UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK

Data Protection Report - Norton Rose Fulbright

The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the UK.

The NIS Regulations serve a number of purposes, including the development of the UK’s national framework and strategy relating to network security. The NIS Regulations also impose new obligations on operators of “essential services” and digital service providers in relation to the security of their network and information systems. Companies that fall within the scope of the NIS Regulations should be aware of these obligations and how they can be satisfied, particularly given that the NIS Regulations introduce a stringent penalties regime for non-compliance.

Key obligations on operators of essential services

Under the NIS Regulations, entities meeting certain threshold conditions in the energy, transport, healthcare, utilities and digital infrastructure sectors will be considered to be operators of essential services. Competent Authorities also have discretion to deem a particular organisation to be an operator of essential services even if these threshold conditions are not met.

Providers of essential services are required to take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential services rely. These measures should have regard to the state of the art and ensure a level of security appropriate to the risk posed. A corresponding obligation to take appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of these network and information systems is also imposed – such measures should be implemented with a view to ensuring the continuity of those services.

Providers of essential services must also notify their designated “Competent Authority” within 72 hours about any incident which has a significant impact on the continuity of the essential services that they provide. The relevant “Competent Authority” depends on the sector in which the provider of essential services is operating. Such “incidents” may include cyber-attacks, power outages, system malfunctions and hardware failures. In determining whether an incident has a significant impact, an operator should take into account criteria such as the number of users affected by the disruption, the duration of the incident, and the area affected by the incident.

Key obligations on digital service providers

The NIS Regulations impose similar obligations on digital service providers that provide online marketplaces, search engines or cloud computing services in the UK.

Such service providers are required to identify and take appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which they rely. An obligation is also imposed to notify the Information Commissioner (as their Competent Authority) about any incident which would have a substantial impact on the provision of these services.

Penalties for non-compliance

Penalties for non-compliance with the NIS Regulations are potentially severe, with fines of up to £17 million permitted in some circumstances.

Pan-EU perspective

The NIS Regulations reflect the UK’s implementation of the EU NIS Directive, which is being or has been implemented into the law of all other EU member states by way national legislation.

There will inevitably be some variation in the way in which the Directive is implemented in each EU member state. Of particular note is that in some member states, the national legislation may extend the concept of “operators of essential services” to other sectors of societal importance, such as financial services.

It is therefore important that a broad range of organisations operating in Europe consider whether they may be caught within the scope of national legislation implementing the NIS Directive – in all of the EU member states in which they operate.



*Many thanks to Juliet Gordon for her assistance in preparing this content

FTC, privacy, vendor due diligence and opt-in consent

Norton Rose Fulbright - Data Protection Report blog

On April 30, 2018, the U.S. Federal Trade Commission (FTC) released for public comment an administrative complaint and proposed consent agreement with mobile phone manufacturer BLU Products Inc. and its owner and president. Although the FTC has entered into many settlements relating to privacy and data security, this proposed settlement is particularly noteworthy for two reasons: (1) the FTC allegation that a company’s failure to implement appropriate security procedures to oversee a vendor’s security practices (including a lack of vendor due diligence) can violate Section 5 of the Federal Trade Commission Act; and (2) the proposed remedy includes a separate notice and affirmative opt-in consent relating to collection, use, and sharing of certain consumer information. BLU does not admit or deny any of the FTC’s allegations. Continue reading

Massachusetts Senate passes data protection bill targeting consumer credit agencies

Data Protection Report - Norton Rose Fulbright

On Thursday, April 26, 2018, the Massachusetts Senate unanimously passed a data breach protection bill that strengthens consumer protections after security breaches involving consumer credit reporting agencies.  If passed, the proposed legislation would amend Massachusetts’s current breach notification law.  The bill aims to help consumers protect their sensitive information before, during, and after a data breach.

Continue reading

California privacy initiative likely to increase costs of civil litigation if passed in November

Norton Rose Fulbright - Data Protection Report blog

A little more than one month from implementation of GDPR, companies may be tempted to relax and exhale (and if GDPR is still causing you headaches, consult our checklist). After all, the U.S. couldn’t be crazy enough to implement something as onerous and difficult, right? RIGHT?!?

Enter California, which appears likely to place an initiative on the November 2018 ballot that could bring some familiar aspects of GDPR to the sixth largest economy in the world. The proposed initiative, the Consumer Right to Privacy Act of 2018 (the “CRPA”), still needs to obtain the necessary signatures to appear on the ballot and then be passed by a majority of California voters. However, given the high profile data misuse and breach stories in the news over the past several months, the possible passage of the initiative must be taken seriously. Continue reading

NIST releases latest version of its Cybersecurity Framework

Data Protection Report - Norton Rose Fulbright

On April 16, 2018, the National Institute of Standards and Technology (NIST) unveiled Version 1.1 of its widely known Cybersecurity Framework, which incorporates changes based on feedback collected through comments, questions, and workshops held in 2016 and 2017. Continue reading

Canada’s Mandatory Privacy Breach Reporting Requirements coming into force November 1, 2018

Data Protection Report - Norton Rose Fulbright

As of November 1, 2018, organizations across Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to provide notice of certain privacy breaches.

Through an Order in Council, the Federal Government has announced that previous PIPEDA breach notification amendments will come into force this November.

Continue reading

Ninth Circuit further entrenches circuit split over standing in data breach cases

Norton Rose Fulbright - Data Protection Report blog

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, and Eighth Circuits over whether the mere exposure of personal information – without actual identity theft or credit/debit card fraud – establishes Article III standing. Continue reading

FCC TCPA order partially upheld and partially set aside

Data Protection Report - Norton Rose Fulbright

On March 16, 2018, the U.S. Court of Appeals for the District of Columbia Circuit issued its decision on the Federal Communications Commission (FCC) omnibus order of 2015, relating to challenges to four of the FCC’s determinations relating to cell phones.  The appellate court upheld the FCC’s determinations that consumers can revoke consent to receive marketing calls by “any reasonable means” that clearly expresses the desire to receive no further messages from the caller, and an exception for certain “emergency” healthcare-related calls.  On the other hand, the court set aside the FCC’s decision regarding the definition of an “automatic telephone dialing system” (ATDS), and how callers can deal with reassigned numbers where the previous owner had consented to receive marketing calls. Continue reading

Singapore PDPC responds to feedback on public consultation on approaches to managing personal data

Data Protection Report - Norton Rose Fulbright

On 1 February 2018, Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of  the Public Consultation, was to seek public feedback on proposed changes to Singapore’s data protection regime, the Personal Data Protection Act (PDPA).  The key proposed changes to the PDPA include the relaxation of the consent requirement to collect, use and disclose personal data in Singapore and the introduction of a mandatory data breach notification regime.

We set out below a summary of the key points that you should know about the public feedback and PDPC’s response.

Continue reading

Uber as a HIPAA business associate

Norton Rose Fulbright - Data Protection Report blog

Uber recently announced the launch of Uber Health, a non-emergency ride service that allows healthcare providers to schedule and pay for transportation for their patients. The stated purpose of the service is to expand medical transportation to traditionally underserved areas. Roughly 3.6 million Americans miss medical appointments each year due to lack of reliable transportation, contributing to the roughly $150 billion per year the healthcare industry loses due to missed appointments.   Continue reading