• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

What businesses have learnt from 2017's most hard hitting breaches

2017 has seen some high-profile data breaches hitting the headlines, from Equifax to Pizza Hut. Regardless of how commonplace reports of major data breaches now are, there are still lessons to be learned from how the organisations affected have handled these breaches. Emma Wright, Partner at Kemp Little LLP, suggests here five important lessons that are to be learnt from the data breaches of 2017.

As many predicted at the start of the year, a news item announcing a data breach is now a regular occurrence and is only set to become more common with the breach reporting obligations in the General Data Protection Regulation (‘GDPR’) taking effect in May 2018. In fact with the Network and Information Security (‘NIS’) Directive taking effect on 9 May 2018 it will not only be personal data breaches but also attacks on the networks carrying the data that will be notifiable for certain key industry sectors. Will the cyber security breach headline become ever more common, and is there a possibility that these breaches will become ‘normal’ and so commonplace that the general public will become desensitised to these types of attack?

With this in mind I have tried to summarise the top five lessons to be learnt from the data breaches of 2017 (the analysis is based on publicly available information) and whether we are heading into an era when cyber security, or the lack of it, may no longer damage a brand?

Do not try and hide the breach

Whether a data breach becomes a regular occurrence or not, the way Uber handled its data breach demonstrates that if handled incorrectly, a data breach can send a signal to both the public and regulators that there is a wider lack of ethics and compliance at the core of the company. These kinds of indicators will damage a brand. This type of behaviour is also likely to lead to increased regulatory scrutiny in relation to the breach but also sends a signal to other regulators that there is a more fundamental problem. The size of the Uber data breach is significant but the headlines would have been different if it had not tried to hide the breach and pay the criminals - and we suspect the treatment it receives from regulators will be less sympathetic than if Uber had not tried to hide it.

The accountability and transparency requirements that companies will be expected to demonstrate in a post- GDPR era appear hard to reconcile with hiding the loss of millions of customers’ personal data and paying criminals.

A data breach response plan that demonstrates: i) the breach is being treated seriously, ii) every attempt is being taken to quantify the risk, and iii) genuine and effective steps are being taken to protect the individuals, is essential and should be followed.

There are unfortunately plenty of examples of companies that have appeared totally unprepared for a cyber attack. This should arguably improve once mandatory data breach notification takes effect after the coming into effect of the GDPR, although the example of TalkTalk, who at the time of the data breach was subject to such a notification, might indicate the contrary. Except for one notable difference, with the advent of the GDPR, the fines that will apply for even failing to notify the ICO of a data breach or attack on the network have stepped up significantly from the ‘parking level’ type of fines previously imposed on the telco sector under the Privacy and Electronic Communications Regulations.

Notify all relevant regulators and the time lag to then notify affected customers should be minimal

When the Equifax data breach was reported, the ICO resorted to publicly stating that Equifax should be informing affected customers before Equifax itself got around to doing so. Equifax’s handling of the breach has been much criticised with the UK Financial Conduct Authority only finding out about the breach through the media. Although the Pizza Hut breach last year was spotted fairly quickly, this did not mean that customers were informed equally promptly or before their account information had reportedly been used fraudulently for a prolonged period of time. Any breach response plan must include the relevant regulatory reporting requirements as, setting aside the fines for failing to notify, this kind of behaviour can (understandably) be taken as an indication that there was not an adequate breach response plan in place.

The GDPR will require breach notifications to the ICO within 72 hours for most data breaches with a notification to customers ‘where there is a high risk to the rights and freedoms of data subjects’ without undue delay. There will no doubt need to be careful consideration of whether notification to customers is triggered; however recent breach examples indicate that trust and confidence in the company experiencing the breach quickly evaporates if customers believe they should be informed that there has been a breach and it is not forthcoming.

When conducting an internal review of a breach or attack, considering the messaging to customers is as equally important as reporting to the ICO, and trying to explain what has happened in simple terms with steps that customers should take to protect themselves should be a priority.

A cyber breach response plan should include collaboration, knowledge sharing and implementing recommended standards or schemes

The WannaCry attack sent a very clear warning that the nature of globalisation means that a cyber security attack will also be global in its reach and impact, with WannaCry attacking 200,000 computers in 150 countries and leaving a path of devastation. However, just like highly organised physical criminal activity, it also demonstrated that collaboration and sharing information of heightened threats will help mitigate the effects of such an attack. At a local level simply understanding your network architecture and segregating back-up servers from the network should reduce the impact of an attack. Those data maps produced for GDPR compliance should be maintained and kept with the data breach response plan.

The WannaCry virus spread to almost 100 countries on its first day but through the reporting of the risk and security forces working collaboratively, the spread was halted as many in the US were able to patch their systems before being hit. The UK National Cyber Security Centre encourages the reporting of cyber risks to it and through companies joining C-iSPS - the cyber security information sharing partnership set up to encourage collaboration between Government and industry. Although aimed more at SMEs, the Cyber Essentials UK Government accreditation which acts as an annual ‘cyber security MOT’ theoretically allows a company to focus on the more complicated cyber risks. Through its accreditation it aims to ensure that companies have basic cyber security and hygiene in place so they can focus on elimination and responding to the larger and more complex cyber security risks.

The IoT changes the risk profile.

The prediction that the Internet of Things (‘IoT’) significantly increases the cyber risk profile is correct. The Mirai botnet cyber attack in 2017 was the largest attack of its kind in history - although to be fair the possibility of such attacks has only been there for years rather than decades. The attack was targeted on the servers of a company that controls much of the internet’s domain name system infrastructure (and under the NIS Directive it is likely that a report of this kind would have to be notified to government authorities). The difference with this botnet was that instead of using computers, it was largely made up of Internet of Things devices i.e. any device that has a connection to the internet. The effect of the attack was that it took down many high profile websites including The Guardian, Netflix, CNN and many others.

Setting aside that this attack is yet another indication that IoT devices are being flooded onto the market with insufficient cyber or privacy safeguards, it also highlights that the number of machines that can be used as a weapon and that ultimately may become casualties in a ‘cyber war’ has increased exponentially. This will be of particular consideration for the ‘essential operators’ under the NIS Directive, many of which rely on machine-tomachine (‘M2M’) assets as there is a risk that such assets are unlikely to have sufficient computing capacity to deploy adequate cyber security protection.

If you limit access to data internally then it will be easier to identify and notify where the breach has occurred

All employees do not need access to all of the company’s data. Restricted access should be introduced and applied systematically and reviewed regularly. This is good information security practice and allows some of the potential causes of a breach to be removed in order for a breach response team to focus on a more limited set of scenarios. With the recent Morrisons case, where the supermarket Morrisons was found by the High Court to be vicariously liable for the actions of a rogue employee who disclosed personal data, there is an even greater imperative to provide access to company systems on a ‘strictly needs’ basis

The Morrisons lawsuit was brought by 5,500 current and former Morrisons workers who were seeking compensation over the 2014 data security breach in which payroll information of almost 100,000 staff had been posted on the internet and sent to newspapers by a disgruntled employee. The data included names, addresses, NI numbers, bank account details and salaries. It was argued by the claimants’ lawyers that the data theft meant 5,518 former and current employees were exposed to the risk of identity theft and potential financial loss and that the company was responsible for breaches of privacy, confidence and data protection laws.

In the case of Bupa, it was a similar set of circumstances, where more than 500,000 Bupa customers’ data were released after an employee ‘copied and removed’ their information from the health insurer’s systems. The loss of access to personal data constitutes a data breach under the GDPR regardless of whether it is publicly released.

Bupa was able to advise customers relatively promptly and efficiently exactly as to what data had been taken, which customers were affected and what the cause of the breach was, with a video being placed on its website for customers to watch and advice as to what steps to take also being given. Information like this will no doubt assure customers that a company is proactively managing the impact of a data breach.


A point to note is that the focus to date on cyber attacks has been on personal data breaches and essentially minimising the risk of consumer harm and protecting those that have had their data lost. As demonstrated by WannaCry, attacks do not always focus on acquiring personal data; cyber attacks can also make people feel extremely vulnerable through the loss of essential services or facilities such as hospitals. The emphasis will change with the implementation of the NIS Directive where the providers of essential facilities in various key industries will be required to adopt high standards in relation to cyber security and there are reporting requirements where there is an attack on the systems or networks of providers in these sectors. Unfortunately in the case of essential operators, many of which have old assets and infrastructure, implementing high standards of cyber security and measures to allow reporting obligations to be complied with in the event of an attack is likely to be extremely difficult.

2017 has been a year where it seems that there have been constant reports yet another high profile data breach. This is likely to increase post May 2018. It may be that 2018 will be the turning point for data breaches, and that there will be a clear difference between those companies that respond to a data breach in a measured and organised manner compared to those that at best display signs of struggling to cope or at worst appear to be withholding information and not giving the matter sufficient attention. The latter will be clearly remembered by the public and for the wrong reasons.

A well-thought through data breach response plan that considers the network architecture, data flows and access rules alongside the customer base and the regulatory reporting requirements, and is able (even through a process of elimination) to identify the cause of the breach accurately and quickly, will reassure the affected company’s board, customer base and regulatory authorities that the breach is under control, and this should be a top priority for 2018.

This article was first published on Cecile Park Media

Contact our experts for further advice

Emma Wright