The UK Government’s (UKG) proposals for new, sector-specific cybersecurity rules continue to take shape. Following the announcement of a Product Security and Telecommunications Infrastructure Bill and a consultation on the security of apps and app stores in the Queen’s Speech (which we briefly discuss here), the UKG issued a call for views on whether action is needed to ensure cyber security in data centres and cloud services (described here).

In recent weeks, the UKG has made two further announcements:

  • On 30 August 2022, it issued a response to its public consultation on the draft Electronic Communications (Security Measures) Regulations 2022 (Draft Regulations) and a draft Telecommunications Security code of practice (COP), before laying a revised version of the Draft Regulations before Parliament on 5 September.
  • On 1 September 2022, it issued a call for information on the risks associated with unauthorized access to individuals’ online accounts and personal data, and measures that could be taken to limit that risk.

We set out below further detail on these latest developments.

*****

UKG response to public consultation on telecoms security regulations and a code of practice

Last year, the Telecommunications (Security) Act 2021 passed, creating a new security framework for public communications network and service providers. Section 1 of that Act (amending the Communications Act 2003) granted the UKG the power to pass regulations specifying the precise security measures that providers of public electronic communications networks (ECN) and public electronic communications services (ECS) must implement. Section 3 also granted the Secretary of State for the Department of Digital, Culture, Media and Sport the power to issue codes of practice setting out how ECN and ECS providers should comply with these specific measures.

The Draft Regulations and COP therefore aim to set out the precise security measures that ECN and ECS providers must take to comply with the Act. The UKG’s consultation response follows submissions from 38 stakeholders, and addresses a number of specific, technical concerns about the requirements of the Draft Regulations and COP (e.g., precisely when encryption must be applied to signals, and the need to retain data about logging and monitoring for 13 months).

Most prominently, the revised version of the Draft Regulations includes obligations on ECN and ECS providers to:

  • reduce the risk of unauthorized access to their networks and services (including specific obligations to ensure workstations that can make changes to security-critical functions are not exposed to external traffic, and to monitor ongoing risks proactively). The revised Draft Regulations also oblige ECN providers only to protect data transmitted across their networks (including specific obligations to ensure those networks are secure by design);
  • ensure they can identify security risks without the use of staff or equipment outside the UK, and operate their services without the use of such staff or equipment, on the basis that this limits the risk that foreign actors (including governments) could undermine the integrity of UK communications networks;
  • minimize, for similar reasons, misuse of tools that allow monitoring of data on ECN or ECS located outside the UK (the Draft Regulations prohibit the use of such tools on servers located in certain countries, including—for now at least—China, Russia, and Iran);
  • monitor and analyze access to “security critical functions” (i.e., functions that are likely to have a material impact on the whole of or part of a service) to identify any compromise;
  • minimize the risk of security compromises arising from suppliers;
  • put in place appropriate governance frameworks, including obligations to have standardized processes for categorizing security incidents, to mandate post-incident reviews, and, like the EU’s NIS2 Directive, to require a person or committee at board level to have responsibility for the security policy required by the Telecommunications (Security) Act, and to prepare for incidents so as to minimize their impact; and
  • conduct regular reviews and ensure software and hardware are up to date.

The COP provides additional detail on these requirements, and establishes three “tiers” of ECN and ECS provider (based on their turnover—there is no provision in the COP for Ofcom to expressly designate ECN and ECS providers as being in particular tiers). Smaller providers with turnover of under GBP 50m (i.e., those in Tier 3) are not expected to comply with the COP, but may do so voluntarily. Other providers (i.e., those in Tier 1 and Tier 2) are required to comply, but those in Tier 2 (with turnover of GBP 50m-1bn) will have additional time to do so. It explains that Ofcom will be responsible for taking enforcement action in the event of non-compliance, and that Ofcom will consult on an update to its existing guidance on enforcement to take account of these new rules.

The consultation response confirmed that the tiering system for providers in the COP would remain in place, but extended the timelines for compliance. Tier 1 providers will be required to implement the COP in four stages: certain provisions must be complied with by 31 March 2024, with additional milestones through to 31 March 2028. Tier 2 providers will not have to meet the 31 March 2024 milestone, but will otherwise be expected to meet the same milestones as Tier 1 providers.

On 5 September, the UKG laid the amended Draft Regulations before Parliament, and aims for them to come into force on 1 October 2022. The COP will be laid before Parliament on or after the day the Regulations come into force, and absent any objections, will be issued in final form 40 days later.

Call for information on unauthorized access to online accounts and personal data

Among other things, the UK Computer Misuse Act 1990 makes unauthorized access to online accounts and computer systems a criminal offence. Although providers offering online accounts (e.g., providers of financial services, e-commerce, and communications services) are subject to existing obligations to keep accounts and associated data secure, the UKG’s call for information states that the UKG still has concerns about the vulnerability of these online accounts.

The call for information states that the Home Office is considering new measures to reduce the burden on individuals of keeping their accounts secure, and to place greater responsibility on providers to make their offerings secure by default by imposing a “Cyber Duty to Protect”.

To that end, the call for information requests stakeholders’ views on matters including:

  • the types of harms that can arise from this sort of unauthorized access in different circumstances;
  • who should have responsibility for ensuring protection against these sorts of harms;
  • what actions companies currently take to prevent them; and
  • their experience of enhanced authentication solutions, such as two-factor authentication.

The call for information is open until 27 October 2022, after which the UKG may propose new legislation or other instruments.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Paul Maynard

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.