3. squirepattonboggs.com
Agenda
8.30am Breakfast & Registration
9.00am Welcome & Introduction - Rob Elvin
9.05am Update on the Legal Recruitment Sector - Michael Page Legal
9.15am Labour & Employment - key employment law developments - Paula Cole
9.45am Update on Competition Law - Diarmuid Ryan
10.05am Interpreting & Drafting Contracts in English Law - keeping up with the modern approach - Ben Holland
10.35am Coffee Break
10.50am Cyber Liability - Victoria Leigh and Sebastiaan Pronk
11.20am Speaking with Confidence and Influence - Esther Stanhope
12.15pm Questions & Conclusions
12.30pm - 1.30pm Networking Lunch
4. An update on the legal Recruitment Sector
Michael Page Legal
6. Holiday Pay - a reminder of how we got here
- Article 7 of the Working Time Directive - four weeks' "paid" leave
- Regulation 16 of the Working Time Regulations 1998 - a "week's pay" for each week's leave is calculated in accordance with sections 221-224 of the ERA 1996
- ERA provisions are complicated and vary depending on whether an employee works "normal working hours" or not
7. Holiday Pay - a reminder of how we got here
- "Normal working hours" - an employee is entitled to be paid his normal basic weekly pay (section 221) - would not normally include overtime (except compulsory overtime), bonuses, commission, etc.
- No "normal working hours" - an employee is entitled to be paid his average weekly pay over the applicable 12 weeks (section 224) - would include overtime, bonuses, commission, etc.
8. But then it all changed!
Case / ruling / status:
- BA plc v Williams [2012]: Supreme Court ruled that workers are entitled to receive their "normal remuneration" during annual leave - includes remuneration "intrinsically linked to the performance of the tasks"
- Bear Scotland [2014]: EAT ruled that a worker's holiday pay should take into account non-guaranteed overtime
- Lock v British Gas Trading Ltd [2015]: ECJ ruled that commission should be taken into account for holiday pay purposes. Status: Leicester ET ruled that the WTR can be amended so as to reflect European law - decision now being appealed to the EAT
9. Lock v British Gas - in more detail
- ECJ's decision: the 4-week statutory holiday that derives from the Directive should take into account commission payments
- Leicester ET's decision: the WTR should be amended to include a provision that "... a worker whose remuneration includes commission or similar payment shall be deemed to have remuneration which varies with the amount of work done..."
- Lots of questions around commission still remain unanswered, including what is the relevant reference period (12 weeks? 12 months?)
10. Holiday Pay Update
So where does this leave employers?
- What should now be included in holiday pay for WTR purposes?
  - Voluntary overtime? (NB Patterson v Castlereagh Borough Council, due to be heard in the NI Court of Appeal on 19 June)
  - Bonuses?
  - Allowances?
11. Holiday Pay Update
So where does this leave employers?
- What is the correct reference period for averaging pay?
- Historical liability for unlawful deductions
  - Bear Scotland - any break of 3 months between deductions could break the chain for time limit purposes
  - 2-year cap on claims for backdated holiday pay - applies to claims presented on or after 1 July 2015
12. Holiday Pay - What should employers be doing?
Employers should be:
- Carrying out a review of their holiday pay arrangements in light of the recent cases
- Monitoring ongoing developments
- Assessing potential risk/impact to the business (forwards and backwards)
13. Hot Employment Law Topics (Case Law)
Recent case law developments
- USDAW v Ethel Austin, ECJ, 30 April 2015 (the "Woolworths case")
  - Duty to collectively consult where 20 or more redundancies are proposed "at one establishment" within a 90 day period
  - Previous EAT decision on the meaning of "establishment"
  - ECJ's decision: "'Establishment' means the entity to which the workers made redundant are assigned to carry out their duties."
14. Hot Employment Law Topics (Legislation)
Recent legislative developments - effective 5 April 2015
- Shared parental leave and pay
- Age limit on unpaid parental leave increased from 5 to 18 years
- Statutory adoption leave - now a "Day One" right, and an increase in the amount of Statutory Adoption Pay to bring it into line with Statutory Maternity Pay
15. Hot Employment Law Topics - On the horizon
Forthcoming legislative developments
New Government Fit for Work Service
- Free health and wellbeing advice to assist with absence prevention
- Free occupational health assessment
- £500 per employee annual tax exemption
16. Hot Employment Law Topics - On the horizon
Forthcoming legislative developments
- Small Business, Enterprise and Employment Act 2015
  - Employers of 250 or more employees to be required to publish their gender pay information
  - Outlawing exclusivity clauses in zero hours contracts
19. Cartel offence
- Galvanised Steel Tanks:
  - Mr Peter Nigel Snee, Managing Director of Franklin Hodge Industries Limited, pleaded guilty on 17 June 2014 to the criminal cartel offence
  - Prosecution of Messrs Dean and Stringer
- Indicates successful prosecutions were possible under the old test
20. CA98 enforcement 2014/2015
- Inherited from OFT
Concluded
- Sports Bras RPM - "no grounds for action"
- Road Fuel Distribution in Western Isles - Ch.II (exclusive supply) commitments
- Vehicle service etc platforms - Ch.II (switching restrictions) commitments
- Hampshire estate agents - Ch.I (agreement not to advertise fees) fine £735K (10% settlement discount and 5% compliance discount); 18 months probe (1 year to issue SO)
- Mastercard/Visa Interchange Fees: on hold - December 2014 decision not to impose interim measures; file closed May 2015 (administrative priorities)
Ongoing
- Galvanised Steel Tanks
- Paroxetine pay-for-delay (Ch.I and Ch.II)
- Hotel online booking: OFT commitments decision quashed (Skyscanner) (ongoing)
- Supply of Pharmaceutical Products (Ch.I and Ch.II)
21. CA98 enforcement 2014/2015
- CMA originated
Ongoing
- Bathroom fittings vertical agreements (Ch.I)
- Commercial catering equipment vertical agreements (Ch.I)
- Clothing/footwear/fashion conduct (Ch.I)
- Healthcare sector (Ch.I)
- Pharmaceutical sector (Ch.II)
Commentary:
- Hardly any fines in Year 1
- Improved robustness and speed of decision making (CMA annual plan)? Too early to say
- Use of new powers (CMA annual plan): CMA has conducted compulsory interviews; not yet imposed interim measures
- Insufficient attention to the extent of the burden (esp. on small businesses)
22. Market studies and investigations
- Inherited from OFT/CC
Concluded investigations
- Statutory audit services
- Private motor insurance
- Aggregates, cement and ready-mix concrete
Concluded studies
- Residential property management services
Ongoing investigations
- Payday lending (remedies)
- Private healthcare: 15.12.14 CAT quashed CMA report (procedural error - failure to re-consult on insured pricing analysis) and remitted to CMA
23. Market studies and investigations
- CMA originated
Concluded
- Competition and regulation in higher education in England project
- Commercial use of consumer data report
Ongoing
- Groceries pricing super-complaint
- Retail banking market investigation: provisional findings September 2015
- Energy market investigation: provisional findings June 2015
Commentary
- CMA is certainly taking on "strategically significant" cases
- CMA's ability to deliver high quality and robust reports within the new statutory time limits?
- Concern about CMA willingness to impose divestiture remedies: "in principle... the selling firm... should be indifferent between holding this asset and selling it at a fair price" - Chisholm, September 2014
24. Merger control
- References
Closed
- Pure Gym/The Gym (cancelled)
- Pork Farm/Kerry (cleared)
Ongoing
- Xchanging/Agency (provisionally cleared)
- Reckitt Benckiser/K-Y (SLC provisional finding)
- Sonoco/Weidenhammer (provisionally cleared)
- Ashford and St Peter's Hospitals/Royal Surrey
- Pennon/Sembcorp Bournemouth Water
- Poundland/99p
- BT/EE
- UILs (undertakings in lieu of reference)
  - Diageo/United Spirits
  - Immediate/Future Publishing
  - Motor Fuel/Murco
  - GTCR/Gorkana
  - Intercity Railways/Intercity East Coast
  - Greene King/Spirit
25. Mergers
Commentary
- CMA response to the statutory 40 working day Phase I review period - much longer pre-notification process, much heavier information burden (new Merger Notice)
- Hold-separate regime for completed mergers much more intrusive and effectively automatic
- Represents a significant cost on UK business - may have a deterrent effect, particularly on small mergers (CMA considering new guidance on de minimis discretion)
- Improved Phase I process (access to decision-maker)
26. CMA before the courts
Some reverses
- HCA -v- CMA (Dec 2014): HCA denied adequate opportunity to comment
- Skyscanner (September 2014): no proper consideration of objections
- AC Nielsen -v- CMA (July 2014): material error of fact
- Eurotunnel (CA; May 2015): acquisition of assets not a "merger"
Some successes
- AXA PPP Healthcare -v- CMA (March 2015): upholding exercise of the CMA's discretion that consultant groups did not lead to an AEC
- Tobacco (January 2015): Admin Court refused to order the CMA to repay Gallaher fines (but highly critical of payment to TMR)
- Ryanair; AkzoNobel
Commentary
- CAT provides robust judicial review - a great merit of the UK system
- Shows importance of effective systems/processes, particularly with the new accelerated statutory deadlines (market investigations; Phase I mergers)
27. European Commission
- Continues to actively sanction cartels (envelopes; trucks)
- Major abuse of dominance investigations:
  - Google
  - Gazprom
  - Amazon
- E-commerce sector inquiry
- ECN
- Directive on antitrust damages actions
30. Summary of current law
- Contractual interpretation is an OBJECTIVE exercise
- The SUBJECTIVE intention of a party is IRRELEVANT to questions of interpretation
- The OBJECTIVE interpretation of a contract = REASONABLE PERSON
- REASONABLE PERSON with the factual background available to the parties (including general commercial considerations)
- Where a REASONABLE PERSON would consider that there was more than one meaning, English law favours the construction consistent with BUSINESS COMMON SENSE (or COMMERCIAL SENSE)
31. Traditional approach
- Four corners of the contract
"nothing could be more dangerous than to go out of the four corners of a contract, and endeavour to find out the meaning of the parties from other circumstances not mentioned or alluded to in the contract itself" (Hall v Ross [1813] 3 E.R. 672 - House of Lords)
- Construction has a strong legal bias
- Latin legal maxims as an aid to construction
32. The new approach
- Objective: the objective nature of interpretation (unchanged)
- Contextual: increased emphasis on context - the objective meaning of the words set against "the factual background"
- Commercial: a new policy of commercial sense (reasonable result)
- Unitary exercise: the above is a single exercise
33. Lord Hoffmann enters the House of Lords
- Charter Reinsurance Co v Fagan [1997] AC 313
  - "actually paid" interpreted to mean "actually payable"
  - Lord Hoffmann said "the notion of words having a natural meaning is not a very helpful one. Because the meaning of words is so sensitive to syntax and context..."
- Mannai v Eagle Star Assurance [1997] AC 749
  - "12th January" interpreted to mean "13th January" in the context of an otherwise invalid notice
  - Lord Hoffmann said "It is a matter of consistent experience that people can convey their meaning unambiguously although they have used the wrong words"
34. Investors Compensation Scheme Ltd v West Bromwich Building Society (No. 1) [1998] 1 W.L.R. 896
- Clause in dispute:
"any claim (whether sounding in rescission for undue influence or otherwise) that you have against the... society in which you claim an abatement of sums which you would otherwise have to repay to the society..."
- Should the clause be interpreted to mean:
"any claim sounding in rescission (whether for undue influence or otherwise)..."?
35. Investors Compensation Scheme Ltd v West Bromwich Building Society (No. 1) [1998] 1 W.L.R. 896
- Hoffmann sets out his 5 principles of contractual interpretation:
  - Interpretation is the ascertainment of the meaning which the document would convey to a reasonable person having all of the background knowledge that would reasonably have been available to the parties in the situation in which they were at the time of the contract
  - Background (or factual matrix) includes absolutely anything which would have affected the way in which the language of the document would have been understood by a reasonable man
  - English law excludes evidence of negotiations and subjective intent
  - The meaning which a document would convey to a reasonable man is not the same thing as the meaning of its words
  - The "rule" that words should be given their "natural and ordinary meaning" reflects the common sense proposition that we do not easily accept that people have made linguistic mistakes
36. Lord Hoffmann's last big case
- Chartbrook Limited v Persimmon Homes Limited [2009] UKHL 38
  - Confirmed the objective nature of interpretation: negotiations are irrelevant
  - Confirmed the active approach to construction and interpretation:
"What is clear from these cases is that there is not, so to speak, a limit to the amount of red ink or verbal rearrangement or correction which the court is allowed. All that is required is that it should be clear that something has gone wrong with the language and that it should be clear what a reasonable person would have understood the parties to have meant. In my opinion, both of these requirements are satisfied."
37. Rainy Sky v Kookmin Bank [2011] UKSC 50
- In 1997, Lord Steyn wrote in "Contract law: Fulfilling the reasonable expectations of honest men" 113 LQR 433, 441:
"Often there is no obvious or ordinary meaning of the language under consideration. There are competing interpretations to be considered. In choosing between alternatives a court should primarily be guided by the contextual scene in which the stipulation in question appears. And speaking generally commercially minded judges would regard the commercial purpose of the contract as more important than niceties of language. And, in the event of doubt, the working assumption will be that a fair construction best matches the reasonable expectations of the parties."
38. Rainy Sky v Kookmin Bank [2011] UKSC 50
"The language used by the parties will often have more than one potential meaning. I would accept the submission made on behalf of the appellants that the exercise of construction is essentially one unitary exercise in which the court must consider the language used and ascertain what a reasonable person, that is a person who has all the background knowledge which would reasonably have been available to the parties in the situation in which they were at the time of the contract, would have understood the parties to have meant.
In doing so, the court must have regard to all the relevant surrounding circumstances.
If there are two possible constructions, the court is entitled to prefer the construction which is consistent with business common sense and to reject the other."
39. Rainy Sky v Kookmin Bank [2011] UKSC 50
- Supreme Court affirms the legacy of Lords Steyn and Hoffmann
  - Objectivity
  - Contextual
  - Commercial
  - Iterative process
- Confirms the importance of commercial sense
- But when are there more than two meanings?
40. Napier Park European Credit Opportunities Fund v Harbourmaster [2014] EWCA Civ 984
- Trial judge held that the language was clear/unambiguous on its ordinary meaning, so he did not need to go on to consider the commercial context
- Court of Appeal held that, where possible, the court should test any interpretation against the commercial consequences
- Beware adopting an unduly narrow grammatical reading of the clause or failing to take account of its obvious purpose and context
"It follows in my judgment that, where possible, the court should test any interpretation against the commercial consequences. That is part of the iterative exercise of interpretation. It is not merely a safety valve in cases of absurdity." (Lewison LJ)
- Place the rival interpretations of a phrase within their commercial setting and investigate their commercial consequences
- So, how does this apply to recent contracts?
41. The future: greater judicial licence to intervene?
- Using the commercial background to "create" more than one "natural meaning" - "actually paid" interpreted to mean "actually payable"
- Using commercial reasonableness to select the correct meaning
- Extending commercial reasonableness beyond the express terms of the contract through implied terms and a revised remoteness test
- Rewriting each contract's history?
- Reconstructing the commercial "factual matrix" at a time and distance from contract formation that makes the exercise inherently unreliable
42. Drafting - points to beware
- Areas for particular care
  - Terms that may appear "uncommercial" to a third party at a time and distance from when the contract is made
  - Reliance on traditional "legal" rules or maxims of construction to give words meaning, e.g. "consequential loss"
  - Is a "condition" a condition in law or is it an innominate term?
43. Drafting - how to manage this new landscape
- Drafting
  - Recording the commercial "background": recitals
  - Setting out your own meaning: defined terms
  - Selecting your own "maxims": "interpretation clause"
  - Termination provisions that are a complete code (dealing with the "condition" issue)
- Deal management
  - Ambiguity gets the deal signed, but it creates risk: absent clear agreement with the counterparty there is a risk that a court will not agree with your interpretation
  - Keep papers from the deal, as some will help with the "factual matrix"
46. Cyber: a hot topic - changes in the risk ranking
Source: Lloyd's Risk Index (board risk index) - http://www.lloyds.com/news-and-insight/risk-insight/lloyds-risk-index

Top 10 risks, 2011:
1. Loss of customers/cancelled orders
2. Talent and skills shortage
3. Reputational risk
4. Currency fluctuation
5. Changing legislation
6. Cost and availability of credit
7. Price of material inputs
8. Inflation
9. Corporate liability
10. Excessively strict regulation

Top 10 risks, 2013:
1. High taxation
2. Loss of customers/cancelled orders
3. Cyber risk
4. Price of material inputs
5. Excessively strict regulation
6. Changing legislation
7. Inflation
8. Cost and availability of credit
9. Rapid technological changes
10. Interest rate changes
47. Values and behaviours: tech trends
- Always on
- Always available
- Quick to deliver
- Easy to adapt
- Digital society: everything joins up
- Making use of big data: big insights
49. Cyber: threats - the threat actors
Hacktivism - hacking inspired by ideology
- Motivation: shifting allegiances - dynamic, unpredictable
- Impact to business: public distribution, reputation loss
Organised crime - global, difficult to trace and prosecute
- Motivation: financial advantage
- Impact to business: theft of information
The insider - intentional or unintentional?
- Motivation: grudge, financial gain
- Impact to business: distribution or destruction, theft of information, reputation loss
State-sponsored - espionage and sabotage
- Motivation: political advantage, economic advantage, military advantage
- Impact to business: disruption or destruction, theft of information, reputational loss
50. Sectors: who is being targeted?
- Automotive
- Aerospace
- Energy providers
- Banks
- Professional & legal services
- Defence
- Advanced manufacturing
- Renewable energy
- Building societies
- Research institutes
- Pharmaceuticals & biotechnology
- Mining & natural resources
- Communications
- Wider financial services
- Academia
51. Cyber: security - what is being stolen/lost?
Information that is valuable:
- Business critical information
- Critical transactions
- Intellectual property - research
- Business processes - finance and personal
- Partner, supplier and student data
54. Cyber in your sectors / Cyber: in your company
The vectors remain the same but the risk keeps rising
- What are your "Crown Jewels" that you need to protect?
- Are you investing your money efficiently in your cyber controls?
- Who is accountable for managing your cyber risk?
- Do you know what information is leaving your business and how?
- What are your regulatory obligations and are you compliant?
- How do you balance digital opportunity and cyber risk?
- How do your cyber security capabilities compare to your peers?
- How would you handle a cyber breach or attack?
- How are you managing your suppliers to ensure they are not a weak point in your security?
57. Cyber Liability - introduction
- Why data loss matters - UK regulatory regime
- Europe - the future
  - Network and Information Security Directive
  - General Data Protection Regulation
- Litigation risks
- 10 things not to do
58. Why data loss matters - regulatory impact
- ICO sanctions
  - Fines of up to £500k per breach
  - Undertakings
  - Name and shame
  - Orders
    - information notices
    - assessment notices
    - enforcement ("stop-now") orders
- Other regulators - FCA, tPR
59. Why data loss matters - other issues include
- Claims
  - Credit card companies/banks
  - Individuals
- Damage to data & systems
- Business interruption
- Increased costs
- Loss of reputation/goodwill
  - Existing customers
  - New customer generation
  - Shareholder value
60. The Network and Information Security Directive (NISD)
- Currently under review and in trilogue between Parliament, Council & Commission
- Possible adoption 2015?
- Implementation into Member States' law 2017?
- Aims
- Approach
- Potential impact
61. EU Draft General Data Protection Regulation ("GDPR")
- What is it?
  - Single regulation planned to replace existing EU data protection laws
- When will it come into force?
  - Still being debated in the EU but may finally be passed in late 2015
  - 2 years to implement if passed, so 2017 at the earliest
62. EU Draft General Data Protection Regulation ("GDPR")
Key points
- Significant increase in potential fines
  - Up to EUR 1m and/or 2% of global turnover under the draft text
- Compulsory breach notifications
  - Regulator
  - Affected individuals
- Extension to non-EU companies targeting the EU
- One-stop-shop for businesses operating across multiple EU countries
- Mandatory data protection compliance officers
- Privacy-by-design
- Expanded "right to be forgotten"
63. Litigation risks
- Increased regulatory scrutiny, both at domestic and EU level
- FCA regulation - e.g. Zurich fined £2.27M
- Disclosure and Transparency Rules (DTR 2.2.1R)
- Section 92 Financial Services and Markets Act 2000
- Breach of contract - force majeure/frustration?
- Negligence - comply with "best practice" guidance
- UK claims - class actions/individuals v companies
- Consequential losses - e.g. NatWest and RBS banking services outage in 2012: £125 million of customer compensation
- Ensuring business continuity - check the contract!
- Notification to ICO - serious breach?
- Intellectual property/knowledge risks
- Proceeds of Crime Act 2002
64. ICO - to report or not to report
- No legal obligation to report a breach, but consider:
  - Potential detriment to data subjects (individuals)
  - Volume of personal data lost/released/corrupted
  - Sensitivity of data lost/released/corrupted
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" - 7th Principle
65. Ten things not to do - 1. Leave data breach planning until you breach
- Data breaches never happen at convenient times
- Easy to forget things in the heat of the moment
- Immediate commercial decisions required
  - Notifications
  - PR position
- Assistance needed from third parties
  - e.g. insurers, PR agencies, forensic IT
- Staff need to be trained on responses
- Need a plan to safeguard systems & preserve evidence
66. Ten things not to do - 2. Forget what data you hold
- Critical to assess risk/plan strategy following a breach
- What data is held
  - Catalogue specifics, e.g. whether bank details or sensitive personal data are included
  - Problems can arise when data is acquired but never assimilated
- Where it is held
  - Physical locations and systems
- How it is stored & protected
  - CSV file, proprietary format etc.
  - Encryption, password protection etc.
- Who holds/has access to it
  - Can assist in identifying the cause of a breach
67. Ten things not to do - 3. Keep unencrypted data on your laptop/tablet
- ICO's bête noire & guaranteed fine generator
- Password protected is not the same as encrypted: a login or application password only gates access, and the data on the disk stays readable to anyone who removes the drive or boots another operating system; only full-disk or file-level encryption protects data at rest
- Caution if data is transferred to any personal device
- Ensure personal data is permanently deleted
  - Deleting from the trashcan is not the same as permanently deleted: emptying the bin only unlinks the file, and its contents remain recoverable until the storage is overwritten or securely wiped
- Dangerous locations/lengthy travel
  - Consider switching hard drives before travel
68. Ten things not to do - 4. Leave security planning to the IT team
- ICO invariably asks for copies of security policies
- IT teams are usually great at technical security, not necessarily so good at documenting it
- Consider in particular
  - Type & location of data
  - Physical security
  - Logical security
  - Security in flight and at rest
  - Access controls
  - Data destruction
69. Ten things not to do - 5. Let marketing teams/agencies do their own thing
- Many breaches we have dealt with have come from marketing, particularly the use of external marketing agencies
- Tend to be less aware of the issues/need for security than HR/finance
- Large numbers of external contractors involved
- Consider
  - Data security/use training & policies
  - Contracts with external providers
70. Ten things not to do - 6. Ignore low value contracts
- Many breaches we have dealt with were due to lapses at contractors rather than internal security
- Data contracts can be low value but high risk
  - e.g. online payment gateways, customer verification services, apps, social media management services
- Legal obligation to have a written contract in place
- ICO will inevitably ask for contract details
- Importance of ongoing due diligence on suppliers
71. Ten things not to do - 7. Act before you have a clear view of the situation
- First instinct is frequently to assume the best, e.g.
  - there is no breach
  - the breach poses no/little risk
  - little data is involved
- Small changes in circumstances can have a large impact on actions
  - e.g. data encrypted vs unencrypted
- Difficulty in changing course once you go public/notify individuals
- If you decide to notify, the ICO will require detailed information about the breach
72. Ten things not to do - 8. Use default passwords/unprotected WiFi
- Default passwords
  - Published in vendor manuals and online, so trivial for an attacker to look up
  - Change in accordance with your password policy
  - Don't use information easily obtained from social media sites, e.g. birthdays
  - Password length is key
- Unprotected WiFi
  - Frequent source of hacks
  - Hard to track users
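The three default-password points above can be turned into a concrete check run before a device or account goes live. The following Python is an added example written for this page, not code from the deck or its authors: the list of vendor defaults is a constructed sample, the 14-character minimum is an assumption (the slide says only that length is key), and the "public facts" input stands for whatever an attacker could read off a target's social media.

```python
"""Password policy check for the points on slide 72 (added example, not from the deck).

Rejects vendor default passwords (including a default with digits or symbols
appended), passwords that embed a fact someone could read off social media
(a birthday, a pet's name), and passwords below a minimum length.
"""
import re
from datetime import date

# Constructed sample of vendor default credentials; a real deployment would load
# the defaults for the equipment actually in use. (Assumption, not from the deck.)
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "welcome1", "12345678"}

# The slide says "password length is key" without giving a number; 14 is an assumption.
MIN_LENGTH = 14


def date_tokens(d: date) -> set[str]:
    """Digit strings in which a birthday commonly appears inside a password."""
    return {
        f"{d.day:02d}{d.month:02d}{d.year}",            # 25121980
        f"{d.day:02d}{d.month:02d}{d.year % 100:02d}",  # 251280
        f"{d.month:02d}{d.day:02d}{d.year}",            # 12251980 (US order)
        f"{d.day:02d}{d.month:02d}",                    # 2512
        f"{d.year}",                                    # 1980
    }


def check_password(password: str, public_facts: dict) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes.

    public_facts maps a label to something an attacker could learn from social
    media: a datetime.date (birthday) or a string (pet, partner, employer).
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # "admin1!" or "Password2015" is still a default: compare the alphabetic stem too.
    stem = re.sub(r"[^a-z]", "", lowered)
    if lowered in DEFAULT_PASSWORDS or (stem and stem in DEFAULT_PASSWORDS):
        problems.append("vendor/default password")

    for label, fact in public_facts.items():
        if isinstance(fact, date):
            if any(token in password for token in date_tokens(fact)):
                problems.append(f"contains {label}")
        elif len(fact) >= 3 and fact.lower() in lowered:
            problems.append(f"contains {label}")

    return problems


def sample_facts() -> dict:
    """Constructed sample of facts a user has posted publicly (not real data)."""
    return {"birthday": date(1980, 12, 25), "dog's name": "Rex"}


if __name__ == "__main__":
    for candidate in ["admin", "Password2015!", "SuperSecret25121980!", "Correct-Horse-Battery"]:
        verdict = check_password(candidate, sample_facts())
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The stem comparison is the part most policies miss: appending a year or an exclamation mark to a vendor default satisfies a naive complexity rule but leaves the password in every attacker's first wordlist.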
73. Ten things not to do - 9. Ignore it - no-one will ever know
- If unclear whether a breach has occurred, suspect it has and investigate
  - Must be able to explain actions to the ICO with justifiable reasons
  - If you fail to investigate properly, you are immediately on the back foot with the ICO
- People talk, particularly if they find themselves with information they shouldn't have
- Internal memos have a habit of leaking
- Delays in responding cause serious reputational damage
74. Ten things not to do - 10. Make a bad thing worse
- Involvement of staff who do not have adequate data security training
- Own investigations can trigger further breaches
- Loss of privilege
- Failure to preserve evidence
I should own up at the start and say that I am not a data protection lawyer but a commercial litigator. This means I tend only to see things when they have gone wrong. Whilst there are some steps which can be taken to stop a bad situation becoming worse after a cyber attack, prevention is better than cure and the best way to minimise your exposure to cyber risks is to think ahead about what might go wrong and how you can try and stop that happening. Either in the packs or to be emailed along with the slides to you is our Data Breach Checklist which will give you an idea of some of the things companies can do to manage and limit the risk of accidental and intentional data loss or destruction but in the short time available today I'm just going to run through very briefly a few issues to think about on both the preparation and response sides of the coin.
Agenda is...
Why data loss matters with a brief refresher on the UK regulatory regime
Proposed new European legislation
Some litigation risks; and, if time
10 things not to do
As Sebastiaan has already highlighted, there can be major regulatory sanctions for data breaches.
If you are an FCA regulated entity or dealing with pension scheme information, for example, then industry regulators will be interested in you but the overarching regulator for all industries in this jurisdiction is the ICO.
Set out on the slide there are a number of things the ICO can do - some of the most serious include issuing fines of up to £500k per breach (new guidance on monetary penalties was issued in April), requiring a company to give binding public undertakings to process information in a particular way, publicising action taken and issuing notices requiring you to stop processing data completely if it does not like the way you are doing things, which would pretty much be a killer for many businesses.
There have been a number of changes to the law so far this year which have meant that increased levels of damages can be awarded for data protection breaches and there is a greater likelihood of monetary penalties being imposed for breaches of the DPA 1998.
For example, the E-Privacy Regulations have been amended to allow the ICO to impose monetary penalties on a party which has committed a serious breach in relation to unsolicited calls/texts/emails (direct marketing) without having to prove that substantial damage and distress has been caused to an individual.
The upper limit (£5k) on fines which magistrates' courts may impose for breaches of the DPA has been removed.
The Court of Appeal also issued a judgement in March in relation to a claim involving Google that could make it much easier for individuals who are adversely affected by breaches of data protection law to bring claims for compensation. Previously, under s13(2) of the DPA 1998 an individual in the UK could only bring a claim for distress if they had also suffered pecuniary damage. However, the CA determined that the legislation had not properly transposed the Data Protection Directive into UK law and so s13(2) should be disapplied. This judgement is subject to appeal to the Supreme Court but it paves the way not only for a group action against Google by millions of Britons but also opens the floodgates to compensation claims against data controllers where the individual has suffered distress but no pecuniary loss. Whilst compensation itself may be modest, data controllers may need to expend significant resource on defending such claims, especially if a number of individuals are affected.
The upshot is that companies should carefully assess their compliance with the DPA to make sure their risk profile is as low as possible. Addressing compliance issues now will also put companies in a much better position going forward as and when the new DP Regulation comes into force.
Of course, there are not only regulator issues but other business issues as well. Again, the slide covers some of the key ones.
Iâve already mentioned claims by individuals. Those of you who operate in businesses that handle credit cards will be aware of the Payment Card Industry Data Security Standard but many businesses are still not compliant with it, despite being notified by banks a few years ago. Whilst the main terms of the card providers will be known to the businesses that sign up to use them, hidden in the detail, and often a surprise, are provisions which allow the card providers to appoint an auditor to review your systems if they suspect that fraudulent activity has been taking place. The first you will hear of this is a letter from the card provider telling you that this is happening. Worse still, you have to pay the costs of the auditor (even if it finds nothing wrong) and the report gets passed back to the card provider without being shown to you.
If you donât get a clean bill of health and are not compliant with the standard then your bank will be subject to card scheme penalties and will pass through the cost of any fines to you. In addition, if the credit card provider has suffered a loss in having to refund a customer money for a fraudulent transaction then it may also look to you to for recompense for being out of pocket. Clearly, if there is a significant issue then these costs can mount up and make it a very expensive exercise.
One thing which we know some companies are doing where there has been a hack is offering customers a paid for credit card watching service. This can be reassuring and, whilst not obligatory, can often pull back some of the PR damage as well as limit any subsequent individual claims.
This is the EU's attempt to legislate for a cyber security strategy, aimed at tackling network and information security incidents and risks across the EU and replacing the current voluntary cooperation between member states. It was proposed in 2013 and the current aim is to try and reach agreement on the text by the end of this month, although there is still a lot of disagreement between the European Parliament and national governments about which companies should be subject to the directive and which obligations should apply to them.
The Directive aims to ensure a high common level of network and information security and improve the security of the internet, private networks and information systems underpinning the functions of societies and economies. The directive is supposed to require member states to increase preparedness and improve co-operation with each other by requiring operators of critical infrastructure and public administrations to adopt steps to manage security risks and report serious incidents to a national competent authority. The draft requires member states to establish a network information security strategy, designate a national competent authority and set up a computer emergency response team to handle incidents and risks. These authorities are then supposed to liaise with each other across Europe.
There is a debate as to what types of business are going to be covered by the Directive but the current non-exhaustive list includes those operating in the energy, banking, health, transport and financial services sectors. Those operators which are covered are going to have to comply with mandatory security breach and incident notification requirements to CERT UK, which was launched on 31 March 2014, and can be subject to investigations for non-compliance as well as sanctions (for that read fines as a % of turnover).
Authorities will be able to make the details of a breach public at their own discretion.
Companies must therefore minimise the risk of threats as far as possible if they wish to avoid reputational damage.
Better security is obviously a good thing but there are some potential negative impacts as the new reporting requirements can be burdensome and costly, diverting resources away from areas requiring greater investment. There is also some doubt at this stage as to how well this directive will cross over with the proposed General Data Protection Regulation as companies could face a situation where different types of reporting are required for different authorities for what is essentially the same issue.
The proposed draft General Data Protection Regulation has been in the offing for some time. Its purpose is to update the DP directive (which is now 20 years old), simplify the regulatory environment across the member states, allegedly cut red tape and save businesses €2.3 billion per year.
It is still being debated but current indications are that it may finally be passed later on this year but will take another 2 years to implement. As it's a regulation it is directly effective and does not need member states to implement it.
Some of the key points are on the slide here but the headline grabbing ones are the significant increase in value of fines, obligatory breach reporting and the mandatory appointment of a data protection compliance officer for each organisation.
The current draft provides for the imposition of sanctions of the greater of up to 2% of annual worldwide turnover or €1m, although the fines are split into categories depending on the nature of the infringement. A seemingly minor infringement of not responding to a data subject access request in time can lead to a fine of up to 0.5% of annual worldwide turnover.
Another major change is that the reporting of data breaches will become compulsory. There will be a wider definition of what a personal data breach is, a data processor will have to notify the data controller of a breach and the controller in turn will have to notify both the data protection authority and affected individuals.
Something else new is that the regulation will impose a number of compliance obligations as well as sanctions directly on service providers. At the moment service providers do not have any direct obligations to comply with EU data protection laws and their obligations derive from their contracts with controllers. This is something that you should all be looking at now if you are negotiating any contracts with service providers to make sure they are future proof. Businesses should be carefully documenting the responsibilities of the parties, particularly as regards the implementation of security, carrying out data protection impact assessments and providing consent for sub-processing. If your business is in the process of acquiring a new IT system then you should be asking the supplier questions to make sure they are going to be compliant with the new regulations.
Obviously it goes without saying that once the Regulation has been implemented you should be reviewing all contracts to see how compliant they are and what might need changing.
Wanted to give a flavour of the litigation risk landscape:
Increased Regulation -
Imminent changes to the regulatory landscape will soon mean that businesses will not be able to keep data breaches a secret.
FCA
As already mentioned, industries regulated by the FCA will need to comply with the FCA handbook.
Obligations on regulated entities to take reasonable care to establish and maintain effective systems and controls for compliance with regulatory requirements and to counter the risk that the entity may be used to further financial crime.
In 2010, Zurich Insurance Plc was fined £2.27 million for regulatory breaches by the then FSA. The fine was levied due to the loss of unencrypted electronic storage media that was in the hands of a subcontractor. Zurich was obliged to sign an undertaking with regard to its future handling of back-up storage media.
DTR
Listed companies may have a duty to disclose cyber security breaches to the market under DTR 2.2.1R which provides that an issuer must notify a regulatory information service as soon as possible of any inside information which directly concerns the issuer.
An event of breach may constitute inside information - i.e. theft of business critical intellectual property is very likely to be price-sensitive, whereas a minor disruption to ancillary services for a short time may not be. [For example, Sony's announcement of the loss of PlayStation customer data in 2011 caused its share price to fall by 5.4% and that decline has continued. By contrast, when Apple announced to the US market that it had been hacked in February 2013 its share price barely moved, dropping just 0.2%, and has continued to perform well since].
FSMA
Any issuer that publishes material that fails adequately to disclose cyber security events, and minimises their impact or downplays their significance, may be at risk from claims from investors under Section 90 of FSMA.
There may be additional liability for misleading statements, including liability for misrepresentation, negligent misstatement or deceit.
Breach of contract
Even if the security breach does not lead to the loss of customer data, the business disruption can leave companies heavily exposed to claims for breach of contract if the disruption means they fail to fulfil express contractual obligations.
For some businesses, the disruption itself may be sufficient to breach express or implied contractual obligations to maintain adequate and functioning IT services. Force majeure clauses may assist.
A business may also try and argue that a cyber attack has caused the contract to be frustrated because a material change in circumstances has rendered it physically or commercially impossible to perform - although this is a difficult argument to run.
Negligence
A failure to exercise reasonable skill and care could result in liability to third parties - although the third party customer would need to prove the damage and losses that it suffered.
One way to minimise the potential for this type of claim is to ensure that the cyber security measures of the business comply with current best practice.
In September 2012, BIS published guidance on how businesses could best protect themselves from cyber attacks.
BIS's "Cyber Essentials" is also regarded as good practice to be utilised.
ISO requirements: Additionally, the Government will soon finalise the new organisational standard on cyber security based on the ISO 27000 series standards.
UK Claims
I have already mentioned how the position here may now change given the recent Google case.
Large claims brought by third party card issuers/financial institutions currently represent a potentially more significant threat to UK businesses.
Consequential Losses
A major problem arising out of disruption to businesses is the potential for large claims to arise out of short-lived service interruptions, leading to escalating losses that can flow directly from a cyber security problem.
A good example was seen in 2012, following relatively prolonged disruption to the NatWest and RBS banking services in the wake of a software update.
The banks offered to refund customers for any late payments and overdraft fees incurred as a result of the system failure, which resulted in £125,000,000 of compensation payments.
Although a voluntary reimbursement, this type of consequential loss would probably fall within the normal contractual or tortious assessments of damage.
This issue is acute for financial services and those operating in time-critical environments such as brokerage firms, where small delays are capable of substantial liability.
It is therefore important for a business' IT department to be able to report directly to the Board once it has identified a breach.
Business Continuity
Companies should consider whether their suppliers are contractually obliged to provide business continuity support following the event of a cyber attack.
If there is no such obligation, companies should decide whether to accept the risk, vary the contract, or look to a third party to provide such support.
ICO
There is no legal obligation on most companies to notify the Information Commissioner's Office of any breach of security that results in the loss of personal data.
Intellectual Property
Some cyber attacks are specifically targeted at companies' intellectual property, which could negatively impact profitability and competitiveness.
Together with ensuring that a company's defences are as secure as possible, companies should ensure that all IP is properly registered/protected.
In addition, the company should implement policies concerning corrective measures and responses in the event of an attack (for example, a series of potential legal steps from "cease and desist" correspondence to full-blown litigation).
POCA
Cyber attacks may result in criminal proceeds being obtained by the perpetrators.
May give rise to reporting obligations under the Proceeds of Crime Act 2002 for entities in the regulated sector that become aware of such proceeds.
For example, because funds have been stolen or moved through their systems during a cyber attack on them.
A business may also need to consider a report if its name, stationery or website is being used to add credibility to a scam.
There is no legal obligation to report a breach of the 7th Data Protection Principle. However, the ICO's guidance does state that serious breaches should be notified to the ICO.
"Serious breach" is not defined but the ICO has issued some guidance as to what to take into account:
Consider the potential detriment (which includes emotional distress as well as physical and financial damage) to the data subjects affected and the volume and sensitivity of personal data lost or corrupted. For example, a stolen laptop that is properly encrypted or full of publicly available information does not need to be reported, but a large volume of unencrypted personal data would be. Loss of a marketing list of 100 names and addresses where there is no sensitivity about the product being marketed would not be reportable. The loss of a manual paper-based filing system holding personal data of 50 individuals and their financial records would be reportable.
Businesses should generally be prepared to consider self-reporting incidents to the ICO, given that it has said that it is minded to treat businesses that self-report data breaches more favourably than those that don't when determining the level of penalty to levy or even whether to impose a fine at all.