Legal & Government Affairs Update Issue 4 - 2017
Guarding against ransomware
Cyber-attacks are, of course, nothing new. However, the recent wave of large-scale ransomware attacks has drawn more attention than ever before to the great threat they pose to our national security and economy.
You will no doubt have read about the NHS cyber-attack. On Friday 12 May, NHS IT systems fell victim to a global attack which, in total, affected at least 150 countries and continues to cause widespread disruption. With 47 NHS trusts being hit, the ransomware attack meant that routine appointments had to be cancelled and patients diverted. This demonstrates just how catastrophic the consequences of a cyber-attack can be.
As the name suggests, "ransomware" describes a particular type of malicious software designed to seize control of, and disable, a computer system until a ransom is paid. Other examples of cyber-attacks include malware (virus) attacks, hacking and phishing scams, all of which can be used in a deadly combination.
With instances of the above on the rise, cybercrime is now the most prevalent crime in the UK. In its latest POST note published this month, the Government therefore rightly identified cybercrime as being one of six Tier 1 threats to UK national security (to read this short note, please visit: http://researchbriefings.files.parliament.uk/documents/POST-PN-0554/POST-PN-0554.pdf).
In view of this, you might be wondering what businesses can do to protect their systems from the increasingly prevalent threat of cyber-attacks. This article is by no means intended to offer hard and fast advice (no pun intended); nor is it an appropriate medium in which to do so. Nevertheless, for completeness, and to encourage further discussion, it seems necessary to briefly comment on some of the methods for improving cyber security.
As expected, there is plenty of relevant guidance out there. However, in short, it is possible to categorise measures into three groups: (1) prevention; (2) damage limitation; and (3) recovery.
As you are aware, preventative measures include robust anti-virus systems and cyber security policies. Equally important is ensuring that all staff are well trained and vigilant to the ever-growing number of cyber risks out there. In the unfortunate event that an attack does occur, organisations should seek to limit its impact by having clear crisis and incident response procedures in place. Amongst other measures, data backups are essential to business continuity and aiding a swift recovery.
Has your organisation considered cyber insurance? Unsurprisingly, this rapidly developing insurance area is being driven by the increase in cyber-attacks. Policies can be wide ranging in their cover and may include computer restoration, data recovery, business interruption and reputational damage. Some policies will also provide a team of experts and services, such as IT forensics, in the event of an attack. In an increasingly digitised world, cyber insurance is not something to be ignored.
So what does the future hold for cyber-attacks? In what is very much a cat and mouse game, where cyber criminals constantly adopt new methods and techniques, this is a question nobody quite knows the answer to. That being said, readers should consider taking the appropriate action before it's too late.
Case Law Updates
On 26 April 2017, the Court of Justice of the European Union (CJEU) issued its long-awaited decision in the Filmspeler case.
By way of background, Filmspeler was the name of a media player sold with pre-installed add-ons linking users to infringing TV and film streaming sites controlled by third parties.
The Dutch case therefore concerned the question of whether the sale and marketing of such a device constituted a "communication to the public" of copyright-protected works pursuant to Article 3(1) of the InfoSoc Directive or, to put it simply, whether the device itself infringed copyright even though it was separate from the websites actually transmitting the copyright-protected work.
The CJEU adopted a broad interpretation of the right of communication to the public and decided that a multimedia player, such as Filmspeler, is a communication to the public. In short, the defendant knew that the media player enabled direct and easy access to websites broadcasting infringing works. This went beyond the mere provision of physical facilities. Further, there was a large number of potential users of the media player, meaning that it did constitute a communication to the public.
For those readers interested, a copy of the full judgment can be viewed here: http://curia.europa.eu/juris/celex.jsf?celex=62015CJ0527&lang1=en&type=TXT&ancre
European Commission mid-term review on the implementation of the Digital Single Market Strategy
Although not a consultation itself, the mid-term review follows the Commission's recent consultation on "Building a European Data Economy" and considers the progress to date in achieving the aims of the EU's Digital Single Market Strategy.
To summarise, the review (published on 10 May 2017) identifies three main areas where the EU needs to act further in making a digital single market a reality – these are (i) the data economy; (ii) cyber security; and (iii) online platforms.