• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

View All

Data retention and fundamental human rights: a Leviathan or a Behemoth?

The English law over the last fifteen years on interception and investigatory powers has been dynamic. The Regulation of Investigatory Powers Act (‘RIPA’) was introduced in 2000, but in 2014, the CJEU judged that RIPA was not fully compatible with the EU Charter of Fundamental Rights and Liberties (the ‘Charter’). A series of secondary legislation and the Data Retention and Investigatory Powers Act (‘DRIPA’) 2014 was implemented by the government in response to this, but this itself has been subject to further judicial review and scrutiny. In December 2016, the CJEU again declared the UK law here was not compatible with the Charter.

This challenge was first brought by MPs Tom Watson and David Davis (prior to his now cabinet position responsible for exiting the EU), that DRIPA was not compatible with the Charter, and therefore should be repealed or amended to be in accordance with the Charter values. The Court of Appeal referred the matter to the CJEU which gave a clear declaration that DRIPA 2014 “exceeds the limit of what is strictly necessary and cannot be considered to be justified, within a democratic society” (para 107).  The matter has been referred back to the Court of Appeal for a judgment based on that verdict.

At the heart of the matter is the DRIPA requirement for communications providers to retain call logs, traffic data and mobile phone locations data for up to 12 months. While a series of previous verdicts have interpreted this sort of law as only being able to be compatible with the Charter for specific purposes (serious crime), or with specific protections, this verdict went further. The CJEU’s verdict included its view on ‘general and indiscriminate retention’ (para 97): which it states is contrary to the Charter, regardless of protections in place.

The practical impact here is interesting. This is a verdict which the Court of Appeal will take into account in its subsequent verdict which will follow. In any case, the Government repealed the entire DRIPA law at the end of 2016, replacing it with the all new Investigatory Powers Act 2016 (‘IPA’), commencing at the start of 2017. With much the same data retention rights in place in IPA as were in DRIPA, the heart of the judgment CJEU judgement against DRIPA can be mapped by the Court of Appeal against the new provisions of IPA.

Of course, in response to any verdict which declares aspects of data retention under IPA as being incompatible with the Charter, the government could make tweaks to IPA. Those tweaks may well be subject to further challenge and litigation. As Tom Watson and David Davis first raised their concerns in July 2014, the High Court verdict was in July 2015, and the Court of Appeal is yet to implement the CJEU verdict as of 16 January 2017, we may not see a further appeal ever reach a European Court if Theresa May achieves her Brexit timetable.

This does not necessarily mean however that the UK Government can ignore the Charter or equivalent European concerns: for the lawful data export from the EU to the UK (as a third country), it is likely that the would require its laws to be reviewed by the European Commission, which would declare whether they are adequate to protect the rights of citizens, and therefore if data exports should be permitted prima facie. If the UK government adopts a contrary approach to the Charter prior to Brexit, this may colour the Commission’s analysis as to the rigour of UK law as it relates to the fundamental rights of EU citizens.

There will be plenty more turns as the legislation and litigation continue in this arena. For now, the CJEU has struck a significant theoretical blow to the UK’s data interception rights, but the practical matter of bulk data interception is likely to continue regardless.

Ulster Bank customers face payment delays

Ulster Bank, which is owned by the Royal Bank of Scotland, is experiencing problems processing customer payments. A spokeswoman for the bank stated that “some payment files have been delayed in the system this morning and we are working to have these applied as soon as possible.” The Bank has stated that it will make emergency cash available for customers who have not received account credits as a result of the problem.

These problems come less than 18 months after around 600,000 payments due to RBS, NatWest, Ulster Bank and Coutts customers failed to arrive in their accounts. Furthermore, in 2014 RBS was hit with a £56 million fine from the Prudential Regulation Authority and the Financial Conduct Authority after a computer failure in 2012 saw as many as 6.5 million customers unable to make payments for as long as three weeks.

The FCA stated that the underlying cause of the 2012 incident was a failure to put in place adequate systems and controls to identify and manage exposure to IT risks.

Regulated firms must organise and control their affairs effectively by putting in place adequate risk management systems, including processes for identifying, analysing and resolving IT incidents. Changes to IT systems need to be carried out in a carefully planned and consistent manner and new software should be tested robustly before being launched.

Single-minded thinking needed to face singularity

The EU steps in to kick-start a meaningful discussion on legislative direction of AI

On the 12th January 2017, the Legal Affairs Committee of the EU Commission passed a report that announced the need for EU wide rules on AI and robots.  For decades the development of artificial intelligence (AI) had been stymied by the delay in the actual technology to catch-up with the theory and the science-fiction.   But this decade has seen us reach the tipping point - the technology can start to deliver on the theory – the worry has become that the law would be the delay to the development of AI.  Whilst ambiguity and lack of clarity can often generate opportunity – typically larger enterprises view uncertainty and see fear and risk – and such fear and risk causes hesitancy in uptake.  

Keen to remove the uncertainty both UK and EU legislators have both been active in the last 6 months in setting out plans to bring legal certainty to the areas challenged by AI – with different rates of progress:

  • UK: In October 2016, the Commons Select Committee for Science and Technology reported on “Robotics and artificial intelligence”.  The Committee called for a Commission on Artificial Intelligence to be established at the Alan Turing Institute to examine the social, ethical and legal implications of recent and potential developments in AI and also looked to the Government to ensure that education and training systems were optimised to better skill the future workforce
  • EU:  On the 12th January 2017, the Legal Affairs Committee of the EU Commission (with a vote of 17-2 in favour) passed a report that announced the need for EU wide rules on AI and robots.  The report marked an interesting step forward for AI within Europe as it gave some recommendations as to what the legislation of AI might look like.  These include:
  • ‘personhood’: consistent with the conclusion that Kemp Little has been making for over 2 years – for example see our seminar on AI in February 2016 -  the report noted that a legal status, perhaps akin to that granted to corporates, should be created at some point to help deal with issues of liability and ownership;
  • Agency: The creation of a European agency for robotics and AI;
  • Registration: A system of registration of the most advanced ‘smart autonomous robots’;
  • Code: An advisory code of conduct for robotics engineers aimed at guiding the ethical design, production and use of robots;
  • Insurance: A new mandatory insurance scheme for companies to cover damage caused by their robots; and
  • Driverless Vehicles’: The report notes that self-driving cars are “in most urgent need of European and global rules…Fragmented regulatory approaches would hinder implementation and jeopardise European competitiveness”.

KL Comment:  Whilst it is good to see that there was general recognition that the UK was falling behind in creating a legislative framework for AI – at the moment the UK based activity revolves around the push to greater thinking, rather than any guidance or conclusive thoughts.  The EU report starts to ‘flesh out’ how the legislators might approach the status of AI and the laws for development.  This feels like the first time a major legislative body has done so for AI at this level of granularity.  Keen ‘techies’ will note that the fundamental principles of  Isaac Asimov’s ‘Laws of Robotics’ – first articulated in 1943 – are referred to and form a basis of the proposed rules.  This reliance on 74 year old rules is either indicative of the prescient and visionary work of Asimov or shows how far we still have to go in our thinking in this area.  It is perhaps too soon to tell which…

Improving the UK's digital infrastructure: public funding for fibre and 5G

On 23 November 2016 Chancellor Philip Hammond delivered the Autumn Statement where his announcements included improvements to the nation’s digital infrastructure. The announcement comes amidst sentiments that the UK has fallen behind other countries with respect to the availability of high speed internet services.

The Autumn Statement announced the creation of a new National Productivity Investment Fund (NPIF) which will target four areas: digital communications, housing, transport and R&D. The NPIF will spend £23 billion on these four areas by 2022. In respect of digital infrastructure, Hammond stated that “[o]ur future transport, business and lifestyle needs will require world class digital infrastructure to underpin them”. Of the NPIF’s £23 billion, £740 million will be targeted towards two main objectives: encouraging the private sector to implement full-fibre connections and supporting trials of mobile 5G.

First, of the £740 million, £400 million is part of the Digital Infrastructure Investment Fund to fund the extension of fibre networks to more areas across the UK over the next four years. Fibre networks are faster and more reliable than traditional copper internet cables and the work envisioned is to extend the networks directly to people's houses, rather than, as is currently the case, to a local connection point from which copper cables connect to the house causing the speed to slow down.  Fibre-optic cables extending to homes directly is called “full fibre” or Fibre-to-the-Premises (FTTP) and avoids the slower copper cables entirely. The intention if for the £400 million to be matched by private investment.  Smaller providers will be able to borrow from this fund so as to provide a competitive service.

A set of tax breaks will be available for internet providers for five years starting 1 April 2017 when the Government will provide a new 100% business rates relief for new full-fibre infrastructure.  The hope is to help smaller businesses by reducing the cost of fibre and thereby supporting extension to more areas. The intention is also to provide funding to local areas to support investment in a larger full-fibre network across the UK. On 29 December 2016 the Government opened a call for evidence seeking views on how public funding can be better used to encourage further and faster deployment of full-fibre broadband networks.[1] The review is set to close on 31 January 2017.

Second, the Government is aiming to provide funding for fibre and 5G trials.  5G stands for fifth generation and is expected to be rolled out in 2020. It will greatly increase download speeds and is expected to provide connections for up to a million mobile internet users per square kilometer. 5G will also allow the use of much higher quantities of data enabling for instance streaming of high-definition media on mobile devices without Wi-Fi. Research into 5G also seeks to improve support for the internet of things (IOT). Additional details are expected in due course, with confirmation of the allocation at Budget 2017. 

The overall goal is to bring faster and more reliable internet access across the UK, boost the next generation of mobile connectivity, and keep the UK at the forefront of the development of IOT.

With reliable, fast internet service now considered a basic expectation and many feeling that the UK has lagged behind other countries in terms of speed and connectivity, the announcement of public funding being earmarked to tackle these problems can only be seen as welcome. The coming years will show how the extension, including by smaller industry players, work out, how successful the tax incentives are, and what the results of the 5G trials are.  What can at this stage be surmised is that the Chancellor acknowledges that the UK’s digital infrastructure needs upgrading and has a keen desire to stimulate improvements, which in turn shows an appreciation by the Government of just how essential access high speed broadband really is.

M&A Diligence: when term sheets can be legally binding (again)

Back in March 2016, we reported on the case of New Media Holding Company LLC v Kuznetsov [2016] EWHC 360, where the High Court held that a term sheet was legally binding, even though the document referred to itself as being a “Term Sheet describing principal terms and conditions of Company share management and control” and, on the face of the document, made no reference to consideration.   Despite Mr Kuztenov arguing that the term sheet was a “casual and informal” document, the Court was swayed by the fact that it had been drafted by lawyers and the rights granted to the other party were expressed in unqualified legal terms. It even contained an express governing law and jurisdiction clause, the purpose of which the court found difficult to understand “absent an intention to create a legally binding agreement”.  The term sheet was therefore deemed to be legally binding and not “merely a document that was aspirational”.

The recent case of Arcadis Consulting (UK) Limited v AMEC (BSC) Limited [2016] EWHC 2509 (TCC) serves to re-iterate that term sheets can form the basis of a legally-binding contract, although the Arcadis case involved a number of forms of contract passing between the parties, rather than just one term sheet.

The facts of the case were that Arcadis and AMEC were in the process of negotiating the terms of an agreement for the design of a car park, and became involved in a “battle of the forms” where one party would send a version of the agreement to the other, only to receive a different set of terms in response.  Various versions went between them and no formal contract was ever signed.  However, during the process, AMEC sent a letter to Arcadis instructing Arcadis to begin work (which it did).

A dispute later arose over liability and whilst AMEC argued there was no contract between it and Arcadis, Arcadis countered that a binding agreement did exist and it included a term contained in the last version of the document circulated by Arcadis which limited Arcadis’ liability.  Whilst the court agreed that there was a binding contract between the parties, it concluded that the terms of this contract were limited to the brief summary set out in the instruction letter.  No other terms of the versions circulated between Arcadis and AMEC applied (including the liability limitation clause); on that basis, Arcadis’ liability was uncapped.

As in the Kuznetsov case, the decision in the Arcadis case provides a helpful summary of the applicable principles determining whether or not there is a binding contract between parties, with the judge referring to the elegant summary of Lord Clarke in RTS Limited v Molkerei Alois Müller GmbH [2010] 1 WLR 753:

It depends not upon their subjective state of mind, but upon a consideration of what was communicated between them by words or conduct, and whether that leads objectively to a conclusion that they intended to create legal relations and had agreed upon all the terms which they had regarded or the law requires as essential for the formation of legally binding relations.  Even if certain terms of economic or other significance to the parties have not been finalised, an objective appraisal of their words and conduct may lead to the conclusion that they did not intend agreement of such terms to be a precondition to a concluded and legally binding agreement.”       

Applying this to term sheets in an acquisition or fundraising context, it is important for the parties to ensure all key commercial terms of a deal are contained within any document agreed between them.  Parties also should think carefully about performing a contract which is still being negotiated – otherwise, they run the risk of creating a binding contract by conduct which fails to incorporate the non-finalised terms.

M&A Diligence: "what time is close of business"?

The recent High Court case of Lehman Brothers International (Europe) (in admin) v ExxonMobil Financial Services BV [2016] EWHC 2699 (Comm) confirms what us corporate lawyers have known for a long time: that “close of business” means a time later than 5pm.

The case concerned a portfolio of securities which Lehman Brothers had sold to ExxonMobil on 9 September 2008, having agreed to buy it back on 16 September 2008.  The day before the agreed buy-back date, Lehman Brothers collapsed and ExxonMobil served a notice of default.  The agreement between Lehman Brothers and ExxonMobil provided that ExxonMobil had the right to serve a default valuation notice if it did so by close of business on the fifth day after the day the default occurred.  The phrase “close of business” was not defined in the securities agreement.

ExxonMobil served its default valuation notice by fax on the fifth day after default, which was received by Lehman Brothers at 6.02pm London time.  Of the many arguments submitted by Lehman Brothers as to why the notice was invalid, one centred around ExxonMobil being out of time, as the notice should have been received before “close of business”, which Lehman Brothers took to mean 5.00pm.  ExxonMobil took a more literal approach and argued that in the modern world, commercial banks close later, at around 7.00pm, so “close of business” should refer to the typical time a commercial bank closed.

The court agreed with ExxonMobil:

[Lehman Brothers] submits that if a reasonable person was asked at what time close of business occurred in London, 5.00pm (at the latest) is the obvious answer, and that accordingly, ‘5.00pm is the candidate to beat’.  I do not accept that either.  In the context of financial business of the kind at issue… a reasonable person might be surprised to hear that business closes at 5pm.  In fact, it does not, and I do not understand this to be in dispute.”    

The courts will therefore look at the nature of the agreement and the respective businesses of the parties to determine what typically would be “close of business”, as the phrase has no legal meaning.  If it is important for the agreement to specify precise time periods, the parties should ensure a specific time and day are agreed and contained in the final version of the contract.  Given the global nature of many businesses, it would also to be sensible to refer to the relevant time-zone.

Biometrics in banking and payments (...but first let me take a selfie)

We are all used to using passwords, for lots of different things, but in truth they are an inconvenience at best.

Passwords are a user experience nightmare for bank customers and the wish to avoid going through endless “forgotten password” loops leads customers to compromise their own security by using the same password for multiple services and choosing overly simple combinations - alarmingly, the most commonly used password is “123456”[i]. Therefore, “if they are hacked, the intruder has access to almost all their data.”[ii] So if, for many people, the only way to retain easy access to multiple services in an increasingly online world is to heavily compromise their own security, one has to ask whether passwords are really fit for purpose. And it is not just individual failings that bring the efficacy of passwords into doubt. They can be brute-forced by determined hackers, but more commonly are simply stolen in large numbers from online services – as recent thefts from Dropbox and Yahoo have demonstrated. In both cases, millions of sets of user credentials were stolen and subsequently made available for purchase on the dark web.

It is not surprising that fraud in this area is a significant issue for banks; in fact, cybersecurity is now the top risk for every bank in the country. Citibank currently sets aside $400 million each year for losses it expects to incur as a result of fraud.[iii] This has created an enormous market for start-ups seeking to disrupt the sector. If a bank can cut their fraud related losses by just 10 or 20%, the volume of money in play is extremely significant. Given this and the surge in mobile banking and payments it is not surprising that biometric technology is beginning to take over from traditional passwords.

Use of biometrics

The term biometrics describes the use of unique physical features such as a fingerprint or retina as a method of authenticating a user’s identity. These systems don’t require the user to remember anything, and biometric data is harder to use than passwords in the event that it is stolen. Generally speaking, for these reasons biometrics are perceived to be more secure than passwords, and as such we are seeing biometric authentication entering the mainstream.

The most famous example is perhaps Apple’s Touch ID, allowing users to unlock their phone, purchase apps and even log onto online banking apps such as Nationwide and HSBC. Touch ID is popular; it is convenient and there is no risk of a forgotten password, something the average user does once a week. There are, however, issues, Apple currently refuses to release their near field communication (NFC) [for more information on NFC click here] data to anyone, as it would, “compromise the security of its platform.”[iv] This is causing conflict in Australia where Apple refused to let several banks access the NFC radio and create contactless payment systems on top of the iPhone. It has also created a global need for companies to implement their own fingerprint and other biometric methods of verification via mobile apps. One such company, Onegini found that the number of transactions through banking apps rose by 100% when users could elect to authorise payments with their fingerprint.

Elsewhere in financial services, after.  surveying 10,000 consumers and discovering that forgotten passwords led to 33% of people abandoning purchases and 66% missing out on limited items such as event tickets[v], MasterCard now allows users to verify their identities using a selfie. In order to utilise Selfie Pay the image data from a selfie is used to create a unique code which is then compared with the encrypted data from the selfie taken when making a purchase. The user must also blink, so as to prove that a hacker is not simply using a photograph to trick the system.  

Both Barclays and HSBC plan to increase their use of voice recognition so as to speed up the security clearing process for telephone banking. As well as being more convenient for customers, this also reduces the time taken to deal with telephone queries, and therefore reduces call centre costs for the bank.

In addition to common biometrics (fingerprint, face and voice) companies have begun to explore more obscure possibilities. Fujitsu have developed “palm technology” using infrared cameras to measure the oxygen reduction in blood as it returns to the heart making veins in the palm visible. While, this technology is too expensive to be used in mobile phones, its contactless nature presents global application in the health sector.

The above are examples of biological biometrics (face, finger, voice etc), however, behavioural biometrics also play a role. The Spanish bank, Cecabank is now completely paperless and as part of this process adopted the use of biometric signatures. The technology is extremely detailed and even identifies the pressure and flight of the pen. To date the bank has only faced two legal claims in relation to their implementation of the digital signature.

Given banks’ never-ending quest to improve the customer experience and reduce their cost base around customer interactions, together with the growing prevalence of biometric sensors in popular consumer hardware, it is reasonable to expect other financial institutions to follow suit and for other even more innovative forms of biometric identification to become apparent in the near future.

The ‘spoofability’ of particular biometrics in banking

Although biometrics boast a number of advantages over passwords, the technology does have its downsides. In the same way that passwords can be stolen, so too can biometric data. For example, when the Office of Personnel Management was hacked in the United States, criminals stole the fingerprints of some 5.6 million US government employees. Unlike a password, you can’t change your fingerprint: those fingerprints and identities are forever compromised.

In common with other types of authentication such as passwords, biometrics compare an input (for example a user’s fingerprint or a scan of their retina) with a base document or record held on file to check whether the two match. There are several ways that such “static” biometrics can be spoofed. An imprint of the fingerprint could be stolen, and presented at the point of authentication in place of the real thing. Alternatively, if a hacker can change the base document, then the authentication system could be made to think that another person’s fingerprint is that of the authorised user.

In addition, biometric data, unlike traditional passwords, cannot be ‘hashed’. Hashing can be explained using four characteristics as follows:

  1. hash values have a fixed number of digits;
  2. if the same password is hashed, the same hash value is delivered;
  3. if passwords are even slightly different the hashed values will be totally different; and
  4. it is nearly impossible to reconstruct a password from its hash value.

Given the nature of fingerprints, they cannot be cryptographically hashed. The finger will press the scanner in a different way, angle or position each time. There might be something on your finger or scanner that would interfere with the sensor etc, therefore the hashed data would be impossible to compare to a stored template. Similar problems exist with facial recognition; Mastercard’s Selfie Pay app has been spoofed by people taking photographs and animating them by drawing on eyelids. It may be for similar reasons that Google has admitted on its website that facial recognition is “less secure than a pattern, PIN or password”[vi].

This is where “dynamic” forms of biometrics, such as voice recognition or personal typing patterns – the modern equivalent of handwriting analysis - may well be a safer option, and companies like Nuance and Behaviosec have made great strides in this area. Whereas a fingerprint can be spoofed just by presenting it in isolation at the right time, it is far harder both to mimic a person’s voice quality and to do so in a way that is responsive to the context at the time of the security check (a recording of the fraud victim’s voice saying the same phrase over and over again in a loop is unlikely to get past the most basic of security checks). Similarly, it would be very difficult to accurately imitate the way another person types, and to do so accurately at a speed that would not be suspect. In addition, with typing analysis of this type, authentication can run continuously in the background, and can be used in fraud detection: just as it can identify the real person, it can also be used to positively identify the fraudster. But even these forms of “dynamic” authentication are not impregnable: if the “yes” signal emanating from a successful comparison can itself be spoofed, then the battle is lost no matter what input is used.

Biometrics and the GDPR

The US government fingerprint theft example above throws into sharp focus the need to protect this source data appropriately, which is why biometric data is expressly included in the GDPR as a “special category” of personal data. The provisions around processing sensitive data in the GDPR are broadly similar to those contained in the Data Protection Directive, although it should be noted that under Article 9(4) of the GDPR, member states have the right to impose further conditions or limitations on sensitive data such as biometric, health or genetic data. It is therefore reasonable to expect that national differences on rules around the processing of such data will remain, and banks will need to pay close attention to any UK amendments in this area.

Consent is likely to be the most prevalent provision relied upon in relation to banking and payments, and processors should ensure that:

  • each time the data is processed, a separate consent is granted;
  • the consent in question is not contingent on other factors;
  • the consent is clear and not commingled with other information;
  • silence does not amount to consent; and
  • data subjects are made aware of their right to withdraw consent at any time.

At a time when financial fraud in the first half of 2016 reached a value of almost £400 million[vii], there can be little doubt that increasing the standard of security offered by banks has to be a major focus. With personal information exposed in data breaches increasingly being exploited as the basis for fraud, assuring the identity of customers has never been more central to the fight to reduce losses. The advent of the GDPR will place even greater emphasis on the need to process and store customer data securely: failure to do so could result in significant maximum fines (4% of global turnover) not to mention severe reputational damage and remediation costs.

Biometrics and PSD2

Under the Second Payment Services Directive (PSD2), which has to be transposed into national law by 13 January 2018, there is a requirement for ‘strong customer authentication’ when users access their account online, initiate electronic payment transactions or carry out any action through a remote channel which implies a risk of payment fraud or other abuses. The definition of strong customer authentication is covered by Article 4(30) of PSD2 and states that authentication must be based on two or more of the following independent elements:

  • knowledge (something only the user knows);
  • possession (something only the user possesses); and/or
  • inherence (something the user is).

Biometric data clearly constitutes ‘inherence’: it is data about what the user is. However, inherence alone is not enough. This issue can be resolved to an extent when biometrics are used via mobile payments as the user’s phone constitutes ‘possession’ and therefore fulfils the required second element.

Biometrics is likely to continue to impact the payments marketplace and financial institutions will seek opportunities to make payments easier for customers whilst bolstering their fraud protection. The European Banking Authority (EBA) have been tasked with developing the detailed requirements for strong customer authentication. Their draft paper has been released with the final standards expected to be published in January 2017. The draft Regulatory Technical Standards (RTS) standards show an appreciation for those making payments to be aware of how much money they are sending and to whom, something easily overlooked in an environment where biometric technology seeks to make payments quicker, easier and require less attention. The principle of dynamic linking has been introduced by the EBA. It requires that:

  • the payer be aware at all times of the amount of the transaction and the payee;
  • the authentication code generated for each payment be specific to the transaction and payee; and
  • the underlying technology ensures confidentiality, authenticity and integrity of the amount of transaction and payee and the information displayed to the payer through all phases of the authentication procedure.

The draft RTS have come under recent criticism. The European Parliament’s PSD2 negotiating team argues that it is not clear on whether strong customer authentication exemptions should be regarded as optional or mandatory. This creates a problem, “according to the draft RTS no risk-based analysis would be possible outside of the very narrow set of exemptions listed by the EBA”, however, this is inconsistent with Level 1 legislation where such restriction is not foreseen.”[viii]

What is clear is that while regulation around payments becomes more stringent, it is possible that in the future, customer authentication may require all three of the elements mentioned above. If this should occur, then it is likely that biometrics combining both biology and behaviour will surge in popularity. For example, a voice based authentication system whereby users are required to speak (inherence) their password (knowledge) into their own phone (possession) in order to validate a payment.

Where next?

For all the advances in technology and market penetration in recent years, biometrics is still really in its infancy as the market wakes up to the authentication capabilities of the supercomputers that so many of us carry around in our pockets. So far the only big users of biometric data have been banks, government institutions – and Apple / Samsung, all of whom have a generally very good record around confidentiality. For banks in particular, they are of course very used to holding sensitive data, and in practice many of them may well choose to protect biometric data by banks in much the same way as credit card data (think PCI DSS). However, as the use of biometric data becomes more commonplace, it could well be that other types of services, less experienced at guarding such information, start to hold biometric data on the basis that it smooths the customer experience but perhaps without the stringent security processes of a bank. Banks and other financial institutions will of course remain major targets for hackers due to the value of the potential payload; but as the technology becomes more prevalent, there may well emerge numerous soft targets to attack - potentially leaving many at risk of having their biometric credentials compromised with long-lasting effects.

Further, the holding of biometric data, with the regulatory and reputational risks it poses, will undoubtedly pose an administrative and compliance burden for any organisation – even banks who are used to protecting sensitive data. It may be that new business models arise in the secure holding of biometric records, enabling businesses both within and outside the financial sector to outsource the protection of the data to specialist third parties, who would hold the records on their behalf and serve up tokenised, non-sensitive versions of it for authentication purposes – thereby allowing them to use the benefits that biometrics can bring to the customer experience, whilst avoiding the regulatory burden and legal and reputational risk of holding it themselves. Perhaps a service of that type could even become the next big thing in commercial banking.


FCA signals new crowd-funding rules

On 9 December 2016, the FCA published a Feedback Statement (FS 16/13) summarising the feedback it had received on emerging risks in the crowdfunding market. The Feedback Statement reviews market developments since crowdfunding became regulated in 2014, describes the FCA’s key concerns and sets out the FCA’s intention to modify some of its rules to address these concerns.  

The FCA noted the following concerns in relation to loan-based (peer-to-peer) and investor-based crowdfunding:

  • Investors find it difficult to compare platforms or comparing crowdfunding with other asset classes, as a result of complex and unclear product offerings;
  • Investors find it difficult to assess the risks and returns of platform-based investments;
  • Some financial promotions fail to meet the basic requirement of being “clear, fair and not misleading”; and
  • In the case of some firms, operational risks or conflicts of interest are not managed sufficiently, due to complex firm structures.

In response to these concerns, the FCA will consult on rules on the content of disclosures to investors.

Further, the FCA noted the following concerns specifically in relation to loan-based crowdfunding:

  • Investors do not have sufficient understanding of certain features of loan-based crowdfunding;
  • Some firms have inadequate plans for wind-down in the event of their failure; and
  • Some firms have inadequate client money handling standards.

Due to the potential for customer detriment, the FCA intends to consult on new loan-based crowdfunding rules with the following aims:

  • Improving firms’ wind-down plans;
  • Restricting cross-investment (whereby a crowdfunding platform allows investments to be made in loans that originated on other platforms); and
  • Extending the mortgage-lending standards to protect investors (lenders) who are not acting in the course of a business.

The FCA intends to publish a consultation paper in early 2017. Once the consultation is complete, final rules are likely to follow in the summer of 2017. Depending on the outcome of the post-implementation review, the FCA may conduct a second consultation in mid-2017, with any rules resulting from this likely to come into force in 2018.

These developments confirm the increasing focus of the FCA on the crowdfunding market and underline the importance of ensuring that crowdfunding platforms comply with the required standards and, wherever possible, anticipate future regulatory changes.

Protections for public Wi-Fi providers affirmed by ECJ

A recent case in the European Court of Justice (ECJ) considered whether a business owner in Germany, who provided a public, open, Wi-Fi network, should be liable for the copyright infringements carried out by members of the public using the network[1].

In 2010 an individual used the Wi-Fi network to download music unlawfully.  The German court, which first considered the case, accepted that the business owner, Tobias McFadden, did not directly infringe the copyright in the music but considered whether he was liable for indirect infringement by facilitating the infringement.  The case was referred to the ECJ on the basis that a finding of liability for indirect infringement could be incompatible with the protections afforded to service providers in the E-commerce Directive 2000/31 (the Directive).

The ECJ found that the Wi-Fi network offered by McFadden qualified as ‘information society service’ under the Directive.  Providers of an information society service benefit from the ‘mere conduit’ defence, which exempts intermediary network providers from liability for the infringing acts of third party users, providing that the provider is a passive facilitator of services and has no knowledge of the infringing acts.

The ECJ found that these conditions were satisfied in McFadden. However, the court also found in such circumstances that copyright holders could be entitled to secure the co-operation of the provider to prevent or limit the infringing acts.  In this case, the court found nothing in the Directive which would prevent the claimant from seeking other remedies, including granting an injunction to compel McFadden to password protect the Wi-Fi service and require users to declare their identity, to act as a deterrent to those users who would otherwise be able to carry out unlawful acts anonymously.

It is worth noting that the findings of the ECJ deviate (in part) from the opinion provided by the Advocate General (AG), which found that service providers should not be compelled to password protect Wi-Fi services (although both the AG and the ECJ agreed that the provider should not be liable for copyright holders’ losses, or be compelled to withdraw the Wi-Fi service).  The court found that its approach was an appropriate balance between upholding an intermediary Wi-Fi provider’s rights under the Directive and those of the intellectual property rights holders.

The ECJ’s finding mirrors the court’s approach in L'Oréal SA v eBay International AG, in approving the use of injunctions to curtail demonstrably infringing activity of users of the intermediary platform (in this case, users selling counterfeit goods bearing L'Oréal trade marks).  However, the court also found that a proportionate approach should be taken so that intermediaries, such as eBay, would not have to withdraw their services completely, or check every item users offered for sale on the platform.

What does this mean for public Wi-Fi network providers?

The prospect of rights holders bringing claims is only likely to increase given the proliferation of Wi-Fi services and providers presenting a more attractive target for litigation given they are easier to identify and likely to have deeper pockets.

Providers can take comfort in the general finding that they will not be liable for the losses incurred by rights-holders but, given that the judgment required McFadden to apply security measures, providers may wish to minimise the risk of liability by password protecting such services, and collect certain personal data sufficient to deter users from carrying out infringing acts.  The judgment also confirms that rights holders have other remedies available to them, including injunctions, which could require providers to take steps as may be deemed appropriate on a case by case basis.

Issues for lawyers to consider

  • Terms of use/AUP: McFadden is a reminder that Wi-Fi access, whether public or otherwise, should be subject to the acceptance of terms of use.  Such terms should include the standard warranties given by users that they shall not use the service to carry out any unlawful acts, with users required to positively confirm that such restrictions have been understood.  Given the rise in malware and ransomware attacks on users of public Wi-Fi networks, providers should also include relevant disclaimers in the terms of use.
  • Data protection: In McFadden, the ECJ also required the provider to collect personal information from users.  Providers should consider their obligations under relevant data protection legislation, including lawful processing, the implementation of adequate technical safeguards for such data, the duration of data retention, and its use in connection with marketing activities.  Providers may also wish to reserve the right to disclose an infringing user’s details to a rights holder in the event of a claim.
  • Commercial public Wi-Fi providers: Where a provider is making Wi-Fi services freely available on a commercial basis (for example to shoppers on behalf of a shopping centre, or to employees in an office block on behalf of the employer) the provider will also have to consider the terms between it and the organisation or business on behalf of which it makes the service available. Providers should consider whether to bear the risk of claims for infringement (in the relatively unlikely event the provider is found to be liable) or whether to back off its liability against the organisation or business.  This issue is more likely to be relevant if such organisation or business has a degree of control over the users – for example, if the users are employees. In such circumstances, the provider may seek indemnity protection for losses it incurs due to the infringing acts from users.
 

[1] McFadden v. Sony Music Entertainment Germany GmbH, Case C-484/14.

Tesco Bank hack - lessons to be learned

Ralph Lovesy, financial regulatory consultant at Kemp Little, and Krysia Oastler, data protection associate at the firm, explain how money was withdrawn from thousands of Tesco Bank customers following a cyber-attack and examine the related legal issues for banks and consumers.

What happened?

Tesco Bank has been the subject of what is a highly sophisticated and coordinated cyber-attack, which appears to be the most serious to date in the UK banking industry. On 5 November 2016, Tesco Bank identified suspicious activity on a number of its current accounts. Two days later it announced that some customers’ current accounts had been subject to ‘online criminal activity’ and ‘a systematic, sophisticated attack’, in some cases resulting in money being withdrawn fraudulently. It is understood that a total of £2.5m was stolen from around 9,000 accounts and that Tesco Bank has refunded this amount in full to affected customers.

Tesco Bank has stated that it knows the exact nature of the breach, but has not provided any further details. Interestingly, it has not described the breach as a ‘hack’ and has stated that no customer data were lost, none of its systems were breached and it has not been subject to a security compromise. Accordingly, it has advised customers that it has not changed—and it is not necessary for them to change—their login or password details.

The National Crime Agency said it was ‘coordinating the law enforcement response to the Tesco Bank data breach’, while the Information Commissioner’s Office (ICO) said it was ‘looking into the details of the incident’. The Financial Conduct Authority (FCA) also announced that it would investigate after its chief executive said the incident ‘looks unprecedented in the UK’.

What are the obligations of banks in terms of preventing such cyber-attacks? How could this have been prevented?

Data protection law requires organisations that process personal data to have appropriate technical and organisational measures in place to keep that personal data secure and confidential. Such measures include using encryption techniques to protect personal data at rest and in transit, monitoring and testing systems for vulnerabilities, implementing firewalls and anti-virus software, deploying updates and security patches as soon as possible once available, training staff and applying access and authentication controls on a ‘least privilege’ basis. Certification to an industry standard such as ISO270001 is a way to comply with good practice.

At this stage, it is unclear how the hackers were able to access the data and whether there was a breach of data protection laws—were Tesco’s security measures inadequate and vulnerable to attack or were the hackers highly skilled at being able to circumvent a sophisticated data security regime?

What steps must banks take in the wake of a cyber-breach?

The General Data Protection Regulation

Once an attack is detected, banks should take steps to remedy the breach, identify the data and data subjects affected (including volumes and categories of data), consider whether they need to notify their regulators (the ICO and the FCA) and make any required notifications. Once the General Data Protection Regulation, (EU) 2016/679 (the GDPR) applies from 25 May 2018, controllers of personal data will have a mandatory obligation to notify breaches affecting personal data to the ICO without undue delay and at least within 72 hours of becoming aware of the breach.

What consumer protections are afforded to banking customers who suffer financial loss as a result of this type of attack?

Rights of data subjects

Banks are generally proactive in refunding any amounts stolen to customers who have been genuine victims of fraud. However, if a customer is not able to resolve their issue with the bank, they have the right to complain to the Financial Ombudsman Service, which will reach a decision on the basis of what it regards as ‘fair and reasonable’. Customers also have the right under the Data Protection Act 1998 (DPA 1998) to claim compensation where they suffer damage or distress as a result of a breach of DPA 1998.

What are the potential consequences of this incident for Tesco Bank?

The reputational damage caused by a data breach can be significant. The damage to customer trust and business performance in the long run is very much down to how the organisation handles the breach. Having a robust response plan in place and ‘war gaming’ to test the plan are key to ensuring that the business can respond quickly and in a way that minimises the damage both to customers and the business.

The Information Commissioner and enforcementMonetary penalty notices—database

The ICO and FCA have a memorandum of understanding governing cases where an FCA-regulated entity suffers an incident affecting personal data. Both regulators have the power to issue monetary penalties/fines. The ICO currently has the power to issue monetary penalties of up to £500,000 for serious data protection breaches that are likely to cause substantial distress. Once the GDPR applies, the ICO will have the power to issue fines of up to the greater of €20m or 4% of global turnover. There is no limit on the amount of fines the FCA can impose. In the past, the FCA has taken the lead on issuing fines to financial services businesses that have breached the FCA rules and DPA 1998. The ICO also has the power to issue enforcement notices that require organisations to change the way they operate, for example, to implement further security measures to prevent further breaches from occurring. Often the cost of complying with these notices is higher than the fine that is issued.

Are there any gaps in financial services regulation regarding cyber-attacks? If so, how could the law be improved in this area?

The FCA Handbook already contains wide requirements in relation to the systems and controls that a regulated firm must have in place. In particular, a firm must have effective processes to identify, manage, monitor and report risks and internal control mechanisms. Therefore, the FCA has considerable discretion to interpret any cyber-security failings as indicative of wider failings in systems and controls. The FCA has a range of enforcement options including public censure, the power to issue unlimited fines and, perhaps most significantly, the ability to restrict or revoke a firm’s authorisation if it regards the firm’s conduct to be particularly serious.

Firms are required to scrutinise carefully any third party to which they wish to outsource the performance of any important function such as cyber-security. Further, in undertaking such outsourcing, firms need to do all they can to avoid impairing either the quality of their internal control or the ability of regulators to monitor the third party’s compliance.

Further, banks are subject to the senior manager’s regime, under which responsibility for important functions must be allocated to a designated senior manager. Therefore, the FCA will expect to see clear ownership of cybersecurity at a senior level and will not be satisfied if responsibility for such matters is delegated to someone at a more junior level. If a senior manager’s conduct were to fall below the required standard, they would be at risk of criminal sanctions.

Any further thoughts which lawyers advising in this area can take away?

The risk of cyber-attack is more significant than ever. Preparation is key to being able to limit the impact of a breach. This means knowing what data the business has and where it is stored, having appropriate security measures in place to reduce the risk of a breach occurring and implementing a data breach and incident response plan, which is regularly tested to ensure its effectiveness.

This article was first published on Lexis®PSL IP & IT on 22 November 2016. Click for a free trial of Lexis®PSL.

  • Page 8 of 25