The UK Government’s (UKG) proposals for new, sector-specific cybersecurity rules continue to take shape. Following the announcement of a Product Security and Telecommunications Infrastructure Bill and a consultation on the security of apps and app stores in the Queen’s Speech (which we briefly discuss here), the UKG issued a call for views on whether action is needed to ensure cyber security in data centres and cloud services (described here).

In recent weeks, the UKG has made two further announcements:

  • On 30 August 2022, it issued a response to its public consultation on the draft Electronic Communications (Security measures) Regulations 2022 (Draft Regulations) and a draft Telecommunications Security code of practice (COP), before laying a revised version of the Draft Regulations before Parliament on 5 September.
  • On 1 September 2022, it issued a call for information on the risks associated with unauthorized access to individuals’ online accounts and personal data, and measures that could be taken to limit that risk.

We set out below further detail on these latest developments.

*****

UKG response to public consultation on telecoms security regulations and a code of practice

Last year, the Telecommunications (Security) Act 2021 passed, creating a new security framework for public communications network and service providers. Section 1 of that Act (amending the Communications Act 2003) granted the UKG the power to make regulations specifying the precise security measures that providers of public electronic communications networks (ECN) and public electronic communications services (ECS) must implement. Section 3 also granted the Secretary of State for Digital, Culture, Media and Sport the power to issue codes of practice setting out how ECN and ECS providers should comply with these specific measures.

The Draft Regulations and COP therefore aim to set out the precise security measures that ECN and ECS providers must take to comply with the Act. The UKG’s consultation response follows submissions from 38 stakeholders, and addresses a number of specific, technical concerns about the requirements of the Draft Regulations and COP (e.g., precisely when encryption must be applied to signals, and the requirement to retain logging and monitoring data for 13 months).

Most prominently, the revised version of the Draft Regulations includes obligations on ECN and ECS providers to:

  • reduce the risk of unauthorized access to their networks and services (including specific obligations to ensure that workstations which can make changes to security-critical functions are not exposed to external traffic, and to monitor ongoing risks proactively). The revised Draft Regulations also oblige ECN providers (but not ECS providers) to protect data transmitted across those networks (including specific obligations to ensure their networks are secure by design);
  • ensure they can identify security risks without the use of staff or equipment outside the UK, and operate their services without the use of such staff or equipment, on the basis that this limits the risk that foreign actors (including governments) could undermine the integrity of UK communications networks;
  • minimize, for similar reasons, misuse of tools that allow monitoring of data on ECN or ECS located outside the UK (the Draft Regulations prohibit the use of such tools on servers located in certain countries, including—for now at least—China, Russia, and Iran);
  • monitor and analyze access to “security critical functions” (i.e., functions that are likely to have a material impact on the whole of or part of a service) to identify any compromise;
  • minimize the risk of security compromises arising from suppliers;
  • put in place appropriate governance frameworks, including obligations to have standardized processes for categorizing security incidents, to mandate post-incident reviews, to require (as under the EU’s NIS2 Directive) a person or committee at board level to be responsible for the security policy required by the Telecommunications (Security) Act, and to prepare for incidents so as to minimize their impact; and
  • conduct regular reviews and ensure software and hardware are up to date.

The COP provides additional detail on these requirements, and establishes three “tiers” of ECN and ECS provider (based on their turnover—there is no provision in the COP for Ofcom to expressly designate ECN and ECS providers as being in particular tiers). Smaller providers with turnover of under GBP 50m (i.e., those in Tier 3) are not expected to comply with the COP, but may do so voluntarily. Other providers (i.e., those in Tier 1 and Tier 2) are required to comply, but those in Tier 2 (with turnover of GBP 50m-1bn) will have additional time to do so. It explains that Ofcom will be responsible for taking enforcement action in the event of non-compliance, and that Ofcom will consult on an update to its existing guidance on enforcement to take account of these new rules.

The consultation response confirmed that the tiering system for providers in the COP would remain in place, but extended the timelines for compliance. Tier 1 providers will be required to implement the COP in four stages: certain provisions must be complied with by 31 March 2024, with additional milestones through to 31 March 2028. Tier 2 providers will not have to meet the 31 March 2024 milestone, but will otherwise be expected to meet the same milestones as Tier 1 providers.

On 5 September, the UKG laid the amended Draft Regulations before Parliament, and aims for them to come into force on 1 October 2022. The COP will be laid before Parliament on or after the day the Regulations come into force, and absent any objections, will be issued in final form 40 days later.

Call for information on unauthorized access to online accounts and personal data

Among other things, the UK Computer Misuse Act 1990 makes unauthorized access to online accounts and computer systems a criminal offence. Although providers offering online accounts (e.g., providers of financial services, e-commerce, and communications services) are subject to existing obligations to keep accounts and associated data secure, the call for information states that the UKG still has concerns about the vulnerability of these online accounts.

The call for information states that the Home Office is considering new measures to reduce the burden on individuals of keeping their accounts secure, and to place greater responsibility on providers to make their offerings secure by default by imposing a “Cyber Duty to Protect”.

To that end, the call for information requests stakeholders’ views on matters including:

  • the types of harms that can arise from this sort of unauthorized access in different circumstances;
  • who should have responsibility for ensuring protection against these sorts of harms;
  • what actions companies currently take to prevent them; and
  • their experience of enhanced authentication solutions, such as two-factor authentication.

The call for information is open until 27 October 2022, after which the UKG may propose new legislation or other instruments.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.
Paul Maynard

Paul Maynard is special counsel in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.