3. 3squirepattonboggs.com 3squirepattonboggs.com
Agenda
8.30am Breakfast & Registration
9.00am Welcome & Introduction – Rob Elvin
9.05am Update on the legal Recruitment Sector – Michael Page Legal
9.15am Labour & Employment – key employment law developments – Paula Cole
9.45am Update on Competition Law – Diarmuid Ryan
10.05am Interpreting & Drafting Contracts in English Law – keeping up with the modern approach – Ben Holland
10.35am Coffee Break
10.50am Cyber Liability – Victoria Leigh and Sebastiaan Pronk
11.20am Speaking with confidence and influence – Esther Stanhope
12.15pm Questions & Conclusions
12.30pm – 1.30pm Networking Lunch
4. An update on the legal Recruitment Sector
Michael Page Legal
6.
Holiday Pay – a reminder of how we got here
Article 7 of the Working Time Directive – four weeks’ “paid” leave
Regulation 16 of the Working Time Regulations 1998 – a “week’s pay” for
each week’s leave is calculated in accordance with sections 221 – 224 of the
ERA 1996
ERA provisions are complicated and vary depending on whether an
employee works “normal working hours” or not
7.
Holiday Pay – a reminder of how we got here
“Normal working hours” – an employee is entitled to be paid his normal basic
weekly pay (Section 221) – would not normally include overtime (except
compulsory overtime), bonuses, commission, etc.
No “normal working hours” – an employee is entitled to be paid his average
weekly pay in the applicable 12 weeks (Section 224) – would include
overtime, bonuses, commission, etc.
8.
But then it all changed!
Case / Ruling / Status
BA Plc v Williams [2012]
Ruling: Supreme Court ruled that workers are entitled to receive their “normal remuneration” during annual leave – includes remuneration “intrinsically linked to the performance of the tasks”
Bear Scotland [2014]
Ruling: EAT ruled that a worker’s holiday pay should take into account non-guaranteed overtime
Lock v British Gas Trading Ltd [2015]
Ruling: ECJ ruled that commission should be taken into account for holiday pay purposes
Status: Leicester ET ruled that WTR can be amended so as to reflect European law – decision now being appealed to the EAT
9.
Lock v British Gas – in more detail
ECJ’s decision: 4-week statutory holiday that derives from the Directive
should take into account commission payments
Leicester ET’s decision: WTR should be amended to include a provision
that “… a worker whose remuneration includes commission or similar
payment shall be deemed to have remuneration which varies with the amount
of work done…”
Lots of questions around commission still remain unanswered, including what
is the relevant reference period (12 weeks? 12 months?)
10.
Holiday Pay Update
So where does this leave employers?
What should now be included in holiday pay for WTR purposes?
Voluntary overtime?
• (NB Patterson v Castlereagh Borough Council, due to be heard in NI CA on 19 June)
Bonuses?
Allowances?
11.
Holiday Pay Update
So where does this leave employers?
What is the correct reference period for averaging pay?
Historical liability for unlawful deductions
Bear Scotland – any break of 3 months between deductions could break the chain
for time limit purposes
2-year cap on claims for backdated holiday pay – 1 July 2015
12.
Holiday Pay - What should employers be doing?
Employers should be:
Carrying out a review of their holiday pay arrangements in light of the recent
cases
Monitoring ongoing developments
Assessing potential risk/impact to business (forwards and backwards)
13.
Hot Employment Law Topics (Case Law)
Recent case law developments
USDAW v Ethel Austin, ECJ, 30 April 2015 (the “Woolworths case”)
Duty to collectively consult where 20 or more redundancies are proposed
“at one establishment” within a 90 day period
Previous EAT decision on meaning of “establishment”
ECJ’s decision – “‘Establishment’ means the entity to which the workers
made redundant are assigned to carry out their duties.”
14.
Hot Employment Law Topics (Legislation)
Recent legislative developments – effective 5 April 2015
Shared parental leave and pay
Age limit on unpaid parental leave increased from 5 to 18 years
Statutory adoption leave – now a “Day One” right and increase in amount of
Statutory Adoption Pay to bring into line with Statutory Maternity Pay
15.
Hot Employment Law Topics – On the horizon
Forthcoming legislative developments
New Government Fit for Work Service
Free health and wellbeing advice to assist with absence prevention
Free occupational health assessment
£500 per employee annual tax exemption
16.
Hot Employment Law Topics – On the horizon
Forthcoming legislative developments
Small Business, Enterprise and Employment Act 2015
Employers of 250 or more employees to be required to publish their gender pay
information
Outlawing exclusivity clauses in zero hours contracts
19.
Cartel offence
Galvanised Steel Tanks:
• Mr Peter Nigel Snee, Managing Director of Franklin Hodge Industries
Limited, pled guilty on 17 June 2014 to the criminal cartel offence
• Prosecution of Messrs Dean and Stringer
Indicates successful prosecutions were possible under old test
20.
CA98 enforcement 2014/2015
Inherited from OFT
Concluded
Sports Bras RPM – “no grounds for action”
Road Fuel Distribution in Western Isles – Ch.II (exclusive supply) commitments
Vehicle service etc platforms – Ch.II (switching restrictions) commitments
Hampshire estate agents – Ch.I (agreement not to advertise fees) fine £735K (10% settlement discount and 5% compliance discount); 18 months probe (1 year to issue SO)
Mastercard/Visa Interchange Fees: on hold – December 2014 decision not to impose interim measures; file closed May 2015 (administrative priorities)
Ongoing
Galvanised Steel Tanks
Paroxetine pay-for-delay (Ch.I and Ch.II)
Hotel online booking: OFT commitments decision quashed (Skyscanner) (ongoing)
Supply of Pharmaceutical Products (Ch.I and Ch.II)
21.
CA98 enforcement 2014/2015
CMA originated
Ongoing
Bathroom fittings vertical agreements (Ch.I)
Commercial catering equipment vertical agreements (Ch.I)
Clothing/footwear/fashion conduct (Ch.I)
Healthcare sector (Ch.I)
Pharmaceutical sector (Ch.II)
Commentary:
Hardly any fines in Year 1
Improve robustness and speed of decision making (CMA annual plan)? too
early to say
Use of new powers (CMA annual plan): CMA has conducted compulsory
interviews; not yet imposed interim measures
Insufficient attention to extent of burden (esp. on small businesses)
22.
Market studies and investigations
Inherited from OFT/CC
Concluded investigations
Statutory audit services
Private motor insurance
Aggregates, cement and ready-mix concrete
Concluded studies
Residential property management services
Ongoing investigations
Payday lending (remedies)
Private healthcare: 15.12.14 CAT quashed CMA report (procedural error – failure to
re-consult on insured pricing analysis) and remitted to CMA
23.
Market studies and investigations
CMA originated
Concluded
Competition and regulation in higher education in England project
Commercial use of consumer data report
Ongoing
Groceries pricing super-complaint
Retail banking market investigation: provisional findings September 2015
Energy market investigation: provisional findings June 2015
Commentary
CMA is certainly taking on “strategically significant” cases
CMA’s ability to deliver high quality and robust reports within new statutory
time limits?
Concern about CMA willingness to impose divestiture remedies: “in
principle…the selling firm…should be indifferent between holding this asset
and selling it at a fair price ” Chisholm, September 2014
24.
Merger control
References
Closed
Pure Gym/The Gym (cancelled)
Pork Farm/Kerry (cleared)
Ongoing
Xchanging/Agency (provisionally cleared)
Reckitt Benckiser/K-Y (SLC provisional finding)
Sonoco/Weidenhammer (provisionally cleared)
Ashford and St Peter’s Hospitals/Royal Surrey
Pennon/Sembcorp Bournemouth Water
Poundland/99p
BT/EE
UILs
Diageo/United Spirits
Immediate/Future Publishing
Motor Fuel/Murco
GTCR/Gorkana
Intercity Railways/Intercity East Coast
Greene King/Spirit
25.
Mergers
Commentary
CMA response to statutory 40 working day Phase I review period – much
longer pre-notification process, much heavier information burden (new Merger
Notice)
Hold-separate regime for completed mergers much more intrusive and
effectively automatic
Represents significant cost on UK business – may have deterrent effect,
particularly on small mergers (CMA considering new guidance on de minimis
discretion)
Improved Phase I process (access to decision-maker)
26.
CMA before the courts
Some reverses
HCA –v- CMA (Dec 2014): HCA denied adequate opportunity to comment
Skyscanner (September 2014): no proper consideration of objections
AC Nielsen –v- CMA (July 2014): material error of fact
Eurotunnel (CA; May 2015): acquisition of assets not a “merger”
Some successes
AXA PPP Healthcare –v- CMA (March 2015): upholding exercise of CMA’s discretion that consultant groups did not lead to AEC
Tobacco (January 2015): Admin court refused to order CMA to repay Gallaher
fines (but highly critical of payment to TMR)
Ryanair; AkzoNobel
Commentary
CAT provides robust judicial review – great merit of UK system
Shows importance of effective systems/processes, particularly with new
accelerated statutory deadlines (market investigations; Phase I mergers)
30.
Summary of current law
Contractual interpretation is an OBJECTIVE exercise
The SUBJECTIVE intention of a party is IRRELEVANT to questions
of interpretation
The OBJECTIVE interpretation of a contract = REASONABLE
PERSON
REASONABLE PERSON with the factual background available to the
parties (including general commercial considerations)
Where a REASONABLE PERSON would consider that there was
more than one meaning, English law favours the construction
consistent with BUSINESS COMMON SENSE (or COMMERCIAL
SENSE)
31.
Traditional approach
Four corners of the contract
“nothing could be more dangerous than to go out of the four corners of a
contract, and endeavour to find out the meaning of the parties from other
circumstances not mentioned or alluded to in the contract itself” (Hall v Ross
[1813] 3 E.R. 672 – House of Lords)
Construction has a strong legal bias
Latin legal maxims as an aid to construction
32.
The new approach
Objective: The objective nature of interpretation (unchanged)
Contextual: Increased emphasis on context – the objective meaning
of the words set against “the factual background”
Commercial: A new policy of commercial sense (reasonable result)
Unitary exercise: The above is a single exercise
33.
Lord Hoffmann enters the House of Lords
Charter Reinsurance Co v Fagan [1997] AC 313
“actually paid” interpreted to mean “actually payable”
Lord Hoffmann said “the notion of words having a natural meaning is not a
very useful one. Because the meaning of words is not sensitive to syntax
and context…”
Mannai v Eagle Star Assurance [1997] AC 749
“12th January” interpreted to mean “13th January” in the context of an otherwise invalid notice
Lord Hoffmann said “It is a matter of consistent experience that people can
convey their meaning unambiguously although they have used the wrong
words”
34.
Investors Compensation Scheme Ltd v West Bromwich
Building Society (No. 1) [1998] 1 W.L.R. 896
Clause in dispute:
“any claim (whether sounding in rescission for undue influence or otherwise)
that you have against the…society in which you claim an abatement of sums
which you would otherwise have to repay to the society…”
Should the clause be interpreted to mean:
“any claim sounding in rescission (whether for undue influence or otherwise)
…”?
35.
Investors Compensation Scheme Ltd v West Bromwich
Building Society (No. 1) [1998] 1 W.L.R. 896
Hoffmann sets out his 5 principles of contractual interpretation:
Interpretation is the ascertainment of the meaning which the document
would convey to a reasonable person having all of the background
knowledge that would reasonably have been available to the parties in the
situation in which they were at the time of the contract
Background (or factual matrix) includes absolutely everything which would
affect the way in which the language of the document would have been
understood by a reasonable man
English law excludes evidence of negotiations and subjective intent
The meaning which a document would convey to a reasonable man is not
the same thing as the meaning of its words
The “rule” that words should be given their “natural and ordinary meaning”
reflects the common sense proposition that we do not easily accept that
people have made linguistic mistakes
36.
Lord Hoffmann’s last big case
Chartbrook Limited v Persimmon Homes Limited [2009] UKHL 38
Confirmed objective nature of interpretation: negotiations are
irrelevant
Confirmed active approach to construction and interpretation:
“What is clear from these cases is that there is not, so to speak, a limit to
the amount of red ink or verbal rearrangement or correction which the
court is allowed. All that is required is that it should be clear that
something has gone wrong with the language and that it should be clear
what a reasonable person would have understood the parties to have
meant. In my opinion, both of these requirements are satisfied.”
37.
Rainy Sky v Kookmin Bank [2011] UKSC 50
In 1997, Lord Steyn wrote in “Contract law: Fulfilling the reasonable
expectations of honest men” 113 LQR 433, 441:
“Often there is no obvious or ordinary meaning of the language under
consideration. There are competing interpretations to be considered. In
choosing between alternatives a court should primarily be guided by the
contextual scene in which the stipulation in question appears. And speaking
generally commercially minded judges would regard the commercial purpose
of the contract as more important than niceties of language. And, in the
event of doubt, the working assumption will be that a fair construction best
matches the reasonable expectations of the parties.” (emphasis added)
38.
Rainy Sky v Kookmin Bank [2011] UKSC 50
“The language used by the parties will often have more than one
potential meaning. I would accept the submission made on behalf of the
appellants that the exercise of construction is essentially one unitary
exercise in which the court must consider the language used and
ascertain what a reasonable person, that is a person who has all the
background knowledge which would reasonably have been available to
the parties in the situation in which they were at the time of the contract,
would have understood the parties to have meant.
In doing so, the court must have regard to all the relevant surrounding
circumstances.
If there are two possible constructions, the court is entitled to prefer the
construction which is consistent with business common sense and to
reject the other.”
39.
Rainy Sky v Kookmin Bank [2011] UKSC 50
Supreme Court affirms the legacy of Lords Steyn and Hoffmann
Objectivity
Contextual
Commercial
Iterative process
Confirms importance of commercial sense
But when are there more than two meanings?
40.
Napier Park European Credit Opportunities Fund
v Harbourmaster [2014] EWCA Civ 984
Trial judge held that language was clear/unambiguous on its ordinary
meaning, so he did not need to go on to consider commercial
context
Court of Appeal held that, where possible, the court should test any
interpretation against the commercial consequences
Beware adopting an unduly narrow grammatical reading of the
clause or failing to take account of its obvious purpose and context
“It follows in my judgment that, where possible, the court should test
any interpretation against the commercial consequences. That is part
of the iterative exercise of interpretation. It is not merely a safety valve
in cases of absurdity.” (Lewison LJ)
Place the rival interpretations of a phrase within their commercial
setting and investigate their commercial consequences
So, how does this apply to recent contracts?
41.
The future: Greater judicial licence to intervene?
Using the commercial background to “create” more than one “natural meaning” – “actually paid” interpreted to mean “actually payable”
Using commercial reasonableness to select the correct meaning
Extending commercial reasonableness beyond the express terms of
the contract through implied terms and a revised remoteness test
Rewriting each contract’s history?
Reconstructing the commercial “factual matrix” at a time and distance
from contract formation that makes the exercise inherently unreliable
42.
Drafting – Points to beware
Areas for particular care
Terms that may appear “uncommercial” to a third party at a time
and distance from when the contract is made
Reliance on traditional “legal” rules or maxims of construction to
give words meaning e.g. “consequential loss”
Is a “condition” a condition in law or is it an innominate term?
43.
Drafting – How to manage this new landscape
Drafting
Recording the commercial “background”: Recitals
Setting out your own meaning: Defined terms
Selecting your own “maxims”: “Interpretation clause”
Termination provisions that are a complete code (dealing with the
“condition” issue)
Deal management
Ambiguity gets the deal signed, but it creates risk: Absent clear
agreement with the counterparty there is a risk that a court will not
agree with your interpretation
Keep papers from deal, as some will help with “factual matrix”
46. THE RISK RANKING 2011 AND 2013
CYBER: A HOT TOPIC
Lloyd’s Risk Index – top ten business risks
2011
1 Loss of customers/cancelled orders
2 Talent and skills shortage
3 Reputational risk
4 Currency fluctuation
5 Changing legislation
6 Cost and availability of credit
7 Price of material inputs
8 Inflation
9 Corporate liability
10 Excessively strict regulation
2013
1 High taxation
2 Loss of customers/cancelled orders
3 Cyber risk
4 Price of material inputs
5 Excessively strict regulation
6 Changing legislation
7 Inflation
8 Cost and availability of credit
9 Rapid technological changes
10 Interest rate changes
Source: Lloyd’s board risk index – http://www.lloyds.com/news-and-insight/risk-insight/lloyds-risk-index
47. VALUES AND BEHAVIOURS: TECH TRENDS
Always on
Always available
Quick to deliver
Easy to adapt
DIGITAL SOCIETY – EVERYTHING JOINS UP
BIG INSIGHTS – making use of big data
49. THE THREAT ACTORS
CYBER: THREATS
HACKTIVISM – hacking inspired by ideology
Motivation: shifting allegiances – dynamic, unpredictable
Impact to business: public distribution, reputation loss
ORGANISED CRIME – global, difficult to trace and prosecute
Motivation: financial advantage
Impact to business: theft of information
THE INSIDER – intentional or unintentional?
Motivation: grudge, financial gain
Impact to business: distribution or destruction, theft of information, reputation loss
STATE-SPONSORED – espionage and sabotage
Motivation: political advantage, economic advantage, military advantage
Impact to business: disruption or destruction, theft of information, reputational loss
50. SECTORS: WHO IS BEING TARGETED?
Automotive
Aerospace
Energy providers
Banks
Professional & legal services
Defence
Advanced manufacturing
Renewable energy
Building societies
Research institutes
Pharmaceuticals & biotechnology
Mining & natural resources
Communications
Wider financial services
Academia
51. WHAT IS BEING STOLEN/LOST?
CYBER: SECURITY
Information that is valuable
Business critical information
Critical transactions
Intellectual property – research
Business processes – finance and personal
Partners, supplier and student data
54. CYBER IN YOUR SECTORS
CYBER: IN YOUR COMPANY
The vectors remain the same but the risk rises exponentially
What are your ‘Crown Jewels’ that you need to protect?
Are you investing your money efficiently in your cyber controls?
Who is accountable for managing your cyber risk?
Do you know what information is leaving your business and how?
What are your regulatory obligations and are you compliant?
How do you balance digital opportunity and cyber risk?
How do your cyber security capabilities compare to your peers?
How would you handle a cyber breach or attack?
How are you managing your suppliers to ensure they are not a weak point in your security?
57.
Cyber Liability
INTRODUCTION
• Why Data Loss Matters – UK Regulatory Regime
• Europe - The Future
– Network and Information Security Directive
– General Data Protection Regulation
• Litigation Risks
• 10 Things Not To Do
58.
WHY DATA LOSS MATTERS
REGULATORY IMPACT
• ICO Sanctions
– Fines of up to £500k per breach
– Undertakings
– Name and shame
– Orders: information notices; assessment notices; enforcement (‘stop-now’) orders
• Other Regulators – FCA, tPR
59.
WHY DATA LOSS MATTERS
OTHER ISSUES INCLUDE
• Claims
– Credit card companies/banks
– Individuals
• Damage to Data & Systems
• Business Interruption
• Increased Costs
• Loss of Reputation/Goodwill
– Existing customers
– New customer generation
– Shareholder value
60.
The Network and Information Security Directive (NISD)
• Currently under review and trialogue with Parliament, Council & Commission
• Possible Adoption 2015?
• Implementation into Member States’ law 2017?
• Aims
• Approach
• Potential Impact
61.
EU Draft General Data Protection Regulation (‘GDPR’)
What is it?
Single regulation planned to replace existing EU data protection laws
When will it come into force?
Still being debated in EU but may finally be passed in late 2015
2 years to implement if passed so 2017 at earliest
62.
EU Draft General Data Protection Regulation (‘GDPR’)
Key Points
Significant increase in potential fines
– Up to €1m and/or 2% of global turnover
Compulsory breach notifications
– Regulator
– Affected individuals
Extension to non-EU companies targeting EU
One-stop-shop for businesses operating across multiple EU countries
Mandatory data protection compliance officers
Privacy-by-design
Expanded ‘right to be forgotten’
63.
Litigation risks
• Increased regulatory scrutiny, both at domestic and EU level
• FCA Regulation – eg Zurich fined £2.27M
• Disclosure and Transparency Rules (DTR 2.2.1R)
• Section 92 Financial Services and Markets Act 2000
• Breach of contract – force majeure/frustration?
• Negligence – comply with "best practice" guidance
• UK claims – class actions/individuals v companies
• Consequential losses – eg NatWest and RBS Banking Services in 2012:
£125 million of customer compensation
• Ensuring business continuity – check the contract!
• Notification to ICO – serious breach?
• Intellectual property/knowledge risks
• Proceeds of Crime Act 2002
64.
ICO – To Report Or Not To Report
No legal obligation to report breach but consider:
– Potential detriment to data subjects (individuals)
– Volume of personal data lost/released/corrupted
– Sensitivity of data lost/released/corrupted
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data” – 7th Principle
65.
TEN THINGS NOT TO DO
1. LEAVE DATA BREACH PLANNING UNTIL YOU BREACH
• Data breaches never happen at convenient times
• Easy to forget things in heat of moment
• Immediate commercial decisions required
– Notifications
– PR position
• Assistance needed from third parties, e.g. insurers, PR agencies, forensic IT
• Staff need to be trained on responses
• Need plan to safeguard systems & preserve evidence
66.
TEN THINGS NOT TO DO
2. FORGET WHAT DATA YOU HOLD
• Critical to assess risk/plan strategy following breach
• What data is held
– Catalogue specifics e.g. if bank details or sensitive personal data
– Problems can arise when data acquired but never assimilated
• Where is it held
– Physical locations and systems
• How it is stored & protected
– CSV file, proprietary format etc…
– Encryption, password protection etc…
• Who holds/has access to it
– Can assist in identifying cause of breach
67.
TEN THINGS NOT TO DO
3. KEEP UNENCRYPTED DATA ON YOUR LAPTOP/TABLET
• ICO’s bête noire & guaranteed fine generator
• Password protected ≠ encrypted
• Caution if data is transferred to any personal device
• Ensure personal data is permanently deleted
– Deleting from trashcan ≠ permanently deleted
• Dangerous locations/lengthy travel
– Consider switching hard drives before travel
68.
TEN THINGS NOT TO DO
4. LEAVE SECURITY PLANNING TO THE IT TEAM
• ICO invariably asks for copies of security policies
• IT teams usually great at technical security. Not necessarily so good at documenting it
• Consider in particular
– Type & location of data
– Physical security
– Logical security
– Security in flight and at rest
– Access controls
– Data destruction
69.
TEN THINGS NOT TO DO
5. LET MARKETING TEAMS/AGENCIES DO THEIR OWN THING
• Many breaches we have dealt with have come from marketing, particularly use of external marketing agencies
• Tend to be less aware of issues/need for security than HR/finance
• Large numbers of external contractors involved
• Consider
– Data security/use training & policies
– Contracts with external providers
70.
TEN THINGS NOT TO DO
6. IGNORE LOW VALUE CONTRACTS
• Many breaches we have dealt with were due to lapses at contractors rather than internal security.
• Data contracts can be low value but high risk
– e.g. online payment gateways, customer verification services, apps, social media management services
• Legal obligation to have written contract in place
• ICO will inevitably ask for contract details
• Importance of ongoing due diligence on suppliers
71.
TEN THINGS NOT TO DO
7. ACT BEFORE YOU HAVE A CLEAR VIEW OF THE SITUATION
• First instinct is frequently to assume the best – e.g.
– there is no breach
– breach poses no/little risk
– little data involved
• Small changes in circumstances can have a large impact on actions
– e.g. data encrypted vs unencrypted
• Difficulty in changing course once you go public/notify individuals
• If you decide to notify, ICO will require detailed information about breach
72.
TEN THINGS NOT TO DO
8. USE DEFAULT PASSWORDS/UNPROTECTED WIFI
• Default passwords
– Much easier to retrieve
– Change in accordance with password policy
– Don’t use information easily obtained from social media sites – e.g. birthdays
– Password length is key
• Unprotected WIFI
– Frequent source of hacks
– Hard to track users
73.
TEN THINGS NOT TO DO
9. IGNORE IT – NO-ONE WILL EVER KNOW
• If unclear whether breach has occurred, suspect it has and investigate
– Must be able to explain actions to ICO with justifiable reasons
– If fail to investigate properly, immediately on back-foot with ICO
• People talk – particularly if they find themselves with information they shouldn’t have
• Internal memos have a habit of leaking
• Delays in responding cause serious reputational damage
74.
TEN THINGS NOT TO DO
10. MAKE A BAD THING WORSE
• Involvement of staff who do not have adequate data security training
• Own investigations can trigger further breaches
• Loss of privilege
• Failure to preserve evidence
I should own up at the start and say that I am not a data protection lawyer but a commercial litigator. This means I tend only to see things when they have gone wrong. Whilst there are some steps which can be taken to stop a bad situation becoming worse after a cyber attack, prevention is better than cure and the best way to minimise your exposure to cyber risks is to think ahead about what might go wrong and how you can try and stop that happening. Either in the packs or to be emailed along with the slides to you is our Data Breach Checklist, which will give you an idea of some of the things companies can do to manage and limit the risk of accidental and intentional data loss or destruction, but in the short time available today I’m just going to run through very briefly a few issues to think about on both the preparation and response sides of the coin.
Agenda is…
Why data loss matters with a brief refresher on the UK regulatory regime
Proposed new European legislation
Some litigation risks; and, if time
10 things not to do
As Sebastiaan has already highlighted, there can be major regulatory sanctions for data breaches.
If you are an FCA regulated entity or dealing with pension scheme information, for example, then industry regulators will be interested in you but the overarching regulator for all industries in this jurisdiction is the ICO.
Set out on the slide there are a number of things the ICO can do – some of the most serious include issuing fines of up to £500k per breach (new guidance on monetary penalties was issued in April), requiring a company to give binding public undertakings to process information in a particular way, publicising action taken and issuing notices requiring you to stop processing data completely if it does not like the way you are doing things, which would pretty much be a killer for many businesses.
There have been a number of changes to the law so far this year which have meant that increased levels of damages can be awarded for data protection breaches and there is a greater likelihood of monetary penalties being imposed for breaches of the DPA 1998.
For example, the E-Privacy Regulations have been amended to allow the ICO to impose monetary penalties on a party which has committed a serious breach in relation to unsolicited calls/texts/emails (direct marketing) without having to prove substantial damage and distress has been caused to an individual.
The upper limit (£5k) on fines which magistrates courts may impose for breaches of the DPA has been removed.
The Court of Appeal also issued a judgement in March in relation to a claim involving Google that could make it much easier for individuals who are adversely affected by breaches of data protection law to bring claims for compensation. Previously, under s13(2) of the DPA 1998 an individual in the UK could only bring a claim for distress if they had also suffered pecuniary damage. However, the CA determined that the legislation had not properly transposed the Data Protection Directive into UK law and so s13(2) should be disapplied. This judgement is subject to appeal to the Supreme Court but it paves the way not only for a group action against Google by millions of Britons but also the floodgates to compensation claims against data controllers where the individual has suffered distress but no pecuniary loss. Whilst compensation itself may be modest, data controllers may need to expend significant resource on defending such claims, especially if a number of individuals are affected.
The upshot is that companies should carefully assess their compliance with the DPA to make sure their risk profile is as low as possible. Addressing compliance issues now will also put companies in a much better position going forward as and when the new DP Regulation comes in to force.
Of course, there are not only regulator issues but other business issues as well. Again, the slide covers some of the key ones.
I’ve already mentioned claims by individuals. Those of you who operate in businesses that handle credit cards will be aware of the Payment Card Industry Data Security Standard but many businesses are still not compliant with it, despite being notified by banks a few years ago. Whilst the main terms of the card providers will be known to the businesses that sign up to use them, hidden in the detail, and often a surprise, are provisions which allow the card providers to appoint an auditor to review your systems if they suspect that fraudulent activity has been taking place. The first you will hear of this is a letter from the card provider telling you that this is happening. Worse still, you have to pay the costs of the auditor (even if it finds nothing wrong) and the report gets passed back to the card provider without being shown to you.
If you don’t get a clean bill of health and are not compliant with the standard then your bank will be subject to card scheme penalties and will pass through the cost of any fines to you. In addition, if the credit card provider has suffered a loss in having to refund a customer’s money for a fraudulent transaction then it may also look to you for recompense for being out of pocket. Clearly, if there is a significant issue then these costs can mount up and make it a very expensive exercise.
One thing which we know some companies are doing where there has been a hack is offering customers a paid-for credit monitoring service. This can be reassuring and, whilst not obligatory, can often pull back some of the PR damage as well as limit any subsequent individual claims.
This is the EU’s attempt to legislate for a cyber security strategy, aimed at tackling network and information security incidents and risks across the EU and replacing the current voluntary cooperation between member states. It was proposed in 2013 and the current aim is to try to reach agreement on the text by the end of this month, although there is still a lot of disagreement between the European Parliament and national governments about which companies should be subject to the directive and which obligations should apply to them.
The Directive aims to ensure a high common level of network and information security and improve the security of the internet, private networks and information systems underpinning the functions of societies and economies. The directive is supposed to require member states to increase preparedness and improve co-operation with each other by requiring operators of critical infrastructure and public administrations to adopt steps to manage security risks and report serious incidents to a national competent authority. The draft requires member states to establish a network information security strategy, designate a national competent authority and set up a computer emergency response team to handle incidents and risks. These authorities are then supposed to liaise with each other across Europe.
There is a debate as to what types of business are going to be covered by the Directive, but the current non-exhaustive list includes those operating in the energy, banking, health, transport and financial services sectors. Those operators which are covered are going to have to comply with mandatory security breach and incident notification requirements to CERT UK, which was launched on 31 March 2014, and can be subject to investigations for non-compliance as well as sanctions (for that read fines as a % of turnover).
Authorities will be able to make the details of a breach public at their own discretion.
Companies must therefore minimise the risk of threats as far as possible if they wish to avoid reputational damage.
Better security is obviously a good thing, but there are some potential negative impacts, as the new reporting requirements can be burdensome and costly, diverting resources away from areas requiring greater investment. There is also some doubt at this stage as to how well this directive will fit with the proposed General Data Protection Regulation, as companies could face a situation where different types of reporting are required for different authorities for what is essentially the same issue.
The proposed draft General Data Protection Regulation has been in the offing for some time. Its purpose is to update the DP directive (which is now 20 years old), simplify the regulatory environment across the member states, allegedly cut red tape and save businesses €2.3 billion per year.
It is still being debated, but current indications are that it may finally be passed later on this year, although it will take another 2 years to implement. As it’s a regulation it is directly effective and does not need member states to implement it.
Some of the key points are on the slide here but the headline grabbing ones are the significant increase in value of fines, obligatory breach reporting and the mandatory appointment of a data protection compliance officer for each organisation.
The current draft provides for the imposition of sanctions of the greater of up to 2% of annual worldwide turnover or €1m, although the fines are split into categories depending on the nature of the infringement. A seemingly minor infringement of not responding to a data subject access request in time can lead to a fine of up to 0.5% of annual worldwide turnover.
Another major change is that the reporting of data breaches will become compulsory. There will be a wider definition of what a personal data breach is, a data processor will have to notify the data controller of a breach and the controller in turn will have to notify both the data protection authority and affected individuals.
Something else new is that the regulation will impose a number of compliance obligations as well as sanctions directly on service providers. At the moment service providers do not have any direct obligations to comply with EU data protection laws and their obligations derive from their contracts with controllers. This is something that you should all be looking at now if you are negotiating any contracts with service providers, to make sure they are future-proof. Businesses should be carefully documenting the responsibilities of the parties, particularly as regards the implementation of security, carrying out data protection impact assessments and providing consent for sub-processing. If your business is in the process of acquiring a new IT system then you should be asking the supplier questions to make sure they are going to be compliant with the new regulations.
It goes without saying that once the Regulation has been implemented you should be reviewing all contracts to see how compliant they are and what might need changing.
Wanted to give a flavour of the litigation risk landscape:
Increased Regulation -
Imminent changes to the regulatory landscape will soon mean that businesses will not be able to keep data breaches a secret.
FCA
As already mentioned, industries regulated by the FCA will need to comply with the FCA handbook.
There are obligations on regulated entities to take reasonable care to establish and maintain effective systems and controls for compliance with regulatory requirements and to counter the risk that the entity may be used to further financial crime.
In 2010, Zurich Insurance Plc was fined £2.27 million for regulatory breaches by the then FSA. The fine was levied due to the loss of unencrypted electronic storage media that was in the hands of a subcontractor. Zurich was obliged to sign an undertaking with regard to its future handling of back-up storage media.
DTR
Listed companies may have a duty to disclose cyber security breaches to the market under DTR 2.2.1R which provides that an issuer must notify a regulatory information service as soon as possible of any inside information which directly concerns the issuer.
A breach event may constitute inside information – i.e. theft of business-critical intellectual property is very likely to be price-sensitive, whereas a minor disruption to ancillary services for a short time may not be. [For example, Sony's announcement of the loss of PlayStation customer data in 2011 caused its share price to fall by 5.4% and that decline has continued. By contrast, when Apple announced to the US market that it had been hacked in February 2013 its share price barely moved, dropping just 0.2%, and has continued to perform well since].
FSMA
Any issuer that publishes material that fails adequately to disclose cyber security events, and minimises their impact or down plays their significance may be at risk from claims from investors under Section 90 of FSMA.
There may be additional liability for misleading statements, including liability for misrepresentation, negligent misstatement or deceit.
Breach of contract
Even if the security breach does not lead to the loss of customer data, the business disruption can leave companies heavily exposed to claims for breach of contract if the disruption means they fail to fulfil express contractual obligations.
For some businesses, the disruption itself may be sufficient to breach express or implied contractual obligations to maintain adequate and functioning IT services. Force majeure clauses may assist.
A business may also try to argue that a cyber attack has caused the contract to be frustrated because a material change in circumstances has rendered it physically or commercially impossible to perform – although this is a difficult argument to run.
Negligence
A failure to exercise reasonable skill and care could result in liability to third parties - although the third party customer would need to prove the damage and losses that it suffered.
One way to minimise the potential for this type of claim is to ensure that the cyber security measures of the business comply with current best practice.
In September 2012, BIS issued guidance on how businesses could best protect themselves from cyber attacks.
BIS's "Cyber Essentials" scheme is also regarded as good practice to be adopted.
ISO requirements: additionally, the Government will soon finalise the new organisational standard on cyber security based on the ISO 27000 series standards.
UK Claims
I have already mentioned how the position here may now change given the recent Google case.
Large claims brought by third party card issuers/financial institutions currently represent a potentially more significant threat to UK businesses.
Consequential Losses
A major problem arising out of disruption to businesses is the potential for large claims to arise out of short-lived service interruptions, leading to escalating losses that can flow directly from a cyber security problem.
A good example was seen in 2012, following relatively prolonged disruption to the NatWest and RBS banking services in the wake of a software update.
The banks offered to refund customers for any late payments and overdraft fees incurred as a result of the system failure, which resulted in £125,000,000 of compensation payments.
Although a voluntary reimbursement, this type of consequential loss would probably fall within the normal contractual or tortious assessments of damage.
This issue is acute for financial services and those operating in time-critical environments such as brokerage firms, where small delays are capable of giving rise to substantial liability.
It is therefore important for a business' IT department to be able to report directly to the Board once it has identified a breach.
Business Continuity
Companies should consider whether their suppliers are contractually obliged to provide business continuity support following the event of a cyber attack.
If there is no such obligation, companies should decide whether to accept the risk, vary the contract, or look to a third party to provide such support.
ICO
There is no legal obligation on most companies to notify the Information Commissioner's Office of any breach of security that results in the loss of personal data.
Intellectual Property
Some cyber attacks are specifically targeted at companies' intellectual property, which could negatively impact profitability and competitiveness.
Together with ensuring that a company's defences are as secure as possible, companies should ensure that all IP is properly registered/protected.
In addition, the company should implement policies concerning corrective measures and responses in the event of an attack (for example, a series of potential legal steps from "cease and desist" correspondence to full-blown litigation).
POCA
Cyber attacks may result in criminal proceeds being obtained by the perpetrators.
This may give rise to reporting obligations under the Proceeds of Crime Act 2002 for entities in the regulated sector that become aware of such proceeds.
For example, because funds have been stolen or moved through their systems during a cyber attack on them.
A business may also need to consider a report if its name, stationery or website is being used to add credibility to a scam.
There is no legal obligation to report a breach of the 7th Data Protection Principle. However, the ICO's guidance does state that serious breaches should be notified to the ICO.
"Serious breach" is not defined but the ICO has issued some guidance as to what to take into account:
Consider the potential detriment (which includes emotional distress as well as physical and financial damage) to the data subjects affected and the volume and sensitivity of personal data lost or corrupted. For example, a stolen laptop that is properly encrypted or full of publicly available information does not need to be reported, but a large volume of unencrypted personal data would be. Loss of a marketing list of 100 names and addresses where there is no sensitivity about the product being marketed would not be reportable. The loss of a manual paper-based filing system holding personal data of 50 individuals and their financial records would be reportable.
Businesses should generally be prepared to consider self-reporting incidents to the ICO, given that it has said that it is minded to treat businesses that self-report data breaches more favourably than those that don't when determining the level of penalty to levy or even whether to impose a fine at all.