
Tesco Bank hack - lessons to be learned

Ralph Lovesy, financial regulatory consultant at Kemp Little, and Krysia Oastler, data protection associate at the firm, explain how money was withdrawn from thousands of Tesco Bank customers following a cyber-attack and examine the related legal issues for banks and consumers.

What happened?

Tesco Bank has been the subject of what is a highly sophisticated and coordinated cyber-attack, which appears to be the most serious to date in the UK banking industry. On 5 November 2016, Tesco Bank identified suspicious activity on a number of its current accounts. Two days later it announced that some customers’ current accounts had been subject to ‘online criminal activity’ and ‘a systematic, sophisticated attack’, in some cases resulting in money being withdrawn fraudulently. It is understood that a total of £2.5m was stolen from around 9,000 accounts and that Tesco Bank has refunded this amount in full to affected customers.

Tesco Bank has stated that it knows the exact nature of the breach, but has not provided any further details. Interestingly, it has not described the breach as a ‘hack’ and has stated that no customer data were lost, none of its systems were breached and it has not been subject to a security compromise. Accordingly, it has advised customers that it has not changed—and it is not necessary for them to change—their login or password details.

The National Crime Agency said it was ‘coordinating the law enforcement response to the Tesco Bank data breach’, while the Information Commissioner’s Office (ICO) said it was ‘looking into the details of the incident’. The Financial Conduct Authority (FCA) also announced that it would investigate after its chief executive said the incident ‘looks unprecedented in the UK’.

What are the obligations of banks in terms of preventing such cyber-attacks? How could this have been prevented?

Data protection law requires organisations that process personal data to have appropriate technical and organisational measures in place to keep that personal data secure and confidential. Such measures include using encryption techniques to protect personal data at rest and in transit, monitoring and testing systems for vulnerabilities, implementing firewalls and anti-virus software, deploying updates and security patches as soon as possible once available, training staff and applying access and authentication controls on a ‘least privilege’ basis. Certification to an industry standard such as ISO 27001 is a way to comply with good practice.

At this stage, it is unclear how the hackers were able to access the data and whether there was a breach of data protection laws—were Tesco’s security measures inadequate and vulnerable to attack or were the hackers highly skilled at being able to circumvent a sophisticated data security regime?

What steps must banks take in the wake of a cyber-breach?

Once an attack is detected, banks should take steps to remedy the breach, identify the data and data subjects affected (including volumes and categories of data), consider whether they need to notify their regulators (the ICO and the FCA) and make any required notifications. Once the General Data Protection Regulation, (EU) 2016/679 (the GDPR) applies from 25 May 2018, controllers of personal data will have a mandatory obligation to notify breaches affecting personal data to the ICO without undue delay and at least within 72 hours of becoming aware of the breach.

What consumer protections are afforded to banking customers who suffer financial loss as a result of this type of attack?

Banks are generally proactive in refunding any amounts stolen to customers who have been genuine victims of fraud. However, if a customer is not able to resolve their issue with the bank, they have the right to complain to the Financial Ombudsman Service, which will reach a decision on the basis of what it regards as ‘fair and reasonable’. Customers also have the right under the Data Protection Act 1998 (DPA 1998) to claim compensation where they suffer damage or distress as a result of a breach of DPA 1998.

What are the potential consequences of this incident for Tesco Bank?

The reputational damage caused by a data breach can be significant. The damage to customer trust and business performance in the long run is very much down to how the organisation handles the breach. Having a robust response plan in place and ‘war gaming’ to test the plan are key to ensuring that the business can respond quickly and in a way that minimises the damage both to customers and the business.

The ICO and FCA have a memorandum of understanding governing cases where an FCA-regulated entity suffers an incident affecting personal data. Both regulators have the power to issue monetary penalties/fines. The ICO currently has the power to issue monetary penalties of up to £500,000 for serious data protection breaches that are likely to cause substantial distress. Once the GDPR applies, the ICO will have the power to issue fines of up to the greater of €20m or 4% of global turnover. There is no limit on the amount of fines the FCA can impose. In the past, the FCA has taken the lead on issuing fines to financial services businesses that have breached the FCA rules and DPA 1998. The ICO also has the power to issue enforcement notices that require organisations to change the way they operate, for example, to implement further security measures to prevent further breaches from occurring. Often the cost of complying with these notices is higher than the fine that is issued.

Are there any gaps in financial services regulation regarding cyber-attacks? If so, how could the law be improved in this area?

The FCA Handbook already contains wide requirements in relation to the systems and controls that a regulated firm must have in place. In particular, a firm must have effective processes to identify, manage, monitor and report risks and internal control mechanisms. Therefore, the FCA has considerable discretion to interpret any cyber-security failings as indicative of wider failings in systems and controls. The FCA has a range of enforcement options including public censure, the power to issue unlimited fines and, perhaps most significantly, the ability to restrict or revoke a firm’s authorisation if it regards the firm’s conduct to be particularly serious.

Firms are required to scrutinise carefully any third party to which they wish to outsource the performance of any important function such as cyber-security. Further, in undertaking such outsourcing, firms need to do all they can to avoid impairing either the quality of their internal control or the ability of regulators to monitor the third party’s compliance.

Further, banks are subject to the senior manager’s regime, under which responsibility for important functions must be allocated to a designated senior manager. Therefore, the FCA will expect to see clear ownership of cybersecurity at a senior level and will not be satisfied if responsibility for such matters is delegated to someone at a more junior level. If a senior manager’s conduct were to fall below the required standard, they would be at risk of criminal sanctions.

Any further thoughts which lawyers advising in this area can take away?

The risk of cyber-attack is more significant than ever. Preparation is key to being able to limit the impact of a breach. This means knowing what data the business has and where it is stored, having appropriate security measures in place to reduce the risk of a breach occurring and implementing a data breach and incident response plan, which is regularly tested to ensure its effectiveness.

This article was first published on Lexis®PSL IP & IT on 22 November 2016.