• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

Stemming the Heartbleed

In-house analysis: What are the implications of the Heartbleed virus for organisations? Nicola Fulford, privacy and data protection partner at Kemp Little LLP, says the bug is capable of being abused by hackers for as long as the vulnerable version of OpenSSL is in use, and it is vital to make sure a response plan is in place.

What is Heartbleed?

The Heartbleed vulnerability is a serious security bug that exists in the OpenSSL open-source cryptographic software library.

OpenSSL encrypts communications between a user's computer and a web server in order to provide communication security and privacy over the internet for applications including web, email, and instant messaging. It is thought to be used by roughly two thirds of all websites on the internet (look out for the padlock symbol in your URL bar).

The Heartbleed bug allows anyone on the internet to read the memory of the systems protected by the vulnerable version of OpenSSL, obtaining secret keys used to encrypt traffic, names and passwords of users, and actual content of communications. Perhaps most concerning is that the bug can be used by hackers to capture this data without leaving a record in the server's log, allowing hackers to steal data without leaving a trace.

What effects is it having on businesses and individuals?

The main effect of the Heartbleed vulnerability is hackers are able to eavesdrop on communications and steal personal (name or address), sensitive (medical records), financial (credit card and bank details), and other data which could then be used to:

How is the Heartbleed bug different from other cyber-attacks?

The key difference is that the collection of data through the Heartbleed vulnerability is not a targeted attack by hackers, but is instead a flaw built into a key feature of internet security that is able to be utilised by hackers. In particular, the Heartbleed bug:

What can be done to combat it?

The key issue with the Heartbleed bug is that it is capable of being abused by hackers for as long as the vulnerable version of OpenSSL is in use. Little can be done by users and businesses before core-component (operating system, network appliance, and independent software) vendors make a fixed version of OpenSSL available, following which users and businesses will have to install the fix to remove the vulnerability.

Users and businesses could take an overly precautionary approach and not use such software (and therefore most likely their computers) until they are notified of the fix being available, although less reactionary users are instead advised to:

How should businesses respond if hackers use the Heartbleed vulnerability to cause a data security breach?

While preparation for, and prevention of, data breaches is key, if the Heartbleed vulnerability is exploited and a breach occurs businesses should:

Contain and recover

Your response plan should be put into action, including:

Assess risk

Assess the potential consequences of the data breach, including how serious, substantial, and likely adverse consequences are by:

Notify breach

Consider whether to inform relevant people and organisations such as users and regulators of the breach. Your notifications should include any steps users should take to protect themselves.

How should lawyers respond?

The main focus for lawyers should be to put in place a response plan and take a pro-active role in:

In some famous data breach incidents, more customers have been lost by inappropriate or insufficient responses than from the actual breach itself. It is vital to make sure the response plan is in place and aim to do the right things from the outset, working with teams such as PR, customer relations and IT and to communicate with users to maintain or regain trust.

For further information, please contact Nicola Fulford.

  • impersonate users to:
    • commit identity fraud or gain financial benefit (ie through fraudulent transactions)
    • hold accounts and information to ransom (such as valuable Twitter handles), and/or
    • increase spam
  • businesses:
    • impersonate customers and cause financial loss to businesses (by placing fraudulent orders, withdrawing account balances, etc)
    • disseminate confidential or other sensitive company information, in turn leading to breakdowns in relationships and reputations
    • delete or destroy critical documents, and/or
    • disseminate personal or sensitive data about customers
    • applies to a larger number of websites than conventional cyber-attacks, with millions of websites affected
    • cannot be traced (in terms of both access and compromised data), unlike most cyber-attacks
    • makes gathering data significantly easier compared to coordinating a targeted cyber-attack for the same data, and
    • has left large amounts of data exposed for a long period of time, giving hackers access to more data than through conventional cyber-attacks
    • check websites for the Heartbleed vulnerability using a real-time Heartbleed checker (located via the internet)
    • change passwords for each website (making each unique)
    • log out of mobile apps and (a few minutes later) log back in (to issue new authorisation tokens), and
    • wherever possible, set up two-step authentication so logins also require access to a recognised physical device
    • taking actions to stop the existing breach and further breaches (ie taking down the website whilst installing the OpenSSL fix)
    • have any systems that are fixed reissued with certificates with new keys (both client and server), and
    • change passwords on the fixed system
    • assessing the impact of the Heartbleed bug on your business (was a public-facing server at risk, or was your VPN breached?)
    • reviewing the type of data involved (personal, confidential, otherwise), and
    • determining what the data may be used for
    • escalating the issue to the relevant individuals internally
    • assessing the extent of the security breach, and determining whether it requires notification to regulatory bodies such as the Information Commissioner's Office (ICO)
    • determining whether users need to be informed and, if so, the content and method of delivery of the notice and any assistance that can be provided, and
    • ensuring IT staff are instigating the OpenSSL fix