Cyber Alert – Q2 2015 – Regulatory radar

Claire Walker

Europe

  • General Data Protection Regulation (GDPR): The introduction of a general breach notification obligation has come a step closer. On 15 June the GDPR reached another key milestone with the EU Council (i.e. Member States) adopting their “general approach” to negotiating the whole proposal with the Parliament and the Commission. This means that all three EU institutions have declared their negotiating stance on the wide-ranging proposal and that three-way negotiations can now begin. The first such trilogue took place on 24 June, with the proposal’s Rapporteur MEP Jan Albrecht quoted by the MLex service as saying “the three texts on the table …are far more near to each other than I think all of us thought”. There is a six-month provisional timetable for the negotiations, recently outlined by a group of MEPs here, aimed at adoption of the proposal by the end of 2015.
  • Given the complexity of the proposal and the fact that it has already taken three and a half years to reach this milestone, it remains to be seen whether adoption by the end of 2015 (and by implication its coming into force by the end of 2017) is optimistic or realistic. For those interested in the respective negotiating positions and with an appetite for detail, the relevant texts are: the Commission’s original 2012 proposal here, the text approved by the EP in 2014 here and the Council’s proposed revisions (text dated 11 June 2015) which are available via a search of the Consilium website here or via direct link here.
  • Network and Information Security Directive (NISD): At the time of writing (1 July) the NISD has still not been fully agreed by the EU institutions. However, on 29 June the Presidency of the Council (at that point held by Latvia) announced that agreement had been reached on the main principles of the Directive.
  • The most controversial aspect of the proposal – namely the extent to which online platforms should be subject to the new requirements on breach reporting – does not appear to have been fully resolved.  The press release states that: “It was agreed that digital service platforms would be treated in a different manner from essential services. The details will be discussed at a technical level.”  It is unclear at this stage just how differently, and what this might mean in practice.  The UK is one of the Member States which has resisted the proposal to make online services subject to the same level of cyber breach notification obligations which will apply to more conventional essential services, such as energy and transport.
  • As readers of Datonomy’s weekly cyber updates will be aware, this is the issue which has held up negotiations and is one of the reasons that successive target dates for adoption have come and gone.  So, while the broad principles of the new regime may have been agreed, there still appears to be some way to go on the detail. Luxembourg took over the Council Presidency on 1 July and will be under pressure to finish the job, after EU Member States called for “rapid adoption” of the Directive in the Council meeting held on 25 and 26 June.
  • At the time of writing, there is little information in the public domain about the detail of the compromise reached on 29 June.  The Council’s Telecoms Working Party is due to be debriefed on the latest negotiations when it meets on 2 July.  Datonomy will continue to monitor and report on developments in Brussels as the talks continue – please sign up for our weekly alerts at www.datonomy.eu.
  • Digital Single Market Strategy: The European Commission released its long-awaited Digital Single Market Strategy on 6 May 2015. The strategy contains 16 initiatives intended to realise the creation of a single European market for e-commerce. Initiative number 13 relates to cybersecurity and states that “in the first half of 2016 the Commission will propose a partnership with the industry on cybersecurity in the area of technologies and solutions for online network security.” European Commission Vice-President for the Digital Single Market, Andrus Ansip, gave an interview regarding data protection and cybersecurity to the European policy website, EurActiv. In the interview, Ansip commented that he expects the Commission’s proposed public-private partnership on cybersecurity to go live in early 2016. Olswang has published its reactions to the telecoms regulatory aspects of the strategy more broadly here.
  • Review of the ePrivacy Directive: The Digital Single Market Strategy also mentioned the forthcoming review of the ePrivacy Directive, something that was heralded in President Juncker’s Mission Statements to his new Commissioners at the end of 2014. The Strategy document alludes to a potential widening of the PECD rules to Internet players in future – it states that the PECD may need to be reassessed since most of its provisions apply only to providers of electronic communications services. The review of the PECD will not begin until the provisions of the new GDPR are adopted “which should be by the end of 2015” according to the Strategy.

Germany

  • Germany is the latest EU Member State to adopt cyber legislation in advance of the adoption of the NISD. On June 12 the German Bundestag passed the long-awaited IT Security Act (BT-Drs. 18/4096, as amended by the committee on internal affairs, BT-Drs. 18/5121). The new Act does not form a coherent body of legal rules but amends several existing laws such as the Act on the Federal Office for Information Security, the Telecommunication Act, the Telemedia Act and the Act on the Federal Criminal Police Office. It creates new obligations, in particular for providers of so-called critical infrastructures (“CI Providers”), and aims to improve the IT security standards in companies and federal institutions. The legislation is not yet in force and the effective date is still not certain. A regulation – which will specify exactly which entities are subject to the new rules – still needs to be published by the ministry and as yet its publication date is not known. It is the go-live date of this regulation which will then trigger organizations’ new obligations, such as:
    • implementing the required security measures, within two years of the effective date of the regulation
    • notifying a point of contact to the BSI (Federal Office for Information Security) within six months of the effective date of the regulation.
  • We will report further on the progress of the regulation and the relevant effective dates and deadlines. Read our full analysis of the new Act on the Olswang website here.

Belgium

  • In 2014, the number of cyber incidents in Belgium more than doubled and threats appear to have become more complex as well, when compared to 2013. Looking even further back, cyber incidents have multiplied by seven since 2010, according to a CERT-Belgium press release dated 9 March 2015. CERT partially attributes the increased number of reported cyber events to their own improved visibility (as companies become more comfortable with incident reporting); however, the increased complexity of cyber threats is also driving up reporting numbers as companies seek greater assistance from CERT in order to solve related issues. CERT’s full report can be found here.

UK

  • The new Conservative Government made the following ministerial appointments which will have a bearing on cyber policy: Ed Vaizey as Minister of Culture and the Digital Economy, Matt Hancock as Minister for the Cabinet Office and Sajid Javid as the Secretary of State for Business, Innovation and Skills. A written statement by Ed Vaizey, Minister for Culture and the Digital Economy on 11 June in advance of the Telecoms Council meeting sets out the UK Government’s stance on the NISD negotiations as follows: “I do not intend to intervene on this item. However, if a round table is initiated by others on this item I will remind Council that whilst the UK supports the aim of raising the level of cyber security across the Union it would be prudent to take our time and make sure we get the detail right so the Directive is not unduly burdensome on business.” As previously reported by Datonomy, the UK is one of the Member States opposed to the Directive extending to online service providers.
  • On 11 June the much-anticipated Report of the Investigatory Powers Review (or Anderson Report) was published, making recommendations for overhaul of the UK’s regimes for communications data retention and communications interception. It will inform the government’s promised Investigatory Powers Bill which is due to be published in the autumn for pre-legislative scrutiny. The news has been widely covered by the BBC, the Guardian and some initial tech sector reaction is here on Tech UK.
  • A recent ICO sanction demonstrates that dealing with data security breaches is still high on the regulator’s agenda. The ICO’s follow up assessment of, and follow up undertaking from, Oxford Health NHS Foundation Trust highlighted some common data security weak spots. The Trust was required to give an undertaking in 2014 following two data breaches, one of which stemmed from errors by a data processor who posted a file of patient data online in the course of migrating a website. The undertaking required the Trust to address supply chain compliance in various ways, including better due diligence, the use of Privacy Impact Assessments and appropriate processor clauses and appropriate breach management plans. The ICO’s action did not set any new precedents but it does serve as a reminder that a data controller’s compliance is only as good as that of its weakest link – often its supplier – and that the ICO will keep a close eye on data controllers who have previously been found to have breached the DPA.

US

  • President Obama signed his second cybersecurity Executive Order of the year on 1 April 2015. The “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities” Executive Order allows the US government to levy economic sanctions against overseas individuals who engage in cyber activity that is likely to result in, or has materially contributed to, “a significant threat to national security, foreign policy, or [the] economic health” of the US.  The Order represents an added weapon in the US arsenal when combatting international hacking groups by allowing the government to go after individuals who may previously have been unreachable due to weak cybersecurity laws in their resident country (e.g. Russia).  The Order also extends to those who knowingly use and receive data stolen in such attacks (e.g. companies which hire hackers).  However, the ability to sanction individuals or companies is predicated on the foreign actor having assets in, wanting to trade with, or wanting entry into, the US.  Read the White House’s blog here and com’s further analysis here.
  • The House of Representatives passed the Protecting Cyber Networks Act on 22 April. The bill (which you can read more about here, when Datonomy originally reported on the bill’s introduction on 24 March 2015) provides for a “cyber portal”, administered by the Department of Homeland Security, through which private companies would be able to share cyber threat information.  The Executive Office of the President published a letter expressing concern about the extent of the liability protection afforded to private companies under the Act.  Furthermore, the American Civil Liberties Union (and many other civil society organisations, security experts and academics) also wrote a letter urging the House to reject the bill, citing specific concerns regarding government’s proposed enhanced surveillance activities.  Nonetheless, the House passed the bill by a landslide 307 to 116 vote.  The bill is scheduled to be voted on by the Senate in the next quarter.  Read further analysis from com here.

Asia

  • Singapore’s new Cyber Security Agency (CSA) went live on 1 April 2015. The CSA replaced the Singapore Infocomm Technology Security Authority’s function as the Computer Emergency Response Team (CERT). The formation of, and investment in, the new agency shows how seriously the Singaporean government is taking the threat of cyber attacks. Read more here.
  • Korea passed one of the first cloud-specific laws. The Act on the Development of Cloud Computing and Protection of Users (Cloud Act) is designed to address the cybersecurity concerns inherent in storing a greater amount of data in a digital space by imposing a series of security and privacy standards on cloud service providers.  Read Olswang’s analysis of the Act here.
  • According to E&T (who are quoting China Daily and Chen Wai of the Ministry of Industry and Information Technology), China is planning to unveil a five-year cybersecurity plan that prioritises the protection of state secrets and data. In order to do so, the Chinese government is reportedly set to choose domestic, rather than Western, software within all government agencies.
  • Indonesia has announced plans to form a National Cyber Agency, or BCN, to step up Indonesia’s capabilities in fighting off cyber threats. The Communications Minister said that Indonesia has been the target of a high number of cyber threats and there have also been cases of cyber criminals who use Indonesia’s name to attack other countries. See the news report here.
  • Australia’s Federal Government will this year deliver its first Cyber Security Strategy to generate ‘practical’ means to improve security including public-private partnerships.  See the news report here.
