IMPLEMENTATION OF EU LAW
The French NIS Directive implementing law was published on 27 February 2018 and became applicable on 10 May 2018.
Pursuant to this law, if an OES or a DSP fails to comply with its obligation to notify severe security breaches which have (or, for an OES, which will likely have) a significant impact on the provision of its services, to the French National Agency for the Security of Information Systems (l’Agence Nationale de Sécurité des Systèmes d’Information, the ANSSI), its managers could be personally subject to penalties of up to EUR 75,000 (in the case of an OES) and EUR 50,000 (in the case of a DSP).
On 9 November 2018, the French Prime Minister (helped by the ANSSI) appointed 122 OESs. This list is strictly confidential and will be updated every year.
OTHER RELEVANT LAW AND REGULATION
France has focused on making its critical infrastructure more resilient to cyber attacks. The French military programming law on critical infrastructure information protection (CIIP Law) entered into effect on 20 December 2013 with a view to establishing minimum cyber security standards for operators of “vital importance”. These are defined in the French Defence Code as “public or private operators having or using plants or structures whose unavailability could strongly threaten the economical or military potential, the security or the resilience of the nation”, or establishments where there is a risk of serious danger for people in the event of destruction or damage to these establishments (e.g. nuclear installations) (the OVIs). The application of the CIIP Law is monitored by the ANSSI which also assists the French government and OVIs with respect to cyber security issues. A list of more than 200 OVIs has been created by the French authorities and is strictly confidential. These OVIs operate in 12 different sectors identified as “critical” – food, health, water, telecoms and broadcasting, space and research, industry, energy, transport, finance, civilian administration, military activities and justice. One of the OVIs’ main obligations contained in the CIIP Law consists of putting in place a specific protection plan (dealing with surveillance, alert and material protection issues) that must be approved by the ANSSI.
On 13 July 2018, the French military programming law for the years 2019-2025 modified and supplemented the CIIP Law, notably with respect to the relationship between the OVIs and the ANSSI (e.g. regarding the assistance that the ANSSI could provide to the OVIs in the event of a threat affecting them).
The CIIP Law also includes four different types of measures:
The ANSSI has set out technical and organisational rules to protect OVIs’ information systems. These rules are very detailed and technical and relate to the following categories: information systems security policy, security accreditation, security maintenance, security incident detection and handling, alert-processing, administration access control, information systems used for administration, segregation in systems and networks, traffic monitoring and filtering.
In addition, various specific rules have been enacted for each of the 12 critical sectors to take into account the specificities of each sector.
OVIs must notify the ANSSI of security incidents occurring on their critical information systems and include specific information, such as: a detailed explanation of the security incident; a detailed explanation of its consequences and the corrective measures; and the technical details to enable the ANSSI to determine the level of risk (e.g. whether the incident qualifies as a “major crisis”).
OVIs’ information systems must be subject to controls in order to verify both their level of security and their compliance with the CIIP Law. Those controls can be carried out by the ANSSI or a service provider duly qualified as a “Trust Service Provider” by the ANSSI (e.g. cyber security audit service providers, incident detection service providers, electronic certification service providers, etc.).
In the case of a “major crisis” (declared by the ANSSI), the ANSSI can impose specific measures on OVIs (e.g. steering and coordination of corrective measures, establishment of a business continuation plan, etc.).
The transposition of the EU NIS Directive into French law will benefit from the work already done under the CIIP Law (for instance, we understand from the ANSSI that security measures for OESs (as defined by the NIS Directive) will be drawn from the existing list of measures provided in the CIIP Law).
GDPR, NIS DIRECTIVE AND PSD2
Cyber security is a strategic issue for European businesses which are increasingly gathering and monetising data but are at risk of significant cyber attacks. Such attacks have led to significant reputational damage, negative media coverage and diminished customer confidence and trust. European legislators are increasingly concerned with protecting the data of individuals and, in response, have introduced pan-European legislation.
The GDPR became effective on 25 May 2018. It represents the biggest change in EU data privacy law in a generation. There are very serious sanctions for breach, including fines that can be as high as 4% of global turnover.
The following are some of the cyber security provisions of the GDPR:
- Obligations on data processors: The previous regime did not directly regulate processors. Under the GDPR, data processors are now required to implement appropriate technical and organisational measures, and are subject to breach notification requirements; and contracts between data controllers and processors will be required to contain mandatory provisions relating to data
- Personal data breach notification: Data controllers will now be required to report personal data breaches to the relevant national data protection authority, generally “without undue delay” and within 72 hours of becoming aware of them. Data processors will be required to notify data controllers of security breaches affecting personal data.
- Information security measures: Data controllers and processors are required to implement technical and organisational measures to ensure a level of security appropriate to the risk, including, for example: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore availability of personal data following an incident; and processes for regularly testing, assessing and evaluating the effectiveness of measures for ensuring the security of data
The GDPR has significantly extended the extraterritorial effect of the EU data protection regime, including the cyber security elements. Entities processing entirely outside the EEA will be within scope if the processing is carried out in order to offer goods and services to, or monitor the behaviour of, individuals within the EEA.
As an EU Directive, the NIS Directive required member states to adopt and publish local laws necessary to comply with the Directive by 9 May 2018. The purpose of the Directive was to improve the overall level of cyber security across the EU. Sanctions for breach are to be determined by each member state; in the UK, for example, the government has indicated that it favours a sanctions regime mirroring that of the GDPR.
Member states will be required to identify operators of essential services (OESs), within the following sectors:
- Financial market infrastructure
- Digital infrastructure
Operators of essential services will be required to take appropriate and proportionate technical and organisational measures to detect and manage the risks posed to networks and information systems and notify, without undue delay, the competent authority of incidents that have a significant impact on continuity of the core services provided. Additionally, digital service providers (DSPs), being broadly online search engines, online marketplaces and cloud computing services, will be required to implement similar technical and organisational measures and be required to comply with notification obligations. Of course, close attention should be paid to the local law implementation of the Directive, which will provide the detail of the obligations to be complied with. Even if entities are not within scope of the NIS Directive, many counterparties will expect compliance as “best practice”.
By way of example, as at the present date, various jurisdictions have taken steps to implement the NIS Directive, including France, Italy, the Netherlands and the United Kingdom (see further below).
Member states were required to transpose PSD2 into national laws and regulations by 13 January 2018. Member states have discretion regarding sanctions; for example, in the UK, the Financial Conduct Authority has a far-reaching sanctions regime with no upper limit on penalties. PSD2 requires payment service providers to comply with additional cyber security obligations, including in relation to:
- Policies and procedures: Requirements for payment service providers to have a security policy, security control and mitigation measures, including maintenance of effective incident management procedures and a policy to detect and classify major operational or security incidents relating to payment services.
- Major incident reporting: Requirement for payment service providers to notify the national regulator of major operational or security incidents within four hours of detection, with intermediate reports required at least every three days or whenever there is a new development and a final report to be submitted once the root cause analysis has been carried out.
- Customer notification of major incidents: Requirement for payment service providers to notify customers, directly and without undue delay, if a major operational or security incident might impact the financial interests of customers.
- Annual risk assessments: Submission of annual assessments to the national regulator of the operational and security risks relating to the payment services they provide and the adequacy of the mitigation and control mechanisms implemented.
- Strong customer authentication: Application of “strong customer authentication” when a payment service user accesses its account online, initiates an electronic payment transaction or carries out any other action through a remote channel that may imply a risk of payment fraud or other abuse.
CYBER SECURITY REGULATION
In the US, cyber security enforcement authority is split between a number of state and federal agencies. While there is no single cyber security regulatory regime, several regulatory agencies have been increasingly active in this area in response to the steady stream of high-profile data breaches and cyber security incidents. Thus, most companies operating in the US will be subject to cyber security oversight by state attorneys general, the Federal Trade Commission, and one or more sector-specific agencies such as the Securities and Exchange Commission and the New York Department of Financial Services.
Two federal regulators – the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) – have taken a primary role in enforcing US cyber security standards.
The FTC is the self-described “nation’s leading privacy enforcement agency” and has sought to hold companies accountable for breached cyber defences and other violations based on its general authority to monitor “unfair or deceptive acts or practices in or affecting commerce” under Section 5 of the FTC Act. Initial FTC settlements typically do not include financial penalties because the FTC can only collect monetary penalties for knowing violations of its rules, consent orders or cease and desist orders. However, repeated or subsequent violations can lead to significant financial penalties.
Separately, the SEC has authority to bring enforcement actions against registered entities (e.g. investment advisers and broker-dealers) and public companies. Registered entities are obliged to protect their customers from cyber-threats by Regulation S-P, which requires that they adopt policies that are reasonably designed to safeguard customers’ non-public personal information, protect that information against anticipated threats, and prevent unauthorised access and use of non-public material information that could result in significant harm to the customer. The SEC has brought enforcement actions against registered entities for violations of this rule.
The SEC has also recently focused on cyber security disclosures by public companies, stating that it is critical that public companies take all required actions to inform investors about material cyber security risks and incidents in a timely fashion, including those companies that are subject to material cyber security risks but may not yet have been the target of a cyber attack. In February 2018, the SEC released updated guidance on cyber security market disclosure. The Guidance specifically references the requirements of Regulation S-K and Regulation S-X, which impose an obligation to disclose cyber security risks and incidents in the following manner:
- Periodic Reports: Issuers are expected to provide timely and ongoing information in their reports regarding material cyber security risks and incidents that trigger disclosure obligations
- Securities Act and Exchange Act Obligations: Issuers should ensure they are providing adequate cyber security-related disclosure in connection with Sections 11, 12, and 17 of the Securities Act and Section 10(b) and Rule 10b-5 of the Exchange Act
- Current Reports: Issuers are encouraged to utilise current reports in Form 8-K or Form 6-K to ensure their shelf registration statements remain current with regard to the costs and other consequences of material cyber security
Issuers are also expected to disclose “such further material information, if any, as may be necessary to make the required statements in light of the circumstances under which they are made, not misleading”. Omitted information about cyber security risks or incidents may be material depending on the nature, extent, and potential impact of the event. Finally, the guidance also “encourage[s] companies to adopt comprehensive policies and procedures related to cyber security.”
Following the announcement of its own data breach, on 25 September 2017, the SEC announced a new enforcement initiative that will target cyber-related threats. The new Cyber Unit is part of the SEC’s Enforcement Division and will focus on conduct, including:
- Spreading false information through electronic and social media to manipulate the market
- Hacking to obtain material non-public information
- Violations involving distributed ledger technology and initial coin offerings
- Intrusions into retail brokerage accounts
- Cyber-related threats to trading platforms and other critical market infrastructure.
State governments are also key players in the US cyber security regulatory arena, through their attorneys general offices. These state regulators have pursued data breach actions under state unfair and deceptive trade practice statutes (often deemed “little FTC Acts”), or in some instances, under dedicated privacy statutes and regulations. In addition, many state unfair and deceptive trade statutes permit a right of enforcement by private claimants, which is not available under Section 5 of the FTC Act, and provide for attorneys’ fees for successful litigants.
Most state statutes also include data breach notification requirements, requiring notification to affected individuals and/or state government agencies when a company suffers a data breach involving certain enumerated categories of personal identifying information (PII). These state statutes are triggered by the state(s) in which the affected data subjects reside.
A particularly stringent cyber security regulation issued by the New York Department of Financial Services (NYDFS) requires insurance companies, banks and other covered entities who operate in New York State to maintain department-approved plans to deter cyber attacks, and report any significant attacks to the NYDFS within 72 hours of when they occur. Since promulgation of this regulation by the NYDFS, the National Association of Insurance Commissioners (NAIC) has adopted a similar model rule on 24 October 2017, signalling broader acceptance within the insurance regulatory community. So far this year, the model rule has been introduced by both Rhode Island and South Carolina in their respective state legislatures.
The NY Reg came into effect on 1 March 2017. Covered entities had 180 days in which to implement most requirements. The following are some of the key provisions of the rule:
- Programme, policies and procedures: Based on a risk assessment, entities are expected to establish written cyber security policies and procedures to protect their information systems (including in-house developed applications) and sensitive non-public data
- Periodic Risk Assessment: Entities must conduct a periodic risk assessment to address any changes in the entity’s information systems, non-public information or business operations
- Chief Information Security Officer (CISO): Each entity must designate a qualified individual to serve as the CISO, who is responsible for implementing, overseeing and enforcing the cyber security programme and policy
- Notification of cyber events to NYDFS: Entities must notify NYDFS no later than 72 hours from a determination that a significant cyber security event has occurred.
CRITICAL INFORMATION INFRASTRUCTURE LAW, PERSONAL DATA LAW, NATIONAL PAYMENT SYSTEM LAW, VPN LAW AND IM LAW
Cyber security issues became very important in light of successful cyber attacks on Russian companies that were carried out a couple of years ago. The legislator recognised the importance of cyber security and, in addition to fragmentary regulations that previously existed in certain legal areas, adopted the new law regulating the general requirements of cyber security in the most important spheres of the Russian economy.
The main purpose of the CDI Law, which came into force on 1 January 2018, is to ensure that Russia’s critical data infrastructure (that consists of “critical data infrastructure facilities and telecommunications networks used for the interaction of such facilities”) is secure and stable in the face of cyber attacks.
The CDI Law imposes certain obligations upon, amongst others, Russian entities and/or individual entrepreneurs (CDI Operators) that own, lease or have other legal rights to critical data infrastructure facilities (such as data systems, data and telecommunications networks and automated control systems) operating in the following areas: (i) healthcare, (ii) science, (iii) transport, (iv) communications, (v) energy, (vi) banking and other sectors of financial markets, (vii) oil & gas, (viii) nuclear, (ix) defence, (x) rocket and space, (xi) mining, (xii) metals and (xiii) chemical industry (CDI Facilities).
The main obligation of any CDI Operator is to inform the Federal Security Service of the Russian Federation and the Central Bank of the Russian Federation, as the case may be, immediately of any “cyber incident”. The definition of “cyber incident” is broad and does not necessarily come down to a cyber attack, but rather includes “any malfunction or stoppage of a critical data infrastructure facility or telecommunications network used for the interaction of such facilities, and/or a breach of the security of the data processed by such facilities, including as a result of a cyber attack”.
In addition, the CDI Law focuses on the security of what is called “important critical data infrastructure facilities” (Important CDI Facilities). Important CDI Facilities will be determined by the CDI Operators in accordance with specific regulations on the basis of various criteria of importance (such as social, political, economic, and ecological importance, and their importance for national defence and law and order) and will be registered in a special register of important critical data infrastructure facilities (the Register). Any CDI Operator whose CDI Facility is on the Register will have additional obligations under the CDI Law. In particular, such CDI Operator will be obliged to comply with specific security regulations for Important CDI Facilities and, in case of a cyber incident, to respond to the cyber incident in accordance with special procedures.
CDI Operators’ compliance with requirements under the CDI Law will be monitored by the Federal Service for Technical and Export Control of the Russian Federation through scheduled and unscheduled audits. Scheduled audits will take place every three years.
Unscheduled audits will be carried out in the circumstances specified in the CDI Law (for example, in the event of a cyber incident with negative consequences for an Important CDI Facility). CDI Operators’ officers may be criminally prosecuted for violations of the CDI Law, if the violation has resulted in damage to the critical data infrastructure.
The Personal Data Law concerns anyone that processes the personal data of individuals (the Personal Data Operators). “Personal data” is extremely broadly defined and covers “any information relating to a, directly or indirectly, identified or identifiable individual”.
The Personal Data Law requires any Personal Data Operator to apply all necessary legal, administrative and technical measures to protect personal data from illegal or accidental access, destruction, modification, blocking, copying, transfer, dissemination or other illegal operations. In particular, they include, amongst others:
- detection of security threats;
- application of specific administrative and technical security measures stipulated by the personal data regulations for the purposes of compliance with the personal data security requirements;
- application of information security tools that have passed compliance verification;
- evaluation of efficiency of the personal data security measures in place before the personal data information system has been put into operation;
- adoption of the personal data access rules and recording of all operations with the personal data; and
- security measures
In the case of a security breach, the Personal Data Operators may face damage claims from individuals whose personal data has been breached. In addition, the Personal Data Operators may be subject to administrative fines of up to RUB 15,000 that potentially may be multiplied by the number of the relevant individuals affected.
Money transfer operators, banking paying agents, payment system operators and payment infrastructure service providers (the Supervised Entities) have the relevant security obligations with respect to bank secrecy and other information in the payment system. In particular, they are obliged to comply with specific security requirements, including, amongst others:
- design and implementation of the security system;
- application of information security measures (encryption (cryptographic) tools, security measures preventing unauthorised access, antivirus protection, firewalling measures, intruder detection systems, protection control tools); and
- detection of incidents regarding violations of security
The National Payment System Law also requires uninterrupted operation of money transfer and, therefore, money transfer operators are obliged to apply specific measures to provide uninterrupted operation of money transfers that include, amongst others:
- collection, systematisation, and accumulation of money transfer information by reducing the electronic money balance of payer and increasing the respective balance of the receiver;
- prevention and, if it occurs, remedying of malfunction of operational and technical facilities engaged in recording of information with respect to electronic money balances and their transfer;
- analysis of causes of malfunction; and
- ongoing testing of operational and technical
In addition to the above, money transfer operators are required to adopt internal regulations that must contain, amongst others, the response plan in case of malfunction of operational and technical facilities.
Sanctions for violation of the National Payment System Law depend on whether the operation of the money transfer was interrupted as a result of the violation. In case of interruption, the Russian Central Bank may limit or suspend operations of the relevant entity. In addition, fines of up to RUB 1 million may be applied.
Specific regulations relating to information security can be applied to Russian companies operating in certain spheres of the Russian economy. For example, the most developed cyber security regulations in this regard are in the banking sphere. In particular, there are information security standards issued by the Bank of Russia that are followed by Russian banks. Although these standards are advisory in nature rather than mandatory, in practice most (if not all) Russian banks comply with them.
CYBER SECURITY LAW OF THE PEOPLE’S REPUBLIC OF CHINA
The Cyber security Law of the People’s Republic of China (the “Law”) came into force on 1 June 2017 with the aim of strengthening the protection of network operation information security. The Law states that China will take steps to monitor, defend and address cyber security risks both from within and outside China. The Law applies to everyone who operates networks in the PRC, particularly multinational corporations. It applies to the construction, operation, maintenance and use of networks as well as the regulation of cyber security within the PRC. It also applies to both the internet and individual intranets as long as there is any network-related activity taking place in the PRC.
The Law comprises 79 articles in seven chapters. Amongst other things, the Law focuses on network operation security and network information security.
Network operators are the main entities regulated under the Law. According to Article 76 of the Law, the term “network operators” refers to owners and administrators of networks and network service providers. Any person or entity in China which has access to a network may, by definition, be a network operator. In addition to traditional telecom and internet operators, network operators may also include financial institutions that provide online services, such as banks and insurance companies.
Network operators must observe the following security requirements:
- network operators must take technical and other necessary measures to safeguard network operations, respond effectively to cyber security incidents, prevent cybercrime and maintain the integrity, confidentiality and accessibility of network data (Article 10); and
- network operators must safeguard networks from interference, destruction or unauthorised access, and must prevent network data from being leaked, tampered with or stolen by following applicable cyber security requirements set out under a grading protection system (Article 21).
CIIs include critical information infrastructures for public communication and information services, utilities (such as energy, transportation and water), finance and public services, as well as other infrastructures that may result in damage to state security, public welfare and public interests if they were destroyed, disabled or subject to data breaches (Article 31). If a network operator operates a CII, it will be subject to more stringent rules and requirements. CII operators must carry out an assessment of their CII’s cyber security at least once a year and report potential risks and proposed remediation measures to the authorities (Article 38).
On 10 July 2017, the Cyberspace Administration of China (CAC) published a consultation draft of the Regulations on Security Protection of Critical Information Infrastructures (the Consultation Draft). Although the Consultation Draft has not yet been finalised, it echoes the Law and clarifies relevant issues and requirements concerning the security protection of CIIs, including (i) specifying the scope of a CII; (ii) prescribing, in principle, the scope of security protection obligations for CII operators in a more structured way; and (iii) requiring the operation and maintenance of CIIs to be carried out only in China in principle. According to the Consultation Draft, competent authorities will issue a further guideline regarding the scope and identification of CIIs at a later stage.
The Law contains strict requirements regarding the protection of personal information controlled by network operators. Personal information protected under the Law includes all types of information recorded electronically or otherwise that may identify a person, including, for example, name, date of birth, telephone number(s) and address(es).
In principle, personal information can only be collected when individuals have been informed and have agreed to the purpose and scope of the collection. The Law explicitly provides that:
- network product and service providers that collect users’ information are required to inform and obtain consent from the users (Article 22);
- in collecting and using personal information, network operators must adhere to the principles of legality, fairness and necessity, disclose their rules of collection and use, explicitly indicate the purposes, means and scope of collecting and using the information, and obtain consent from the persons whose information is collected (Article 41);
- network operators shall neither collect personal information irrelevant to the services provided by them, nor collect or use personal information in violation of the provisions of laws, administrative regulations or the agreement with users, and should process personal information controlled by them in accordance with the provisions of laws, administrative regulations and user agreements (Article 41);
- network operators must not disclose, tamper with or destroy personal information they have collected (Article 42); and
- individuals are entitled to request the operator to delete personal information where it has been obtained in breach of the provisions of laws, administrative regulations and user agreements (Article 43).
A non-compulsory national standard regarding personal information security (the National Standard) was issued on 1 May 2018 by way of implementing guidelines for the Law.
According to the National Standard, personal information may be classified as personal information and personal sensitive information. The latter mainly refers to information that may endanger physical or property security, or cause damage or discriminatory treatment to personal reputation and/or physical and mental health in the event of data leakage, illegal provision or misuse. Moreover, personal information of children aged 14 or younger is classified as personal sensitive information. When collecting personal sensitive information, express and distinct consent is always required.
Personal information and important data collected and generated by CIIs must be stored within China. Where information and data are to be transferred overseas, a security assessment will be conducted in accordance with measures jointly defined by China’s cyberspace administrative bodies and relevant departments under the State Council (Article 37). These restrictions apply to both personal information and nonpersonal data that constitute “important data.” The Draft Measures on the Security Assessment of Cross-Border Transfer of Personal Information and Important Data (the “Draft Measures”) that were published in April 2017 and revised in May 2017 suggest that all network operators (not only CIIs) will be subject to the above requirements. The Draft Measures include:
- absolute prohibitions on overseas transfers in certain circumstances, such as where the data relates to state politics, the economy, national defence and security, and social and public interests;
- a requirement for express or implied consent from individuals to the cross-border transfer unless otherwise provided in the Draft Measures (e.g. the cross-border transfer is necessitated by an emergency that endangers the life and property of citizens); and
- a requirement for prior regulatory notification and assessment where certain thresholds are
Vendors can only sell critical network equipment, products or services after the products or services have been certified by a qualified establishment in compliance with national standards (Article 23). CII operators purchasing network products and services that might affect national security must pass a national security review by the CAC (Article 35).
There are monetary penalties for companies and individuals found to be in breach of the Law. Business licences may be revoked, websites shut down and offenders detained. Note that the network operators and network products or services providers may be subject to a fine of one to ten times the illegal gains in respect of certain non-compliance, including infringement of the rights concerning personal information (Article 64). This flexibility empowers regulators to impose significant penalties.
On 25 August 2017, the CAC issued two new regulations concerning internet forums and chat rooms: the Administrative Provisions on Internet Forum Community Services and the Administrative Provisions on Online Comment Threads Services. Both provisions took effect on 8 October 2017. In addition, the CAC issued the Administrative Provisions on Microblogs Information Services on 2 February 2018, which took effect on 20 March 2018. These three provisions complement the “real name registration” requirement and require providers of internet forums, community boards, chat rooms and microblogs to verify the identity of the user. Only those who have their real names and identity information registered and verified are able to use these services and post comments. The provisions also impose requirements on service providers to:
- create a robust system for information censorship, real-time inspection, emergency responses, complaints and data privacy;
- provide necessary information and technical support to the authorities for inspection;
- preserve the records of logs and other information for at least six months;
- dispose of illegal information in a timely fashion; and
- establish a mechanism for refuting unsubstantiated rumours (for microblog service providers only).
United Arab Emirates (UAE)
CYBER CRIMES LAW
The Cyber Crimes Law has been in force since 27 August 2012 and comprises 51 articles, most of which set out specific cyber crimes and prescribe the applicable penalty for each crime. The Cyber Crimes Law penalises hacking; phishing; unauthorised access to electronic sources including laptops and emails; obtaining/intercepting communications (including emails) intentionally; unlawfully accessing banking details (including any form of electronic payment like PayPal) or secure details (such as passwords) using information technology; forging electronic documents or credit/debit cards; and capturing an asset, benefit or right through fraudulent means or by taking a false name or capacity via an electronic source.
Apart from these, the Cyber Crimes Law also penalises acts such as:
- Using a Virtual Private Network (VPN) to commit a crime or prevent its discovery
- Inciting, tempting or assisting in committing prostitution or debauchery by using information technology (it is questionable if dating apps might fall foul of this)
- Insulting another person or attributing an incident to a person via information technology that may make that person subject to contempt or punishment (akin to defamation)
- Calling for donations or promoting the same using information technology without a licence (e.g. raising moneys for charities through the internet)
- Crimes related to morality and public order committed through the internet including pornography, blackmail, gambling or materials prejudicing public morals, criticism of the State or its Rulers or insulting one of the monotheistic religions.
In addition to the Cyber Crimes Law, Article 29 of Federal Law No.1 of 2006 concerning e-transactions and e-commerce penalises the committing of a crime under any other applicable law by electronic means.
The Cyber Crimes Law is intended to penalise the perpetrators of the crime and does not place any obligations on individuals or entities to protect themselves from cyber crimes or penalise them for lack of such protection. However, Cabinet Resolution No. 21 of 2013 imposes requirements in respect of governmental information systems and on governmental employees to take various measures to prevent cyber crimes. In Dubai, the Government has created an Information Security Committee tasked with, amongst other things, developing a unified policy for information security in governmental information systems to protect against hacking and defining clearly the roles and responsibilities of governmental bodies and their employees regarding cyber security.
All the crimes under the Cyber Crimes Law carry a penalty of imprisonment and/or a fine, with prison sentences ranging from temporary imprisonment to no minimum sentence, and fines ranging from AED 100,000 to AED 3 million, subject to any more severe punishment that is applicable under any other law. An attempt to commit any of the cyber crimes enumerated by the Cyber Crimes Law is punishable by half the penalty prescribed for the relevant crime. Other measures the courts can take include confiscating devices, erasing information and closing sites, deporting convicted foreigners and supervising, controlling or prohibiting a convict’s use of electronic sources. The courts can reduce or waive the prosecution of any individual who informs the authorities of a cyber crime relating to the security of the state (a list of which is included in Article 44) based on a request from the public prosecutor.
The UAE’s free zones – the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Markets (ADGM) – do not have specific cyber security laws. However, the DFSA (a regulator in the DIFC) and the ADGM have signed memorandums of understanding with the Telecommunications Regulatory Authority (TRA) to cooperate in the aim of preventing cyber crimes. In addition, the UAE Central Bank has recently announced that it will be setting up a department dedicated to cyber crime.
Under Article 31 of the UAE Constitution, the right of confidentiality of communication is entrenched. There is neither federal data protection law in the UAE, nor a single national data protection regulator. Instead, there are various UAE Federal Laws that contain provisions relating to privacy and protection of personal data including the Penal Code, the Cyber Crimes Law and some sector-specific laws discussed below. The DIFC and ADGM have their own comprehensive data protection laws and data protection regulators. In addition, Dubai Healthcare City (another free zone) also maintains its own data protection system. The data protection regulations in these free zones are generally consistent with laws in other developed jurisdictions.
The Penal Code sets out a number of defamation and privacy offences including: (a) publishing anything which could expose the victim to public hatred or contempt (Article 372); (b) false accusations that could dishonour or discredit a person (Article 373); (c) recording or publishing of any news, pictures or comments which may reveal the secrets of people’s private or family lives, even if the published material is in the public interest and true (Article 378); and (d) disclosing a secret that a person is entrusted with by reason of his profession or circumstance without consent unless permitted by law.
Article 21 of the law makes it an offence to “assault the privacy of a person” online by recording or transmitting communications, audio-visual materials, pictures or electronic news or information, even if they were correct and true. Social media posts, for example, might fall foul of the UAE’s privacy laws as they could theoretically constitute a breach of privacy, defamation and be an offensive publication all at once. We understand from media stories that people have been convicted for posting videos without consent of a friend sleeping, of road rage incidents and for posting a picture of an illegally parked car. These examples highlight the need for sensitivity to such laws. The TRA issues guidance on the appropriate usage of social media and online platforms which users should familiarise themselves with.
On 10 January 2017, the TRA issued consumer protection regulations that require telecoms companies in the UAE to take all reasonable measures to prevent the unauthorised disclosure or use of a subscriber’s information, which includes their personal details, service usage, call/message records, payment history and credit rating. Disclosure is permitted where the subscriber has consented, or is required, to disclose to law enforcement agencies any such information which might aid criminal investigations. A subscriber’s consent can be recorded in their contract provided they have a right to subsequently opt out.
The UAE Credit Information Law (Federal Law No. 6 of 2010) requires commercial banks and financial institutions in the UAE to provide the Credit Bureau with credit information. Such information must be kept confidential and the data subject’s consent must be sought before any proposed disclosure of his/her information. The law imposes criminal sanctions on persons who disclose credit information without authorisation. On 1 January 2017, the UAE Central Bank issued regulations governing digital payment service providers (PSPs) who provide digital media for retail/government credit and debit payments, peer-to-peer payments and money remittances (such as e-wallets). PSPs are required to store within the UAE (but outside the free zones) for five years from the date of the original transaction all user identification data and transaction records. They are required to keep such information confidential with disclosure only permitted to the user, the UAE Central Bank, another regulatory authority with the UAE Central Bank’s consent or by a UAE court order. PSPs shall not process or share users’ personal data unless necessary under anti-money laundering or anti-terrorism laws. The Cyber Crimes Law makes it a crime to disclose or damage confidential information relating to medical treatment without permission.
We understand that the UAE has appointed public prosecutors specifically tasked with prosecuting cyber crimes. Complaints in respect of cyber crimes would first need to be made to the relevant Emirate’s police department. Most Emirates have a designated cyber crimes department which will investigate such crimes and, based on its report, the public prosecutor then decides if a criminal case should be filed or not. As with cyber security, the unauthorised disclosure of private data attracts criminal sanctions and the data subject could lodge a complaint with the police in the relevant Emirate. Other bodies in the UAE with cyber security responsibilities include the: (a) National Electronic Security Authority, a federal authority; (b) TRA; (c) UAE Computer Emergency Response Team (aeCert), a subsidiary of the TRA; and (d) Dubai Electronic Security Centre. Article 274 of the UAE Penal Code requires any individual who has knowledge of a crime to report it to the competent authorities or risk a fine of up to AED 1,000. However, in practice, we understand that this might not be strictly applied. The victim of cyber crime or data breaches could also bring parallel civil proceedings against the perpetrator if they can prove that the crime caused them damage. If successful with a criminal complaint, there is a presumption of liability in UAE civil proceedings.
Guidance for UAE companies
The restriction in Article 379 of the Penal Code could apply to personal data of employees. Where possible, companies should seek an employee’s consent prior to disclosure of his/her data. Law No.2 of 2015 concerning Commercial Companies requires directors and employees to act in their organisation’s best interests and with reasonable skill and care. In the DIFC and ADGM, entities are also obliged to implement adequate operating systems and controls. Failure to maintain adequate cyber security or to prevent unauthorised disclosure of data may constitute a breach of those duties, opening the doors to liability for compensation and regulatory sanctions against such persons. If the directors or employees of UAE companies were found guilty of cyber crimes or data privacy breaches while performing their duties, it might also expose the company to vicarious liability under UAE law. It is advisable for companies to adopt international best practices in relation to cyber security and data protection systems and instate adequate training for its personnel.
JAPANESE CYBER SECURITY LAW
The existing cyber security-related laws in Japan include the Basic Act on Cyber Security, the Act on the Protection of Personal Information and the Act on the Prohibition of Unauthorised Computer Access. The regulator of financial institutions has also promulgated regulations to deal with cyber security issues in each of the financial sectors as part of its supervising activities. Certain cyber attacks are criminalised in Japan.
The BAC was enacted in 2014 and came into force on 1 April 2016. The relevant regulator is the Ministry of Internal Affairs and Communications. Mandatory obligations are imposed on different categories of entities: CII operators (operators of businesses that provide vital infrastructure), cyber space-related business entities and other business entities.
The BAC stipulates the following responsibilities:
- CII operators are to make efforts to deepen their awareness and understanding of the critical value of cyber security, ensure cyber security voluntarily and proactively, and cooperate with the measures on cyber security taken by the national government or local
- Cyber space-related business entities and other business entities are to make an effort to ensure cyber security voluntarily and proactively in their businesses and to cooperate with the measures on cyber security taken by the national government or local
However, the BAC is enacted as a basic act indicating general government policy and it does not necessarily cover specific activities and incidents related to cyber security. For example, any sanction for breach of the above-mentioned obligations is not stipulated under the BAC.
An Amendment Act to the BAC (the Amendment Act) was approved by the Cabinet and was submitted to the National Diet on 9 March 2018. If the Amendment Act is enacted, it will establish a Cyber Security Council involving governmental bodies, educational institutions and relevant service providers to improve communication between these parties and to enhance cyber security.
The APPI is the legislation in respect of protection of personal data in Japan and applies to all private sectors. Major amendments to the APPI came into force on 30 May 2017 in order to raise the level of protection of personal data to the same level as that in the EU. The relevant regulator is the Personal Information Protection Commission (PIPC) which was established on 1 January 2015 as the sole regulatory body under the APPI and now regulates and supervises all private industries, in cooperation with other regulators such as the Financial Services Agency (FSA).
All businesses that handle, collect or process personal information (such as information that can identify the specific individual by name, date of birth, certain kinds of biological information and ID numbers) would be subject to the regulations and the APPI.
Various obligations will apply under the APPI to secure the protection of personal information, and some regulations and/or obligations would be relevant to cyber security, for example:
- Information handlers shall specify the purpose of use of personal information as much as possible and shall not handle personal information of an individual without obtaining the prior consent of such individual, beyond the scope necessary to achieve the purpose of use
- The handlers principally shall not provide personal information to a third party without obtaining the prior consent of the individual
- The handlers shall promptly notify the PIPC and other relevant supervising authorities if the personal information has been disclosed or leaked (including in case of cyber attack by other parties and breach of cyber regulations by itself or relevant parties) to others in an unauthorised way
- The handlers shall take necessary and proper measures for the security control of personal information, and shall exercise necessary and appropriate supervision over the employees of the handler and outsourced entities to ensure the security control of personal data
- The handlers shall endeavour to appropriately and promptly process complaints about the handling of personal
Under the APPI, if the handler breaches the requirements under the APPI and breaches the improvement order, a criminal sanction of up to six months’ imprisonment or a fine of JPY 300,000 could be imposed on the handler. If the handler is a representative, an agent or an employee of a legal entity, such legal entity could also be subject to the fine. In addition, if the handler files a false report, a criminal sanction of up to JPY 300,000 could be imposed.
In accordance with the implementation of the BAC, the FSA has adopted rigorous policies and measures to strengthen cyber security in the financial sector since 2015. The supervisory guidelines for commercial banks, securities firms, insurance companies and licensed moneylenders published by the FSA have been updated in order to include check-points on cyber security since February 2015. These require regulated financial institutions to take appropriate measures to protect customer data and to ensure cyber security.
In addition, the FSA organised financial industry-wide cyber security drills (so-called “Delta Wall”) in 2016 and 2017. Around 80-100 financial institutions have participated in these drills.
Under the Act on the Prohibition of Unauthorised Computer Access and the Penal Code, certain cyber attacks may be subject to criminal sanction.
THE CYBER SECURITY ACT, THE PERSONAL DATA PROTECTION ACT AND THE COMPUTER MISUSE ACT
Cyber security ranks high on the Singapore Government’s agenda, and the seriousness with which it views cyber security threats can be seen in, amongst others, the establishment of the Cyber Security Agency (CSA) of Singapore as the central agency to oversee and coordinate all aspects of cyber security for the nation. In October 2016, Singapore’s Cyber Security Strategy, with the aim to create a resilient and trusted cyber environment for Singapore, was launched.
In February 2018, the Singapore Parliament passed a Cyber Security Act which purports to be a broad omnibus cyber security law. The Cyber Security Act will apply to organisations that are designated as operating “critical information infrastructure” in Singapore and would include organisations in the energy, telecoms, water, health, banking, transport and media sectors.
The Cyber Security Act exists alongside other Singapore legislation that deals with information security, such as the Personal Data Protection Act. Aside from that, the regulators of some sectors which are deemed to be critical information infrastructure sectors (e.g. financial services providers) have also promulgated regulations dealing with cyber security incidents.
The Cyber Security Act takes a holistic approach towards Singapore’s resilience against cyber attacks and focuses on ensuring that the country is prepared and can respond effectively and promptly when an attack occurs. It seeks to establish a framework for the oversight and maintenance of national cyber security in Singapore, and empower the CSA to carry out its functions.
- To provide a framework for the regulation of sectors considered to be CII sectors. This is with the intention of formalising the duties of owners of CII in ensuring the cyber security of their respective CIIs
- To provide CSA with powers to manage and respond to cyber security threats and incidents. The intention is to enhance the existing powers related to cyber security which are provided for in the Computer Misuse and Cyber Security Act, and to specifically vest the officers of the CSA with sitting powers
- To establish a framework for the sharing of cyber security information with and by the CSA, and the protection of such information
- To establish a light-touch licensing framework for cyber security service
Under the Cyber Security Act, organisations which have been designated as CII owners will be subject to various duties, including:
- A duty to report certain cyber security incidents
- A duty to disclose certain information
- A duty to undertake periodic cyber security audits and risk assessments, and could be further required to adhere to codes of practice or standards
- A duty to notify changes in legal or beneficial ownership of
It is acknowledged that cyber security is related to personal data protection and in connection with that, the PDPA requires organisations to make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
In July 2017, the Singapore Personal Data Protection Commission (PDPC) launched a public consultation on the review of the PDPA, and proposed mandatory data breach notification. It was proposed that:
- Organisations must notify affected individuals and the PDPC of a data breach that poses any risk of impact or harm to the individuals affected
- Even if the breach does not pose any risk of impact or harm to the affected individuals, organisations must notify the PDPC where the scale of the data breach is
The CMCA was enacted in 1993 to secure computer material against unauthorised access or modification. It was recently amended in April 2017 to address the changing nature of computer offences and the growing threat of cybercrime.
Under the CMCA, it is an offence to:
- Use a computer to secure unauthorised access to any program or data held in any computer
- Cause an unauthorised modification of the contents of any computer
- To knowingly secure unauthorised access to any computer to obtain any computer service
- To obstruct the use of or prevent access to a computer without authority
- To knowingly and without authority, disclose any password, access code or any other means of gaining access to any program or data held in any computer for wrongful gain, any unlawful purpose or with the knowledge that it is likely to cause wrongful loss to any
In 2017, the Act was amended to criminalise the use of personal data obtained via an act in breach of the CMCA, where the person knows or has reason to believe that the personal information was so obtained. It is not an offence if the personal information was obtained or retained for a purpose other than for use in committing, or in facilitating the commission of any offence. It was clarified that this exception was created to exempt journalists or researchers who use information derived from hacks for their news reports or research, so long as they do not circulate the personal details that were disclosed through the hack.
The CMCA was also amended to:
- Criminalise the act of obtaining and the act of dealing in tools which may be used to commit an offence under the CMCA
- Extend the territorial scope of offences under the CMCA to cover any offence committed by any person who was in Singapore at the material time, any offence where the computer, program or data was in Singapore at the material time, and any offence which causes or creates a significant risk of serious harm in
- Allow prosecutors to amalgamate cyber crime charges against a perpetrator instead of having to bring separate charges for each instance of a distinct
Following the passing of the Cyber Security Act, the CMCA will be correspondingly amended to remove references to cyber security in its title and within the Act itself.
CYBER SECURITY STRATEGY
In 2016, the Australian Government released its national “Cyber Security Strategy”, as a roadmap until 2020 for protecting and advancing Australian Government and private sector interests online. With 84% of small and medium Australian businesses operating online, cyber security is an essential element of doing business in Australia.
The Privacy Act imposes some obligations in relation to cyber security:
- Entities subject to the Australian Privacy Principles (APPs) (each an APP entity) must have a clearly expressed and up-to-date policy in relation to the management of personal
- Entities that hold personal information (or credit reporting information) are required to implement appropriate measures to protect personal information from misuse, interference and loss, and from unauthorised access, modification or
- Recipients of individuals’ tax file numbers (TFNs) must take reasonable steps to protect TFN information from misuse and loss, and from unauthorised access, use, modification or disclosure, and ensure that access to records containing TFN information is restricted to individuals who need to handle that information for taxation law, personal assistance law or superannuation law
- Generally, if an entity holding personal information, credit reporting information or an individual’s TFN no longer requires the information, the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.
- An APP entity must take such steps as are reasonable in the circumstances to ensure that an overseas recipient of personal information from the entity does not breach the APPs in relation to the information (for example, through contractual provisions), unless an exception applies (such as where consent is given or the recipient of the information is subject to a law that has the effect of protecting the information in a way that is substantially similar to the way in which the APPs protect the information, and there are mechanisms that the individual can access to take action to enforce that protection).
It is also important to note that the extraterritorial effect of the EU’s GDPR will mean that certain Australian businesses will be subject to the GDPR in addition to local law requirements.
The NDB Scheme came into effect on 22 February 2018, as an amendment to the Privacy Act.
The NDB Scheme imposes mandatory investigation and notification obligations in respect of eligible data breaches on a number of agencies and organisations including APP entities, credit reporting bodies, credit providers, and tax file number recipients. Under the NDB Scheme, an entity covered by the scheme which is subject to an eligible breach is required to notify the Office of the Australian Information Commissioner (OAIC) and any individuals likely to be at risk of serious harm as a result of the breach. The notice must include:
- The identity and contact details of the organisation
- A description of the data breach
- The kind of information that has been disclosed
- Recommendations about the steps individuals should take in response to the data
APRA has released a new Prudential Standard “CPS 234 Information Security” to take effect from 1 July 2019. This new standard applies to authorised deposit-taking institutions (ADIs), general insurers, life insurers, private health insurers, licensees of registrable superannuation entities (RSE licensees) and authorised or registered non-operating holding companies. The Standard aims to ensure that APRA-regulated entities are resilient against information security incidents (including cyber attacks) by requiring that each such entity maintains an information security capability that is commensurate with information security vulnerabilities and threats. The Standard requires, inter alia, that APRA-regulated entities have clearly defined information security-related roles and responsibilities of the board, senior management, governing bodies and individuals, and that APRA is promptly notified of any material information security incidents. Other relevant APRA standards and guidelines include:
APRA Prudential Standards – CPS 220 (Risk Management) and CPS 231 (Outsourcing)
These Standards require APRA-regulated entities to have proper risk management strategies, including IT systems, and to ensure that they properly manage outsourcing risk in relation to material business activities
APRA Prudential Practice Guides – CPG 234 (Management of Security Risk in Information and IT) and CPG 235 (Managing Data Risk)
These Guides provide guidance to senior management, and risk management and technical specialists (both management and operational) about data and security risks and specifically target areas where APRA continues to identify weaknesses as part of its ongoing and supervisory activities
APRA Information Paper – Outsourcing Involving Cloud Computing Services
This paper, released on 24 September 2018, provides an update to APRA’s July 2015 publication which outlined prudential considerations and key principles that should be considered when adopting the use of cloud computing services.
In addition to continuous disclosure obligations which may require a company to disclose a breach of data security, ASIC’s Cyber Resilience Health Check 2015 set out ASIC’s expectation that company boards participate in cyber security issues, recommending that companies (i) adopt the US Department of Commerce’s National Institute of Standards and Technology Cyber Security Framework, (ii) engage with cyber security bodies, and (iii) involve directors and the Board in managing cyber security to foster a strong culture of cyber resilience. In November 2017, ASIC released a report on the cyber resilience of firms in Australia’s financial markets, which revealed only 66% of organisations surveyed had cyber incident response plans in place.
This Act establishes offences that are consistent with those required by the Council of Europe Convention on Cybercrime. The provisions are drafted in technology-neutral terms to accommodate advances in technology. The Act establishes cybercrime offences, including serious offences which are defined as offences punishable by imprisonment for five years or more, including life sentences.
This Act seeks to strengthen the Australian Government’s ability to respond to national security threats, particularly sabotage, espionage and coercion that may be brought about by cyber attacks. The Act captures approximately 165 assets in the electricity, gas, water and ports sectors, and creates a Register of Critical Infrastructure Assets, gives the Government greater information-gathering powers with respect to these assets, and creates a ministerial directions power to allow the Minister for Home Affairs to issue directions to owners or operators of these critical assets in order to mitigate national security risks.
HKMA AND SFC GUIDANCE
There is no overarching legal framework for cyber security in Hong Kong. Entities regulated by the Hong Kong Monetary Authority (HKMA) and Securities and Futures Commission (SFC) must abide by the regulatory guidance issued, including the various guidelines and circulars concerning cyber risk management, resilience testing and management accountability. The Personal Data Privacy Ordinance, Cap. 486 (PDPO) addresses the security of personal data, including data storage and security measures. There are a number of offences under Hong Kong law targeting cyber security-related crimes, including “unauthorised access to a computer by telecommunications” under the Telecommunications Ordinance, Cap. 106, “access to a computer with criminal or dishonest intent”, and criminal damage under the Crimes Ordinance, Cap. 200.
An HKMA Circular dated 14 October 2014, issued to all Authorised Institutions (“AI”), required a review of existing controls, compliance with the PDPO, and addressed reporting requirements and failure to report. The circular stated that AIs should implement “layers” of security controls (covering both IT and non-IT) to prevent and detect any loss or leakage of customer data. AIs should be prepared to implement additional stringent controls related to Bring-Your-Own-Device (BYOD) devices in accordance with their data classification and risk assessment results whenever there is a need to protect systems and networks. AIs should have in place effective incident handling and reporting procedures.
A later HKMA Circular, sent on 15 September 2015, dealt specifically with cyber risk management. It pinpointed areas of cyber risk management, including risk ownership and management accountability, periodic evaluations and monitoring of cyber security controls, increased industry collaboration and contingency planning and regular independent assessment and tests. It stated that senior management should evaluate periodically the adequacy of the AI’s cyber security controls, having regard to emerging cyber threats and a credible benchmark of cyber security controls endorsed by the board.
In December 2016, the HKMA launched a Cyber Security Fortification Initiative and an Enhanced Competency Framework on cyber security. The latter is a certification programme for cyber security practitioners in the Hong Kong banking industry.
Following a cyber security review commenced in the fourth quarter of 2016 (in which the SFC conducted inspections and deep dives into the industry practices and the benchmarking of its requirements against other major regulators), the SFC commenced a consultation in May 2017, in which it proposed the introduction of the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading (the Guidelines). The purpose of the Guidelines is to (i) strengthen control practices to address known threats and vulnerabilities; (ii) standardise and codify common local cyber security control practices for their consistent adoption by internet brokers across the industry; and (iii) provide unambiguous and practical guidance to internet brokers with respect to the SFC’s expectations on cyber security controls.
The Guidelines set out 20 baseline requirements as minimum standards, covering preventive controls (to protect internet brokers’ internal networks and internet trading systems, as well as client accounts, from cyber attacks), detective controls (to detect suspected hacking activities and alert internet brokers and clients on a timely basis to mitigate their impact and reduce financial losses) and internal governance-related controls (to strengthen overall cyber security governance and management of internet brokers and the cyber security awareness of both brokers and their clients).
On 27 October 2017, the SFC published the conclusions of the consultation and issued the Guidelines (with minor amendments resulting from the consultation) via a circular, requiring all licensed corporations engaged in internet trading to implement the 20 baseline requirements in the Guidelines to enhance their cyber security resilience and to reduce and mitigate hacking risks. One key control, the implementation of two-factor authentication for clients to log in to their internet trading accounts, took effect on 27 April 2018, while all other requirements took effect on 27 July 2018.
The PDPO requires all practicable steps to be taken to ensure that personal data held by a data user is protected against unauthorised or accidental access, processing, erasure, loss or use, having particular regard to:
- the nature of the data and the damage that could result from unauthorised or accidental access, processing, erasure, loss or use;
- the physical location where the data is stored;
- any security measures used for the equipment where the data is stored;
- any measures taken for ensuring the integrity, discretion and competence of persons having access to the data; and
- any measures taken for ensuring the secure transmission of the data (Data Protection Principle 4(1)).
The Privacy Commissioner issued an information leaflet on BYOD in August 2016, highlighting the personal data privacy risks and best practices of which an organisation needs to be aware when it develops a BYOD policy, as well as a “Physical Tracking and Monitoring through Electronic Devices” information leaflet in May 2017 to draw attention to the possible risks of personal data privacy associated with physical tracking or monitoring through electronic devices.
The PDPO does not require that personal data security breaches be notified, either to data subjects or the Privacy Commissioner. While not a legal requirement, the Privacy Commissioner does encourage notification of breaches.
There is a range of criminal sanctions for breach of the PDPO. If a data user is found to have breached the Data Protection Principles of the PDPO, the Privacy Commissioner may issue an enforcement notice requiring the data user to take steps to rectify the contravention. A breach of the enforcement notice constitutes a criminal offence, punishable by a fine of up to HKD 50,000 (doubled for any subsequent convictions) and imprisonment for up to two years. Contravention of other requirements of the PDPO is also an offence.
In addition, it is an offence for a person to obtain personal data from a data user without the data user’s consent and disclose that personal data with the intent to obtain a gain or cause loss to the data subject; or in circumstances where the disclosure causes psychological harm to the data subject. The offence is punishable by a fine of up to HKD 1 million and up to five years’ imprisonment. Lesser contraventions of the PDPO are punishable by fines of up to HKD 10,000 and up to six months’ imprisonment. In addition to criminal sanctions, a data subject who suffers a loss due to a breach of the PDPO is entitled to seek compensation from the data user through civil action, including for emotional distress.
CYBER SECURITY ACT
As regards the regulation of cyber security, the Czech Republic is ahead of many EU member states. The comprehensive regulation of cyber security was already introduced in 2014 when the Czech Parliament passed Act No. 181/2014 Coll. on Cyber Security (the Cyber Security Act). The Cyber Security Act came into effect on 1 January 2015.
Following the adoption of the NIS Directive, the Cyber Security Act was amended several times to bring the national regulation on cyber security in line with the EU law. In particular, Act No. 205/2017 Coll. amending the Cyber Security Act introduced a number of requirements arising from the NIS Directive into the Cyber Security Act.
The Cyber Security Act aims to improve cyber security and to ensure active cooperation between the private and public sectors in handling cyber incidents. To achieve this, the Cyber Security Act imposes a number of obligations upon selected entities. These entities include (i) providers of electronic communication services and operators of electronic communication networks, (ii) authorities and administrators of important networks, (iii) administrators and operators of information systems of critical information infrastructure, (iv) administrators and operators of communication systems of critical information infrastructure, (v) administrators and operators of important information systems, (vi) administrators and operators of information systems of essential services, (vii) operators of essential services and (viii) providers of digital services. Unsurprisingly, public sector entities are subject to more obligations than those operating in the private sector.
Under the Cyber Security Act, the entities listed under (iii) to (vi) must adopt security measures to provide for cyber security of information and communication systems. Similarly, providers of digital services must implement appropriate security measures with respect to electronic communication networks and information systems which they use to provide their services. Furthermore, the Cyber Security Act requires the selected entities to notify the relevant authorities of a cyber security incident once it has been detected. The operator of the national computer emergency response team, currently the CZ.NIC association, and the National Cyber and Information Security Agency (NCISA) are in charge of handling notifications. The details on notifications and classification of cyber security incidents are specified in Decree of the National Cyber and Information Security Agency No. 82/2018 on security measures, cyber security incidents, reactive measures, details on notifications in the area of cyber security and data liquidation.
The newly established authority, the NCISA, is the central body responsible for cyber security, including the protection of classified information in the area of information and communication systems and cryptographic protection. It prepares strategic documents concerning national cyber security and submits them to the Czech Government for approval. The Czech Government approved the currently valid National Cyber Security Strategy for 2015 – 2020 by resolution No. 105 on 16 February 2015, and the Action Plan for the National Cyber Security Strategy for 2015 – 2020 by resolution No. 382 on 25 May 2015.
The NCISA’s competencies also include the right to issue a warning once it becomes aware of a cyber security threat. The NCISA may also impose an obligation upon the selected entities to adopt reactive or protection measures, and require the operators of information systems of critical information infrastructure, information systems of critical communication infrastructure or important information systems to provide traffic data and information concerning the systems to the administrator of such systems. Finally, the NCISA monitors compliance with the Cyber Security Act and may conduct an inspection. In the event of a breach of obligations arising from the Cyber Security Act, it may impose a fine of up to CZK 5 million.
IT SECURITY ACT AND CRITIS
In July 2015, that is, before the EU Directive on Security of Network and Information Systems (“NIS Directive”) entered into force, the German legislator had issued the Act to Increase the Security of Information Technology Systems (Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme, “IT Security Act”), which mainly focused on the protection of installations and facilities of major importance for the functioning of the community and public security (so-called critical infrastructures, “CRITIS”). Following the adoption of the NIS Directive, the IT Security Act was amended, in particular, so as to also cover providers of digital services. Currently, a further, comprehensive amendment of the IT Security Act is being discussed in Germany; a first draft bill was published by the Federal Ministry of the Interior and submitted to the other ministries for consultation in March 2019 (“Draft Second IT Security Act”). It is still unclear when, and in which final form, the draft bill will enter into force.
The main German authority competent in relation to questions of cyber security and the monitoring of the requirements of the IT Security Act is the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, “BSI”).
Apart from the cyber security requirements imposed on CRITIS and providers of digital services and the requirements under the General Data Protection Regulation (see section on the European Union), further statutory obligations apply in relation to cyber security that are either (i) sector specific (e.g. the financial sector) or (ii) tied to the provision of certain services (e.g. telecommunications services).
IT SECURITY ACT
The IT Security Act amended a number of pre-existing acts. The most relevant provisions were inserted into the Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, “BSIG”), which, in particular, imposes a number of obligations on CRITIS and providers of digital services and specifies the competences of the BSI.
CRITIS in the sense of the BSIG include installations and facilities relating to the following seven sectors which are of major importance for the functioning of the community and public security:
- information technology and telecommunications;
- transport and traffic;
- nutrition; and
- finance and insurance.
Whether an installation or facility falling within the scope of these sectors in fact qualifies as CRITIS is to be assessed by the operators of the relevant installations or facilities themselves based on the Ordinance on the Determination of Critical Infrastructures under the BSIG (Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz). The assessment is mainly to be made based on certain thresholds regarding the contribution to the provision of services or supplies to the public (basic reference value for the different thresholds is the supply of 500,000 persons).
Providers of digital services in the sense of the BSIG include providers of online search engines, cloud computing services and online marketplaces.
The current Draft Second IT Security Act provides for a significant extension of the applicability of the BSIG. According to the draft, the cyber security-related requirements under the BSIG shall also apply to installations and facilities relating to (i) the waste sector, (ii) the armaments sector, (iii) the cultural and media sector, and (iv) DAX companies and further facilities and installations of particular public interest to be defined in the Ordinance on the Determination of Critical Infrastructures under the BSIG. In addition, the draft provides for specific obligations of manufacturers of IT products.
Pursuant to the BSIG, operators of CRITIS and, to some extent, providers of digital services must comply with obligations including (but not limited to):
- Designation of a contact point to the BSI which is available at all times;
- Implementation of appropriate organisational and technical precautions according to the state of the art to avoid disruption to the availability, integrity, authenticity and confidentiality of information technology systems, components or processes (compliance with this requirement must be appropriately evidenced at least every two years, e.g. through security audits, tests or certifications); and
- Notification to the BSI of disruptions to the availability, integrity, authenticity and confidentiality of information technology systems, components or processes that have led or may lead to a failure or significant impairment of the functionality of the relevant installations or facilities.
Intentional or negligent violations of the obligations under the BSIG may lead to administrative fines against responsible individuals and, under certain circumstances, to corporate administrative fines against legal entities of up to EUR 100,000.
Please note that the Draft Second IT Security Act provides for a drastic increase of potential administrative fines imposed in cases of non-compliance with the requirements under the BSIG. The framework relating to fines shall be adjusted to that of the General Data Protection Regulation, i.e., the statutory maximum amount of administrative fines per infringement shall be increased to EUR 20 million or to 4% of the total worldwide annual turnover of the group in the preceding financial year, whichever is higher.
The main German authority competent in relation to questions of cyber security is the BSI. Its competences and tasks include, in particular,
- Collection and evaluation of information on security risks;
- Assessment of the security of information technology systems or components;
- Addressing warnings to the public or to affected parties about security gaps, malware or data loss;
- Auditing the CRITIS operators’ or digital services providers’ compliance with their obligations under the BSIG;
- Issuance of orders to CRITIS operators and providers of digital services for the elimination of any security deficiencies; and
- Development of minimum standards for the security of information technology of, primarily, the Federal Government.
Please note that under the Draft Second IT Security Act the competences of the BSI shall be significantly expanded. For example, the BSI shall have the right to issue requests for information, subject to a fine, to manufacturers of IT products, or to inform the public of the lack of cooperation of certain companies in the search for security vulnerabilities.
OVERVIEW OF SELECTED SPECIAL STATUTORY REQUIREMENTS FOR CERTAIN SECTORS OR SERVICES
Apart from the requirements imposed on CRITIS and providers of digital services and the requirements under the General Data Protection Regulation (see section on the European Union), there are several further special statutory requirements in relation to cyber security applicable to certain sectors or to the provision of certain services, such as, amongst others, the financial sector, the provision of telecommunications services, the operation of energy supply networks or the provision of telemedia services.
Cyber security requirements in the financial sector include the following:
- Under the German Banking Act (Kreditwesengesetz, “KWG”), financial institutions are required to implement a proper business organisation, which explicitly includes an adequate technical organisation and the determination of an appropriate emergency concept for IT systems. The requirements under the KWG are further specified by the risk management guidelines (Mindestanforderungen an das Risikomanagement, “MaRisk”) published by the German Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”). Furthermore, in relation to the cyber security requirements specified in the KWG and the MaRisk, BaFin published further detailed guidelines (Bankaufsichtliche Anforderungen an die IT, “BAIT”) which set out BaFin’s expectations with regard to the secure design of IT systems and associated processes as well as the related requirements for IT governance. Pursuant to the BAIT, financial institutions are required to implement the independent function of an information security officer and to keep a central register of their individual data processing applications.
- Pursuant to the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz), payment service providers must establish, maintain and apply appropriate risk mitigation measures and control mechanisms to control operational and security-related risks associated with the provided payment services, which includes cyber security-related measures preventing operational disruptions. Furthermore, in the event of serious operational or security incidents, payment service providers must notify BaFin and, under certain circumstances, affected payment service users without undue delay. Intentional or negligent violations of this notification duty may lead to administrative fines against responsible individuals and, under certain circumstances, to corporate administrative fines against legal entities of up to
Cyber security requirements for the provision of telecommunications services include the following:
- Under the German Telecommunications Act (Telekommunikationsgesetz, “TKG”), providers of telecommunications services are required to take technical precautions and measures according to the state of the art to protect the secrecy of telecommunications and personal data. In the event of a data breach, providers of publicly available telecommunications services are obliged to notify the Federal Network Agency (Bundesnetzagentur, “BNetzA”) and the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit) without undue delay as well as, under certain circumstances, the persons affected by the data breach.
- Furthermore, under the TKG, operators of public telecommunications networks and providers of publicly available telecommunications services are subject to the following obligations:
  - obligation to take adequate technical and other measures for protection against interferences with, and unauthorised access to, the networks and services;
  - obligation to appoint a security officer and prepare a security plan setting out, amongst others, the technical or other measures needed to fulfil the security requirements; and
  - obligation to notify both the BNetzA and the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) without undue delay of interferences with telecommunications networks and services which lead or could lead to significant security breaches.
- The BNetzA published a security catalogue providing guidance on, amongst others, the fulfilment of the afore-mentioned cyber security-related requirements.
Intentional or negligent violations of these requirements may lead to administrative fines against responsible individuals and, under certain circumstances, to corporate administrative fines against legal entities of up to EUR 100,000.
Cyber security requirements for the operation of energy supply networks and energy plants include, in particular, the following:
- Pursuant to the German Energy Industry Act (Energiewirtschaftsgesetz), operators of energy supply networks and operators of certain energy plants (covering both electricity and gas supply networks and plants) are required to take adequate measures to protect their networks and plants against threats to the telecommunications and electronic data processing systems necessary for secure network operation. The Federal Network Agency (Bundesnetzagentur) published IT security catalogues setting out the minimum requirements for adequate protection which have to be fulfilled by operators of energy supply networks and certain energy plants.
- Furthermore, operators of energy supply networks and certain energy plants are obliged to report disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) without undue delay via a specific contact point to be designated.
Intentional or negligent violations of these requirements may lead to administrative fines against responsible individuals and, under certain circumstances, to corporate administrative fines against legal entities of up to EUR 100,000.
Under the German Telemedia Act (Telemediengesetz), telemedia service providers must, amongst other requirements, take technical and organisational precautions, to the extent technically possible and economically reasonable, to protect the technical equipment used for their telemedia services from unauthorised access and attacks and to prevent violations of the protection of personal data. The term “telemedia service provider” covers any person operating a website. Intentional or negligent violations of this requirement may lead to, in particular, administrative fines against responsible individuals and, under certain circumstances, to corporate administrative fines against legal entities of up to EUR 50,000.
IMPLEMENTATION OF EU LAW
The Italian Legislator has recently implemented the NIS Directive by means of Legislative Decree No. 65 of 2018.
Under the Decree, the Ministry competent for the operator’s business sector is the NIS competent authority to adopt specific security measures, supervise the operators of essential services and impose penalties.
National strategy on the security of network and information systems has not yet been adopted.
Penalties up to EUR 125,000 (up to EUR 150,000 for non-compliance with instructions specifically provided to an operator by the competent Ministry) will apply in case of
The table below lists the Italian NIS-competent authorities for each business sector.
ITALIAN NIS COMPETENT AUTHORITY
- Energy, oil and gas: Ministry of Economic Development
- Transport (air, rail, water, road): Ministry of Infrastructure and Transport
- [sector name missing in source]: Ministry of Economy and Finance
- Financial market infrastructures: Ministry of Economy and Finance
- [sector name missing in source]: Ministry of Health
- Drinking water supply and distribution: Ministry of Environment
- [sector name missing in source]: Ministry of Economic Development
OTHER RELEVANT LAW AND REGULATION
Italian Law no. 12 of 11 February 2019 provided:
- a definition of blockchain and smart contracts; and
- a description of the legal effects of blockchains and smart contracts.
Now, under Italian law, the storage of an electronic document by means of blockchain technology produces the same legal effects as electronic time stamps under Article 41 of the eIDAS Regulation, i.e. it can provide the evidence of the date and time of creation of electronic documents. However, blockchain technologies must meet the requirements set out by the Agency for Digital Italy (AGID).
Smart contracts will meet the written form requirements. To this purpose, parties will need to be electronically identified in compliance with the guidelines which will be issued by the AGID.
The Italian NIS-competent authorities have recently identified 465 operators of essential services (OESs), including public and private entities. The OES list will be updated every two years, to effectively reflect OES activities.
The Decree provides that security incidents under the NIS Directive must be notified to the Italian computer security incident response team (CSIRT), set up at the Presidency of the Council of Ministers, and to the NIS-competent authority.
Further, NIS-competent authorities are in the process of issuing security measures to be adopted by OESs to ensure appropriate risk management.
The Decree provides for penalties from EUR 25,000 to EUR 125,000 in the case of failure to notify the CSIRT of a security incident. Penalties of up to EUR 150,000 will apply in case of non-compliance with instructions specifically provided to an operator by the competent Italian NIS authority.
Notification requirements under the NIS Directive may overlap with those under the GDPR. The Italian Data Privacy Authority recently highlighted the symmetry between data protection and cyber security and the importance of a responsible approach by business operators, to prevent “social” risk linked to information networks and information systems.
IMPLEMENTATION OF EU LAW
In the Netherlands, the NIS Directive has been implemented in the Act on the security of network and information systems of 17 October 2018 (Wet beveiliging netwerk- en informatiesystemen; the Wbni).
In line with the NIS Directive, the Wbni applies to operators of essential services designated by governmental decree and to digital service providers who offer online marketplaces, online search engines or cloud computing services (excepting micro and small enterprises). Pursuant to the NIS Directive, the Dutch Minister of Justice and Safety has been designated as the national single point of contact on the security of network and information systems in the Netherlands and hosts the computer security incident response team (CSIRT) for essential services. To function on its behalf, the Minister of Justice and Safety has established the National Cyber Security Centre (NCSC), which also serves as a central information hub and centre of expertise for cyber security in the Netherlands. The NCSC regularly issues publications on the state of cyber security in the Netherlands and guidelines for implementing security measures.
A number of different competent authorities have been designated for the various vital sectors distinguished in the NIS Directive. The Dutch Minister of Economic Affairs and Climate is the competent authority and CSIRT for digital services. With regard to both operators of vital services and digital service providers, the Wbni imposes obligations to implement safety measures and to notify security breaches.
Failure to comply with the obligations imposed under the Wbni can result in fines of up to EUR 5 million.
CYBER SECURITY ACT
In the Slovak Republic, cyber security was not comprehensively regulated at a national level until 2018. Certain issues concerning cyber security have been governed by the Act on Critical Infrastructure, the Act on Information Systems of Public Administration and the Act on Trusted Services for Electronic Transactions in the Internal Market. Given that the fragmentary regulations did not ensure an appropriate level of security of network and information systems, the Slovak Parliament passed Act No. 69/2018 Coll. on Cyber Security (the Cyber Security Act) in January 2018, which implements the NIS Directive.
The Cyber Security Act, which came into effect on 1 April 2018, aims to ensure the security of cyberspace in the Slovak Republic. In line with the NIS Directive, it introduces obligations for operators of essential services and providers of digital services. In particular, operators of essential services must adopt general and sectorial security measures. These measures do not only include technological security measures but also personal and organisational measures, such as internal security policies. In addition, operators of essential services and providers of digital services are subject to several notification obligations, including the obligation to notify the National Security Authority (NBU) of incidents via the cyber security integrated information system. The obligations, however, do not apply to all operators providing services in the selected sectors (energy, transport, banking, financial market infrastructure, etc.). The identification criteria of essential services are defined in Decree of the National Security Authority No. 164/2018 Coll. determining the identification criteria of essential services.
Compliance with the Cyber Security Act is monitored by the NBU which acts as the national computer security incident response team. The NBU is also in charge of preparing the national cyber security strategy. Current strategic documents concerning cyber security include the Cyber Security Concept of the Slovak Republic for 2015 – 2020 approved by the Slovak government under resolution No. 328/2015 and the Action Plan for Implementation of the Cyber Security Strategy of the Slovak Republic for 2015 – 2020 approved by the Slovak government under resolution No. 93/2016.
While the first strategic document proposes a new institutional framework of cyber security, the latter proposes tasks to be undertaken to provide for adequate protection of the state’s cyber space against potential dangers that could cause irreparable damage to the Slovak Republic.
Finally, the NBU has an important role in incident handling. Upon the occurrence of a serious incident or its threat, the NBU may give a warning of such incident via the cyber security integrated information system and require operators of essential services and providers of digital services to take reactive measures. Operators of essential services and providers of digital services must then demonstrate without undue delay to the NBU that they met the obligation imposed by the NBU.
In the event of a breach of obligations arising from the Cyber Security Act, operators of essential services and providers of digital services may be subject to administrative fines of up to EUR 300,000. The fine may be doubled for repeated breaches.
IMPLEMENTATION OF EU LAW
The Data Protection Act 2018 is the UK’s implementation of the GDPR, replacing the Data Protection Act 1998 which had created criminal offences that may be committed alongside cyber-dependent crimes including:
- obtaining or disclosing personal data;
- procuring the disclosure of personal data; and
- selling or offering to sell personal data.
This provision was most commonly used to prosecute those who had accessed healthcare and financial records without a legitimate reason, but could also be used, for example, where Trojans appear as legitimate computer programs but facilitate illegal access to a computer in order to steal personal data without the user’s knowledge.
The new Act (at s.170) builds on this, to add the offence of:
- knowingly or recklessly retaining personal data (which may have been lawfully obtained) without the consent of the data
There are some exceptions, such as where the obtaining, disclosing, procuring or retaining was necessary for the purposes of preventing or detecting crime.
The Network and Information Systems Regulations (NIS) 2018 came into force on 10 May 2018, which implement the NIS Directive. The regulations identify the UK’s national competent authorities for energy; transport; health; drinking water supply and distribution; and digital infrastructure subsectors. Whilst listed as sectors in the NIS Directive, the NIS regulations, in line with Recital 9 and Article 1(7) of the NIS Directive, do not set out any criteria for identifying and regulating those in the banking sector and the financial market infrastructures sector, as equivalent EU legislation – for example PSD2 – already applies. The regulations also:
- set out the UK’s national NIS strategy;
- identify the UK’s single point of contact (GCHQ);
- identify the UK’s Computer Security Incident Response Team (GCHQ);
- identify the criteria in each subsector for identifying OESs;
- set out the duty to notify incidents;
- set out what digital service providers are and their requirement to notify cyber incidents;
- set out the enforcement regime and penalties for failure to comply with the regulations; and
- specify that the OES will be regulated by Competent Authorities (CA) who will have the power to issue guidance, inspect organisations and take enforcement action (including imposing penalties of up to GBP 17 million) where necessary.
The National Cyber Security Centre (NCSC), as the UK’s national technical authority for information assurance, which provides advice and assistance on cyber security, has provided cyber security guidance to the Competent Authorities and OESs on meeting the requirements of the NIS Directive.
The Network and Information Systems Regulations (NIS) 2018 came into force on 10 May 2018. The legislation applies the EU’s Network and Information Security (NIS) Directive, which aims to raise levels of the overall security and resilience of network and information systems across the EU.
The regulations apply to those sectors which are vital to the economy and society such as Energy; Transport; Health; Drinking Water Supply and Distribution; and Digital Infrastructure.
The regulations cover relevant digital service providers (RDSP) and OESs. RDSPs, except for micro and small businesses (those with fewer than 50 staff and/or a turnover of EUR 10m a year), are directly subject to the new rules, whilst the regulations provide the relevant UK authorities with the power to designate which organisations are to be classed as OESs.
The Regulations require organisations identified as OES to take appropriate and proportionate measures to:
- manage risks posed to the security of the network and information systems on which their essential services rely;
- prevent and minimise the impact of incidents on the delivery of essential services;
- report serious network and information incidents that impact on provision of the essential
The OES will be regulated by Competent Authorities (CAs) who will have the power to issue guidance, inspect organisations and take enforcement action (including imposing penalties of up to GBP 17 million) where necessary.
Oversight & Monitoring
For CAs regulating OES, active oversight will be expected. In its guidance to CAs, the Department for Culture, Media and Sport (DCMS) said CAs should proactively engage with industry, publish guidance, meet with representatives from OESs, and implement an assessment framework including an audit programme.
This is different for RDSPs, where the Information Commissioner’s Office (ICO) will be limited to ex post (reactive) oversight. The DCMS guidance still recommends that the ICO provide guidance and support to DSPs.
Enforcement and penalties
According to the DCMS guidance, CAs should not rush to take action just because an incident has been reported. An incident is not by itself an infringement of the NIS Regulations, and the key factor for determining enforcement action is whether or not appropriate and proportionate security measures and procedures were in place and being followed.
CAs have a lot of flexibility under the regulations when it comes to the exact form that any enforcement action takes. Information Notices and Enforcement Notices are both available as well as financial penalties. The DCMS guidance recommends CAs should implement a stepped process of enforcement in which OES and DSPs are given warnings, and that CAs publish their enforcement policy so that OES and DSPs are clear as to the approach being taken.
The regulations set out a tiered system of financial penalties, capping the potential fines that CAs can impose for different breaches of the regulations:
- not exceeding GBP 1 million for any contravention which the enforcement authority determines could not cause a NIS incident;
- not exceeding GBP 3.4 million for a material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in a reduction of service provision by the OES or RDSP for a significant period of time;
- not exceeding GBP 8.5 million for a material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in a disruption of service provision by the OES or RDSP for a significant period of time; and
- not exceeding GBP 17 million for a material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in an immediate threat to life or significant adverse impact on the United Kingdom economy.
The Brexit effect
The UK currently remains a full member of the European Union and all of the rights and obligations of EU membership remain in force, including under the NIS Directive.
The outcome of on-going negotiations on the future UK-EU partnership will determine what arrangements apply in relation to EU legislation once the UK has left the EU. However, it is the UK Government’s stated intention that on exit from the EU the policy provisions of the NIS Directive will continue to apply in the UK.
A key part of the functioning of the Regulations will be how the sector CAs assess and enforce the regulations. CAs are strongly encouraged to use the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as part of their toolkit in order to provide consistency across sectors and the UK.
Ofcom, The Department of Health and Social Care (DHSC), and the Department for Transport (DfT) have published guidance thus far.
Ofcom, which is the CA for the digital infrastructure sector, has published interim guidance for OESs.
Ofcom’s interim guidance:
- gives a high-level introduction to the NIS Regulations;
- sets out Ofcom’s initial views on the immediate steps it expects the OESs in the digital infrastructure subsector to take, as a minimum, to meet their obligations under the NIS Regulations;
- provides information about the types of operators on which duties have been imposed under the NIS Regulations;
- sets out the process and thresholds for reporting relevant security incidents that such operators must initially follow;
- introduces Ofcom’s intended initial enforcement
OESs “deemed to be designated” for the digital infrastructure subsector are:
- Top Level Domain Name Registries (which service an average of two billion or more queries in 24 hours for domains registered within the Internet Corporation for Assigned Names and Numbers);
- Domain Name Service Providers (which service an average of two million or more requesting DNS clients based in the United Kingdom in 24 hours; or are servicing 250,000 or more different active domain names); and
- Internet Exchange Point Operators (IXP Operators which have 50% or more annual market share amongst IXP Operators in the United Kingdom, in terms of interconnected autonomous systems, or which offer interconnectivity to 50% or more of global internet routes).
Anyone meeting these criteria on 10 May 2018 was deemed an OES and was required to notify Ofcom of this fact by 9 August 2018. Anyone meeting the criteria after 10 May 2018 had a duty to notify Ofcom within three months after the date the criteria were met.
Ofcom states that it currently expects enforcement to be broadly in line with the approach set out in its Enforcement Guidelines for Regulatory Investigations and it will review in due course whether this approach needs adapting.
The DHSC, which is one of the CAs for the health sector, will be responsible for overseeing the operation of the NIS Regulations within the sector. It has published guidance on the NIS Regulations.
NHS Trusts and Foundation Trusts are considered OES for the health sector in England for the purposes of the NIS Regulations. The Department will also designate other NHS healthcare providers as OES, and those organisations will be individually notified.
DHSC’s implementation of the NIS Regulations will be to incorporate its requirements into a wider approach to implementing the National Data Guardian’s 10 data security standards. These data security standards apply to all health and care organisations to ensure that systems and data are protected. While the NIS Regulations will only apply to organisations considered OESs, the 10 data security standards and wider regulatory framework, including the General Data Protection Regulation (GDPR), apply to all health and care organisations.
NHS Digital will publish guidance on implementing the 10 data security standards, incorporating the requirements for fulfilling the security duties of the NIS Regulations. This guidance will be accessible through the Data Security and Protection Toolkit.
The Department for Transport (DfT), which is one of the CAs for the transport sector, has published guidance aimed at those organisations that are designated as OESs. The guidance:
- sets out the responsibilities of OESs;
- sets out the roles and responsibilities of the CA and how these will be carried out, with particular focus on the first year post-May; and
- sets out the process and thresholds for mandatory incident notifications.
Further to this, it contains specific guidance for each transport mode and provides clarity on how the NIS Regulations will align with any existing guidance, standards or regulations related to network and information system security.
The types of organisations in scope within the transport sector are:
- Owners or managers of airports;
- Air navigation service providers;
- Air carriers;
- Harbour authorities;
- Shipping companies;
- Operators of port facilities;
- Operators of vessel traffic services;
- Operators of railway assets (trains, networks, stations and light maintenance depots) for domestic and international rail plus some light rail and underground services; and
- Roads authorities and operators of intelligent transport systems.
Specific thresholds will apply to many of the above types of entities, which are generally based on the scale of the operation in terms of annual passenger numbers or freight tonnage. For domestic and international rail there are no specific thresholds and so any entity that meets the definitions will be in scope.
The DfT has set out its expectation for how the process to assess OES will operate during its first year and beyond:
- From 10 May: incident notification requirements need to be followed.
- May-June 2018: NCSC will run a CAF pilot within the transport sector. The initial version of the CAF has been published.
- July 2018: the DfT Cyber Compliance Team (CCT) begin site and organisational visits to OES in rail, maritime and roads sectors to introduce themselves and offer support throughout the self-assessment period.
- July 2018: (This is the earliest date and may be subject to change based on feedback from pilot): CAF rolled out for self-assessment with guidance to rail, maritime and roads OES.
- July 2018: (and each year after): CCT to submit annual report of NIS incidents to the SPOC, for them to submit to the European Commission in August 2018 and every year thereafter.
- September 2018: (interim milestone - may be subject to change based on feedback from pilot): OES may find it useful to have identified their critical systems and discussed this list with the CCT by this point.
- November/December 2018: (may be subject to change based on feedback from pilot): deadline for self-assessments and initial supporting evidence to be provided by OES to the CCT.
- November 2018: (and biennially after): report of the number of OES and the thresholds for identification submitted to the EU by the SPOC.
- January 2019: the CCT to engage with OES to discuss findings of self-assessments and request further evidence if required. The CCT will prioritise OES programme of engagement based on risk, self-assessments and other factors.
- May 2019: the CCT will begin follow-up audits where required.
- May 2019: the CCT will conduct a full review of incident notification thresholds.
Guidance from the Department for Business, Energy & Industrial Strategy and Ofgem in relation to the oil, gas and electricity subsectors, and from the Department for Environment, Food and Rural Affairs for drinking water supply and distribution, is expected shortly.
Under the PSRs, although the Financial Conduct Authority (FCA) is the competent authority for most of the provisions (including being responsible for authorising and supervising payment service providers (PSPs)), the Payment Systems Regulator (PSR) is the competent authority for monitoring and enforcing compliance with certain requirements relating to payment systems.
In light of PSD2, the FCA has made changes to its regulatory reporting and record-keeping requirements, which include:
- changes to the requirements in Chapter 15 of the Supervision Manual (SUP) in respect of major operational or security incident reporting (such as of a cyber attack on an IT system that prevents consumers using their bank accounts), together with a template for notification. Notifications must be made within four hours of an incident being identified; and
- from 13 January 2018, all PSPs have been required to collect fraud data and annually report that data to the
OTHER RELEVANT LAW AND REGULATION
The CMA is the main piece of UK legislation relating to offences or attacks against computer systems such as hacking or denial of service (DoS) attacks.
Offences under the CMA include those relating to:
- unauthorised access (ss.1, 2);
- unauthorised acts with the intent to impair the operation of a computer (relevant, for example, to cases involving distributed denial of service (DDoS) attacks, such as those launched against Lloyds Banking Group and Barclays in 2017) (s.3);
- unauthorised acts causing, or creating a risk of, serious damage, for example, to human welfare, the environment, economy or national security (aimed at those who seek to attack critical national infrastructure) (s.3ZA); and
- making, supplying or obtaining articles for use in offences contrary to section 1, 3 or 3ZA (deals with those who make or supply malware) (s.3A).
It is an offence for a person intentionally and without lawful authority to intercept, at any place in the UK, any communication in the course of its transmission by means of a public telecommunication system (s.1(1)(b)) or for a person to intercept any communication in the course of its transmission by means of a private telecommunication system (s.1(2)).
Either or both of these offences could apply in a ‘hacking’ case where content has been unlawfully intercepted through cyber-enabled means, and offenders may be charged under the RIPA instead of or in addition to the CMA. The RIPA would usually be used where material was unlawfully intercepted in the course of its transmission and the CMA would usually be used where material is acquired through unauthorised computer access.
There is a wealth of UK legislation to address crimes which do not depend on computers or networks but have been transformed in scale or form by the use of the internet and communications technology. These include the category of economic-related cyber crime, including fraud and intellectual property crime (piracy, counterfeiting and forgery).
Economic-related Cyber crimes include unauthorised access, sabotage or use of computer systems with the intention to cause financial gain to the perpetrator or financial loss to the victim. They may involve computer fraud or forgery, hacking to steal personal or valuable data for commercial gain, or the distribution of viruses.
Offences under the Fraud Act 2006 are applicable to a wide range of cyber-frauds by focussing on the underlying dishonesty and deception. The nature of the offending will dictate the appropriate charges, and prosecutors may also consider offences under the Theft Act 1968, Theft Act 1978, CMA, Forgery and Counterfeiting Act 1981 and Proceeds of Crime Act 2002.
The statutory objectives of the financial and prudential regulators in the UK, the FCA and the Prudential Regulation Authority (PRA), mean that the cyber resilience of regulated firms is of key significance. The FCA has a strategic objective to ensure that relevant markets function well, as well as operational objectives which include the protection of consumers and protection of financial markets. One of the PRA’s statutory objectives is to promote the safety and soundness of the firms it regulates.
Key FCA principles and rules relevant to firms’ resilience to cyber issues include:
- Principles for Businesses, Principle 3: a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems;
- Senior Management Arrangements, Systems and Controls handbook (SYSC) 1.1: a firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business; and
- SYSC 3.2.6: a firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime.
The Senior Managers and Certification Regime (SMCR) creates a Chief Operations Senior Management Function (SMF 24) and the regulators have made it clear that this will be the individual responsible for the resilience of operations and technology of the firm – and so responsible for the firm’s cyber resilience.
Firms must report a material cyber incident to the FCA under Principle 11 of the Principles for Businesses. A firm may consider an incident material if it:
- results in significant loss of data, or of the availability or control of its IT systems;
- affects a large number of customers; and/or
- results in unauthorised access to, or malicious software present on, its information and communication systems.
The PRA similarly has key rules relevant to firms’ resilience to cyber issues, including:
- Fundamental Rule 5: a firm must have effective risk strategies and risk management systems;
- Fundamental Rule 6: a firm must organise and control its affairs responsibly;
- PRA Rulebook, Risk Control: a firm must establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to the firm’s activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm; and a firm must adopt effective arrangements, processes and mechanisms to manage the risk relating to the firm’s activities, processes and systems, in light of that level of risk tolerance; and
- PRA Rulebook, Group Risk Systems: a firm must have adequate, sound and appropriate risk management processes and internal control mechanisms for the purpose of assessing and managing its own exposure to group risk, including sound administrative and accounting procedures; and ensure that its group has adequate, sound and appropriate risk management processes and internal control mechanisms at the level of the group, including sound administrative and accounting procedures.
VIEW FROM THE REGULATORS
In March 2019, the ICO prosecuted two employees who had accessed or shared personal data obtained from their employer without a valid reason. Faye Caughey had to pay fines and costs totalling GBP 1,640 after she viewed personal data held on the systems of a National Health Service foundation trust. Jayana Morgan Davis forwarded several work emails containing personal data of customers and other employees to her personal email account and had to pay fines and costs of GBP 820. Mike Shaw, who heads up the criminal investigations team at the ICO, said: “People expect that their personal information will be treated with respect and privacy. Unfortunately, there are those who abuse their position of trust and the ICO will take action against them for breaking data protection laws.”
In April 2019, the ICO fined the London Borough of Newham GBP 145,000 after an employee sent an email with the personal information of more than 200 people who featured on a police intelligence database which records information in respect of alleged gang members.
In October 2018, the FCA fined Tesco Personal Finance plc (Tesco Bank) GBP 16,400,000 for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack which took place in November 2016.
The FCA found that cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack. Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers EUR 2.26 million.
The FCA found that Tesco Bank breached Principle 2 of the FCA’s Principles for Businesses because it failed to exercise due skill, care and diligence in:
- designing and distributing its debit card;
- configuring specific authentication and fraud detection rules;
- taking appropriate action to prevent the foreseeable risk of fraud; and
- responding to the cyber attack with sufficient rigor, skill and urgency.
The level of the penalty could have been higher – a 30% credit for mitigation and settlement at the first stage of the FCA’s executive settlement procedure meant that it came down from a starting figure of GBP 33,562,400.
In 2017 and 2018, the FCA surveyed 296 firms to assess their technology and cyber capabilities to gain a better understanding of the industry’s resilience. The survey looked at key areas such as governance, delivery of change management, managing third party-risks and effective cyber defences. Firms self-assessed their capabilities and the FCA then analysed the responses for each firm and across sectors.
Firms’ responses highlighted cyber weaknesses in three areas: people, third-party management, and protecting their key assets. Many firms reported that they have mature IT change management functions, but the FCA noted that failed IT changes caused 20% of the operational incidents reported to the FCA between October 2017 and September 2018. The FCA expects all firms to consider the findings and feedback in its report and their relevance to their business. The FCA reiterated that, under Principle 11, it expects firms to report major technology outages and cyber attacks to the FCA, and noted that evidence suggests that firms are under-reporting.
In March 2019, the FCA published a document bringing together industry insights on cyber resilience, with the objective of aiding cyber security practices. This highlighted the importance of ensuring that cyber risk is on a firm’s executive agenda, systematically reviewing the linkage between risk and controls to monitor effectiveness, and planning for incidents, including testing internal and external communications. In July 2019, a FOIA request to the FCA revealed that the number of declared cyber incidents rose from 69 in 2017 to 819 in 2018, an increase of over 1000%.
THE VIEW OF THE COURTS
Whilst the vast majority of claims brought before the English courts in respect of cyber issues relate to cyber-enabled crime, the courts are seeing an increasing number of civil claims, particularly in relation to data privacy issues.
- In October 2018, the Court of Appeal dismissed an appeal by Morrisons against a decision that it was vicariously liable for the actions of a disgruntled employee, who had copied mass employee data and published it on the internet. As a result, the Court of Appeal confirmed that employers may be vicariously liable for wrongful acts by their employees which breach data protection legislation (here the Data Protection Act 1998). The Court suggested that employers should consider insurance to protect themselves against such
- In October 2018, a claimant in a class action failed to obtain permission to serve proceedings on Google in California. The proceedings related to allegations that Google had secretly collated browser-generated information from iPhone users and sold it to Whilst preliminary in nature, the judgment makes clear that no compensation can be awarded when a breach of duty has caused neither pecuniary loss nor emotional harm and has had no other consequences for the data subject.
- In July 2018, a group of unknown defendants were found to have perpetrated a cyber-hack on an English company’s email system, causing the Bank of China to transfer moneys to the The Commercial Court granted a worldwide freezing injunction against the unknown hackers, and damages were subsequently ordered for the full amount of the loss, on the basis of successful claims for, amongst other things, “unlawful means” conspiracy (with the unlawful means including breaches of the CMA).
- In June 2016, in another case concerning damages under the Data Protection Act 1998, it was determined that family members of data subjects who have their data misused can bring statutory and common law claims where their identities can also be readily inferred from published
The English courts are also prepared to act quickly, and grant injunctive relief and other interim applications to seek to recover and prevent further dissemination of data and/or funds which are the subject of a cyber incident, even where the perpetrators are unknown.