Posted in Telecoms

The New Electronic Communications Code….but still not actually law

The Digital Economy Act finally became law prior to the dissolution of parliament at the start of the general election campaign. The Act contains within its pages the new Electronic Communications Code, which has been awaited for years and which many argue is essential to ensure the law is equipped to deal with advances in technology.

However, not all of Act’s provisions have come into force immediately and indeed, the new Code will only start to operate once it is brought into effect by regulations made by the Secretary of State. Some regulations (The Digital Economy Act 2017 (Commencement) Regulations 2017) have recently been made, but these do not bring into force the new Code.

In that respect, our recent enquires with the Department for Culture, Media & Sport as to when the Code will become law elicited these responses:

“There are a number of factors to consider, including supporting regulations, Codes of Practice etc. We are considering all aspects of implementation in order to achieve the most swift and appropriate approach, and will update stakeholders on commencement in due course.

We are … bringing into force measures to improve digital connectivity across the UK, starting the implementation of the new electronic communications code to assist operators to develop new infrastructure…in summary we have commenced the code for the purpose of making regulations over the autumn. Once we have those in place full commencement will follow.”

Given the turmoil thrown up by the election result and the more immediate issues the government is facing, including Brexit, the new Code could still be some way off, meaning that the existing Code continues to regulate arrangements for the installation of telecoms equipment.

The new Code introduces (whenever it finally becomes law), inter alia:

  • Rents/compensation: it is thought that the new Code is likely to decrease the rents/compensation received by landowners from telecoms operators as the rents/compensation will be based on the land’s value to the landowner not the operator.
  • Site sharing and assigning: operators will have rights to assign agreements and to share or upgrade apparatus without requiring the consent of the landowner, thus reducing the landowner’s control.
  • Security of tenure: the new Code contains provisions to ensure there is no overlap between the security of tenure rights granted to business occupiers by the Landlord and Tenant Act 1954 and similar protection that telecoms operators can claim under the Code.
  • Dispute resolution: the new Code can provide for a more specific dispute resolution procedure where the parties cannot agree terms.
  • Conferral of Code rights: An operator will be able to apply to the Court for the grant of interim code rights for a certain period of time or until a certain event takes place.
  • Termination: new, more lengthy, notice procedures for terminating Code agreements.
  • Retrospectivity: existing agreements will not be covered by the new Code.

We will report further once the new Code finally comes into force…..

Rob Shaw, Senior Associate and Ben Rogers, Legal Director

Posted in Internet of Things

IOT Devices: Just Hardware or FCC Powder Keg?

With the meteoric proliferation of “Internet of Things” (IOT) devices, there are an increasing number of innovators and inventors bringing “smart” products to market that capitalize on connectivity in ways never before imagined. While a great deal of resources are typically applied to research and development, marketing, production, distribution and customer awareness, the essence of most IOT devices is wireless communications so attention must be given to the Federal Communications Commission (FCC) regulations on radio emissions.  Each year the FCC levies tens of millions of dollars in penalties for violations of its rules—rules that encompass activities and devices in ways that may not be immediately obvious.  We have set forth some basic guidelines to help start-ups, investors, and even established manufacturers make sense of the FCC’s requirements.

Without further ado, ten things the FCC cares about:

Things that intentionally emit radiofrequency (“RF”) energy.
This may seem obvious, but the FCC regulates devices that use RF intentionally, such as cellphones, walkie-talkies, and Wi-Fi, Bluetooth and Zigbee transmitters.  Such devices must comply with the FCC’s equipment authorization procedures that ensure that the device conforms with specified technical standards that help limit the potential for interference to other spectrum users.  Compliance with the FCC’s equipment authorization rules is most often demonstrated by a permanent label affixed to the device showing the FCC’s mark and the products FCC identifying number.

Things that unintentionally emit RF.
It’s fairly obvious that the FCC would have jurisdiction over the manufacture and marketing of wireless communications devices.  Less obvious is its authority to control the importation and marketing of devices that emit RF energy unintentionally.  Nearly all devices with digital componentry are implicated – computing devices, smart appliances, video monitors, power supplies, and similar products.  These devices must be tested by an accredited test lab facility to ensure compliance with applicable technical standards before they can be imported and marketed in the United States.

Things that incidentally emit RF.
There’s even a third category of devices that fall within the FCC’s purview.  Incidental radiators include devices that are not designed to intentionally use, generate or emit RF energy over 9 kHz.  Devices  such as AC motors and fluorescent lighting are exempt from FCC test requirements but manufacturers must still use good engineering practices to limit, to the extent possible, the interference effects from such devices.

Importation of RF devices.
While it is tempting to assume that someone else in the supply chain has ensured conformity with the FCC’s rules, companies need to be proactive regarding FCC compliance when importing radio products.  With only very limited exceptions, the FCC rules require that devices brought into the U.S. have appropriate FCC equipment approvals.  Failure to do so may result in critical components being seized at the border.  Even if the products are not stuck in a customs warehouse–with the amount of offshore manufacturing that is done today, there may be instances where products without appropriate approvals are delivered in the U.S. and escape customs notice–the subsequent sale of those devices in the U.S. will violate FCC regulations and may subject the seller to fines.

Modification of OEM RF devices (triggering new approvals).
Even where a company has obtained an equipment authorization from the FCC, appropriate attention has to be paid to the evolution of the product over time, since certain changes can require the manufacturer or seller to obtain a new authorization.  As a rule of thumb, changes that alter the physics of the RF emissions should be carefully reviewed under the FCC’s rules, as they often trigger the need to seek new approvals.  Complicating matters even further is the practice of integrating components that have received their equipment authorization as stand-alone modules.  The final assembled product may have its own testing and labeling requirements even though it is comprised of approved parts.

Marketing of RF devices.
Today, speed to market often means that companies would like to pre-market products—whether to support a crowd-funding initiative or as a means to capture market share.  In general, however, the FCC greatly restricts the marketing of RF devices before they complete the approval process.  The FCC has been known to walk the floors at trade shows to inspect whether new products are being displayed to potential customers impermissibly prior to receiving proper approvals.

Experimenting with RF devices.
Development of new products invariably requires experimentation, and when that experimentation involves radiation of radio energy, an FCC license is typically required.  While the FCC generally freely grants experimental licenses for private testing, the experimental rules impose added limitations on what can be done with experimental products when it comes to market tests and trials, which require special authorizations.

Spectrum compatibility.
Most innovators today would like to capitalize on a global product market, but RF regulations differ from country to country.  That being said, there are radio bands that are more or less standardized from region to region, and considering global regulatory issues at the initial stages of product development may save headaches down the road.  With its global telecommunications capabilities, DLA Piper’s telecom practice is able to assist with international compatibility and market entry surveys.

Transfer of RF manufacturing assets.
Whether you are an investor looking to fund a IOT venture, a business acquiring a start-up, or an innovator looking for equity backers, FCC regulated companies require special considerations.  To the extent a company has licenses, FCC consent or notice may be required—in some cases prior to closing—for transactions that involve transfers of control or assignment of assets.  In addition, FCC regulated companies implicate specialized due diligence in transactional scenarios.

Devices that create networks.
As a final matter, even if the RF components of a device are not FCC regulated—or are FCC regulated but the company taken appropriate actions—the FCC might be implicated in other ways.  Specifically, in addition to regulating radio, the FCC also regulates telecommunications—communications networks and network providers.  This becomes important because if IOT or connected products are sold bundled with communications capabilities acquired from third parties, the seller may be subjecting itself to regulation as a carrier—that may result in the need to obtain special authorizations, to pay into carrier-funded social programs like the Universal Service Fund, or other regulations.  DLA Piper’s telecommunications team routinely advises companies on structuring communications activities in ways that avoid carrier regulation by the FCC.

 

Posted in Cybersecurity

Colorado adopts new cybersecurity rules applicable to broker-dealers and investment advisors: key features

The Colorado Division of Securities has adopted new cybersecurity rules applicable to broker-dealers purchasing securities in the state and investment advisers who do business in the state.

The rules, which are substantially less prescriptive than the NYDFS Cybersecurity Regulations  came into effect on July 15.  The rules establish general guidelines for reasonable cybersecurity practices and mandate a number of specific practices.  Here are a few key features of the Colorado rules:

“Confidential Personal Information.” The Colorado rules require cybersecurity procedures to protect “Confidential Personal Information,” which is defined as first name or first initial and last name in combination with one or more of the following data elements: 1) Social Security number; 2)  driver’s license number or other identification card number;[1] 3) account number or credit or debit card number in combination a security code, access code or password allowing access to a Colorado resident’s financial account; 4) digitized or electronic signature of an individual; 5) user name, unique identifier or email address combined with a password, an access code, security questions or other authentication information for accessing an online account. Publicly available information, lawfully made available to the public from  government records or widely distributed media, are not Confidential Personal Information.

Reasonable cybersecurity practices. Broker-dealers and investment advisers are required to “establish and maintain written procedures reasonably designed to ensure cybersecurity.”  Factors that the Colorado Division of Securities may consider to determine whether a broker-dealer’s or investment adviser’s cybersecurity procedures are reasonable include the firm’s size; its relationship with third parties; its policies, procedures and employee training about cybersecurity practices; its authentication practices; its use of electronic communications; whether it automatically locks devices that have access to Confidential Personal Information; and its process for reporting lost or stolen devices.

Specific practices. In addition to these factors, broker-dealers’ and investment advisers’ cybersecurity procedures must include several specific practices:

Annual assessmentBroker-dealers and investment advisers must incorporate cybersecurity into their risk assessments.  Additionally, broker-dealers and investment advisers must conduct an annual assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information.  The rules do not require that the risk assessment be conducted using an independent third party.            

Secure email. Broker-dealers’ and investment advisers’ cybersecurity procedures must provide for the use of secure email, including encryption and digital signatures, for any email containing Confidential Personal Information.

Authentication. Broker-dealers and investment advisers must adopt practices to authenticate both client instructions received via electronic communications, and employee access to electronic communications, data and media.  The rules do not specify what type of authentication must be used.

Disclosure. Finally, broker-dealers and investment advisers must disclose to clients the risks of using electronic communications, though no specific language is prescribed.

Comparison to the New York financial services cybersecurity rule

Overall, the Colorado cybersecurity rules represent a less prescriptive approach to cybersecurity regulation than the New York Department of Financial Services (NYDFS) cybersecurity rule, the only other broadly applicable state cybersecurity rule to date. Whereas the NYFDS prescribes detailed, rigorous cybersecurity practices, Colorado requires that cybersecurity practices be “reasonable” and establishes  only a handful of higher-level requirements.  The NYFDS rule, for example, requires conducting penetration testing and vulnerability assessments, whereas Colorado instead simply requires a  broker-dealer or investment advisor to include cybersecurity in its risk assessment.  While New York requires multi-factor authentication or risk-based authentication, Colorado, as noted above, simply requires authentication, without further parameters.

The reasonableness standard under the Colorado rules is consistent with FTC guidance on reasonable security, an approach which provides the flexibility to both innovate and adapt the requirements to the entity’s specific circumstances.

“Covered Entities.” Whereas the NYFDS rules apply to a wide range of regulated banking, insurance, and financial services companies (“Covered Entities”), the Colorado cybersecurity rules apply only to broker-dealers and investment advisers.  Additionally, the Colorado rules do not include requirements for third party vendor management.

Nonpublic Information vs. Confidential Personal Information. The NYFDS rule requires companies’ cybersecurity practices to protect all nonpublic information, which includes not only the kinds of “breach notice” personal data protected as Confidential Personal Information by the Colorado rules, but also certain health information and any nonpublic information that could affect a Covered Entity’s business, operations, or security in the event of a breach, which is a far greater universe of information.

Breach notification. Covered Entities must notify NYFDS within 72 hours of a breach.  After soliciting comments from the public and holding a hearing, Colorado removed the breach notification requirement originally included in the rules proposed in April.

Encryption. NYFDS requires nonpublic information to be encrypted both in transit and at rest.  The Colorado rules only explicitly require encryption when Confidential Personal Information is transmitted by email.

Key takeaways

The Colorado cybersecurity rules should not present broker-dealers and investment advisors with overly costly, detailed or burdensome changes.  There is ample flexibility under the rules allowing these entities to tailor their compliance based upon their business.  Finally, the overall approach under the rules does not deviate significantly from existing obligations pursuant to rules and guidance issued by federal functional financial regulators and the FTC.

 

[1] The rules do not limit the “identification card number” to government issued IDs.

LexBlog