providers must also ensure that the notification is not combined with a communication on another topic and are expressly prohibited from using the notification as an opportunity to promote or advertise new or additional services.

Security breach log

Service providers are also required to keep a log of security breaches which details the facts surrounding the breach, the effects of the breach and the remedial action taken. 

The ICO has produced a template log to help service providers record the information needed.  To ensure that all breaches have been properly notified to the ICO, the ICO recommends that completed logs are submitted to it on the first working day of each month.  Although, strictly speaking, PECR does not require this monthly return, the ICO believes that this remains a useful exercise so that it can see that service providers are monitoring their security properly and taking their responsibilities seriously.

Comment

The intention of the new Regulation is to better regulate the telecoms and communications sectors.  The new Regulation gives service providers additional clarity about how to meet their existing obligations under PECR and to reassure subscribers of such service providers that personal data breaches will be dealt with effectively.   The new 24 hour deadline means that affected organisations cannot afford only to be reactive to personal data breaches; they must ensure they have in place appropriate internal procedures to facilitate compliance and allow the requisite information to be collected.  Importantly, consideration will also need to be given as to whether and how quickly legal advice may need to be obtained.

The changes incorporated in the Regulation may not be an end to mandatory security breach notification.  There are proposals under the new draft Data Protection Regulation currently being discussed that the security breach notification scheme set out in PECR and the Regulation should be expanded to further types of organisations, including online service providers such as those engaged in e-commerce retailing.  There is a strong argument highlighted by the recent exposure by Facebook of the personal details of six million users that the scope should be extended to organisations other than simply telecoms providers and internet service providers.  Although the new Regulation does not set a precedent for the proposals in the draft Data Protection Regulation, it may provide an insight into how a wider personal data breach notification system might work.

For further information, please contact Lee Rubin.