Archive for the 'IT Law' Category

Cloud computing and “data ransom” – it’s not a myth

Here on TechBlog we have mentioned on a couple of occasions (here and here) that one of the biggest risks arising out of the use of cloud computing/third party hosted services is the concept of “data ransom”.

That is, in the event that the contract terminates or the supplier becomes insolvent the customer is unable to get its hands on its data without handing over a chunk of cash.

According to a story in Computing Weekly last Friday about the insolvency of acquisitive data centre operator 2e2, that risk is no longer a hypothetical one.

Last week, the administrators of 2e2 contacted its customers (including a number of NHS Trusts) and told them that they required its customer base to provide nearly £1m of funding in order for the business to continue providing services. This is presumably in addition to the charges that the customers are obliged to pay.

The joint administrators’ letter to customers states that this funding is required in order to enable 2e2 to continue trading and allow customers to access their data and migrate to another provider:

As you will understand, we have received a number of requests from customers seeking to gain access to their data immediately and to transition services to alternative providers. Unfortunately, the levels of data held in the Companies’ Data Centres are such that this process could take up to 16 weeks and we will need to ensure that the integrity of third party data and security is maintained.

If its customers do not pay then:

We will be unable to maintain the datacentre infrastructure and we will have no alternative, other than to cease all operations without any managed wind-down of those operations.

For “without any managed wind-down” read “we will switch off the service without notice and without any assistance to help you access your data and transition elsewhere.” For any business that depends on the operation of the data centre for its livelihood, that’s a pretty frightening prospect.

Warning signs
In the case of 2e2, it seems that it had been suffering financial problems for some time.

In 2012, it was in court twice following the late payment of debts. It was also revealed that the annual interest payments on its debt were more than £20m a year (as against a turnover of around £40m).

A fortnight before the administrators were actually appointed, Channel Register also reported that 2e2 had breached its banking covenants in December and had reached its credit limits with suppliers.

These should all have acted as warning signs to customers that things weren’t looking good, and that action was required.

Contracting for cloud services
So what can you do?

  • First of all, don’t use a traditional IT services contract to contract for critical cloud/hosting services. It will likely be deficient. As will the supplier’s standard terms. It’s also essential that your lawyer understands how the cloud works, terminology, and why the risk profile is different to that for other ICT. If not, then your contract is unlikely to deal with those risks.
  • Carry out financial diligence on your supplier (and its parent company). How solvent is it? How much debt is it carrying? Can you get a parent company guarantee? Does the supplier actually own its kit/premises or is it leased? What happens if the supplier defaults on lease payments and the lessor wants its kit back?
  • Keep financial diligence under review by carrying out regular checks on the supplier.
  • Ensure that the contract allows you to terminate in the event that things look bad. Once a supplier has entered insolvency it will be much harder to transition away from the supplier. If the business isn’t viable as a going concern then the administrator is unlikely to be interested in your problems.
  • Ensure that your contract includes exit assistance provisions and that a draft exit plan is actually developed (and maintained) whilst things are going well.
  • Ensure that you have an internal business continuity plan in place to deal with supplier insolvency. How critical is the supplier? What is your strategy? How do you mitigate the risks? Do you have dual suppliers (potentially expensive)?
  • Consider other technical measures. Source code escrow is pretty pointless for cloud (your immediate requirement is the object code and data, not the source code). How about ensuring that you get a regular copy of the data or a copy of the virtual server?

Finally, think about auditing your existing contracts for cloud services. What do they say? Are you comfortable that you can quickly (and safely) transition away from the supplier? If not, now is the time to review them and ensure that you have appropriate provisions in place. Remember – the time to repair a roof is when the sun is shining.

Martin Sloan

Better the devil you know? Proposed reform to Service Provision Changes and the application of TUPE

The Government has recently announced that it is proposing to make a number of changes to the scope of the Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE”).

These proposals include the removal of references to service provision changes: outsourcing, ‘second generation’ outsourcing (i.e. the transfer of the outsourced services from one provider to another) or in-sourcing.

As it currently stands, TUPE will apply where a service provision change takes place which involves an organised grouping of individuals in Great Britain whose principal purpose is carrying out activities which are transferred to a new provider. The effect of this is, of course, that the outgoing and incoming parties in such a scenario have duties to inform and consult with the affected employees about the transfer, and the affected employees’ employment will automatically transfer to the new provider.

For many the benefit of the current system is certainty. Generally, parties involved in a service provision change will presume that TUPE will apply and are prepared to negotiate the contractual documentation on that basis – the parties know where they stand.

However, the UK Government was not under an obligation to develop TUPE law by expressly stating that TUPE would apply on a service provision change and many felt that this was a step too far – increasing costs on the parties in respect of situations which may previously have been outside the regulations’ scope. These concerns have led to the Government’s current proposals.

Should the service provision change references be removed from TUPE it must be remembered that many service provision changes will still be caught by TUPE anyway. The standard TUPE test is met where there is a transfer of an economic entity that retains its identity. However, parties will be left having to step back in time to look at older case law to assess whether TUPE applies to their situation.

What now?
The Government’s consultation closes on 11 April 2013.

Should the Government decide to take the proposals forward any changes will not be implemented until October 2013. Even if the reference to service provision changes is removed at that time there is certainly no need to panic! The Government is aware that:

  • many contracts involving service provision changes are drafted on the basis that TUPE will apply on the cessation of the services (i.e. on ‘exit’), and therefore obligations and liabilities in respect of TUPE will have been heavily negotiated and factored into the deal commercials; and
  • outsourcing projects can be very large, complicated and a significant amount of time can pass between the initial planning stage and the implementation stage where the services actually transfer.

As a result, the Government recognises that there will need to be a transitional period prior to any change in the law becoming effective.

The Government is due to publish its response to the consultation in July and there will be much more clarity on what is going to happen at that time. Many hope for the status quo to continue and say it’s never too late for the Government to change its mind, but given the numerous changes the Government are making to employment law at the moment I would be surprised if the changes didn’t go ahead. However, it’s certainly a case of watch this space…

You can take part in the consultation by following this link.

Andrew McConnell

Andrew is an associate in Brodies’ Employment, Pensions and Benefits department, and regularly advises on the application of TUPE to outsourcing and services agreements. Andrew blogs on Brodies’ EmploymentBlog.

Real time journey information systems – enabling innovation through data sharing and interoperability

Over the last few years, I’ve been involved in a number of projects involving the creation and use of transport and journey information in the transport sector. These include the procurement of real time passenger information (RTPI) (where real time journey information is made available to passengers online and through on-street display boards) and smart ticketing systems and the opening up of that data to third parties through an API.

When procuring an RTPI system, there are a number of issues to consider.

Firstly, who owns the data? RTPI systems are often procured by a local authority or regional transport partnership. The location data going into the system may be collected by equipment owned by the local authority (or the contractor operating the system) and deployed on vehicles, or by the bus company’s own fleet tracking system. It will then be processed by the RTPI system to provide the real time journey data. The contracts that are put in place between the various entities need to make clear who owns the data and what rights each of the other parties have to use it.

Secondly, it’s important that the RTPI system enables interoperability. This will allow data to be shared with other RTPI systems (for example, multi-modal or in neighbouring geographic areas) and other users (for example, mobile apps developers seeking to incorporate journey information in their products and services). This means that the system will need to include appropriate APIs that make the data available in a recognised industry standard format. As part of any support and maintenance arrangements, those interfaces should keep up with market developments on interoperability.

Re-use of public sector information regulations
Part of the reason for local authorities making data available through an API is a response to the Re-use of Public Sector Information Regulations, which implemented the EU directive on the re-use of public sector information (the PSI Directive), and the UK Government’s Open Data initiative.

The regulations are intended to open up access to information and datasets held by public authorities, so that publicly owned data can be reused for innovative purposes. The regulations provide rules on requests to reuse information held by public sector organisations. RTPI and journey data is a good example of data that can be reused and mashed up into other applications.

Notably, the regulations prohibit public authorities from acting in a discriminatory manner or from entering into exclusive arrangements in relation to the re-use of public sector information unless that arrangement is in the public interest. This means that local authorities should not be entering into exclusive arrangements in relation to the use of transport information that they hold.

The regulations also limit any charges that the public authority may levy on the use of the information. The authority may recover a “reasonable return on investment”, but cannot charge for the costs it has incurred if it has already charged the recipient under freedom of information or data protection laws.

The authority should also publish details of its charging structure and terms of use of the information.

Rather than develop bespoke interfaces and licence terms for each person seeking to utilise the data, the easiest way for local authorities to make available RTPI data is through a publicly available API, with a standard form licence setting out the terms of use.

Proposed reform
The European Commission is currently consulting on new legislation in this sector.

It does not think that the PSI Directive has been effective in ensuring open access to transport data. Notably, the PSI Directive applies only to public sector bodies (so not private transport operators), and does not apply to information where the intellectual property rights are owned by a third party – for example, the bus or train company in question.

The Commission is therefore proposing that all transport operators are obliged to make available fare, schedule and real time journey information in an industry standard format. The Commission proposes that the European standardisation bodies work together to develop related standards to ensure interoperability using a common standard.

This should help to open up access to transport data that is not currently being made available, and lead to new and innovative use of that data by third party developers.

What’s not clear from the proposed consultation is how the reforms will work in practice. In the UK, public transport is largely run by companies in the private sector. However, RTPI systems for buses tend to be operated by local authorities or regional transport partnerships, who then aggregate data from different operators. In order for the reforms to be effective the new laws will need to cover all parts of the chain.

There will be other concerns as well. In the UK, the bus industry is regulated by traffic commissioners, who have powers to fine operators for late running services. There is often a tension between bus companies and local authorities when making available real time journey information as that could be used to easily analyse the company’s performance without the need for commissioners to stand at bus stops with a watch, a timetable and a clipboard. It will be interesting to see whether the transport industry lobbies against this requirement.

In the meantime, any organisation considering procuring an RTPI or other transport data system should ensure that its technical specification addresses interoperability, the use of common (or mandated) standards and APIs to help ensure compliance with the Commission’s proposals.

The consultation closes on 12 March 2013.

Martin Sloan

Managing the legal risks with BYOD

I have an article in this month’s edition of Supply Management, the journal for the Chartered Institute of Purchasing and Supply.

The article looks at how organisations can manage some of the legal risks arising out of allowing staff to use their own smartphones, tablets and other devices for work purposes (“bring your own device” or “BYOD”).

In particular, I look at:

  • how to manage the information security risks and the benefits of mobile device management software as a way of controlling access to enterprise data;
  • the software licensing issues that can arise from allowing staff to access the enterprise network through a virtual desktop such as Citrix or from a device that isn’t owned by the employer; and
  • the importance of a BYOD policy, and what this should cover.

The article is essential reading for any organisation that allows (or is thinking of allowing) staff to access enterprise systems on their own devices. This applies regardless of whether such access is provided under a formal BYOD scheme or is done on a “turning a blind eye” basis.

As my employment law colleagues noted in our recent seminars on BYOD, the latter approach is likely to lead to problems, as the employer may be unable to take disciplinary action against the employee in the event of an information security breach. In contrast, a properly drafted BYOD policy will put the employer in a far better position – in terms of setting expectations with its employees (and managing misconduct) and compliance with its obligations under data protection laws.

You can read the article on the Supply Management website.

Martin Sloan

European Commission proposes new laws on accessibility of public sector websites

As I reported on Twitter earlier this week, the European Commission has proposed a new directive governing the accessibility of websites operated by organisations in the public sector.

If passed, the directive would set out requirements in relation to how many public sector bodies ensure that their websites are accessible to users with disabilities. The European Commission estimates that there are over 700,000 public sector websites in the EU.

Determining what is “accessible”
One of the big issues with legislating on website accessibility is the need to have an objective set of criteria for determining what an accessible website looks like. Accessibility, by its nature, is a subjective issue, as accessibility problems will vary depending on an individual’s disabilities and the device/browser software that the user is using. This makes it difficult to have a law that sets out clearly what organisations have to do.

The UK Equality Act deals with this by a set of objective criteria for determining discrimination (that apply regardless of the type of discrimination that is alleged to be taking place), but translating this into the specific steps an organisation should be taking in relation to its website has always been difficult, as the law simply refers to policies or practices that have the effect of discriminating against the individual concerned.

The proposed directive addresses this issue by presuming that the website meets the accessibility requirements where it complies with a number of external standards.

These are:

  • initially, the recently approved international standard on website accessibility (ISO/IEC 40500), which in turn references Level AA conformance under version 2.0 of the W3C’s long-established and recognised web content accessibility guidelines (WCAG);
  • any European standard on website accessibility, which may include any standard under the ongoing Commission’s Mandate M/376 project (which is also likely to be based on WCAG Level AA conformance); and
  • ultimately the harmonised standards for accessibility drawn up and approved by the EU institutions, which in turn will be based on the European standard based on M/376.

Disappointingly, the presumption of “accessibility” appears to be based only on compliance with tick box criteria (rather than say, user testing, as recommended by the British Standard BS8878). However, as I note above, it is difficult to legislate for subjective assessment.

The proposed directive is intended to sit alongside the proposed European Disability Act, which will address the accessibility of goods and services, including ICT.

Timescales
As a directive, the new laws will need to be locally implemented in each member state. The Commission’s current timetable envisages the date for these laws coming into force as being 30 June 2014.

Whilst the transitional arrangements are not yet clear, public sector bodies looking to update their websites over the coming year should bear in mind the likely new laws and accessibility requirements when developing their technical requirements specifications.

For many, this should not require a huge change in approach, as WCAG level AA conformance has been a UK Government recommended standard for several years now. However, if the directive is passed then that obligation will now be part of a clear legal framework.

Martin Sloan

Peter McCorkell from Brodies Employment team blogs on BYOD following our recent seminar on managing the risks with BYOD.

Brodies Employment Blog

Last Thursday the Brodies Technology and Employment teams delivered a joint seminar in Edinburgh on the burgeoning practice of employers allowing employees to bring their own devices to work. The seminar looked at the pros and cons for both companies and employees and sparked a few interesting debates about some of the more controversial issues of BYOD. What happens, for instance, to company owned material and confidential documents stored on the employee’s device when the employment comes to an end? What challenges does a company face in managing the risk of data security breaches when the device is owned by the employee?

The seminar looked at the best ways to protect the company’s position and discussed how to develop an effective policy to regulate BYOD.

One of the interesting things to note from research for the seminar was that a large number of organisations do not have a BYOD policy…


Our colleagues over on Brodies EmploymentBlog blog about new guidance from ACAS on BYOD. To find out more about the legal issues surrounding adoption of BYOD and the importance of BYOD policies, come along to our autumn seminars.

Brodies Employment Blog

ACAS has produced some brief guidance on employee use of smartphones and other personal devices at work. It suggests there are advantages in having a ‘bring your own device’ (BYOD) policy, such as saving cost and portraying the company as being forward-thinking and flexible.

A well managed BYOD policy should isolate business use from personal use and employers should consider making provision for remotely deleting sensitive data from devices that belong to ex-employees or have gone missing. You can read the full guidance here.

As part of its Autumn client seminar series Brodies are delivering a seminar on this topic in Edinburgh, Aberdeen and Glasgow. More information about this seminar and how to sign up can be found here.

Verity Clark


Hurricane Sandy highlights the importance of effective IT business continuity planning

We’ve blogged on several occasions about the importance of business continuity and disaster recovery plans – most notably about the impact on global supply chains following the giant ash cloud caused by the eruption of Eyjafjallajoekull in 2010.

I was surprised at the impact that Hurricane Sandy had on the Internet earlier this week, with several major websites (including the Huffington Post, Gizmodo and Gawker) being knocked offline for several hours as a result of flooding and damage on the east coast of the United States. According to reports, a data centre lost power as a result of a battery failure caused by flooding.

Using third party data centres and IaaS vendors can provide a way of mitigating some of the risks of business interruption. Cloud providers are often better placed to manage these risks as they often operate multiple data centres which should, in theory, mitigate the impact of a single event. But in this case, for whatever reason, that hasn’t happened.

For the websites affected by Hurricane Sandy, that downtime will have led to a substantial loss of advertising revenue across the globe. Assuming that the hosting company has otherwise complied with its contractual obligations, it’s unlikely that the website operators would be able to recover any costs from the hosting company as the hosting company will likely claim relief under the force majeure provisions in its contract.

Geographic separation
When assessing your business continuity arrangements (and those of your suppliers), it’s therefore important that one of the things you review is the proximity of any back-up facility to the primary site. Events such as tropical storms, earthquakes, power failures and civil unrest can affect a large area, meaning that multiple data centres on either side of a single conurbation could easily be affected.

As one person I follow on Twitter said, what will happen to the Internet when the Big One finally hits California?

And it’s not just the data centre location that you need to think about.

I once heard a tale about an organisation that used two telecoms companies to provide physically separate telecoms links between its primary office and its data centre elsewhere in the city. All was well until roadworks took place on a bridge over a river. Whilst each company used physically separate cables between the premises (including separate points of exit and entry), it turned out that the bridge in question was a single point of failure – both companies had chosen to route their cables across the river using the same bridge – and a single jack hammer blow took out both links.

OFT finds that websites are continuing to fall short on consumer protection laws

The Office of Fair Trading (OFT) has recently published the results of its annual survey of over 150 websites to check whether or not they complied with consumer protection law.

The survey, which included the 100 top online retailers and most popular clothing sites, had some interesting results.

Key areas of non-compliance
Amongst the areas of concern, the OFT noted the following:

  • 33% of sites that provided information on returns placed unreasonable restrictions on consumers. For example, by only accepting returns in their original packaging.
  • The law – under the Consumer Protection (Distance Selling) Regulations (which apply to most contracts “concluded at a distance” – for example, over the Web or by phone/mail order) consumers have the right to inspect the goods that they have purchased and have a seven working day ‘cooling off period’ in which they can return the goods, though there are some exceptions to this, such as where the goods are perishable or customised. If goods need to be returned in their original packaging, un-opened, then it is difficult for consumers to inspect the goods to check if they are fit for purpose. It’s also important that the return period runs from the correct date, and isn’t subject to other unreasonable conditions.

  • 62% of sites had no email contact address.
  • The law – the E-Commerce Regulations set out certain information that websites should contain, such as the registered or principal office of the organisation, its VAT number, if UK VAT registered, and a contact email address.

  • 24% of websites notified consumers of unexpected additional charges at checkout.
  • The law – The reach of the Advertising Standards Agency (ASA)’s remit now extends to advertising and promotions on an organisation’s own website. One of the main consequences of this is that pricing information should comply with the ASA’s CAP code – in particular, pricing should be transparent and not misleading. Websites should display total prices payable – if you can’t opt out of a charge then it’s not additional. Similarly, if most of the customers of a website pay VAT then prices displayed should be VAT-inclusive. For more information on ASA’s advertising rules see this earlier TechBlog post.

Website health check
The survey did show that the general awareness by website operators of their basic legal obligations in relation to trading online is improving.

However, while the survey is a useful indicator of compliance with certain aspects of the law, it focussed only on the “fair trading” aspects of consumer protection law. It doesn’t look into some other key areas of legal compliance – for example what organisations do with the personal information of their customers.

Fair trading rules are just one aspect of a wider matrix of rules applying to trading online. The problem is that there are a lot of different aspects to website compliance and these will vary depending on whether or not the site is a trading website or whether it deals with consumers rather than businesses. Knowing exactly what is required can be complicated.

Brodies can help by carrying out a health check of your website, to audit its compliance with the key legal requirements and recommend changes that you should make to comply with the applicable laws. If you are interested in this, please get in touch.

Leigh Kirktpatrick

New ICO guidance on the use of cloud services

The Information Commissioner’s Office (ICO) has published new guidance on the use of cloud computing services. The guidance is intended to provide an overview of how data protection law applies to businesses that utilise cloud based solutions to handle and process data.

The guidance is essential reading for any organisation that currently utilises (or is considering utilising) cloud based solutions, and emphasises that organisations remain responsible for the security of data that they store or process in the cloud.

The guidance
The guidance covers a variety of cloud based services, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). It also considers the differences between private, public and hybrid deployment models, and “layered” services where, for example, a SaaS vendor is in turn utilising a third party IaaS vendor – such as using a third party SaaS service that is hosted on servers by Amazon Web Services.

Issues covered by the guidance include:

  • Identifying the data controller (or data controllers)
  • The data controller’s responsibilities – including risk assessment, due diligence and monitoring
  • Selecting a cloud provider
  • Access control and protecting your data
  • Encryption
  • Understanding how the cloud provider will process data – for example, will it use any of the data processed by it for the purposes of targeted advertising?
  • Use of cloud services located outside the UK/EEA – including the importance of understanding where the cloud provider will store and process data
  • Staff training

The guidance also provides a checklist to help organisations assess the risks of using a cloud service, covering confidentiality, integrity of the data, availability and legal/contractual issues.

Assessing the cloud provider’s security measures
As with previous ICO guidance on outsourcing, the guidance emphasises the importance of pre-contractual diligence, appropriate written contractual terms between the data controller and the cloud provider (which prevent the cloud provider from changing the terms of service without your approval), and regular monitoring and oversight of the cloud provider’s compliance with the agreed information security measures. As the ICO notes, the fact that auditing and oversight may be harder with a cloud provider does not lessen the data controller’s obligations under the Data Protection Act.

The ICO does recognise the role that independent security audits (such as an ISAE3402 or SSAE16 report) can play in verifying the adequacy of the cloud provider’s security measures. For more on the use of such audits see this previous TechBlog post.

Organisations should, however, be aware that the ICO draws a distinction between security audits conducted in accordance with recognised independent standards, and industry recognised standards and kitemark schemes, as a kitemark is unlikely to address all aspects of data protection compliance.

Increased regulatory focus
As the fine issued last month to Scottish Borders Council illustrates, the adequacy of outsourcing arrangements is an area coming under increased scrutiny from the ICO, with hefty fines being levied where data controllers have failed to exercise appropriate oversight of their data processors.

For organisations that are increasingly looking to use cloud based services, this guidance will provide a timely reminder of the important steps that should be taken to ensure that such services do not adversely impact upon the security of personal data.

You can download the guidance from the ICO website.
