AGENDA
- Has existing law been fit for purpose? Hacking; Electronic Signatures
- What new laws and developments are on the horizon?
- How will current and new law cope with new technological developments? Strong Authentication; Breach Notification for financial services; Artificial Intelligence; Bitcoin/Blockchain
- What is the future of law, can technology help?
HAS EXISTING LAW BEEN FIT FOR PURPOSE?
How did the law cope with hacking?
- R v Robert Schifreen and Steve Gold: arrested in 1985 for using the password “1234” against account “2222222222” on Prestel, which gave them root access and allowed them to access certain accounts.
- No specific law on hacking; attempts to use the Forgery and Counterfeiting Act 1981 failed on appeal: “the Procrustean attempt to force the facts into the language of an Act not designed to fit them” should not be repeated.
- Introduction of the Computer Misuse Act 1990.
COMPUTER MISUSE LAW
Computer Misuse Act 1990 (“CMA”):
Criminal offences:
- Unauthorised access to computer material (section 1(1), CMA).
- Unauthorised access to computer material with intent to commit or facilitate commission of further offences (section 2(1), CMA).
- Unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer (section 3, CMA), including circulation of malware.
- Making, supplying or obtaining articles for use in offences under section 1 or section 3 of the CMA (i.e. hacking tools).
Even modifying a URL could be an offence.
WAS THE COMPUTER MISUSE ACT FIT FOR PURPOSE?
- Denial of service arguably not covered. NB DPP v Lennon [2006]
- Specific offence introduced by the Police and Justice Act 2006
But the Police and Justice Act also introduced:
“3A(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.”
“3A(3) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.”
Kali / Backtrack ?
WAS THE COMPUTER MISUSE ACT FIT FOR PURPOSE?
“The Computer Misuse Act does not prevent individuals from obtaining tools such as malware with the intention to personally commit a cyber crime.” Home Office Impact Assessment 2014
Specific offence introduced by the Serious Crime Act 2015, amending section 3A(3) to read:
“3A(3) A person is guilty of an offence if he obtains any article – (a) intending to use it to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA, or (b) with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.”
HAS EXISTING LAW BEEN FIT FOR PURPOSE?
How did the law cope with Electronic Signatures?
- UNCITRAL Model Law on Electronic Commerce – June 1996: established accepted rules for electronic commerce, including defining the role of electronic signatures
- US Uniform Electronic Transactions Act (UETA) – July 1999: permits electronic legal documents and allows electronic signatures in evidence
- EU Directive for Electronic Signatures (1999/93/EC) – December 1999: defines two different kinds of electronic signatures, a “simple electronic signature” and an “advanced electronic signature”. Technical standards were introduced in Commission Decision (2009/767/EC)
- US Electronic Signatures in Global and National Commerce Act (E-Sign) – June 2000: electronic signatures, records and contracts are not denied validity by being in electronic form
- UNCITRAL Model Law on Electronic Signatures – July 2001: introduced support for certification and digital authentication for electronic signatures
EU DIRECTIVE FOR ELECTRONIC SIGNATURES (1999/93/EC)
Simple electronic signature: “data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication”. They will not be denied legal effectiveness solely on the grounds that they are: “in electronic form, not based upon a qualified certificate, not based upon a qualified certificate issued by an accredited certification service provider, or not created by a secure signature creation device”
NB But national law may deny legal effectiveness for other reasons
Advanced electronic signature: “An electronic signature, which a) is uniquely linked to the signatory; b) is capable of identifying the signatory; c) is created using means that the signatory can maintain under his sole control; and d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable”. Advanced electronic signatures which are “based on a qualified certificate and created by secure signature creation device”, such as digital signatures, are fully legally equivalent to handwritten signatures
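As an added illustration that is not part of the slides, the four limbs of the “advanced electronic signature” definition map onto a digital signature as follows. The Python below uses a deliberately tiny, constructed textbook RSA key pair with no padding, purely to show the mechanics (in particular limb d, that any change to the signed data is detectable); it is not a usable signature scheme.

```python
import hashlib

# Constructed toy key pair: two Mersenne primes give a ~92-bit modulus, far too
# small for real use but enough to show the mechanics of a digital signature.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)    # published: lets a relying party identify the signatory (limbs a and b)
PRIVATE_KEY = (N, D)   # kept under the signatory's sole control (limb c)


def _digest(data: bytes, n: int) -> int:
    """Hash the data and reduce it into the signing group (toy: no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key=PRIVATE_KEY) -> int:
    """Bind the signature to the data through its hash (limb d)."""
    n, d = private_key
    return pow(_digest(data, n), d, n)


def verify(data: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """True only if the signature was made over exactly this data with the matching private key."""
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)


def signature_demo() -> dict:
    """Sign a constructed document, then check an unaltered copy and a tampered copy."""
    original = b"Contract: pay 1,000 EUR to Supplier Ltd on 1 June 2017"
    tampered = b"Contract: pay 9,000 EUR to Supplier Ltd on 1 June 2017"
    sig = sign(original)
    return {
        "original_valid": verify(original, sig),   # True
        "tampered_valid": verify(tampered, sig),   # False: the change is detectable
    }
```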
EU DIRECTIVE FOR ELECTRONIC SIGNATURES (1999/93/EC) II
- This Directive contemplated the growth of a complex network of PKIs providing electronic certificates for the recognition and development of advanced electronic signatures
- The Directive provided that national law should require that certification authorities are liable, up to certain limits, for the damage caused to their customers who rely on a qualified certificate issued by them
- A voluntary accreditation scheme was introduced and the Directive aimed to ensure that electronic signatures were not to hinder free trade across the European Union
Then:
ELECTRONIC WRITING – CURRENT DEVELOPMENTS
- Digital Agenda for Europe COM(2010) 245 recommended a revision of the Electronic Signature Directive and legal measures to ensure mutual recognition of e-Identification (e-ID) and e-Authentication as an objective
- The Single Market Act identified the need for a Digital Single Market and the need for legislation to guarantee mutual recognition of electronic identification and authentication across the EU
- On 4 June 2012, the European Commission adopted a proposal for a new Regulation “on electronic identification and trust services for electronic transactions in the internal market” (the “e-ID and e-Signature Regulation”)
- On 23 July 2014, Regulation 910/2014 (“eIDAS”) was passed!
REGULATION 910/2014 (“EIDAS”)
eIDAS will:
- Repeal the Electronic Signature Directive (1999/93/EC)
- Introduce “electronic identification” and “electronic identification schemes” so that there is a consistent basis for identifying individuals, allowing access to public services in other Member States
- Introduce the concept of “trust services” and “trust service providers”, who will be used to create, verify, validate and support electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication and electronic certificates. There will be a new internal market for these services.
- Re-introduce “electronic signatures” and “advanced electronic signatures”
- Introduce “electronic seals”, which are used to authenticate the origin and integrity of particular data
- Introduce “electronic time stamps”, which are used to authenticate the time and integrity of particular data
- Introduce “electronic documents”, which are to be equivalent to paper documents, and “electronic delivery services” to assure the delivery of data.
REGULATION 910/2014 (“EIDAS”) II
However,
- eIDAS will not harmonise the position as to existing forms of electronic signature
- eIDAS does not affect national or Union law related to the conclusion and validity of contracts or other legal or procedural obligations relating to form
- A qualified electronic signature shall have the equivalent legal effect of a handwritten signature
- But, … it is for national law to define the legal effect of electronic signatures unless they are qualified electronic signatures
NEW LAWS AND DEVELOPMENTS ON THE HORIZON
- The text of the General Data Protection Regulation (‘GDPR’) has finally been formally adopted (14 April 2016). It will come into force on 25 May 2018.
- The e-Privacy Directive (2002/58/EC), which regulates, amongst other things, the use of cookies on websites and consent for the use of location data on smartphones, will be reviewed.
- The Network and Information Security Directive ((EU) 2016/1148) introduces an information security obligation and a data breach notification obligation on certain market operators.
- The Payment Services Directive 2 (2013/0264(COD)) will introduce security obligations, data breach obligations and data access obligations in relation to payment services.
- The Trade Secret Directive ((EU) 2016/943) will standardise national laws against the unlawful acquisition, disclosure and use of trade secrets.
- The EU Charter of Fundamental Rights has gained prominence since the ECJ “Schrems” case.
- EU – U.S. Privacy Shield has replaced the Safe Harbour, but it is under review by the Article 29 Working Party and under challenge in the Courts.
- Brexit will take the UK out of the EU in 2019 and the GDPR will be replaced by a UK version pursuant to the Great Repeal Bill.
GENERAL DATA PROTECTION REGULATION
Expanded scope
Changes to the way you engage with individuals
- Transparency (Privacy Notices) and Consents
- Additional Rights: Data portability, objections to ‘profiling’, ‘right to be forgotten’, the right to restrict processing
Changes to the way you run your business
- Data Protection Governance
- Accountability and record keeping
- New rules for controllers and processors, and the impact on Supply and Customer agreements
- Security Requirements and Breach Notification
Enhanced sanctions and litigation risk
- The level of fines will be increased to a maximum of 4% of worldwide turnover or 20,000,000 EUR, whichever is greater
- Much greater chance of litigation, including quasi class actions
HOW WILL CURRENT AND NEW LAW COPE WITH NEW TECHNOLOGICAL DEVELOPMENTS?
- Strong Authentication
- Breach Notification for financial services
- Artificial Intelligence
- Bitcoin/Blockchain
STRONG AUTHENTICATION
- January 2013: SecurePay Recommendations on the security of internet payments (effective 1 February 2015) http://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html
- December 2014: EBA Final guidelines on the security of internet payments (effective 1 August 2015) http://www.eba.europa.eu/regulation-and-policy/consumer-protection-and-financial-innovation/guidelines-on-the-security-of-internet-payments
  Compliance table: http://www.eba.europa.eu/documents/10180/934179/EBA-GL-2014-12+Compliance+Table-GL+security+of+internet+payments.pdf/34be3c3e-5521-4036-9805-3ee97162c4db
- February 2017: EBA Final Report on Draft RTS on Strong Customer Authentication and common and secure communication under Article 98 of Directive 2015/2366 (PSD2) (effective November 2018 or later) https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2
STRONG CUSTOMER AUTHENTICATION II
Strong customer authentication (article 4(3)): a procedure based on the use of two or more of the following elements, categorised as knowledge, ownership and inherence:
- something only the user knows, e.g. static password, code, personal identification number
- something only the user possesses, e.g. token, smart card, mobile phone
- something the user is, e.g. biometric characteristic, such as a fingerprint
Elements selected must be mutually independent, so that breach of one does not compromise the other(s). The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.
Has this been implemented in a technology neutral way?
STRONG CUSTOMER AUTHENTICATION III
The Authentication Code generated by the two elements:
- Can only be used once
- Is one way (i.e. the underlying elements cannot be determined)
- Cannot be used to generate a further authentication code
- Cannot be forged
For remote access:
- You cannot tell the user which element is wrong
- You must block after 5 or less attempts
- Sessions must time out after 5 minutes or less
Dynamic Linking:
- The payer must be aware of the amount
- The Authentication Code must be specific to the amount and the payee
- The amount and the payee must not be determinable from the authentication process
Personalised Security Credentials:
- Must be protected at all stages
- Must be masked when input by users
- Must be associated with the payment service user in a secure manner
- Must be delivered securely, and authentication software or devices must be activated securely and using SCA if via the internet
For smartphones or other multi-purpose devices:
- Separate secure execution environments must be used
- Mechanisms must be in place to mitigate the effect of the device being rooted
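The authentication-code and remote-access rules above, as an added Python sketch that is not from the presentation or from any regulator's material. It assumes a constructed shared secret standing in for the user's two elements: the code is an HMAC bound to a one-time nonce, the amount and the payee (one way, unforgeable without the secret, specific to the transaction), the server accepts each code once, blocks after 5 failed attempts, expires sessions after 5 minutes, and answers only “rejected” rather than saying which part was wrong.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # block after 5 or fewer failed attempts
SESSION_TIMEOUT = 300.0   # sessions time out after 5 minutes or less

def device_code(user_secret: bytes, nonce: str, amount: str, payee: str) -> str:
    """Code computed on the payer's device: an HMAC is one way, cannot be forged
    without the secret, and is bound to the nonce, amount and payee."""
    message = f"{nonce}|{amount}|{payee}".encode()
    return hmac.new(user_secret, message, hashlib.sha256).hexdigest()

class ScaVerifier:
    def __init__(self, user_secret: bytes, now=time.time):
        self.user_secret = user_secret  # constructed; would be derived from the two elements
        self.now = now                  # injectable clock so timeouts can be tested
        self.challenges = {}            # nonce -> (amount, payee, issued_at)
        self.used = set()               # nonces whose code has already been accepted once
        self.failed = 0

    def start(self, amount: str, payee: str) -> str:
        """Issue a fresh challenge for the amount and payee the payer is shown."""
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = (amount, payee, self.now())
        return nonce

    def verify(self, nonce: str, amount: str, payee: str, code: str) -> str:
        """Return 'accepted', 'rejected' or 'blocked'; never reveal which part was wrong."""
        if self.failed >= MAX_ATTEMPTS:
            return "blocked"
        challenge = self.challenges.get(nonce)
        if challenge is None or nonce in self.used:   # unknown, or already used once
            return "rejected"
        shown_amount, shown_payee, issued_at = challenge
        if self.now() - issued_at > SESSION_TIMEOUT:  # session expired
            del self.challenges[nonce]
            return "rejected"
        # Dynamic linking: the code is only valid for the amount and payee the payer saw
        expected = device_code(self.user_secret, nonce, shown_amount, shown_payee)
        if (amount, payee) != (shown_amount, shown_payee) or not hmac.compare_digest(expected, code):
            self.failed += 1
            return "rejected"
        self.used.add(nonce)
        self.failed = 0
        return "accepted"

def sca_demo() -> dict:
    """Walk through the checks with a constructed secret and a controllable clock."""
    secret, payee, clock = b"constructed-user-secret", "Supplier Ltd", [1000.0]
    server = ScaVerifier(secret, now=lambda: clock[0])

    def fresh():  # challenge for 100.00 plus the code the payer's device would compute
        nonce = server.start("100.00", payee)
        return nonce, device_code(secret, nonce, "100.00", payee)

    nonce, code = fresh()
    results = {"genuine": server.verify(nonce, "100.00", payee, code)}
    results["replay"] = server.verify(nonce, "100.00", payee, code)        # second use
    nonce, code = fresh()
    results["amount_changed"] = server.verify(nonce, "900.00", payee, code)  # not the amount shown
    nonce, code = fresh()
    clock[0] += SESSION_TIMEOUT + 1
    results["expired"] = server.verify(nonce, "100.00", payee, code)
    nonce, code = fresh()
    for _ in range(MAX_ATTEMPTS):
        server.verify(nonce, "100.00", payee, "0" * 64)                      # wrong codes
    results["after_lockout"] = server.verify(nonce, "100.00", payee, code)
    return results
```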
BREACH NOTIFICATION FOR FINANCIAL SERVICES

Data Protection / Information Security Regulation

GDPR
• Proposed requirement to notify the regulatory authority within 72 hours of breach, and affected individuals without undue delay.
• Processors to notify controllers.
• No need to notify DPA where unlikely to result in a risk to the rights and freedoms of natural persons.
• Need to notify individuals where breach is likely to result in high risk to rights and freedoms …

NIS
• Providers must notify without undue delay their competent authority of any incidents having a significant impact on the security of essential services they provide.

Financial Services Regulation

Markets in Financial Instruments Directive 2014/65/EU (“MiFID II”)
• Implemented in national legislation: broad notification requirements in respect of failure of systems and procedures.

PSD 2
• A PSP is required to notify regulators of a major operational security incident.
• A PSP is also required to notify a user if the incident has or may have an impact on that user’s financial interests.
BREACH NOTIFICATION FOR FINANCIAL SERVICES II
“In the case of a major operational or security incident, PSPs shall, without undue delay, notify the competent authority. Where the incident has or may have an impact on the financial interests of its payment service users, the payment service provider shall, without undue delay, inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident.” (article 96)
December 2016: EBA Consultation on draft Guidelines on major incidents reporting under the PSD 2 (effective 14 January 2018) https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-on-major-incidents-reporting-under-psd2
“A singular event or a series of linked events which have or may have a material adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services.” (RTS article 13)
- Initial notification to the Competent Authority: within 2 hours of initial detection or on categorisation as a major incident
- Reports to be updated at least every 3 business days
- Final report, with a full root cause analysis, within 2 weeks of the business being back to normal
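The reporting timeline above, turned into an added deadline calculator that is not part of the presentation. It assumes the 2-hour clock starts at categorisation as a major incident, counts business days as Monday to Friday (public holidays ignored), and that intermediate updates stop once the business is back to normal; the incident dates are constructed.

```python
from datetime import datetime, timedelta

INITIAL_NOTIFICATION = timedelta(hours=2)   # initial notification to the competent authority
UPDATE_EVERY_BUSINESS_DAYS = 3              # reports updated at least every 3 business days
FINAL_REPORT_AFTER = timedelta(weeks=2)     # final report, with full root cause analysis


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by whole Monday-to-Friday business days (public holidays ignored: assumption)."""
    current, added = start, 0
    while added < days:
        current += timedelta(days=1)
        if current.weekday() < 5:
            added += 1
    return current


def reporting_schedule(classified_at: datetime, back_to_normal: datetime) -> dict:
    """Deadlines from the moment an incident is categorised as major until the final report."""
    updates = []
    due = add_business_days(classified_at, UPDATE_EVERY_BUSINESS_DAYS)
    while due < back_to_normal:   # intermediate reports stop once the business is back to normal
        updates.append(due)
        due = add_business_days(due, UPDATE_EVERY_BUSINESS_DAYS)
    return {
        "initial_notification": classified_at + INITIAL_NOTIFICATION,
        "intermediate_reports": updates,
        "final_report": back_to_normal + FINAL_REPORT_AFTER,
    }


def reporting_demo() -> dict:
    """Constructed incident: categorised on a Monday morning, resolved the following Wednesday."""
    return reporting_schedule(datetime(2018, 1, 15, 9, 0), datetime(2018, 1, 24, 17, 0))
```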
ARTIFICIAL INTELLIGENCE
- Intellectual Property: The Copyright, Designs and Patents Act 1988 already provides for the copyright in computer generated works; the author of that work will be the person that commissions the work.
- Liability and Insurance: The Vehicle Technology and Aviation Bill 2017 provides that car insurance must cover the cost of self driving cars.
- Financial Products: The Financial Conduct Authority now has a division which will assist companies who wish to provide “robo advice” or AI assisted financial recommendations.
- Commercial Contracts: Lawyers are still wrestling with how to draft agreements for AI and machine learning.
ARTIFICIAL INTELLIGENCE II
General Data Protection Regulation
“Every data subject should therefore have the right to know … the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing.”
BITCOIN/BLOCKCHAIN
- UK Government: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/414040/digital_currencies_response_to_call_for_information_final_changes.pdf
- ESMA: http://www.esma.europa.eu/system/files/2015-532_call_for_evidence_on_virtual_currency_investment.pdf
- NY BitLicence: http://www.dfs.ny.gov/about/press2014/pr1407171-vc.pdf
- EBA: https://www.eba.europa.eu/documents/10180/657547/EBA-Op-2014-08+Opinion+on+Virtual+Currencies.pdf
- Parliament briefing paper: www.parliament.uk/briefing-papers/POST-PN-475.pdf
- HMT Consultation: https://www.gov.uk/government/consultations/digital-currencies-call-for-information/digital-currencies-call-for-information
- The 5th Anti Money Laundering Directive: http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2016/0450/COM_COM(2016)0450_EN.pdf
- The General Data Protection Regulation
BITCOIN/BLOCKCHAIN II
The effect of the 5th AMLD
Virtual currency exchange platforms as well as custodian wallet providers will now be brought within the scope of Anti Money Laundering Legislation.
- They will have to be registered
- They will need to track transactions
- They will need to do due diligence on their customers
- They will need to report suspicious transactions
The effect of the General Data Protection Regulation
The right to be forgotten?
ONLINE DISPUTE RESOLUTION
European Commission Online Dispute Resolution: https://ec.europa.eu/consumers/odr/main/index.cfm?event=main.home.show&lng=EN
ONLINE DISPUTE RESOLUTION AND AI
Researchers from the University of Sheffield, the University of Pennsylvania and University College London used advances in Natural Language Processing and Machine Learning to analyse text from cases heard at the European Court of Human Rights (ECtHR) and predict the outcome of the judicial decision.
During tests, the machine learning algorithm made predictions with 79 per cent accuracy. https://peerj.com/articles/cs-93/
SMART CONTRACTS
Source: PwC http://www.pwc.com/us/en/technology-forecast/blockchain/digital-business.html
A SMART BOND

    contract SimpleBond {
        // An object to hold investor details
        object Investor() {
            string name
            address walletAddress
        }

        // The term sheet
        function Setup() {
            term = 5 years;
            coupon = 5%;
            Investors = return each Investor;
        }

        // Operative provisions
        // Each year, pay every investor its share of the coupon
        function PayCoupon() {
            uint bal = this.balance;
            Investors.send((bal * percentageDistribution[Investor] / 100) * coupon);
        }

        // At maturity, return each investor's share of the balance and end the contract
        function Redeem() {
            uint bal = this.balance;
            Investors.send((bal * percentageDistribution[Investor] / 100));
            terminate;
        }

        // Main loop
        on each new year {
            if year < term { PayCoupon(); } else { Redeem(); }
        }
    }

Pseudocode, but inspired by https://github.com/blockapps/bloc
AI AND REPLACING THE LAWYER ENTIRELY
- Artificial Intelligence in legal research (based on IBM’s Watson): http://www.rossintelligence.com/
- Artificial Intelligence in e-discovery: http://www.nexlp.com/
- Artificial Intelligence in GDPR compliance: https://www.exonar.com/gdpr/
- Artificial Intelligence to review contracts: https://www.lawgeex.com/
39% of jobs (114,000) in the legal sector stand to be automated in 10 years as the profession feels the impact of more “radical changes.” https://www2.deloitte.com/uk/en/pages/audit/articles/developing-legal-talent.html
LAWYER BIO
ASHLEY WINTON
Data Privacy and Cyber Security, London
Formerly a microelectronics engineer, Mr. Winton advises technology and IT companies, global financial institutions, large utility companies, multinational corporations and government and non-government agencies on technology, telecommunications, cyber security, intellectual property and antitrust matters with particular emphasis on European regulatory issues such as electronic money, payment systems, encryption and export control, data protection and privacy, technology transfer and e-commerce. He is a Fellow of the Ponemon Institute and the Chairman of the Data Protection Forum.
[email protected] | Tel: +44 (0)20.3023.5121 | Mobile: +44 (0) 7788 676663
www.paulhastings.com ©2016 Paul Hastings (Europe) LLP