A little bit about me...

I am a London-based lawyer specialising in privacy, data protection and data security law. My practice includes litigation and court-room advocacy. My client base includes major government departments, FTSE 100 companies and multi-nationals. I regularly undertake media work and am often quoted in the press. For example, I was the legal expert on the Channel 4 Dispatches documentary 'The Data Theft Scandal', which exposed security failings in the Indian call centre industry.

#UK approach to #Cybersecurity – more US than EU?

Posted on by Stewart

The UK’s position on Cybersecurity continues to develop at a pace. Students of this area will recall that the Cabinet Office first produced a national Cybersecurity Strategy back in 2008 – the first EU country to do so – which was beefed up by the Coalition Government in October 2010 (this was when the UK assessed Cybersecurity as a “Tier 1” threat to the country, on a level with terrorism and above nuclear weapons). Since then many concrete measures have been put in place to share threat intelligence between Government and select parts of the private sector, commencing with a pilot programme kicked off by the Prime Minister in 2011.

This intelligence sharing model is now set to fully operationalise, as the Government revealed last month (February 2013) and confirmed today. The heart of this model is the Cybersecurity Information Sharing Partnership (CISP) which is now moving intelligence into about 160 private sector organisations. This is being accompanied by something called a “Fusion Cell”, a somewhat James Bondy name for a building at a secret location where cyber experts from Government and the private sector will work together, to keep the intelligence moving and to cross-pollinate expertise.

This rubbing of shoulders between the public and private sector experts reminded me of one of the US developments in this area; President Obama is talking about seconding private sector cyber experts to Federal agencies, to ensure cross pollination of ideas. So, in a comparative law sense, how close is the UK to the EU and US positions on Cybersecurity?

Much of the UK strategy for Cybersecurity is mirrored by the draft EU Cybersecurity Directive, which was published in February this year. It’s obvious what is influencing what. However, there are three key elements within the draft Directive which do not form part of the UK strategy.

First, the UK does not seem to believe that its strategy requires new legislative underpinning. The UK seems very happy building cybersecurity without new legal foundations. If this is a true policy position, then arguably the UK is seeking a strategy with even looser legal foundations than the one proposed by President Obama (also in February), which mandates Federal agencies to check their legislative foundations for any Cybersecurity gaps, with the implication that the US will cyber-legislate at some point. Basically, the EU wants legislation specifically to mandate intelligence sharing. If the Directive is adopted, the UK will have to change its position.

Second, the UK does not seem to support the idea of compulsory breach disclosure obligations for Cybersecurity breaches. This is a central part of the EU position however. The challenge for the UK is to explain why this is not really necessary when the UK accepts – and was the first adopter of – a need for intelligence sharing. Perhaps the UK feels that its voluntary scheme will catch enough of the economy to address the real risks. This puts the UK very close to the US model.

Third, the UK does not seem to support the introduction of a Cybersecurity regulator, another key part of the EU position. This is a classic problem for the UK; our business-friendly and commercially pragmatic economy isn’t a natural bedfellow for all-encompassing EU-style regulators. Again, this puts the UK much closer to the US strategy than the EU’s.

Basically, the UK wants a voluntary, cooperative framework for improving cybersecurity. This is the US position. So, the UK is much more aligned with the US than the EU on this critical hot topic.

Posted in Uncategorized

#Privacy audits for the #NHS

Posted on by Stewart

The UK Ministry of Justice opened a public consultation yesterday on the expansion of the Information Commissioner's compulsory audit power to the NHS. The NHS, which is one of the UK's biggest employers and controllers of sensitive personal data, has been firmly in ICO's sights for over a year now, as back in January 2012 the Commissioner identified “health” as his number 1 priority for regulatory action (see the “Information Rights Strategy”), which led to a series of high profile fines being imposed on NHS bodies for various data breaches (after Local Authorities, the NHS was the sector that received most fines in 2012). ICO has long been arguing for the extension of its compulsory audit power to the NHS and it's clear from the consultation document that the Government is supportive.

These audits, or “Assessment Notices” as the statutory language prefers, were introduced into ICO's regulatory toolkit by the Coroners and Justice Act 2009, but while the legislation envisaged the possibility of ICO being able to audit any part of the economy, at the moment the audit power is restricted to Government departments. Many commentators regard this as odd and out of kilter with both the Parliamentary intent and the overall trajectory of data protection law. For instance, under the E-Privacy Regulations ICO has a related compulsory audit power which it can use in the electronic communications sector (principally telecoms companies and ISPs). Likewise the draft Data Protection Regulation includes a proposed wide-ranging audit power for national regulators in the EU. Similarly, the draft Cybersecurity Directive published in 2013 proposes a regulatory audit power for “Market Operators” that underpin the Internet, Cloud Computing services, health, transport, financial services and energy. In other words, compulsory regulatory audit powers are considered to be a fundamental component of mature regulation, albeit, of course, these powers should be exercised sparingly, proportionately and in a non-discriminatory manner.

The current proposal is a welcome opportunity for Government, ICO and the NHS to sort out the mess that is data protection regulation in the NHS. Currently, the “assessment” regime leads to very unfair results, in the sense that a data controller who undergoes a compulsory audit or assessment of legal compliance receives much more favourable treatment through immunity from fines than one who voluntarily reports a data handling problem to ICO for investigation. The recent pattern of fining in the NHS has not been universally welcomed, but these developments may reduce their frequency in a sector that feels harshly treated.

However, NHS bodies should not think that compulsory audits or assessments leave them free of enforcement measures. While ICO cannot fine after exercising an Assessment Notice, they can still impose Enforcement Notices, which are backed up by criminal sanctions for those controllers who do not comply with their terms. Yet, at least Enforcement Notices keep the money in the NHS, which means that the NHS can dedicate what would have been fine money to data protection improvements.

It will be very interesting to see how the NHS responds, but many bodies will be thinking about how they can avail themselves of ICO audits in the meantime to remove the spectre of fines. This is because voluntary audits and assessments carry the same immunity from fines as compulsory ones. Indeed, one might think that it will be a very unfortunate NHS body who is fined, because there is a pathway here to fine neutrality. So, will we see a rush of requests for voluntary audits and assessments? Clever NHS bodies must be thinking about this.

The Consultation closes on 17 May. If you would like to know more about Assessment Notices and how they operate, or if you would like a copy of my firm's research into ICO enforcement actions in 2012, please contact me.

Posted in Audits, NHS

#ICO Direct Marketing fines – fines that make sense

Posted on by Stewart

Yesterday's announcement by ICO that it has imposed a fine of £90,000 on Glasgow-based DM Design Bedrooms Ltd is welcome news for consumers and the advertising industry alike. Unwanted direct marketing from the private sector is more than a nuisance – it truly invades the private space – and it pollutes the overwhelmingly good environment of marketing and advertising. ICO's approach to fining here makes sense and is good policy.

One of the key principles of good regulatory enforcement is the disgorgement principle, whereby the financial penalty seeks to claw back some of the unfair financial gain achieved by the entity being fined. For this reason it makes perfect sense for ICO to be fining unlawful direct marketers.

Judging by the contents of the Monetary Penalty Notice (MPN) this is a fine that sticks and ICO will feel confident that it will be unimpeachable in an appeal. Critical factors behind this view include the fact that it is actually very hard to get things legally wrong on direct marketing phone calls! This is one of the last areas where lawfulness of marketing is presumed until the recipient of the call opts out. All you have to do to be on the right side of the law is to follow Telephone Preference Service opt-outs and run a marketing suppression list. This is easy to get right.

Second, there were literally scores of complainants to the TPS and ICO about DM's activities. As such, ICO has the consumer on its side, which is critical when it comes to an assessment of the presence or absence of privacy harm. The volume of complaints also substantiated the seriousness of the legal contravention, another of the critical ingredients within the make-up of the fining regime.

Third, whether the legal test for non-deliberate non-compliance is recklessness or negligence (which is yet to be resolved), the facts as disclosed in the MPN get ICO over the line in my opinion.

Of course, there is a wider context here. Back in January 2012 ICO published their “Information Rights Strategy”, which identified its priority areas for enforcement. This fine lends further support to the impression that ICO has a fining game plan. Moreover, this fine suggests that ICO is now clearly focused on the private sector, which answers many of the criticisms made about ICO only hitting public sector soft targets. Indeed, I have just completed a piece of research with other lawyers at my firm, which shows that ICO's enforcement activity across the public and private sector is much more balanced than people think (contact me if you want a copy of the research please).

However, for me the more important part of the wider context is what this recent line of cases tells us about more complex and invasive direct marketing practices. Well, only time will tell, but I feel that if ICO concentrates on this area, it could bring the world of cookies, tracking, profiling and OBA properly into regulation. This would be an interesting result and probably a win-win for consumers and the advertising industry.

You see, the brain of advertising has understood the importance of consumer preferences and consents. The trajectory here is crystal clear. Those who pollute the well ruin it for all. In my view, tackling bad and shady advertising practices is good for everyone.

Of course, this is not to argue for a regulatory regime that will hobble Internet advertising, or direct marketing generally. Some of the EU ideas around “explicit consent”, while well meaning, do not provide an intellectually sound platform for regulation of this space, nor do they demonstrate sufficient understanding of the economics of the Internet and the critical importance of advertising revenues in this area. Quite simply, while there are Internet benefactors out there, it takes big money to keep the net alive and generally subscription free. Privacy law needs to accommodate these realities.

Posted in Cookies, Direct marketing, Do not track, E-Privacy Regulations, Fines

#IAPP Keynote puts new gloss on #privacy default debate

Posted on by Stewart

The Annual #IAPP Global Privacy Summit has got off to a cracking start with Cass Sunstein's fascinating take on privacy defaults.

The central premise of Mr Sunstein's talk is that your default setting generates your results, due to inertia. So, in Austria nearly 100% of people are would-be organ donors, while in Germany it's a statistical handful, simply because in Austria the legal default is opt-out, while in Germany it's opt-in. Likewise, if you make workplace retirement savings plans opt-in, you'll end up with lots of poor pensioners.

In the privacy context the default setting is hotly contested. In the US we see this being argued particularly in the context of do-not-track. In the EU it's being argued in just about every context!

Mr Sunstein presented a range of possibilities for privacy defaults. He suggested that where information sharing is generally for the public good, we might prefer a default that supports this, with his reference point being social networks. But this default seems to work best where the choice is easy to understand and the data controller is trusted. Needless to say, there will be many people who will take issue with the idea that all social networks fall automatically into this category, but to be fair to the proposition, Mr Sunstein is not actually saying that the conclusion should be that social networks should always be default info share. Trust is fundamental to the setting of the default.

Another possibility is Active Choosing, where the individual is pushed down the route of having to select their defaults. This works best as an option where the user group is diverse, or where there is a core trust issue that needs resolving. But what seems to be fundamental to this route is that service delivery can be conditional upon a choice being made for information sharing. That's an outcome that I personally support at a high level, but we do need to think about “universal service” issues – in theory a service may be so fundamental to societal well-being that it would be wrong to lock people out because they are more privacy risk-averse than the average person.

Mr Sunstein also looked at the role of “Choice Architects”, data analysts who can set personal defaults based on data profiling. In other words, if a profiling exercise suggests that a person is privacy risk-averse, they will be given a personal default that supports this. Put differently, the Choice Architects process private information in order to deliver privacy. At first blush this might be problematic for Europeans, but if we think about it properly it can make a lot of sense, albeit we need to look hard at the checks and balances that control the Choice Architects; privacy power could concentrate in their hands, so they would have to earn their trust.

A great start to the #IAPP. Really thought provoking, intelligent and very well timed.
Posted in Uncategorized

How the #EU and #US approach #Cybersecurity – the compliance puzzle for the private sector

Posted on by Stewart

A common, though slightly belated, New Year resolution has emerged within the EU and the US: a fully-formed ambition to see greater Cybersecurity across the private sector. In the EU, this is signified by the Draft Cybersecurity Directive. In the US, it's President Obama's Cybersecurity Executive Order. While the details and tools of regulation differ, there isn't a cigarette-paper's width between them on the motives for regulation and the core objectives of Cybersecurity law making. Both agendas were published this month, just four days apart, and they herald the beginnings of a very challenging new compliance puzzle for a wide range of private sector actors, where they underpin economic stability and societal well-being.

Before considering the detail of the two approaches, it's worth remembering the wider context within which they sit. Cybersecurity has been one of the hottest political topics of recent years. It has been rammed up the agenda by a combination of hundreds of high-profile cyber incidents, sometimes extreme rhetoric from “opinion formers”, a lot of political grandstanding, and bucket loads of fear mongering, often from people who have solutions to sell. Occasionally the language has been regrettable, with concepts like “Cyber Armageddon” and the UK government's rating of Cybersecurity as a greater threat than nuclear weapons (within the UK Cyber Security Strategy) being cases in point. Yet, amid the FUD there is truly a very real problem here. Cybersecurity is an incredibly serious problem for societies like ours, whose reliance on electronic communications networks and services is total. Neelie Kroes, the EU Commissioner behind the Directive, and President Obama speak the truth when they say that the threats to Cybersecurity could cause us very grave damage.

This contextual view leads to only one conclusion: regardless of the overstatements and the hyperbole, new Cybersecurity law making is necessary, and the trajectory for many businesses is one where wholesale operational change will be necessary.

Yet, a person new to this topic may think after reading the Directive and the Order that the EU and US are not as aligned as my opening seeks to suggest. A reader in the private sector could suggest that on the face of the Order there isn't much for them to worry about. I mean, President Obama isn't actually saying that his vision is one of Cybersecurity lawmaking for bigCos.

That observation is fair as far as it goes, but the President leaves many clues for those who want to spot them. In his speech launching the Order, he referred expressly to the financial system as being under threat. The Order talks about the economy. There is more than enough there to say with supreme confidence that the US has charted exactly the same course as the EU, as far as the private sector is concerned. To borrow a phrase from one of President Obama's predecessors, “it's the economy, stupid”, and so it's obvious where the President's priorities lie. The US has to protect the key platforms that support business because the economy rests on them, and much of this is in the private sector. Period.

This will be borne out soon enough, because the Secretary of Homeland Security has been charged with a Presidential task to identify critical infrastructures that need to be protected from cyber threats. This task, which needs to be completed within 150 days, cannot avoid identifying critical infrastructures in the private sector.

However, the US approach to regulation will be one that builds more on cajoling than coercion, in stark contrast to the EU approach. This reflects political differences just as much as cultural and legal differences, and viewing US matters from this side of the pond it's clear that the President will always have to be cautious in his approach and how he presents things, seeing how split the US political system is. So, the Order talks about consultations and voluntary frameworks, rather than “you must do this”. But however they get there, our US cousins are on the same path as us Europeans.

This is not to say that the EU will not promote consultation processes, industry working groups, the creation of public sector – private sector “partnerships”, and other positive engagements with business, which are the meat and drink of the Presidential Order, but the EU's overwhelming preference is always regulation with a slap; as far as the EU is concerned why give a friendly tickle when a punch in the mouth will do?

So, what we see within the Directive is the standard EU approach to regulation: the EU prescribes its objectives and then commands the Member States to deliver. The natural result is that rather than dancing around the issue, the Directive names key parts of the private sector as being a compulsory focus of regulation. If President Obama is a ballet dancer, the EU is a headbanger. The Directive is as subtle as a brick. All “market operators” are being ordered to “up” their Cybersecurity, which includes ecommerce platforms, internet payment gateways, cloud services, app stores, search engines, social networks and the financial and payment services sector, namely banking and credit institutions and financial market infrastructures, including stock exchanges and central counterparty clearing houses. And if they fail to be cybersecure they will have to disclose security breaches and take the regulatory pain that will be meted out. At all times they will be overseen by a watchdog, who will feel overwhelming pressure to be tough on failure.

There is a complex compliance puzzle here. Multi-nationals will have to cope with different regulatory styles; that is a given, and it can be very unhelpful, yet this is not an uncommon problem and people will adjust. The greater problem is the nature of the organisational change that will be required to deliver legal compliance. Presently, Cybersecurity is a siloed operational function, where most of the corporate intelligence is contained in individuals' minds rather than written down on paper. The cybersecurity function will be concerned more with delivering patching, monitoring its dashboards and so on, rather than creating an organisational structure that is capable of demonstrating legal compliance to a regulatory mind. The means by which the adjustment from an operational function to a legal compliance function can be properly managed is probably the greatest puzzle that the Directive and the Order present.

Stewart Room is a partner in Field Fisher Waterhouse's Privacy and Information Law Group. He is also a Director of Cyber Security Challenge UK.

Posted in Uncategorized