27 January 2014 | By Jonathan Ames
The EU believes strict regulation is the path to online security, and accountants are already lining up to seize the advice work
As action heroes go, the sombre-suited members of the European Commission and their hordes of faceless Eurocrats aren’t a patch on a pumped, bloodied Bruce Willis in his sweat-soaked vest. But the commission’s president, plucky Portuguese José Barroso, and his band of 28 fellow commissioners have cast themselves in the roles of cyber policemen to rival the follicly challenged American and his bid to save humanity in Die Hard 4.0.
Film buffs will know that Willis has to do battle with a mastermind cyber criminal who first wants to hack into the US national security systems before doing all sorts of nasty things and then, of course, taking over the world. Winning the day involves two hours of shouting, gunfire, explosions and cheeky dialogue.
Typically, the European Commission’s version is somewhat more prosaic. It involves a directive – the draft Network and Information Security Directive, to be precise.
But from where they sit in Brussels, those 48 pages of prospective legislation are no less important, or indeed less impressive, than detective John McClane seeing off the hacker’s henchmen by launching a police cruiser at a looming helicopter. It’s just a matter of perspective and, Europe being Europe, taste.
Also, Europe being Europe, the directive is not exactly straightforward. Confusion reigns over what it will look like in final draft, which business sectors will be affected, whether it is necessary or is just another example of Brussels legislating simply because it can and, indeed, whether it will ever come to pass in light of the forthcoming European Parliament elections.
Bean-counters on the case
What is relatively certain is that cyber security is an area that ultimately will be legislated for in Europe. And some suggest the global accountancy practices are already aiming to steal a march on law firms to advise multinational corporations on how to cope.
Should the legal profession battle the accountants for market share in advising on the directive?
As one lawyer comments: “We don’t go through a single day without there being a headline about cyber security, so clearly something needs to happen.”
That suggests the directive, whether in present or subsequent form, represents an opportunity. But first, lawyers must get a grip on what the draft legislation will cover. And doing so requires patience.
The first thing to note about the draft legislation – known colloquially as the Cyber Directive – is that “it has nothing to do with data quality”, according to Field Fisher Waterhouse technology and outsourcing partner Stewart Room. That falls under a different tranche of EU thinking around updating data protection regulations.
Room – who literally wrote the book on the subject, Butterworth’s Data Security Law and Practice – says the Cyber Directive is concerned with the platforms and infrastructure through which all electronic information flows, personal or not. It divides information flow into two parts: critical infrastructure, including public administration, transport, health, energy supplies; and the online environment on which society has become so reliant for social networks, search engines, cloud services, app stores and financial payment gateways.
“What Europe has figured out,” says Room, “is that there are platforms sitting on top of platforms sitting on top of platforms. And its legislative approach is to deal with the foundation and then the next foundation.”
However, there will be swathes of businesses for which the Cyber Directive would be of little more than passing interest.
Richard Cumbley, an information management and data protection specialist partner at Linklaters, explains: “This is not a greenfield site – data security is already pretty heavily regulated in Europe. If you’re handling any information about people, you fall under the data protection regime.”
Cumbley maintains that data security obligations already cover big players in the financial services, telecommunications and pharmaceutical sectors. But, he says, “There will be isolated pockets of UK plc for which the Cyber Directive will be big news.”
Those sectors include energy generation, power transmission, upstream oil and gas, transport infrastructure and, to some extent, certain areas of manufacturing.
“These areas have not historically had to think from a regulatory perspective about data security because they don’t handle a lot of personal information,” explains Cumbley. “They will suddenly find themselves classed as running critical infrastructure facilities and are therefore going to be audited and inspected under the powers of a new regulator.”
Or, as Philip James, a digital media, technology and data partner at Pitmans, puts it: “The requirement under the directive is that instead of voluntary notification, there will be mandatory notification for a wider class of organisations. In turn, that means the authorities will have the ability to determine whether it is in the public interest to disclose the details of any breach. And that means a great risk to reputations.”
Protect and serve
The proposed directive will create a duty of care on organisations to maintain a high level of cyber security. Its second aim is to tackle cyber risks and breaches – in other words act as both preventative and reactive medicine.
The mechanics involve the creation of a regulatory framework, run by the European Network and Information Security Agency (Enisa), which will issue guidance and enforcement. At member state level, each EU country will be required to publish a cyber security strategy (lawyers point out that the UK has had one since 2008) and a co-operation plan. Every state will also have to create a computer emergency response team (CERT), a government body responsible for monitoring cyber issues.
Crucially, individual member states will be required to have their own regulators, who will oversee and operate a sanctions regime. But that nuts and bolts element of the directive is, says Room, “deliberately being left a bit vague”. What we know is that it is likely to be aligned with the sanctions in the draft Data Protection Regulation, which, he predicts, “would mean mega fines based on a percentage of a business’s turnover”.
In summary, says Norton Rose Fulbright partner Ffion Flockhart, the directive “will try to ensure that companies and organisations have sufficient network and security measures in place, and also make sure organisations are obliged to report breaches of information security to the appropriate regulator”.
But the reality is not quite that simple. There is understood to be disagreement within Castle Brussels itself over the scope of the directive. According to Room, the directive’s rapporteur, Swedish MEP Carl Schlyter, objects to the inclusion in the directive’s remit of the online cyber world. In other words, while he supports provisions in the legislation covering critical infrastructure he would rather leave out coverage of search engines, social networks and other online commerce.
And at the national level there is already a row brewing over which entity should take regulatory responsibility in the UK if the directive is implemented. The obvious existing body – the Information Commissioner’s Office – has already said it doesn’t want the job, with the commissioner reportedly of the view that his budget would not bear the additional strain.
Harry Small, the London-based partner heading Baker & McKenzie’s global technology practice group, describes the directive as “a competence grab” by the commission.
“The directive is very prescriptive about how member states will handle information strategy,” says Small. “For example, it requires member states to adopt the strategy and to designate a national information strategy authority. In other words, more regulation.”
Who needs it?
More widely in the UK, the House of Commons’ European scrutiny committee last year expressed concerns over subsidiarity. After reviewing the directive it concluded that the British Government “needs to explain why the commission is not being resisted in principle and why – the Government’s manifest reservations notwithstanding – it prefers negotiated damage limitation”.
Indeed, it is understood that British ministers do have serious reservations regarding the directive, not least related to fears that it will impose more red tape on businesses at a time when the economy is struggling to recover.
According to Cumbley, “The view in Whitehall is: ‘why give [businesses] another new mandatory regime with sanctioning powers to which they will have to divert resources – and which runs the danger of being little more than a box-ticking exercise – when they would be much better off thinking about how to make their businesses more competitive in a productive way?’”
For Cumbley, the commission would be well-advised to think again about whether the directive is needed.
“There’s an awful lot of merit in keeping this type of regulation within national boundaries,” he argues. “That’s because it’s so sensitive and because the needs and demands of different markets are very different. No one can suggest that critical infrastructure in some of the smaller EU states is as critical as that in Germany, France or the UK. The infrastructure of smaller countries is much less likely to be on the receiving end of a targeted threat.”
He and other lawyers speculate that a blanket Europe-wide regime runs the risk of imposing inappropriate obligations on less critical pieces of infrastructure in smaller member states, while forcing larger member states down a co-operation and co-ordination route that is more expensive and bureaucratic.
“And the larger jurisdictions are doing this work in any event,” says Cumbley, “whether through voluntary guidelines or some degree of mandatory imposition. This directive would force them to be co-ordinated across the EU in a way that will add cost to existing regimes but arguably not much benefit. The position of governments is that they would say that to the extent we need to co-operate across borders, we already have the mechanisms. We don’t need a new regulator – or 26 new regulators – that have to talk to each other.”
In addition to worries about over-regulation, lawyers point to potential conflicts between the provisions of the Cyber Directive and existing EU breach notification requirements for telecoms companies under the 2002 e-Privacy Directive (which supplements the Data Protection Directive 1995), as well as the proposed reform of the wider data protection regime.
“The new data protection regulation applies to personal data, whereas the Cyber Directive deals with security breaches that have a significant impact,” explains James. “Personal data may well be part of a security breach, so you have to look at an incident and decide to what extent it relates to personal or non-personal data, and at the notification requirements in each of the two laws and then assess what your notification duties are.
“But even once you’ve made the notification, you’ve got to make sure you don’t prejudice the data subjects. Wherever you have an information-sharing strategy it is inherently going to conflict with something designed to prevent the sharing of data too widely.”
It might never happen
Other specialists are adopting a wait-and-see posture.
Latika Sharma, a partner at PwC Legal, the niche law firm within the global accountancy practice, counsels: “We need to see the final versions of each to see whether they overlap. But we know the Cyber Directive is meant to do something above and beyond the data protection regulations. Cyber security is a wider issue than personal data.”
All well and good, but the whole exercise may be academic. Bearing down on the debate is the immovable object of the European parliamentary elections, scheduled to be held between 22 and 25 May across the EU. There is a strong view that if the Cyber Directive does not win approval from the present parliament before it is dissolved, the process would go back to square one.
“There hasn’t been a settled position from the parliament yet,” comments Cumbley. “There are even MEPs still asking ‘do we need this?’ I’m not saying the legislation is dead – far from it – but there appears to be significant resistance. People are asking if this is a layer of regulation we really need.
“And if it’s not passed before the elections it will have to be adopted by the new parliament. That could take quite a bit of time and there’s no guarantee it would be.”
Room says that while in principle proposed EU legislation can survive a dissolution, more often than not, it dies with the parliament.
“My instinct is that we’ll get a directive,” says Room, “but with a political compromise so it covers traditional offline cyber elements – transport, finance, utilities and public bodies. They can expect a cyber security directive this year, but the online stuff is likely to be excised.”
Small maintains that the composition of a post-May parliament is crucial.
“I’m not sure there will be member state approval for the directive. A lot depends on the outcome of the elections. If it produces a heavy block of MEPs concerned about sovereignty and EU scope-creep, the chances go down.”
That uncertainty has convinced Small that “it’s probably premature to advise clients too much in relation to the directive at this stage”.
Room is adopting a similar position. He says clients should not “get lost in the weeds of trying to understand what these directives are saying or whether their information is personal or not personal”.
He maintains that despite its apparent complexity, the proposed EU legal framework is essentially codifying duties of care that already exist in English common law.
“If you’re sufficiently proximate to people and through your acts or omissions you would cause harm, the duty of care in negligence, in tort, captures most of these concerns,” he explains.
“Clients need to be practical and pragmatic,” Room continues. “If you’re a business and you’re holding important confidential information for some other business or a consumer, there is a duty of care. The answer is yes. That’s all that this stuff is telling you. The duty of care to be cyber secure already exists in this country, regardless of EU regulations and directives. The question is whether a client is in possession of information that is sufficiently important so that harm would flow from omission.”
A job for lawyers
Despite the questions hanging over the Cyber Directive, the proposed EU legislation is seen as a growth area for the legal profession. Most importantly, says Flockhart, clients will require advice on how to deal with potential liabilities contained in the enabling legislation that would come into force in the UK.
“They’ll need to be advised on how to build these new obligations into their risk management procedures. That’s more of a preventative issue,” she says.
She and other lawyers also envisage a raft of insurance issues flowing out of those liabilities.
“Clients are likely to want insurance cover for investigation costs,” explains Flockhart, “for example, if there is an alleged or actual breach of the directive. Present cyber insurance products may need to be adapted. On the flipside, for insurance clients, the directive could be a further stimulus to the cyber insurance industry, which is a growing market in the US. And that’s a trend that is picking up in Europe.”
Perhaps more important for lawyers is the threat posed by the Big Four and other accountancy-led consultancies, which promote themselves as offering one-stop shop advice on cyber security. According to James Castro-Edwards at PwC Legal, in relation to both preventative compliance and post-cyber breach actions, “lawyers are going to have to be either very technically savvy or work closely with other disciplines, such as IT forensics and consultants, to understand what they’re meant to do or advise”.
His colleague Sharma adds: “This is not an issue that has a legal-only solution. There are existing compliance obligations and there will be more, but all these things need to be run together. These are issues that affect almost all aspects of a business, so you need to have a co-ordinated and integrated response from advisers.”
Law firms would be foolish to ignore the work opportunities in cyber security.
As Castro-Edwards says: “Our forensic team frequently says there are two sorts of companies – those that have been breached and those that don’t know it yet.”
The consultant’s view
When working for the business development team at London-based media practice Olswang, Jonathan Pope says he was “gobsmacked” by the tidal wave of complex advice being pushed at lawyers regarding the firm’s cyber security policies.
Last year he launched Corax Cyber Security in a bid to cut through the complexities.
“Any attempt to regulate by the EU has to be welcomed,” says Pope, of the commission’s Cyber Directive. “However, the results of last year’s UK government consultation show that, within reason, most businesses in this country would prefer to have guidance, training, support and help with information-sharing rather than what this directive would do.”
Nonetheless, Pope says the cyber issue is critical to the future of British business. He maintains the UK cyber security sector will boom in the short term, from some £60bn now to £120bn by 2017.
“That’s big growth and there’s an opportunity for law firms to embrace the industry and get to know it better,” he says.
Law firms should be pushing the general counsel at their corporate clients to move the issue up the agenda to board level, he argues.
“At the moment, the issue is outside a standard GC’s comfort zone,” says Pope. “Law firms can help in educating GCs about crisis response. The legal profession could also show leadership in addressing cyber security issues more widely. The UK government is asking industries to collaborate on the issue – and the profession and the Law Society could be doing a lot more.”
The European Commission’s explanatory memorandum at the front end of the Cyber Directive describes the proposed legislation’s aim as:
“To ensure a high common level of network and information security. This means improving the security of the internet and the private networks and information systems underpinning the functioning of our societies and economies.
“This will be achieved by requiring member states to increase their preparedness and improve their co-operation with each other, and by requiring operators of critical infrastructures, such as energy, transport, and key providers of information society services (e-commerce platforms, social networks, etc), as well as public administrations to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities.”
Running more or less on a parallel schedule with the European Cyber Directive is a US initiative, the Presidential Executive Order on Improving Critical Infrastructure Cybersecurity (Executive Order 13636), under which the National Institute of Standards and Technology is producing a voluntary cybersecurity framework. However, there are some key differences.
The Americans are not trying to create a cyber security duty of care in law, but instead to achieve the same aims through voluntary partnerships.
“They are being much more clever,” argues Field Fisher Waterhouse partner Stewart Room. “The way they will embed this will be by making access to federal contracts – in other words, US government tax dollars – conditional on businesses adopting the framework. That’s a big carrot, whereas the EU has gone for a big, big stick.
“The carrot is much better. As a lawyer, the worst sell to business is that you’re going to get battered. The client wants the law to make things better. The stick approach can create perverse incentives. You can deter compliance – if you’re worried you’re going to be done, you bury the bad news. If you bury the bad news you won’t information-share and if you don’t info-share you won’t be secure.”
Also, the US framework is not legislation, and it does not extend to online elements such as the search engines and social media sites controversially caught by the draft European directive.