The status of the proposed EU General Data Protection Regulation is still up in the air at the moment, but there is a growing sense of optimism that the reform agenda will complete fairly soon, i.e., in the medium term, say by the end of 2015. The European Parliament elections depressed sentiment for a while, but they are now history. And the reform agenda has received a considerable boost from the CJEU decisions in the Google Spain case and the Digital Rights Ireland case, from Snowden’s disclosures and from the growth of citizen and pressure group litigation (e.g., Max Schrems’ cases against Facebook and the pressure group litigation about Prism and Tempora). People connected to the political scene are detecting clear shifts in policy formation too, as the political classes tune in to the pro-privacy vibes in the air.
That is all ‘big picture’ stuff however. As I was discussing with a close friend in the privacy community the other day, I sense that we are entering the ‘post-regulatory’ phase of data protection, ironic as that sounds.
What I mean by this is that when the phenomenon of regulation is viewed for what it is – basically a mechanism to cure imperfections in market behaviours – a time should be reached when regulation has done its job. Take telecoms regulation from the 1980s. The core aim was to liberalise the markets by breaking up monopolies. Clearly, that regulatory goal was successfully achieved. Thus, for that aspect of telecoms, we are in a post-regulatory age. No one seriously believes in telecoms monopoly anymore, although people used to.
Data protection as a concept has moved past the initial regulatory goals, of creating principles-based norms for good behaviours. I believe that we no longer need regulation to teach the economy that data protection is important. The case has been proved and accepted. Only foolhardy businesses will think that shoddy attitudes will be good for the bottom line.
Thus, the nature of the conversation that professional services providers (like me) have with businesses has changed. Scanning back five years or so, the argument might have been described as a ‘fear sell’ in some quarters, because the argument was ‘bad data protection has bad consequences’. Now the conversation is about how good data protection adds value.
This transition is the hallmark of a post-regulatory environment. The status quo, or the norm, is now about data protection as a positive. This includes security too. Good security adds value and enables business. We should not be talking about how security strangles or suffocates business. That would be stupid.
For business, the evidence is building up. There are a number of factors at play and they are all interrelated. The newsworthiness of data protection and cyber security is clearly a huge part of the picture. The more the story is played out in public, the greater is the impact on the minds of individuals. Of course, regulatory actions have been another big factor. But the real drivers of change are the positions of ordinary individuals. We all wear many different hats. We are customers, employees, business partners, shareholders (and so on), so we hold all the power. Cumulatively, the effects that we are having on business and corporate minds are profound. Principally, we are causing businesses to look at data protection and security in terms of trust, confidence, brand and reputation.
This translates into something in economic terms. We sometimes try to define the effect as ‘goodwill’, but it is hard to put a pound-value on goodwill. Yet that doesn’t matter, because businesses instinctively understand the connection between goodwill and profit.
This explains why, if you work in the space that I do, you find significant shifts in attitudes towards data protection compliance in business. Sure, lots of businesses are performing sub-optimally, but the improvements in recent years have been immense.
Hence, we have entered the post-regulatory age. Of course, this is not to say that we do not need regulation or a new Data Protection Regulation. Market imperfections change, develop and evolve. Oversight, sometimes light touch, sometimes heavy, is a thing to embrace, welcome and support, provided that the regulators themselves act properly, proportionately and fairly.
The fact that the legal environment for privacy in Europe has become considerably more contentious over the past year or two will not have been…
What we are seeing in these cases is the next stage of development of the ‘Bear Market’ for privacy, data protection and security. A Bear Market is a time of negative sentiment, pessimism and loss of confidence, the opposite of a Bull Market, when optimism is rising. The negativity in the environment stems simply from a trust problem. People do not trust what is happening to their data. The first stage in the development of the Bear Market was the ‘Regulatory Bear Market’, when the cudgels against bad data processing were taken up by the data protection authorities and other regulators, who have made more frequent use of their powers of intervention, investigation and enforcement to challenge and censure bad data processing, while at the same time campaigning for more and tougher powers. As awareness levels around privacy issues and data breaches have increased, the regulators have been joined by pressure groups, individuals and businesses in the contentious aspects of the law.
This is a natural part of the cycle of development of the law and we will reach a point relatively soon when disputes and litigation over privacy, data protection and security are just part and parcel of doing business, as has happened in so many other areas of the law.
Putting it another way, how many sane business leaders now scratch their heads, pondering the risk of employment or health and safety disputes and litigation? Obviously, the answer is none. Everyone sane accepts that if you run a business, you will need to insure or protect yourself against employment and health and safety litigation problems. Eventually, the same attitude will prevail for privacy, data protection and security.
Yet despite knowing that they are sailing in treacherous waters, many data controllers are simply not yet ready for the contentious environment. There is a feeling that many will not see the iceberg before it’s too late to take evasive action. Reflecting again on the Google ‘right to be forgotten’ case, there is an increasing sense that they did not see the outcome as being remotely likely and that they were taken by surprise by the court’s decision. They knew they were in treacherous waters, but the first time they saw the ‘berg was at the point of the judgment being handed down, after which they were stunned into silence for a few days, which was followed by a defeated public sigh of compliance. Google’s positions on controllership and establishment had been truly holed by the privacy iceberg and the regulators are taking increasing advantage.
There are many steps that controllers can take to improve their positions and to lessen their exposure to contentious business. The way security and security breaches are handled in some organisations could not be worse if it were deliberately designed that way: ‘smoking guns’ are liberally sprinkled around audit reports, internal reports and memoranda (and every regulator and litigator knows this and where to look), while the benefits of legal privilege are ignored or shunted into the sidings. Really risky projects, like ‘Binding Corporate Rules’, are regularly undertaken without the slightest consideration of the contentious exposures that are created, such as grants of regulatory audits that, sooner or later, are going to be used against the controller.
The prudent captain of a ship travelling through treacherous water will keep a proper lookout for the icebergs ahead and around. In this Privacy Bear Market, the prudent controller will consider the contentious risks and will plot a course around them. Those that do not will hit the bergs and they will be holed. The fights around privacy and security are only going to become more frequent and tougher. It is best to be ready.
Many lawyers will have had a restless night’s sleep following the Information Commissioner’s warning yesterday that he has us in his spotlights due to a recent increase in security breach notifications by the profession. While his press release refers to both barristers and solicitors being at risk, his reference to legal professionals who ‘also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home’ and his work with ‘The Bar Council to update the Information Security Guidance provided to Barristers’ seem to suggest that it’s our bewigged friends who have the most immediate cause for concern.
The reality is that data protection risk is not the same throughout the legal profession. Many solicitors and barristers have very little to do with client personal data in their daily practices. Corporate lawyers, commercial litigators and the like aren’t processing much client personal data at all. For many of them, the most they will touch on a daily basis is email addresses. The picture is very different for personal injury lawyers, employment lawyers, family lawyers, criminal lawyers and general litigators. Their practices will churn through some of the most sensitive personal data imaginable. As a guide, the further the lawyer is from the massive City practices, the greater is the probability that they will be within the regulatory scope. This means that individual lawyers, like barristers, sole practitioners and smaller high street firms, are carrying the greater regulatory risk. It follows, perhaps, that the regulatory burden is inversely related to the ability to carry it or discharge it.
But security risk and regulatory risk are not just about data protection. The Solicitors Regulation Authority (SRA) has warned in a number of recent guidance papers that security risk gives rise to confidentiality risk and, of course, the maintenance of client confidentiality is one of the sacrosanct principles within the professional Code of Conduct. So, a security breach at a law firm affecting non-personal client data might put the law firm into conflict with its professional regulator, regardless of the position under the Data Protection Act. Similarly, if security breaches affect the resilience of the law firm, that can be a regulatory problem under the Code of Conduct.
A similar warning to the Commissioner’s was sounded at the beginning of the year, in relation to cyber security. The publication of the government-backed ‘Cyber Security in Corporate Finance’ report underscored the fact that insecure law firms constitute one of the weakest links in the City, the economic engine room of the country. This message is understood by both the SRA and The Law Society, so it’s easy to see the ramifications for City lawyers.
Similarly, corporate clients are hearing and heeding the messages of security and many are starting to ask questions of their legal advisors about the resilience of their businesses. The last thing a FTSE company wants to do is to put its sensitive commercial data or intellectual property into an insecure bucket. Lawyers are just one component within the commercial supply chain and they get no special privileges or special pleadings just because they are trusted advisors. They have to be secure, just like everyone else.
The Information Commissioner’s warning yesterday is part of a troubling trend for lawyers everywhere. Whether or not we deal with personal data, the point is the same. The legal obligations for security are as real in the legal profession as they are everywhere else.
I’m deep in the process of writing my new book at the moment. It will be the second edition of my last book, ‘Butterworths Data Security Law and Practice’, which was published in late 2009, but it will be renamed ‘Butterworths Cyber and Data Security Law and Practice’, reflecting the crashing way that the topic of cyber security has risen to prominence here in the UK and internationally. I did refer to the topic of cyber security in the first edition, of course, but the discussion did not fill even one page! In contrast, the second edition will be dominated by cyber security.
Shortly after publication of the first edition I put together a short movie, to get across some of the key ideas within my argument that there is a new legal framework for data security. Watching the movie this morning, I was struck by just how far the law has progressed in four short years. The key ideas within my argument still hold good and it’s clear that the trajectory of law making remains the same as it was back then, but what has happened is that the law has moved forward in a substantive sense. For instance, transparency through breach disclosure is now the norm and will soon be compulsory for the entire economy, if the General Data Protection Regulation completes its journey into law. Security breach fines are now routine events. The government’s policy framework continues to extend its tentacles further and further into the ordinary business of security. Disputes and litigation are becoming more common by the week.
I’m putting together an updated version of the movie right now, but here’s the original.
Here’s a short movie from PwC’s fantastic cyber security team, seeking applications from people who want to join them. What are you waiting for? If you want to apply, click here.
The UK’s national cyber security strategy, published in 2011, has significant legal effects. Building upon the country’s first national strategy, published in 2009, it has borne much fruit, within which the seeds of new legal obligations for cyber security are found. Many of these seeds of new law have germinated into strong saplings, some of which are growing fast.
The idea that the UK government is creating new legal obligations for cyber security may be a surprising assertion, seeing that the government is lukewarm (at best) in its attitude towards the EU’s ambitions for a Cyber Security Directive, but legal effects do not always need legislation. Law is built in many different ways.
The common law provides one of the most fertile grounds for the growth of new legal duties. Case law in this country already tells us that where an equitable duty of confidence exists for confidential information, a parallel duty of care for security can co-exist within the common law tort of negligence. The tortious duty for security wraps a legal envelope around the confidential relationship, to require the taking of security measures to help preserve the confidentiality of the information. If the confidential information exists in ‘cyber space’ (as most electronic information does), then the duty for security can properly be called a duty for cyber security. When cyber security law is viewed in this way, it becomes obvious that the UK national cyber security strategy is having legal effects in this area of the law, due to its programme for awareness-raising, including at Board level and within the general population (these aims are served by projects such as the FTSE 350 Cyber Governance Health Check and the Cyber Streetwise campaign, as well as through the alerts issued by CISP and CERT-UK). One of the foundational requirements for the creation of duties within the tort of negligence is that risks and harms should be foreseeable. Awareness-raising addresses this requirement head on. Due to the government’s work it is now harder than ever for organisations to deny that cyber threats and harms are foreseeable.
Contract law is just as fertile a place as the tort of negligence for the development of legal duties for cyber security. Contract law has long recognised the existence of implied terms, which fill the gaps between the lines that are actually written down and signed. One of the reasons to imply terms into contracts is business efficacy. When business is done in cyber space, or in reliance upon cyber space, it is now easier than ever before, because of the government’s awareness-raising, for the Boards of businesses to foresee that their businesses can be interrupted because of cyber insecurity. Contract terms will not be implied if they are not truly necessary, however, nor will the law want to create a contractual duty to guard against all force majeure events, but there are endless situations where implied contractual duties for cyber security will exist as a matter of necessity. Any business providing Cloud services, or data storage or data processing services, will be in this category, as will any other business that handles confidential information as part of its core services. Any business providing financial services, health care services or insurance services will be caught in this category also. So will every IT security company. So will professional services businesses like law and accountancy. So will businesses supplying services to IP-rich sectors, such as the media, engineering, pharmaceutical and manufacturing.
The government has also made it easier to understand the details of the legal duties to be cyber secure, through its work on the development and promotion of professional and industry standards and benchmarks for cyber security. Platform initiatives within the national strategy, such as the Cyber Essentials scheme, CBEST and the research commissioned from PwC on standards frameworks, help organisations to roll out controls and measures for cyber security in methodical ways that build upon the consensus of professional opinion in this area. The common law for matters of expertise will always turn to the consensus of professional opinion to clarify the nature of obligations and to determine issues of liability. The government has enriched that part of the law through its work. The detail of the law is much clearer now than it was just 3 years ago.
The government is also using ‘soft law’ powers to encourage organisations to become cyber secure. The Cyber Essentials scheme contains the message that government procurement will focus on adherence to the scheme. This is a clever and subtle approach to law making that utilises the incentive of taxpayers’ money to change behaviours. It achieves everything that legislation can achieve, but not in a way that ruins the government’s ‘low regulation’ credentials. This soft law approach also weaves into the common law, as norms of behaviour provide benchmarks for judging whether the common law has been breached.
Similarly, the benchmarks of behavioural norms feed into the regulatory law space. Statutory regulators, like the Information Commissioner, have already taken substantive steps into cyber space. The Commissioner has imposed two financial penalties for cyber security breaches affecting personal data (and many of his other data security fines concern cyber space). His work is getting easier by the day, due to the government’s awareness-raising and its impressing of the benchmarks into the mass consciousness. Professional regulators like the ICAEW and The Law Society have engaged with the national strategy through their participation in the ‘Cyber Security in Corporate Finance’ initiative. The Solicitors Regulation Authority has embedded the government’s ‘10 Steps to Cyber Security’ into official regulatory guidance. The government has also corralled the Critical Infrastructure regulators into the national strategy, and they issued their Joint Communiqué in February. Thus, the national strategy is helping to make new regulatory law.
I said at the beginning that legislation for cyber security is not necessary to create new legal obligations, yet the government has moved into cyber regulation nonetheless. The new Data Retention and Investigatory Powers Act creates new security obligations for communications and internet companies, which are policed through new compulsory audit powers for the Information Commissioner. In the recent Queen’s Speech the government also said that it would amend the Computer Misuse Act, to make it more relevant to the current realities of cyber security offences. If the EU reform process completes, there will be new cyber security legislation in the UK flowing from the Cyber Security Directive, the second Payment Services Directive and the Electronic Identity Directive. The General Data Protection Regulation will also bring legislative changes. So might the legal challenges to RIPA, Prism and Tempora, which are currently before the Investigatory Powers Tribunal and the European Court of Human Rights.
Yes, cyber security law is developing fast and much of the momentum is generated by the national strategy and the government’s work in rolling it out. Businesses and other organisations need to apprise themselves of these realities, because legal duties come with legal liabilities. The law will soon develop even stronger consequences for cyber insecurity.
Note: The government’s key policy documents are found in the Law and Policy page of this website, under Resources.