Date post: 12-Jan-2017 | Category: Recruiting & HR | Upload: michael-page
In House Lawyer Seminar – In association with Michael Page Legal
Thursday 25 June 2015, Manchester Office
Welcome & Introduction
Rob Elvin, Office Managing Partner, Squire Patton Boggs
squirepattonboggs.com
Agenda
8.30am Breakfast & Registration
9.00am Welcome & Introduction – Rob Elvin
9.05am Update on the legal Recruitment Sector – Michael Page Legal
9.15am Labour & Employment – key employment law developments – Paula Cole
9.45am Update on Competition Law – Diarmuid Ryan
10.05am Interpreting & Drafting Contracts in English Law – keeping up with the modern approach – Ben Holland
10.35am Coffee Break
10.50am Cyber Liability – Victoria Leigh and Sebastiaan Pronk
11.20am Speaking with confidence and influence – Esther Stanhope
12.15pm Questions & Conclusions
12.30pm – 1.30pm Networking Lunch
An update on the legal Recruitment Sector
Michael Page Legal
Labour & Employment – Key employment law developments
Paula Cole, Partner, Squire Patton Boggs
Holiday Pay – a reminder of how we got here
Article 7 of the Working Time Directive – four weeks’ “paid” leave
Regulation 16 of the Working Time Regulations 1998 – a “week’s pay” for each week’s leave is calculated in accordance with sections 221 – 224 of the ERA 1996
ERA provisions are complicated and vary depending on whether an employee works “normal working hours” or not
Holiday Pay – a reminder of how we got here
“Normal working hours” – an employee is entitled to be paid his normal basic weekly pay (Section 221) – would not normally include overtime (except compulsory overtime), bonuses, commission, etc.
No “normal working hours” – an employee is entitled to be paid his average weekly pay in the applicable 12 weeks (Section 224) – would include overtime, bonuses, commission, etc.
But then it all changed!
Case – Ruling – Status
BA Plc v Williams [2012] – Supreme Court ruled that workers are entitled to receive their “normal remuneration” during annual leave – includes remuneration “intrinsically linked to the performance of the tasks”
Bear Scotland [2014] – EAT ruled that a worker’s holiday pay should take into account non-guaranteed overtime
Lock v British Gas Trading Ltd [2015] – ECJ ruled that commission should be taken into account for holiday pay purposes; Leicester ET ruled that WTR can be amended so as to reflect European law – status: decision now being appealed to the EAT
Lock v British Gas – in more detail
ECJ’s decision: 4-week statutory holiday that derives from the Directive should take into account commission payments
Leicester ET’s decision: WTR should be amended to include a provision that “… a worker whose remuneration includes commission or similar payment shall be deemed to have remuneration which varies with the amount of work done…”
Lots of questions around commission still remain unanswered, including what is the relevant reference period (12 weeks? 12 months?)
Holiday Pay Update
So where does this leave employers?
What should now be included in holiday pay for WTR purposes?
Voluntary overtime?
• (NB Patterson v Castlereagh Borough Council, due to be heard in NI CA on 19 June)
Bonuses?
Allowances?
Holiday Pay Update
So where does this leave employers?
What is the correct reference period for averaging pay?
Historical liability for unlawful deductions
Bear Scotland – any break of 3 months between deductions could break the chain for time limit purposes
2-year cap on claims for backdated holiday pay – 1 July 2015
Holiday Pay - What should employers be doing?
Employers should be:
Carrying out a review of their holiday pay arrangements in light of the recent cases
Monitoring ongoing developments
Assessing potential risk/impact to business (forwards and backwards)
Hot Employment Law Topics (Case Law)
Recent case law developments
USDAW v Ethel Austin, ECJ, 30 April 2015 (the “Woolworths case”)
Duty to collectively consult where 20 or more redundancies are proposed “at one establishment” within a 90 day period
Previous EAT decision on meaning of “establishment”
ECJ’s decision – “‘Establishment’ means the entity to which the workers made redundant are assigned to carry out their duties.”
Hot Employment Law Topics (Legislation)
Recent legislative developments – effective 5 April 2015
Shared parental leave and pay
Age limit on unpaid parental leave increased from 5 to 18 years
Statutory adoption leave – now a “Day One” right and increase in amount of Statutory Adoption Pay to bring into line with Statutory Maternity Pay
Hot Employment Law Topics – On the horizon
Forthcoming legislative developments
New Government Fit for Work Service
Free health and wellbeing advice to assist with absence prevention
Free occupational health assessment
£500 per employee annual tax exemption
Hot Employment Law Topics – On the horizon
Forthcoming legislative developments
Small Business, Enterprise and Employment Act 2015
Employers of 250 or more employees to be required to publish their gender pay information
Outlawing exclusivity clauses in zero hours contracts
Competition Law Update
Diarmuid Ryan, Partner (Antitrust & Competition)
Contents
Update on CMA enforcement activity 2014 – 2015
Cartel offence
CA98 cases
Market investigations
Mergers
Update on European Commission activity
Cartel offence
Galvanised Steel Tanks:
• Mr Peter Nigel Snee, Managing Director of Franklin Hodge Industries Limited, pled guilty on 17 June 2014 to the criminal cartel offence
• Prosecution of Messrs Dean and Stringer
Indicates successful prosecutions were possible under old test
CA98 enforcement 2014/2015
Inherited from OFT
Concluded:
• Sports Bras RPM – “no grounds for action”
• Road Fuel Distribution in Western Isles – Ch.II (exclusive supply) commitments
• Vehicle service etc platforms – Ch.II (switching restrictions) commitments
• Hampshire estate agents – Ch.I (agreement not to advertise fees) fine £735K (10% settlement discount and 5% compliance discount); 18 months probe (1 year to issue SO)
• Mastercard/Visa Interchange Fees: on hold – December 2014 decision not to impose interim measures; file closed May 2015 (administrative priorities)
Ongoing:
• Galvanised Steel Tanks
• Paroxetine pay-for-delay (Ch.I and Ch.II)
• Hotel online booking: OFT commitments decision quashed (Skyscanner) (ongoing)
• Supply of Pharmaceutical Products (Ch.I and Ch.II)
CA98 enforcement 2014/2015
CMA originated
Ongoing:
• Bathroom fittings vertical agreements (Ch.I)
• Commercial catering equipment vertical agreements (Ch.I)
• Clothing/footwear/fashion conduct (Ch.I)
• Healthcare sector (Ch.I)
• Pharmaceutical sector (Ch.II)
Commentary:
• Hardly any fines in Year 1
• Improve robustness and speed of decision making (CMA annual plan)? Too early to say
• Use of new powers (CMA annual plan): CMA has conducted compulsory interviews; not yet imposed interim measures
• Insufficient attention to extent of burden (esp. on small businesses)
Market studies and investigations
Inherited from OFT/CC
Concluded investigations:
• Statutory audit services
• Private motor insurance
• Aggregates, cement and ready-mix concrete
Concluded studies:
• Residential property management services
Ongoing investigations:
• Payday lending (remedies)
• Private healthcare: 15.12.14 CAT quashed CMA report (procedural error – failure to re-consult on insured pricing analysis) and remitted to CMA
Market studies and investigations
CMA originated
Concluded:
• Competition and regulation in higher education in England project
• Commercial use of consumer data report
Ongoing:
• Groceries pricing super-complaint
• Retail banking market investigation: provisional findings September 2015
• Energy market investigation: provisional findings June 2015
Commentary:
• CMA is certainly taking on “strategically significant” cases
• CMA’s ability to deliver high quality and robust reports within new statutory time limits?
• Concern about CMA willingness to impose divestiture remedies: “in principle…the selling firm…should be indifferent between holding this asset and selling it at a fair price” (Chisholm, September 2014)
Merger control
References
Closed:
• Pure Gym/The Gym (cancelled)
• Pork Farm/Kerry (cleared)
Ongoing:
• Xchanging/Agency (provisionally cleared)
• Reckitt Benckiser/K-Y (SLC provisional finding)
• Sonoco/Weidenhammer (provisionally cleared)
• Ashford and St Peter’s Hospitals/Royal Surrey
• Pennon/Sembcorp Bournemouth Water
• Poundland/99p
• BT/EE
UILs:
• Diageo/United Spirits
• Immediate/Future Publishing
• Motor Fuel/Murco
• GTCR/Gorkana
• Intercity Railways/Intercity East Coast
• Greene King/Spirit
Mergers
Commentary:
• CMA response to statutory 40 working day Phase I review period – much longer pre-notification process, much heavier information burden (new Merger Notice)
• Hold-separate regime for completed mergers much more intrusive and effectively automatic
• Represents significant cost on UK business – may have deterrent effect, particularly on small mergers (CMA considering new guidance on de minimis discretion)
• Improved Phase I process (access to decision-maker)
CMA before the courts
Some reverses:
• HCA –v- CMA (Dec 2014): HCA denied adequate opportunity to comment
• Skyscanner (September 2014): no proper consideration of objections
• AC Nielsen –v- CMA (July 2014): material error of fact
• Eurotunnel (CA; May 2015): acquisition of assets not a “merger”
Some successes:
• AXA PPP Healthcare –v- CMA (March 2015): upholding exercise of CMA’s discretion that consultant groups did not lead to AEC
• Tobacco (January 2015): Admin court refused to order CMA to repay Gallaher fines (but highly critical of payment to TMR)
• Ryanair; AkzoNobel
Commentary:
• CAT provides robust judicial review – great merit of UK system
• Shows importance of effective systems/processes, particularly with new accelerated statutory deadlines (market investigations; Phase I mergers)
European Commission
Continues to actively sanction cartels (envelopes; trucks)
Major abuse of dominance investigations: Google, Gazprom, Amazon
E-commerce sector enquiry
ECN
Directive on antitrust damages actions
Interpreting & Drafting Contracts in English Law
Ben Holland, Partner, Squire Patton Boggs
Introduction
Summary of where we stand
Traditional approach - now passed
New approach - how it works
The future - where are we going
Examples from recent contracts
Drafting tips
Summary of current law
Contractual interpretation is an OBJECTIVE exercise
The SUBJECTIVE intention of a party is IRRELEVANT to questions of interpretation
The OBJECTIVE interpretation of a contract = REASONABLE PERSON
REASONABLE PERSON with the factual background available to the parties (including general commercial considerations)
Where a REASONABLE PERSON would consider that there was more than one meaning, English law favours the construction consistent with BUSINESS COMMON SENSE (or COMMERCIAL SENSE)
Traditional approach
Four corners of the contract
“nothing could be more dangerous than to go out of the four corners of a contract, and endeavour to find out the meaning of the parties from other circumstances not mentioned or alluded to in the contract itself” (Hall v Ross [1813] 3 E.R. 672 – House of Lords)
Construction has a strong legal bias
Latin legal maxims as an aid to construction
The new approach
Objective: The objective nature of interpretation (unchanged)
Contextual: Increased emphasis on context – the objective meaning of the words set against “the factual background”
Commercial: A new policy of commercial sense (reasonable result)
Unitary exercise: The above is a single exercise
Lord Hoffmann enters the House of Lords
Charter Reinsurance Co v Fagan [1997] AC 313 – “actually paid” interpreted to mean “actually payable”
Lord Hoffmann said “the notion of words having a natural meaning is not a very useful one. Because the meaning of words is not sensitive to syntax and context…”
Mannai v Eagle Star Assurance [1997] AC 749 – “12th January” interpreted to mean “13th January” in the context of an otherwise invalid notice
Lord Hoffmann said “It is a matter of consistent experience that people can convey their meaning unambiguously although they have used the wrong words”
Investors Compensation Scheme Ltd v West Bromwich Building Society (No. 1) [1998] 1 W.L.R. 896
Clause in dispute:
“any claim (whether sounding in rescission for undue influence or otherwise) that you have against the…society in which you claim an abatement of sums which you would otherwise have to repay to the society…”
Should the clause be interpreted to mean:
“any claim sounding in rescission (whether for undue influence or otherwise)…”?
Investors Compensation Scheme Ltd v West Bromwich Building Society (No. 1) [1998] 1 W.L.R. 896
Hoffmann sets out his 5 principles of contractual interpretation:
1. Interpretation is the ascertainment of the meaning which the document would convey to a reasonable person having all of the background knowledge that would reasonably have been available to the parties in the situation in which they were at the time of the contract
2. Background (or factual matrix) includes absolutely everything which would affect the way in which the language of the document would have been understood by a reasonable man
3. English law excludes evidence of negotiations and subjective intent
4. The meaning which a document would convey to a reasonable man is not the same thing as the meaning of its words
5. The “rule” that words should be given their “natural and ordinary meaning” reflects the common sense proposition that we do not easily accept that people have made linguistic mistakes
Lord Hoffmann’s last big case
Chartbrook Limited v Persimmon Homes Limited [2009] UKHL 38
Confirmed objective nature of interpretation: negotiations are irrelevant
Confirmed active approach to construction and interpretation:
“What is clear from these cases is that there is not, so to speak, a limit to the amount of red ink or verbal rearrangement or correction which the court is allowed. All that is required is that it should be clear that something has gone wrong with the language and that it should be clear what a reasonable person would have understood the parties to have meant. In my opinion, both of these requirements are satisfied.”
Rainy Sky v Kookmin Bank [2011] UKSC 50
In 1997, Lord Steyn wrote in “Contract law: Fulfilling the reasonable expectations of honest men” 113 LQR 433, 441:
“Often there is no obvious or ordinary meaning of the language under consideration. There are competing interpretations to be considered. In choosing between alternatives a court should primarily be guided by the contextual scene in which the stipulation in question appears. And speaking generally commercially minded judges would regard the commercial purpose of the contract as more important than niceties of language. And, in the event of doubt, the working assumption will be that a fair construction best matches the reasonable expectations of the parties.” (emphasis added)
Rainy Sky v Kookmin Bank [2011] UKSC 50
“The language used by the parties will often have more than one potential meaning. I would accept the submission made on behalf of the appellants that the exercise of construction is essentially one unitary exercise in which the court must consider the language used and ascertain what a reasonable person, that is a person who has all the background knowledge which would reasonably have been available to the parties in the situation in which they were at the time of the contract, would have understood the parties to have meant.
In doing so, the court must have regard to all the relevant surrounding circumstances.
If there are two possible constructions, the court is entitled to prefer the construction which is consistent with business common sense and to reject the other.”
Rainy Sky v Kookmin Bank [2011] UKSC 50
Supreme Court affirms the legacy of Lords Steyn and Hoffmann
Objectivity
Contextual
Commercial
Iterative process
Confirms importance of commercial sense
But when are there more than two meanings?
Napier Park European Credit Opportunities Fund v Harbourmaster [2014] EWCA Civ 984
Trial judge held that language was clear/unambiguous on its ordinary meaning, so he did not need to go on to consider commercial context
Court of Appeal held that, where possible, the court should test any interpretation against the commercial consequences
Beware adopting an unduly narrow grammatical reading of the clause or failing to take account of its obvious purpose and context
“It follows in my judgment that, where possible, the court should test any interpretation against the commercial consequences. That is part of the iterative exercise of interpretation. It is not merely a safety valve in cases of absurdity.” (Lewison LJ)
Place the rival interpretations of a phrase within their commercial setting and investigate their commercial consequences
So, how does this apply to recent contracts?
The future: Greater judicial licence to intervene?
Using the commercial background to “create” more than one “natural meaning” – “actually paid” interpreted to mean “actually payable”
Using commercial reasonableness to select the correct meaning
Extending commercial reasonableness beyond the express terms of the contract through implied terms and a revised remoteness test
Rewriting each contract’s history?
Reconstructing the commercial “factual matrix” at a time and distance from contract formation that makes the exercise inherently unreliable
Drafting – Points to beware
Areas for particular care
Terms that may appear “uncommercial” to a third party at a time and distance from when the contract is made
Reliance on traditional “legal” rules or maxims of construction to give words meaning e.g. “consequential loss”
Is a “condition” a condition in law or is it an innominate term?
Drafting – How to manage this new landscape
Drafting
Recording the commercial “background”: Recitals
Setting out your own meaning: Defined terms
Selecting your own “maxims”: “Interpretation clause”
Termination provisions that are a complete code (dealing with the “condition” issue)
Deal management
Ambiguity gets the deal signed, but it creates risk: absent clear agreement with the counterparty there is a risk that a court will not agree with your interpretation
Keep papers from the deal, as some will help with the “factual matrix”
Coffee Break
FEEL FREE – A NEW APPROACH TO CYBER SECURITY
Sebastiaan Pronk, KPMG Cyber
THE CHANGES IN RISK RANKING
2011: 1. Loss of customers/cancelled orders; 2. Talent and skills shortage; 3. Reputational risk; 4. Currency fluctuation; 5. Changing legislation; 6. Cost and availability of credit; 7. Price of material inputs; 8. Inflation; 9. Corporate liability; 10. Excessively strict regulation
2013: 1. High taxation; 2. Loss of customers/cancelled orders; 3. Cyber risk; 4. Price of material inputs; 5. Excessively strict regulation; 6. Changing legislation; 7. Inflation; 8. Cost and availability of credit; 9. Rapid technological changes; 10. Interest rate changes
Source: Lloyd’s board risk index – http://www.lloyds.com/news-and-insight/risk-insight/lloyds-risk-index
CYBER: A HOT TOPIC
VALUES AND BEHAVIOURS: TECH TRENDS
Always on / Always available
Quick to deliver / Easy to adapt
DIGITAL SOCIETY – EVERYTHING JOINS UP
Making use of big data – BIG INSIGHTS
WHY CYBER?
INFORMATION PROTECTION & PRIVACY
HYPERCONNECTIVITY
CLOUD
SOCIAL MEDIA
MOBILE
BIG DATA
THE INTERNET OF THINGS
CYBERSPACE: DESIGNED FOR INFORMATION SHARING; LARGELY ANONYMOUS
MAY NOT KNOW YOU HAVE BEEN TARGETED
ATTRIBUTION IS NOT STRAIGHTFORWARD
CYBER: SECURITY
THE THREAT ACTORS
HACKTIVISM – hacking inspired by ideology. Motivation: shifting allegiances – dynamic, unpredictable. Impact to business: public distribution, reputation loss
ORGANISED CRIME – global, difficult to trace and prosecute. Motivation: financial advantage. Impact to business: theft of information
THE INSIDER – intentional or unintentional? Motivation: grudge, financial gain. Impact to business: distribution or destruction, theft of information, reputation loss
STATE-SPONSORED – espionage and sabotage. Motivation: political advantage, economic advantage, military advantage. Impact to business: disruption or destruction, theft of information, reputational loss
CYBER: THREATS
• SECTORS: WHO IS BEING TARGETED?
AUTOMOTIVE
AEROSPACE
ENERGY PROVIDERS
BANKS
PROFESSIONAL & LEGAL SERVICES
DEFENCE
ADVANCED MANUFACTURING
RENEWABLE ENERGY
BUILDING SOCIETIES
RESEARCH INSTITUTES
PHARMACEUTICALS & BIOTECHNOLOGY
MINING & NATURAL RESOURCES
COMMUNICATIONS
WIDER FINANCIAL SERVICES
ACADEMIA
WHAT IS BEING STOLEN/LOST?
INFORMATION THAT IS VALUABLE
BUSINESS CRITICAL INFORMATION
CRITICAL TRANSACTIONS
INTELLECTUAL PROPERTY – RESEARCH
BUSINESS PROCESSES – FINANCE AND PERSONAL
PARTNERS, SUPPLIER AND STUDENT DATA
CYBER: SECURITY
CYBER: LEGAL
ICO – Information Commissioner’s Office
EUR 810,000 or 10 percent of an organization’s annual worldwide turnover
Mandatory Breach Disclosure
REGULATIONS: PRO-ACTIVE ATTITUDE?
CYBER IN YOUR SECTORS
The vectors remain the same but the risk rises exponentially
What are your ‘Crown Jewels’ that you need to protect?
Are you investing your money efficiently in your cyber controls?
Who is accountable for managing your cyber risk?
Do you know what information is leaving your business and how?
What are your regulatory obligations and are you compliant?
How do you balance digital opportunity and cyber risk?
How do your cyber security capabilities compare to your peers?
How would you handle a cyber breach or attack?
How are you managing your suppliers to ensure they are not a weak point in your security?
CYBER: IN YOUR COMPANY
THANK YOU – PRESENTATION BY Sebastiaan Pronk
Cyber Liability
Victoria Leigh, Partner, Litigation, Squire Patton Boggs
• Why Data Loss Matters – UK Regulatory Regime
• Europe – The Future: Network and Information Security Directive; General Data Protection Regulation
• Litigation Risks
• 10 Things Not To Do
Cyber Liability
INTRODUCTION
• ICO Sanctions
– Fines of up to £500k per breach
– Undertakings
– Name and shame
– Orders: information notices; assessment notices; enforcement (‘stop-now’) orders
• Other Regulators – FCA, tPR
WHY DATA LOSS MATTERS
REGULATORY IMPACT
• Claims – credit card companies/banks; individuals
• Damage to Data & Systems
• Business Interruption
• Increased Costs
• Loss of Reputation/Goodwill – existing customers; new customer generation; shareholder value
WHY DATA LOSS MATTERS
OTHER ISSUES INCLUDE
The Network and Information Security Directive (NISD)
• Currently under review and trialogue with Parliament, Council & Commission
• Possible Adoption 2015?
• Implementation into Member States’ law 2017?
• Aims
• Approach
• Potential Impact
EU Draft General Data Protection Regulation (‘GDPR’)
What is it? Single regulation planned to replace existing EU data protection laws
When will it come into force? Still being debated in EU but may finally be passed in late 2015; 2 years to implement if passed, so 2017 at earliest
EU Draft General Data Protection Regulation (‘GDPR’)
Key Points
Significant increase in potential fines – up to Euro1m and/or 2% of global turnover
Compulsory breach notifications – to regulator and affected individuals
Extension to non-EU companies targeting EU
One-stop-shop for businesses operating across multiple EU countries
Mandatory data protection compliance officers
Privacy-by-design
Expanded ‘right to be forgotten’
Litigation risks
• Increased regulatory scrutiny, both at domestic and EU level
• FCA Regulation – eg Zurich fined £2.27M
• Disclosure and Transparency Rules (DTR 2.2.1R)
• Section 92 Financial Services and Markets Act 2000
• Breach of contract – force majeure/frustration?
• Negligence – comply with "best practice" guidance
• UK claims – class actions/individuals v companies
• Consequential losses – eg NatWest and RBS Banking Services in 2012: £125 million of customer compensation
• Ensuring business continuity – check the contract!
• Notification to ICO – serious breach?
• Intellectual property/knowledge risks
• Proceeds of Crime Act 2002
ICO – To Report Or Not To Report
No legal obligation to report breach but consider:
Potential detriment to data subjects (individuals)
Volume of personal data lost/released/corrupted
Sensitivity of data lost/released/corrupted
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data” – 7th Principle
TEN THINGS NOT TO DO
1. LEAVE DATA BREACH PLANNING UNTIL YOU BREACH
• Data breaches never happen at convenient times
• Easy to forget things in heat of moment
• Immediate commercial decisions required – notifications, PR position
• Assistance needed from third parties e.g. insurers, PR agencies, forensic IT
• Staff need to be trained on responses
• Need plan to safeguard systems & preserve evidence
2. FORGET WHAT DATA YOU HOLD
• Critical to assess risk/plan strategy following breach
• What data is held – catalogue specifics e.g. if bank details or sensitive personal data; problems can arise when data acquired but never assimilated
• Where is it held – physical locations and systems
• How it is stored & protected – CSV file, proprietary format etc…; encryption, password protection etc…
• Who holds/has access to it – can assist in identifying cause of breach
3. KEEP UNENCRYPTED DATA ON YOUR LAPTOP/TABLET
• ICO’s bête noire & guaranteed fine generator
• Password protected ≠ encrypted
• Caution if data is transferred to any personal device
• Ensure personal data is permanently deleted – deleting from trashcan ≠ permanently deleted
• Dangerous locations/lengthy travel – consider switching hard drives before travel
4. LEAVE SECURITY PLANNING TO THE IT TEAM
• ICO invariably asks for copies of security policies
• IT teams usually great at technical security, not necessarily so good at documenting it
• Consider in particular: type & location of data; physical security; logical security; security in flight and at rest; access controls; data destruction
5. LET MARKETING TEAMS/AGENCIES DO THEIR OWN THING
• Many breaches we have dealt with have come from marketing, particularly use of external marketing agencies
• Tend to be less aware of issues/need for security than HR/finance
• Large numbers of external contractors involved
• Consider: data security/use training & policies; contracts with external providers
6. IGNORE LOW VALUE CONTRACTS
• Many breaches we have dealt with were due to lapses at contractors rather than internal security
• Data contracts can be low value but high risk, e.g. online payment gateways, customer verification services, apps, social media management services
• Legal obligation to have written contract in place
• ICO will inevitably ask for contract details
• Importance of ongoing due diligence on suppliers
7. ACT BEFORE YOU HAVE A CLEAR VIEW OF THE SITUATION
• First instinct is frequently to assume the best – e.g. there is no breach; breach poses no/little risk; little data involved
• Small changes in circumstances can have a large impact on actions e.g. data encrypted vs unencrypted
• Difficulty in changing course once you go public/notify individuals
• If you decide to notify, ICO will require detailed information about breach
8. USE DEFAULT PASSWORDS/UNPROTECTED WIFI
• Default passwords – much easier to retrieve; change in accordance with password policy; don’t use information easily obtained from social media sites – e.g. birthdays; password length is key
• Unprotected WIFI – frequent source of hacks; hard to track users
9. IGNORE IT – NO-ONE WILL EVER KNOW
• If unclear whether breach has occurred, suspect it has and investigate – must be able to explain actions to ICO with justifiable reasons; if fail to investigate properly, immediately on back-foot with ICO
• People talk – particularly if they find themselves with information they shouldn’t have
• Internal memos have a habit of leaking
• Delays in responding cause serious reputational damage
10. MAKE A BAD THING WORSE
• Involvement of staff who do not have adequate data security training
• Own investigations can trigger further breaches
• Loss of privilege
• Failure to preserve evidence
Contact
Victoria Leigh
Partner
+44 (0)161 830 50058
The Impact Coach – who gives you extra oomph!
@estherstanhope1
“Speaking with Confidence and Influence”
Questions & Close