Annual cybersecurity roundup 2014

2014: the year of the cyberattacks. From a cybersecurity and data privacy perspective, it has been a year like no other.

Several of the market-leading internet companies made positive advances in the level of privacy afforded to individuals. Google and Yahoo extended encryption to email in a continued post-Snowden push, whilst Apple changed the way iOS encrypts data on the device so that it can no longer extract that data from a locked device, even in response to a lawful warrant.

However, these positive changes have been overshadowed by a year of sustained cloud breaches, tactical hacks and increasingly aggressive cyberattacks. Driven by an evolution in attackers' methods and tactics, and aided by vulnerabilities in the software underpinning the Internet, 2014 gave us everything from opportunistic data theft at large corporations to cyberespionage by nation-states.

Nicola Fulford, privacy and data protection partner, looks back at the most significant security and data privacy issues of 2014, and considers what we might expect to see in 2015.

Targeting the cloud

The use of public cloud solutions for data storage again increased in 2014. Companies continue to benefit from the efficient, scalable and low-cost nature of cloud solutions, whilst individuals enjoy the ability to expand data storage capacity beyond that provided by a physical device, particularly in light of the significant quantities of data amassed through the ever-enhancing functionality of personal devices such as smartphones.

The ever-larger amount of personal, confidential and other data stored in the cloud is a treasure trove for attackers. Previously it was thought that public cloud solutions were well protected, with multiple layers of security and strong encryption guarding our most personal data. Unfortunately, 2014 brought a wake-up call on the limits of cloud security in the form of a series of high-profile incidents involving cloud services such as Dropbox, Google Drive and, of course, Apple (via the infamous iCloud celebrity photo leaks we wrote about on 24 September), spreading some of our most private and confidential information across the Internet. It is worth noting that these incidents turned on compromised accounts rather than broken encryption: Apple attributed the iCloud leaks to targeted attacks on user names, passwords and security questions, and Dropbox attributed the credentials posted online to passwords reused from other, breached services. The practical lesson for users and providers alike was about password reuse, account lockout and two-factor authentication, not the strength of the underlying cryptography.

Cyberespionage and Nation-States

A number of systematic spying campaigns were discovered in 2014, using complex and stealthy malware to steal data from a wide range of companies. Operations by the Eastern European group "Dragonfly" and by a party using the highly sophisticated Regin malware[i] both targeted energy companies, including grid operators and industrial equipment providers, seemingly focussing on national infrastructure. The tail-end of 2014 saw the FBI warn US defence contractors, energy firms and educational institutions that they may be targeted by a sophisticated Iranian hacking operation dubbed "Operation Cleaver".[ii]

As is often the case, we are left to draw our own inferences: cyberespionage tends not to be attributed directly to other nations, partly for reasons of diplomacy and partly because such an accusation is rarely possible with total certainty. The FBI stopped short of attributing Operation Cleaver to the Tehran government, but did note that attacks such as these underscore the attackers' determination and fixation on large-scale compromise of critical infrastructure. Similarly, it was noted that the Regin malware was suited to persistent, long-term surveillance operations, suggesting an intent to do more than simply make money.

However, in a dramatic climax to 2014 and a highly unusual departure from the norm, the US government directly accused the Democratic People's Republic of Korea (North Korea) of using a "sophisticated worm" to carry out cyber exploitation activities against Sony Pictures in retaliation for Sony's proposed release of the film "The Interview"[iii]. These activities culminated in the early release of "The Interview", the leaking of other unreleased films, and the spread across the Internet of significant amounts of personal, sensitive and confidential information about Sony and its employees. The result for Sony: losses of as much as $100 million at the time of writing, in addition to potential further exposure arising from systemic non-compliance with data protection principles in the collection and use of sensitive personal data, including medical records. The result for everyone else: heightened political tension between the US and North Korea and a fresh round of US sanctions against the DPRK.

Large, targeted cyberattacks

Following the "BlackPOS" point of sale malware attack on Target in December 2013, which led to the theft of an estimated 70 million customer records, attackers in 2014 increased their targeting of large corporations, in particular within the retail sector. The first major breach of the year was disclosed in May, when eBay announced that attackers had obtained a database of around 145 million records containing names, addresses, dates of birth and encrypted passwords (eBay said that payment card data, which it stores separately, was not affected)[iv]. Although not a retail organisation in the truest sense, JP Morgan was the subject of a major targeted attack disclosed in August[v], in which the contact details of approximately 76 million households and 7 million small businesses were taken over a period of about three months. A third attack came shortly after, in September, when attackers stole 56 million payment card records from Home Depot[vi]: having used a third-party vendor's credentials to get in, they exploited an unpatched Windows vulnerability (reported to be in the ageing Windows XP) to gain elevated rights and then installed malware, reported to be a variant of the "BlackPOS" family used against Target, on self-checkout terminals. The year was memorably topped off by the targeted attack on Sony Pictures mentioned earlier.

The common threads amongst these attacks include the targeting of point of sale terminals and the software running on them, and slow detection by the victim (the attackers were typically inside the network for weeks or months before discovery), leading to more significant data loss than previously encountered. Interestingly, as discussed in our article of 27 January, the Payment Card Industry Security Standards Council (founded by Visa, Mastercard and the other major payment card brands) identified these evolving issues as drivers for the new requirements on the handling of payment card information in the Payment Card Industry Data Security Standard (PCI DSS) v3.0, which was released in November 2013 and became mandatory on 1 January 2015.

The internet’s infrastructure is vulnerable

If not for the cyberattacks, 2014 might have been remembered as the year in which the Internet broke. Within six months, two serious security bugs in code forming core pieces of the Internet's infrastructure sent the world into a panic, with a third (albeit less significant) bug being discovered shortly thereafter.

The first serious vulnerability, "Heartbleed", existed in OpenSSL, the open-source cryptographic library that a large share of web servers use to encrypt communications between users' computers and the server. A missing bounds check in OpenSSL's implementation of the TLS "heartbeat" extension let anyone able to connect to an affected server read up to 64 kilobytes of the server's memory per request, as many times as they liked. As we mentioned in our article of 6 June, that memory could contain personal data (names or addresses), sensitive data (medical records), financial data (credit card and bank details), session cookies, passwords and even the server's private key, and the requests left no record in the affected server's logs. The bug was present in OpenSSL versions 1.0.1 to 1.0.1f, so the remedy was to upgrade and then to reissue certificates and reset passwords on the assumption that keys and credentials had already leaked.

A short while later, in September, the second serious vulnerability (dubbed "Shellshock") was discovered. As discussed in our article of 24 November, this bug was found in the Unix Bash shell, the command-line interpreter that provides the user interface for Unix and Unix-like operating systems, including as the default shell on Linux and Mac OS X, and which has been ported to Microsoft Windows and Android. Bash allowed function definitions to be passed to it through "environment variables" and, when it read such a variable, it kept executing any commands that followed the function body. Any program that placed attacker-supplied input in an environment variable and then invoked Bash, as web servers running CGI scripts commonly do, could therefore be made to run commands of the attacker's choice on the target machine or process, whether a server, laptop, desktop or smartphone.
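The environment-variable behaviour described above can be checked for on any host. The following script is an added example and not code from the original article: it exports a constructed variable whose value looks like an exported Bash function followed by an extra command, and reports whether the installed bash runs that trailing command (vulnerable) or discards it (patched). The variable name `x`, the marker strings and the function names are arbitrary choices made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original article): a local check for the
# Shellshock class of Bash bug. A vulnerable bash, on importing an environment
# variable whose value starts with "() {", parses it as a function definition
# and then keeps executing whatever follows the closing brace. A patched bash
# either ignores the variable or imports only the function body.

shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"          # nothing to test on this host
        return 0
    fi
    # Constructed payload: an empty function body, then a trailing command.
    # Only a vulnerable bash will run the trailing 'echo VULNERABLE'.
    # stderr is discarded because a patched bash may print a warning about
    # the rejected function definition.
    probe=$(env 'x=() { :;}; echo VULNERABLE' bash -c 'echo probe-ran' 2>/dev/null)
    case "$probe" in
        *VULNERABLE*) echo "vulnerable" ;;
        *probe-ran*)  echo "patched" ;;
        *)            echo "unknown" ;;   # bash did not run at all
    esac
}

# Exit non-zero when the host is vulnerable so the check can gate a deployment.
main() {
    status=$(shellshock_status)
    echo "bash Shellshock status: $status"
    [ "$status" != "vulnerable" ]
}

main "$@"
```

Run it as an ordinary user on every host that hands untrusted input to bash (CGI handlers, DHCP client hooks, restricted SSH accounts); a bash patched for Shellshock discards the trailing command and the script reports "patched".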

Less than a month after Shellshock was revealed, another bug (dubbed "Poodle")[vii] was discovered in the 18-year-old SSL 3.0 encryption protocol. Unlike Heartbleed and Shellshock, this vulnerability was difficult to exploit: an attacker needs to control the connection between the browser and the server (for example, by sitting on the same unencrypted wi-fi network), force the two sides to fall back from TLS to SSL 3.0, and then use a weakness in SSL 3.0's padding to decrypt secrets such as session cookies one byte at a time. The remedy is to disable SSL 3.0 on both browsers and servers, which is what the major browser makers proceeded to do.

The potential impact of each of these bugs, however, was significant. All three were discovered in code that has been used widely for many years in its current form, with Heartbleed affecting up to two-thirds of all websites on the Internet because of the large-scale use of OpenSSL, and Bash being present in a very wide range of IT products.

These vulnerabilities exposed even large companies that would usually be protected by strong security measures, including cloud solution providers such as Dropbox, as mentioned above. All of this has led to a growing consensus that the Internet's infrastructure needs far more attention than it has had; in practice, the immediate response was greater scrutiny of, and funding for, the small and often under-resourced open-source projects, such as OpenSSL, on which so much of that infrastructure depends.

In 2015?

Following the evolution of attackers' methods and tactics in 2014, this year we should expect not only more of the same but also more intrusive attacks on individuals as a result of the increasing adoption of the Internet of Things (the connection of everyday computing devices to the existing Internet, including smart objects such as thermostats, smoke alarms and baby monitors). We have set out below the key areas to watch.

Internet of things vulnerabilities

Of late there has been an increasing focus on integrating technology into household and other devices to create smart objects, as demonstrated by Google's acquisition of smart thermostat and smoke alarm manufacturer Nest Labs in January 2014[viii]. However, the inherent vulnerability of such technology has not only allowed security researchers to demonstrate proof-of-concept hacks against everyday items such as refrigerators and cars in the last year, but has already resulted in strangers accessing wireless cameras used as baby monitors. In that case, purchasers had left the default passwords unchanged, and the intruders posted the live feeds on the Internet.

Over the next year or so we expect to see a marked increase in the number of smart objects being added to the Internet of Things, whether by existing manufacturers such as Nest or by creative technology start-ups such as Coolest Cooler (an ice box with integrated USB charger and Bluetooth to enable you to play music)[ix], Nomiku (a technology-driven immersion circulator for home cooking)[x] or Pebble (a smartwatch with multiple integrated functions)[xi]. As more items use embedded technology to integrate into our personal lives, it is likely that we will see attackers targeting smart objects to gain and exploit a better understanding of our daily habits and behaviours, whether to determine when we are home or to find out our personal preferences. Individuals will need to be more conscientious about the security settings these devices leave in their hands, above all changing default passwords, in order to better control their personal security and address potential issues such as those seen with the webcams. At the same time, manufacturers will need to ensure that the security mechanisms protecting their devices are capable of withstanding malicious cyberattacks, and that devices do not ship with shared default credentials in the first place.

Cyber-espionage increasing

2014 brought us a year of nation-state cyberespionage from countries outside of those usually thought of as perpetrators for such sophisticated attacks. Historically, cyberespionage accusations by Western governments have focussed on Chinese and Russian-backed attempts to monitor and attack critical infrastructure. However, last year saw successful attacks thought to have originated from Iran and Eastern Europe, amongst others.

US cybersecurity experts have now acknowledged that Iran has technological experts capable of significant cyberattacks, using sophisticated programs to steal valuable and confidential data. Similarly, Western governments have had to acknowledge the threat of Syrian cyberattackers following the hacking of a number of Western media websites in 2014. With increasing political tension, there may be a greater number of nation-state backed attacks from countries that, whilst not previously considered a threat, are now believed to be technologically capable of causing significant damage. Following a year of successful attacks from individuals situated within countries outside of those usually associated with nation-state attacks, we should expect to see further development in cyberespionage programs and hacking from nation-states, including “lone wolves” acting for or in support of such states.

More retail targeting

Following a number of successful cyberattacks in 2014 against retail and consumer banking organisations, we anticipate more cyberattacks (in terms of both size of theft and number) targeted against organisations within these sectors over 2015. Despite attempts by payment card companies to safeguard payment card data through the more stringent requirements set out in PCI DSS v3.0, we are likely to see continually evolving threats from third parties in relation to point of sale devices and associated software, in particular in light of the continued refinement and use of malware families such as "BlackPOS" for significant and highly successful data thefts over the last twelve months.

Businesses will have to consider their risks and the adequacy of their cybersecurity and be ever more vigilant to meet their legal obligations and protect their commercial interests, if they are to try to avoid or mitigate the business, reputation, commercial and regulatory implications of a major cybersecurity event.    

For further information, please contact Nicola Fulford.