A New European Cyber Security Strategy – Part I

Julianna Tolan
Julianna Tolan

The Threat

Globalisation and advances in on-line commerce have been key to the success of many European businesses. The growth of the internet has enabled the UK in particular to tap into markets that were previously inaccessible, as a global leader in e-commerce. But as well as bringing new opportunities, this reliance on cyberspace also presents new challenges and risks.

The prospect of cyber-attacks on businesses in the UK has never been more potent. Based on the 2015 Information Security Breaches Survey Report by the Department for Department for Business, Innovation and Skills, 90% of large corporations and 74% of small businesses reported a cyber-breach in 2015. It has been estimated that the cost for the worst cyber-security breach estimated between £1.5m to £3.14m for large businesses and £75k to £310k for smaller ones.

Alongside international terrorism, the National Security Strategy categorised cyber-attacks as a Tier One threat to our national security and in recent months George Osborne raised the prospect that terror groups may launch deadly cyber-attacks on Europe.

A New Way Forward

Historically, the approach to cyber security amongst member states has varied considerably, with a patchwork of different legislative regimes. Those states with insufficient security measures diminished the EU’s overall protection and exposed it to attack.

Prompted by mounting concerns about online security issues, in July 2012 the European Commission launched a public consultation on a new strategy for network and information security. The results of this consultation were that 57% of respondents had experienced security problems in the previous year that had seriously impacted upon their activities.

As a result of these findings, on 7 February 2013 the Commission published a proposed new directive on cyber security, which would harmonise the way member states addressed information and network security. Alongside this directive, the European Commission published a Joint Communication setting out an EU cyber security strategy.

It was hoped that these measures would close any existing loopholes in the existing legislative framework of EU countries. At the same time, it demonstrates the Commission’s commitment to the issue of cyber security, both for its citizens and for businesses within and outside of the EU.

On 7 December 2015, negotiators of the European Parliament, the Council and the Commission  agreed on the first EU-wide legislation on cybersecurity. The text will now be formally approved by the European Parliament and the Council. After that it will be published in the EU Official Journal and will officially enter into force. Member States will have 21 months to implement this Directive into their national laws and 6 months more to identify operators of essential services.

In A New European Cyber Security Strategy – Part II, we will outline the key  provisions of this historic cyber-security legislation.

Protecting the quantified self: data protection issues related to wearable tech

Emma RoakeThe market for and consumer awareness of wearable tech has rocketed over the last few years, and is predicted by some analysts to be worth $25 billion by 2019.  From fitness bands for wrists and the first generation of smartwatches and smart eyewear, we will soon be able to purchase smart clothes with sensors to monitor fitness and athletic performance.  And with the technology developing at a dizzying pace, ingestibles and embeddables are just over the horizon, taking the form of digital pills, and chips to be inserted into muscles or under the skin.

Each new generation of wearable tech aims to be more sophisticated and less obtrusive than the last.   The less obtrusive it becomes, however, the greater the risk of it becoming more intrusive, as the wearer (and potentially third parties who come into close proximity with the wearer) are at risk of having their personal data used in ways which they may not have anticipated.

The data protection concerns inherent in wearable tech have been exercising regulators for some time.  Part of the problem is that the current legislation in the UK – the Data Protection Act 1998 – was drafted in a time when smart technology was in its very early development phase.  Despite this, regulators have emphasised that all stakeholders involved in the production and operation of wearable tech must comply with data protection laws.

Wearable tech companies will be “data controllers” for the purposes of the data protection legislation if their device collects “personal data” from users, and if (as is likely) the wearable tech company determines the purposes for which and the manner in which such data is to be used.

“Personal data” is any data which relates to a living individual who can be identified from that data alone, or from that data when it is combined with other information which is in the possession of the data controller. A common assumption is that personal data is limited to someone’s name, photograph, email address and mobile number, but in fact the definition goes much wider.  Data such as an IMEI number of a smartwatch can be personal data, if it is used to differentiate an individual from others.

There are various requirements with which data controllers have to comply under data protection legislation, including the following:

  1. The processing of the data must be fair and lawful. As part of this, the company will need to tell the user what data it is collecting and what the data will be used for.  Given that some wearable tech devices collect different sorts of data using different sensors, it is crucial that the user is aware of all the data being collected by all enabled sensors.
  2. The consent of the user to the processing of their personal data will almost always be needed for the processing to be fair. Consent must be freely given, specific and informed. In relation to sensitive personal data (such as data relating to an individual’s health) the requirements for consent are more stringent. Data controllers collecting data relating to an individual’s health (which will be a large proportion of the wearable tech industry) will need to ensure that their users give “explicit” consent before such data is collected.  Opt-in consent is required in these circumstances, not opt-out consent.
  3. The data must be protected by appropriate technical and organisational measures against unauthorised or unlawful use, and against accidental loss, destruction or damage. Given the extent of the personal data collected by many wearables, the sensitivity of that data and the rise of hacking, data security must be a top priority for wearable tech companies.
  4. Personal data must not be transferred to a country outside the EEA unless that country ensures an adequate level of protection of personal data. For US-based wearable tech companies selling into the EU, it should be borne in mind that the US is not considered by the European Commission to adequately protect personal data and that it is no longer possible to rely on Safe Harbors. An alternative solution should be put in place to ensure transfers outside of the EEA are lawful.

European Court of Human Rights (ECHR) finds that monitoring an employee’s Internet use was justified

Nigel Miller
Nigel Miller

Can an employer, who is considering disciplinary action against an employee, monitor the employee’s email and internet activity (e.g. to find evidence or check if the disciplinary action is needed)?  Or would that monitoring be unlawful under Article 8 of the European Convention on Human Rights (right to respect for private and family life, the home and correspondence)?

Bogdan Mihai Bărbulescu is a Romanian living in Bucharest. He was employed as an engineer in charge of sales. At his employer’s request, he created a Yahoo Messenger account to respond to clients’ enquiries. On 13 July 2007 he was informed by his employer that his Yahoo Messenger account had been monitored and that the records showed he had used the account for personal purposes.

Mr Bărbulescu replied that he had only used the service for professional purposes. He was then presented with a transcript of messages he had exchanged with his brother and his fiancée relating to personal matters such as his health and sex life.

On 1 August 2007 the employer terminated Mr Bărbulescu’s employment contract for breach of the company’s internal regulations that prohibited the use of company resources for personal purposes.

Mr Bărbulescu challenged his employer’s decision before the courts complaining that the decision to terminate his contract was invalid as his employer had violated his right to correspondence in accessing his communications.

His complaint was dismissed on the grounds that the employer had complied with the dismissal proceedings provided for by the local Labour Code and that Mr Bărbulescu had been duly informed of the company’s regulations.

Mr Bărbulescu appealed to the ECHR claiming that e-mails were protected by Article 8 (right to respect for private and family life, the home and correspondence).

The ECHR did not find it unreasonable that an employer would want to verify that employees were completing their professional tasks during working hours.  The monitoring of Mr Bărbulescu’s communications had been the only method of establishing whether there had been a disciplinary breach.

The ECHR decision confirms that employers do have the right to monitor employee internet use and communications. However, an important element of the case was that the employer had an internal regulation that prohibited the use of company resources for personal purposes, which the employee had breached leaving himself open to disciplinary action.

The key point for employers is that, if they wish to be able to monitor employee internet use and communications, it is important that employees are made aware that this may happen so as to ensure that employees do not have any expectation that their internet use and communications are private.  This is usually communicated in a Policy on internet use, which sets out guidelines on what employees can and cannot do on-line and gives the right to the employer to monitor this for compliance and take disciplinary action as needed.

It is also important that employers use this right proportionately and only so far as necessary to verify compliance with the policy, and not for indiscriminate monitoring of private communications.

CASE OF BĂRBULESCU v. ROMANIA (Application no. 61496/08) 12 January 2016

Beware the perils of allowing employees to “bring your own device” (“BYOD”)

Helen Farr
Helen Farr

It is no surprise that many employees now want to use their own personal mobile devices at work rather than their employers’ equipment.  There are clear benefits to employees and the business in which they work if a decision is taken to allow employees to do so.

It is an easy way to improve employee morale and job satisfaction by allowing increased flexibility and efficiency in working practices.  It also reduces business costs because employees invest in IT!

But allowing BYOD is not risk free.  Businesses need advice on how to implement the right policies and procedures which, if not correctly dealt with, are capable of having a serious impact on the business.

A key characteristic of BYOD is that personal and business data are stored on the same device. This raises potential risks under the Data Protection Act for the business as the controller of the personal data.  The employer cannot avoid its legal obligations under the Act because the personal data is not being stored on its systems.

What steps can business take to mitigate against these risks?

First, businesses should implement security measures to prevent unauthorized or unlawful access to the data.  As a minimum, users must use a strong password to protect business data.  Ideally, access to devices should be locked and data automatically deleted if an incorrect password is used too many times.  The business should ensure that its employees understand what business data can and cannot be stored on a personal device.

Second, the business must be mindful of the personal usage of the device. Therefore, employees’ own personal data, including details of their personal lives, could inadvertently end up on company systems, the result of backup policies or misfiling.

Third, protecting data in the event of loss or theft is a key consideration.  Data is only as secure as the security measures in place on that device.  Most personal devices are not encrypted and so easy for any person with physical access to the device to access the information stored on it. Many personal devices store copies of data in consumer cloud services such as Apple’s iCloud or Microsoft’s OneDrive (formerly SkyDrive) automatically.  Such data is then only as secure as the employee’s password for those services.

Fourth, require employees to submit their devices to security configuration by the IT team, or to use a product to enforce separation of business and personal data on the device. However, it is important to obtain employees’ consent before deploying these measures.

Fifth, ensure that if employees’ leave, the business is able to maintain confidentiality by ensuring that business information can be wiped from the employees’ systems quickly and effectively.  Registering with a locate and wipe facility is one way to do this.

How best to protect your business?

The most effective way to address these issues is to introduce a well drafted, clear and up to date BYOD policy that is effectively communicated to employees. Involve IT, HR and legal professionals when drafting any policy to ensure all relevant issues are covered. Employment contracts should also be reviewed.

If your business does not already have a policy dealing with these issues, a good New Year’s resolution is to take steps to put a policy in place.