Computer laptop with ransomware malware virus key icon on red display background. Vector illustration technology data privacy and security concept.

The global WannaCry ransomware attack should be a wake up call for all companies about the threat ransomware poses. While WannaCry was one of the first highly publicized attacks in which ransomware was weaponized and used against numerous companies at once, there will undoubtedly be future attacks.  Companies can take proactive steps to reduce their chances of being hit by the next ransomware attack, and our team is working with companies around the world to help them be more resilient in light of these evolving threats.

Here are some key steps you can take to help your company protect itself from the next attack:

  1. Make sure software patches are routinely applied.
  2. If possible, only use supported operating systems and other software.
  3. Utilize antimalware and antivirus software tools and services.
  4. Back up your critical data.
  5. Train your employees on how to spot phishing emails.
  6. Create a cross-functional incident response plan.
  7. Practice responding to a ransomware attack in a table top exercise to be able to hit the ground running when this type of event occurs.
  8. Establish or enhance relationships with law enforcement and other critical partners.

In addition, we’ve compiled several resources to help you prepare for and respond to a ransomware incident:

SociallyAware_Vol8Issue1_Thumb2The latest issue of our Socially Aware newsletter is now available here.

In this edition,we examine a spate of court decisions that appear to rein in the historically broad scope of the Communications Decency Act’s Section 230 safe harbor for website operators; we outline ten steps companies can take to be better prepared for a security breach incident; we describe the implications of the Second Circuit’s recent opinion in Microsoft v. United States regarding the U.S. government’s efforts to require Microsoft to produce email messages stored outside the country; we explore the EU’s draft regulation prohibiting geo-blocking; and we take a look at UK Consumer Protection regulators’ efforts to combat undisclosed endorsements on social media.

All this—plus an infographic highlighting the most popular social-media-post topics in 2016.

Read our newsletter.

0329_JS_imageThe European Commission has published two draft directives on the supply of digital content and the online sale of goods that aim to help harmonise consumer law across Europe. In proposing these new laws, the European Union is making progress towards one of the main goals in its Digital Single Market Strategy (announced in May 2015), which is concerned with strengthening the European digital economy and increasing consumer confidence in online trading across EU Member States. According to the Commission, only 12% of EU retailers sell online to consumers in other EU countries, while more than three times as many sell online in their own country. The Commission has also announced a plan to carry out a fitness check of other existing European consumer protection laws.

This article outlines the potential implications of these latest developments, with a particular focus on the UK and Germany.


This is not the first time that the Commission has tried to align consumer laws across the EU: the Commission’s last attempt at a Common European Sales Law faltered in 2015. But the Commission has now proposed two new directives dealing with contracts for the supply of digital content (“Draft Digital Content Directive”) and sales of online goods (“Draft Online Goods Directive”) (together, the “Proposed Directives”). The Online Goods Directive will replace certain aspects of an Existing Sales of Consumer Goods and Associated Guarantees Directive (“Existing Goods Directive”), whereas the Digital Cotent Directive introduces a new set of rights for consumers when they buy digital content across the EU.

Part of the issue with previous EU legislative initiatives in this area is that “harmonised” has really meant “the same as long as a country doesn’t want to do anything different”. This time, the Proposed Directives have been drafted as so-called “maximum harmonisation measures”, which would preclude Member States from providing any greater or lesser protection for the matters falling within their scope. The Commission hopes that this consistent approach across Member States will encourage consumers to enter into transactions across EU borders, while also allowing suppliers to simplify their legal documentation by using a single set of terms and conditions for all customers within the EU.

The Proposed Directives will need to be adopted by the EU Parliament and Council before becoming law. Member States would then have two years to transpose the Proposed Directives into national law.

Continue Reading Digital Single Market Strategy Update: Europe Proposes Further Harmonisation of Consumer Protection Laws

iStock_000058091672_MediumIs an employer allowed to access an employee’s email account when the employee is on sick leave? To what extent is control permissible when an employee is suspected of illegal activities, e.g., of leaking trade secrets? In Germany, these questions are at the crossroads of data privacy and telecommunications law with their respective administrative and even criminal sanctions. The proper rules and best practice examples have been recapped in a guideline (the “Guideline”) issued in January 2016 by the Conference of Data Protection Authorities of the Federation and of the States in Germany (“DPA Conference”).

Private use excluded, employers may dispense with employee consent

To the extent that private email and Internet use is banned or restricted by the employer, only data privacy law applies.  Thus, concerns relating to the Telecommunications Act, employment law, or the Telemedia Act are not applicable if all private use is prohibited. Internet protocol data may be accessed without prior consent, e.g., in order to verify compliance with the restrictions on private use or to protect the network. However, access even to IP addresses should take into account the proportionality principle. According to the Guideline, the employer should, as a first step, evaluate Internet protocol data on an anonymous basis, followed by individual spot tests where necessary.

With regard to emails, the employer is not required to obtain the employee’s consent and may review the content of professional emails relevant to a specific business transaction or as pre‑defined by other specific categories. A constant review of all professional emails is not permissible. Consequently, for employees on leave, out of office messages are the method of choice to inform recipients that the individual may not respond (rather than having someone else check the emails). Alternatively, it is permissible to completely reroute emails if the demands of the workplace require such a solution. Full surveillance of an employee’s online activity is generally prohibited, unless there is a reasonable basis for believing that the employee’s use of the IT services violates the law and the proposed measures are proportional.

Private use of workplace IT triggers telecommunication secrecy consent requirement

Employers should carefully consider whether they wish to permit private use of their workplace IT systems or whether such use should be limited or banned altogether. To the extent that private use is permitted, the DPAs view employers as telecommunication service providers who are bound by the stringent rules of telecommunication secrecy. The chance that the employee’s inbox contains private emails (when private use is allowed) will prevent the employer from accessing the professional account altogether, unless such access is permitted by the employee on a case-by-case basis. Accordingly, to the extent that employees are entitled to use the Internet for private purposes, the employer is prohibited from reviewing the employee’s Internet usage (i.e., who accessed which website at what time and for how long). In contrast, where private use by employees is prohibited, the employer may review such Internet usage without prior consent of the employee.

While a number of lower courts disagree with the DPAs’ view, the question has not yet been decided by a German Federal Court, and employers should follow the DPAs’ interpretation. In practice, sanctions are limited to fines; however, in theory, improper access to private email or to an employee’s private use of the Internet could result in criminal liability.

Permission for private use may be construed where employers fail to sanction private use

The DPA Conference points out that failure to lay down the rules of use will often amount to permission for private use. The same is true for a ban of private use that is not effectively monitored and sanctioned. If an employer tolerates private use for a significant period of time, this conduct may give rise to an (unwritten) company practice, binding the employer for the future. As a consequence, the DPA Conference prompts employers to lay out the rules of workplace use of the IT services in writing, either in the employment contract, a corporate guideline, or, where a works council is established, in a works agreement. The employer may subject permission to specific conditions, e.g., limitations in time, rules of conduct, and general rules limiting the employer’s access to employee emails or Internet data.

Consent is valid only where it is genuinely free

The Guideline does not elaborate on the conditions of consent by the employee. On the European level, the Working Party 29 (WP 29) recognizes consent in the employment context to the extent that it is genuinely free (see Opinion 15/2011 on the definition of consent, dated July 13, 2011, p. 13). Notably, the WP 29 considers consent invalid where it is a condition of employment, such as consent required in the employment contract. Where it is provided in an ongoing employment relationship, consent is valid unless “it is not possible for the worker to refuse.” This conforms to a decision by the Federal Labor Court of December 11, 2014 (docket no. 8 AZR 1010/13, juris). In this decision, the Court held that employee consent provided in an ongoing employment relationship is valid unless concrete evidence indicates pressure or coercion or otherwise a lack of choice.

New Guideline dispenses with requirement of consent by third‑party communication partners

For access to an employee’s email account, the DPAs have, in the past, also required the thirdparty’s consent, i.e., the consent of the sender of an email to the employee. Interestingly, the DPA Conference has now confirmed in its Guideline that employers may dispense with consent of the third‑party sender or recipient, which is naturally hard to obtain in practice. When access to emails is required by the course of business, the DPA Conference states that the employer can rely solely on the employee’s consent.

The latest issue of our Socially Aware newsletter is now available here.

01_08__Jan_SociallyAware_COVER_v6In this issue of Socially Aware, our Burton Award-winning guide to the law and business of social media, we offer practical tips to help ensure the enforceability of website terms of use; we discuss the FTC’s ongoing efforts to enforce disclosure obligations in social media advertising; we examine efforts by top social media platforms to control cyber-harassment and explicit material; we take a look at four recently passed laws protecting Californians’ privacy rights; and we explore legal issues that UK brands need to consider when engaging in vlogger endorsements and social media marketing.

All this—plus an infographic listing 2015’s most popular social media trends.

Read our newsletter.