The Communications Act 2003 provides the legislative framework for the security of public electronic communications networks and services. The Act has been amended several times over the years to deal with the developing EU legal framework. The most recent changes were made by the Telecommunications (Security Act) 2001.
So, lets break this down a little. What are public electronic communications networks and services?
Let’s start with the definitions in section 32, 32A, 135 and 151:
An “electronic communications network” is a system for the conveyance of signals of any description by electrical, magnetic or electro-magnetic energy and the related network apparatus, software, data and other network resources (section 32).
The idea of signals includes speech, must, sounds, visual images, communication of data and the impartation of anything between people, between people and things and between things, or the impartation of anything to use and control network apparatus (section 32).
An “electronic communications service” is an internet access service, or a number-based interpersonal communications service, or services such as transmission services for machine-to-machine services or broadcasting (section 32). A number-based interpersonal service is one that relies on a national or international number plan, which means phone numbers (section 32A).
A public electronic communications network or service are ones that are provided to the public (see section 151)
Tying this together, we arrive at the following positions:
Making phone calls, sending emails, browsing the web and using IoT devices falls within the idea of conveyance of signals.
Messaging services such as WhatsApp do not fall within the idea of a number-based interpersonal service. This is because they are categorised as “number-independent” (section 135). Therefore, WhatsApp (etc.) does not constitute a public electronic communications service.
Content services are not electronic communications services either (section 32). This means that a streaming service such as Netflix or Spotify isn’t covered. Neither are websites.
Webmail isn’t covered either. Ordinary email is, because it constitutes an internet access service (section 32).
Now that we understand what is, or is not, a public electronic communications network or service, we can apply the security rules, which are contained in sections 105A-Z. To clarify the rules apply only to the providers of a public electronic communications network or service, not to services such as WhatsApp, Netflix or websites.
In the order that they appear in the legislation, the rules are as follows:
Network and and service providers must take appropriate and proportionate measures for identifying reducing and preparing for the risks of security compromises. The operational requirements of the CIA Triad form part of these duties.
Network and service providers must take appropriate and proportionate measures for preventing and mitigating the adverse effects of security compromises.
The Secretary of State can issue regulations and codes of practice, to specify appropriate and proportionate security measures for the above purposes. See The Electronic Communications (Security Measures) Regulations 2022.
Codes of practice are subject to public consultation.
Codes of practice are admissible in evidence in legal proceedings and OFCOM must have regard to them during the performance of its regulatory duties.
A notification procedure applies where OFCOM suspects that a network or service provider has failed to comply with a Code.
Where there is a significant risk of a security compromise, the network and service providers must give reasonable and proportionate notice to users who may be adversely affected, providing information about the risk and steps for mitigation.
Network and service providers must inform OFCOM of actual or potential security compromises, where they meet the statutory thresholds of seriousness. Notification must be as soon as reasonably practicable.
OFCOM has duties and powers to notify others of security compromises that meet the relevant thresholds of seriousness.
OFCOM has a general duty to ensure compliance with the security and notification duties.
OFCOM has a power to assess compliance with the security and notification duties. This power is supported by the issuance of “assessment notices”. Rules are included for cases of urgency. Network and service providers can challenge assessment notices in court.
OFCOM must issue an annual report, to provide a statement about the number of times it entered premises following the issuance of an assessment notice.
OFCOM can take enforcement action, if the security duties are not complied with. Depending on the contravention, daily fines of between £50,000 to £100,000 per day can be imposed. Fines for failing to comply with a code of practice are capped at £10 million.
OFCOM can require a network or service provider to take interim steps pending the completion of enforcement action, where the security duties are not complied with, or there has been a security compromise, or where there is an imminent risk of a security compromise.
Breach of the security or notification duties is actionable by every person affected by the contravention.
There are carve-outs from the duties for various law enforcement, national security and similar purposes.
OFCOM is required to publish a policy statement concerning its functions.
OFCOM must also provide the Secretary of State with an annual security report, to assist the SoS with policy development.
So, in conclusion, the providers of public electronic communications networks and services are subject to security duties, which can be enforced by OFCOM. The security duties can be developed by the Secretary of State, through regulations and codes of practice.
Read my blogs on where to find the detail of security law, to understand how the concept of “appropriate and proportionate measures” will work in practice.
Easy!
