• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

The security risks of modern Voice over Internet Protocol

Cyber crime is becoming an increasingly significant and growing global problem that affects all sectors with an on-line platform or service.  The UK Cyber Security Breaches Survey 2016 commissioned by the Department for Culture, Media and Sport (DCMS) found that 25% of companies experience a cyber-breach at least once a month.  At the annual Black Hat USA cyber security conference, warnings were delivered about the security inadequacies of modern VOIP (Voice over Internet Protocol) or unified communications systems which are sometimes overlooked when corporates or individuals assess their cyber-attack vulnerabilities.   The incorporation of VOIP into a corporate network means that VOIP tends to be another service running over the IP network and is therefore another door through which hackers can gain access to a wider system or underlying infrastructure.

What is VOIP?

VOIP or Voice over Internet Protocol is a service that is used to send voice transmission over a broadband internet connection.  It transmits analogue voice signals as digital packets over the internet instead of using the traditional public switched telephone network.  This convergence of data and voice means that VOIP is another data service over the IP network and there is no physical separation of the networks.   For VOIP providers it, it is an electronic communications service and is regulated in the UK by Ofcom.  Since it was first launched, gateways have been subsequently created as an add-on to VOIP to allow computer to telephone calls and vice versa.  Corporate VOIP services can now also be integrated with other corporate enterprise systems to search for users in internal corporate directories and deliver voicemail to a desktop. 

The advantage of VOIP is that standard call charges are not incurred.  However, the disadvantage is that as VOIP is delivered using a third party application, the same requirements to patch and update the software apply. An additional issue is that the standard firewalls cannot always analyse the data carried by the SIP Protocol (the protocol commonly used for controlling VOIP calls) and consequently cannot determine whether a call is legitimate or fraudulent.

There has been a reported increase in cyber attacks on VOIP infrastructure and particularly on UK servers with most attacks taking place outside of regular working hours.

The VOIP Security Alliance has identified the following five types of threats to a VOIP service:

  • Social threats: misrepresentation of identity, authority, rights or content – it is possible to doctor voices or change incoming phone numbers.
  • Interception: eavesdropping on calls (which without lawful authority is illegal in the UK)
  • Service abuse: hacking into a system to make calls to premium rate numbers or international numbers (one of the most common attacks).
  • Intentional interruption of service: a denial of service attack particularly targeted to the VOIP system.
  • Other physical interruptions: such as loss of power to the servers hence bringing the service down.

From a practical perspective, companies often assume that the VOIP service should be handled by a telephony specialist when in fact, the security of the system is a networking matter.  Obviously, securing a PBX (Private Branch Exchange) completely from the outside world would render the service totally redundant but it is a case of focusing on minimising vulnerabilities.  This can be from a practical perspective through mailbox passwords, implementing security features provided with the service such as barring access to premium rate numbers and using a VPN to carry the traffic between a remote endpoint and the PBX.

Information and Cyber Security Legal Position

The current general legal position in the UK requires those organisations that control personal data to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data (Data Protection Principle 7, Data Protection Act 1998).

In practice this requires corporates to:

  1. Adopt security measures (both physical and technological) commensurate with the type of data being held and the harm that may result from a security breach;
  2. Be ready to respond to any breach of security swiftly and effectively; and
  3. Be clear as to who is responsible for information security within the organisation and back this up with policies, procedures and well trained staff in relation to the security measures, reporting and responsibility.

In essence, the VOIP service and infrastructure should form part of the IT and Communications estate that has equally as stringent security measures applied to it (yet adapted to address the protocols used to provide the service).

The UK Privacy and Electronic Communication Regulations also need to be complied with for VOIP service providers.  Essentially the technical and organisational measures to be adopted mirror those in the Data Protection Act with the following additional requirements that they must:

  1. Ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;
  2. Ensure the implementation of a security policy with respect to the processing of personal data; and
  3. Notify the Information Commissioner (ICO) in the event of a personal data breach within 24 hours of becoming aware of the basic facts, with full details as soon as possible (with a more detailed follow up notification 72 hours later if applicable) and notify the subscriber without undue delay if the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user;
  4. A log of any breaches must be kept and should be submitted to the ICO on a monthly basis.

Any notification to a user of the system is not required if the service does not have a direct relationship with the end user (but it must notify the organisation that does). Alternatively, if the service provider has demonstrated to the ICO’s satisfaction that it has implemented measures that render the data unintelligible to any person not authorised to access it and that those measures were applied to the data concerned in that breach.  The ICO also has an audit right to assess compliance with the notification requirements and a failure by a service provider to comply with the notification requirements may attract a fine of £1000.  Where there remains significant risk to the security of the service, the service provider shall inform the subscribers concerned of the nature of the risk, any appropriate measures the subscriber may take to safeguard against that risk and the likely cost of such measures.

Regardless of Brexit, the general consensus seems to be that the EU General Data Protection Regulation (GDPR) will come into force in May 2018 and that the UK will adopt legislation that closely mirrors both that and the recently adopted Network and Information Security Directive once the UK leaves the European Union. Obviously, any EU laws already in effect in the UK will need to be revoked or repealed before they cease to be law.  With this in mind, the data breach notifications that currently apply to public electronic communications service or network providers i.e. the VOIP service providers will now also fall on those using the services in the event of a data breach, with the potential for significant fines if this timescale is not met (assuming fines are at a similar level to those set in the GDPR).  The NIS Directive’s application is broader than incidents affecting personal data - although it will only apply to ‘essential service providers’ determined as such by the Government and digital service providers such as search engines, cloud computing providers and online market places.  There are notification requirements where there is an incident to the network and information systems of that service would have significant disruptive effect on the provision. This could include the failure of a VOIP or unified communications service whether or not there has been a breach of personal data.

For those faced with procuring a VOIP service, it appears to be an increasingly common position from VOIP providers that they are a more conduit for the data and do not store personal data.  Once the GDPR applies, the distinction between a processor and controller will be less stark as processors will also incur liability.  In addition, companies should ideally place and enforce their own information security requirements on the service provider and if this is not possible, ensure that the service providers own information security requirements are sufficient.  It is always worth carrying out due diligence and asking if there have been data breaches or security issues arising from the service. The question of who incurs the cost in the event there has been fraudulent use of the system is always relevant – particularly when it becomes an issue of whether the fraud has occurred due to the security vulnerabilities of a particular VOIP service.  Such an issue is generally always contentious and where it Is a risk that the VOIP service provider is not willing to assume this should also be built into any business case of assessing the cost savings of moving to the service.  In the event that a main switchboard and/or phone lines (internal and external) may cause significant disruption, the limits of liability should be negotiated with the size and nature of the business and service credits in mind.

The costs savings brought about by migrating to VOIP systems are clear but the convergence of the networks and the increased cyber vulnerabilities this brings about as companies add a service which by its very nature must be connected to the outside world should not be overlooked as cybersecurity increasingly becomes a Board level issue where reporting on security breaches will in May 2018 be a matter for all companies not just the telcos and with potentially significant fines attached.

This article was previously published in the September 2016 issue of  Cyber Security Practitioner.

Contact our experts for further advice

Emma Wright