In House Lawyer Seminar In association with Michael Page Legal Thursday 25 June 2015 Manchester Office

In house lawyer seminar Squire Patton Boggs - Jun 2015


Page 1: In house lawyer seminar   Squire Patton Boggs - Jun 2015

In House Lawyer Seminar
In association with Michael Page Legal

Thursday 25 June 2015
Manchester Office


Welcome & Introduction

Rob Elvin, Office Managing Partner, Squire Patton Boggs


squirepattonboggs.com

Agenda

8.30am Breakfast & Registration

9.00am Welcome & Introduction – Rob Elvin

9.05am Update on the legal Recruitment Sector – Michael Page Legal

9.15am Labour & Employment – key employment law developments – Paula Cole

9.45am Update on Competition Law – Diarmuid Ryan

10.05am Interpreting & Drafting Contracts in English Law – keeping up with the modern approach – Ben Holland

10.35am Coffee Break

10.50am Cyber Liability – Victoria Leigh and Sebastiaan Pronk

11.20am Speaking with confidence and influence – Esther Stanhope

12.15pm Questions & Conclusions

12.30pm – 1.30pm Networking Lunch


An update on the legal Recruitment Sector

Michael Page Legal


Labour & Employment
Key employment law developments

Paula Cole, Partner, Squire Patton Boggs


Holiday Pay – a reminder of how we got here

Article 7 of the Working Time Directive – four weeks’ “paid” leave

Regulation 16 of the Working Time Regulations 1998 – a “week’s pay” for each week’s leave is calculated in accordance with sections 221 – 224 of the ERA 1996

ERA provisions are complicated and vary depending on whether an employee works “normal working hours” or not


Holiday Pay – a reminder of how we got here

“Normal working hours” – an employee is entitled to be paid his normal basic weekly pay (Section 221) – would not normally include overtime (except compulsory overtime), bonuses, commission, etc.

No “normal working hours” – an employee is entitled to be paid his average weekly pay in the applicable 12 weeks (Section 224) – would include overtime, bonuses, commission, etc.


But then it all changed!

Case, ruling and status:

BA Plc v Williams [2012]: Supreme Court ruled that workers are entitled to receive their “normal remuneration” during annual leave – includes remuneration “intrinsically linked to the performance of the tasks”

Bear Scotland [2014]: EAT ruled that a worker’s holiday pay should take into account non-guaranteed overtime

Lock v British Gas Trading Ltd [2015]: ECJ ruled that commission should be taken into account for holiday pay purposes. Leicester ET ruled that WTR can be amended so as to reflect European law – decision now being appealed to the EAT


Lock v British Gas – in more detail

ECJ’s decision: 4-week statutory holiday that derives from the Directive should take into account commission payments

Leicester ET’s decision: WTR should be amended to include a provision that “… a worker whose remuneration includes commission or similar payment shall be deemed to have remuneration which varies with the amount of work done…”

Lots of questions around commission still remain unanswered, including what is the relevant reference period (12 weeks? 12 months?)


Holiday Pay Update

So where does this leave employers?

What should now be included in holiday pay for WTR purposes?

Voluntary overtime?

• (NB Patterson v Castlereagh Borough Council, due to be heard in NI CA on 19 June)

Bonuses?

Allowances?


Holiday Pay Update

So where does this leave employers?

What is the correct reference period for averaging pay?

Historical liability for unlawful deductions

Bear Scotland – any break of 3 months between deductions could break the chain for time limit purposes

2-year cap on claims for backdated holiday pay – 1 July 2015


Holiday Pay - What should employers be doing?

Employers should be:

Carrying out a review of their holiday pay arrangements in light of the recent cases

Monitoring ongoing developments

Assessing potential risk/impact to business (forwards and backwards)


Hot Employment Law Topics (Case Law)

Recent case law developments

USDAW v Ethel Austin, ECJ, 30 April 2015 (the “Woolworths case”)

Duty to collectively consult where 20 or more redundancies are proposed “at one establishment” within a 90 day period

Previous EAT decision on meaning of “establishment”

ECJ’s decision – “‘Establishment’ means the entity to which the workers made redundant are assigned to carry out their duties.”


Hot Employment Law Topics (Legislation)

Recent legislative developments – effective 5 April 2015

Shared parental leave and pay

Age limit on unpaid parental leave increased from 5 to 18 years

Statutory adoption leave – now a “Day One” right and increase in amount of Statutory Adoption Pay to bring into line with Statutory Maternity Pay


Hot Employment Law Topics – On the horizon

Forthcoming legislative developments

New Government Fit for Work Service

Free health and wellbeing advice to assist with absence prevention

Free occupational health assessment

£500 per employee annual tax exemption


Hot Employment Law Topics – On the horizon

Forthcoming legislative developments

Small Business, Enterprise and Employment Act 2015

Employers of 250 or more employees to be required to publish their gender pay information

Outlawing exclusivity clauses in zero hours contracts


Competition Law Update

Diarmuid Ryan, Partner (Antitrust & Competition)


Contents

Update on CMA enforcement activity 2014 – 2015
• Cartel offence
• CA98 cases
• Market investigations
• Mergers

Update on European Commission activity


Cartel offence

Galvanised Steel Tanks:
• Mr Peter Nigel Snee, Managing Director of Franklin Hodge Industries Limited, pled guilty on 17 June 2014 to the criminal cartel offence
• Prosecution of Messrs Dean and Stringer

Indicates successful prosecutions were possible under old test


CA98 enforcement 2014/2015

Inherited from OFT

Concluded
• Sports Bras RPM – “no grounds for action”
• Road Fuel Distribution in Western Isles – Ch.II (exclusive supply) commitments
• Vehicle service etc platforms – Ch.II (switching restrictions) commitments
• Hampshire estate agents – Ch.I (agreement not to advertise fees) fine £735K (10% settlement discount and 5% compliance discount); 18 months probe (1 year to issue SO)
• Mastercard/Visa Interchange Fees: on hold – December 2014 decision not to impose interim measures; file closed May 2015 (administrative priorities)

Ongoing
• Galvanised Steel Tanks
• Paroxetine pay-for-delay (Ch.I and Ch.II)
• Hotel online booking: OFT commitments decision quashed (Skyscanner) (ongoing)
• Supply of Pharmaceutical Products (Ch.I and Ch.II)


CA98 enforcement 2014/2015

CMA originated

Ongoing
• Bathroom fittings vertical agreements (Ch.I)
• Commercial catering equipment vertical agreements (Ch.I)
• Clothing/footwear/fashion conduct (Ch.I)
• Healthcare sector (Ch.I)
• Pharmaceutical sector (Ch.II)

Commentary:
• Hardly any fines in Year 1
• Improve robustness and speed of decision making (CMA annual plan)? too early to say
• Use of new powers (CMA annual plan): CMA has conducted compulsory interviews; not yet imposed interim measures
• Insufficient attention to extent of burden (esp. on small businesses)


Market studies and investigations

Inherited from OFT/CC

Concluded investigations
• Statutory audit services
• Private motor insurance
• Aggregates, cement and ready-mix concrete

Concluded studies
• Residential property management services

Ongoing investigations
• Payday lending (remedies)
• Private healthcare: 15.12.14 CAT quashed CMA report (procedural error – failure to re-consult on insured pricing analysis) and remitted to CMA


Market studies and investigations

CMA originated

Concluded
• Competition and regulation in higher education in England project
• Commercial use of consumer data report

Ongoing
• Groceries pricing super-complaint
• Retail banking market investigation: provisional findings September 2015
• Energy market investigation: provisional findings June 2015

Commentary
• CMA is certainly taking on “strategically significant” cases
• CMA’s ability to deliver high quality and robust reports within new statutory time limits?
• Concern about CMA willingness to impose divestiture remedies: “in principle…the selling firm…should be indifferent between holding this asset and selling it at a fair price” Chisholm, September 2014


Merger control

References

Closed
• Pure Gym/The Gym (cancelled)
• Pork Farm/Kerry (cleared)

Ongoing
• Xchanging/Agency (provisionally cleared)
• Reckitt Benckiser/K-Y (SLC provisional finding)
• Sonoco/Weidenhammer (provisionally cleared)
• Ashford and St Peter’s Hospitals/Royal Surrey
• Pennon/Sembcorp Bournemouth Water
• Poundland/99p
• BT/EE

UILs
• Diageo/United Spirits
• Immediate/Future Publishing
• Motor Fuel/Murco
• GTCR/Gorkana
• Intercity Railways/Intercity East Coast
• Greene King/Spirit


Mergers

Commentary
• CMA response to statutory 40 working day Phase I review period – much longer pre-notification process, much heavier information burden (new Merger Notice)
• Hold-separate regime for completed mergers much more intrusive and effectively automatic
• Represents significant cost on UK business – may have deterrent effect, particularly on small mergers (CMA considering new guidance on de minimis discretion)
• Improved Phase I process (access to decision-maker)


CMA before the courts

Some reverses
• HCA –v- CMA (Dec 2014): HCA denied adequate opportunity to comment
• Skyscanner (September 2014): no proper consideration of objections
• AC Nielsen –v- CMA (July 2014): material error of fact
• Eurotunnel (CA; May 2015): acquisition of assets not a “merger”

Some successes
• AXA PPP Healthcare –v- CMA (March 2015): upholding exercise of CMA’s discretion that consultant groups did not lead to AEC
• Tobacco (January 2015): Admin court refused to order CMA to repay Gallaher fines (but highly critical of payment to TMR)
• Ryanair; AkzoNobel

Commentary
• CAT provides robust judicial review – great merit of UK system
• Shows importance of effective systems/processes, particularly with new accelerated statutory deadlines (market investigations; Phase I mergers)


European Commission

Continues to actively sanction cartels (envelopes; trucks)

Major abuse of dominance investigations:
• Google
• Gazprom
• Amazon

E-commerce sector enquiry

ECN

Directive on antitrust damages actions


Interpreting & Drafting Contracts in English Law

Ben Holland, Partner, Squire Patton Boggs


Introduction

Summary of where we stand

Traditional approach - now passed

New approach - how it works

The future - where are we going

Examples from recent contracts

Drafting tips


Summary of current law

• Contractual interpretation is an OBJECTIVE exercise
• The SUBJECTIVE intention of a party is IRRELEVANT to questions of interpretation
• The OBJECTIVE interpretation of a contract = REASONABLE PERSON
• REASONABLE PERSON with the factual background available to the parties (including general commercial considerations)
• Where a REASONABLE PERSON would consider that there was more than one meaning, English law favours the construction consistent with BUSINESS COMMON SENSE (or COMMERCIAL SENSE)


Traditional approach

Four corners of the contract

“nothing could be more dangerous than to go out of the four corners of a contract, and endeavour to find out the meaning of the parties from other circumstances not mentioned or alluded to in the contract itself” (Hall v Ross [1813] 3 E.R. 672 – House of Lords)

Construction has a strong legal bias

Latin legal maxims as an aid to construction


The new approach

Objective: The objective nature of interpretation (unchanged)

Contextual: Increased emphasis on context – the objective meaning of the words set against “the factual background”

Commercial: A new policy of commercial sense (reasonable result)

Unitary exercise: The above is a single exercise


Lord Hoffmann enters the House of Lords

Charter Reinsurance Co v Fagan [1997] AC 313
• “actually paid” interpreted to mean “actually payable”
• Lord Hoffmann said “the notion of words having a natural meaning is not a very useful one. Because the meaning of words is not sensitive to syntax and context…”

Mannai v Eagle Star Assurance [1997] AC 749
• “12th January” interpreted to mean “13th January” in the context of an otherwise invalid notice
• Lord Hoffmann said “It is a matter of consistent experience that people can convey their meaning unambiguously although they have used the wrong words”


Investors Compensation Scheme Ltd v West Bromwich Building Society (No. 1) [1998] 1 W.L.R. 896

Clause in dispute:

“any claim (whether sounding in rescission for undue influence or otherwise) that you have against the…society in which you claim an abatement of sums which you would otherwise have to repay to the society…”

Should the clause be interpreted to mean:

“any claim sounding in rescission (whether for undue influence or otherwise)…”?


Investors Compensation Scheme Ltd v West Bromwich Building Society (No. 1) [1998] 1 W.L.R. 896

Hoffmann sets out his 5 principles of contractual interpretation:
• Interpretation is the ascertainment of the meaning which the document would convey to a reasonable person having all of the background knowledge that would reasonably have been available to the parties in the situation in which they were at the time of the contract
• Background (or factual matrix) includes absolutely everything which would affect the way in which the language of the document would have been understood by a reasonable man
• English law excludes evidence of negotiations and subjective intent
• The meaning which a document would convey to a reasonable man is not the same thing as the meaning of its words
• The “rule” that words should be given their “natural and ordinary meaning” reflects the common sense proposition that we do not easily accept that people have made linguistic mistakes


Lord Hoffmann’s last big case

Chartbrook Limited v Persimmon Homes Limited [2009] UKHL 38
• Confirmed objective nature of interpretation: negotiations are irrelevant
• Confirmed active approach to construction and interpretation:

“What is clear from these cases is that there is not, so to speak, a limit to the amount of red ink or verbal rearrangement or correction which the court is allowed. All that is required is that it should be clear that something has gone wrong with the language and that it should be clear what a reasonable person would have understood the parties to have meant. In my opinion, both of these requirements are satisfied.”


Rainy Sky v Kookmin Bank [2011] UKSC 50

In 1997, Lord Steyn wrote in “Contract law: Fulfilling the reasonable expectations of honest men” 113 LQR 433, 441:

“Often there is no obvious or ordinary meaning of the language under consideration. There are competing interpretations to be considered. In choosing between alternatives a court should primarily be guided by the contextual scene in which the stipulation in question appears. And speaking generally commercially minded judges would regard the commercial purpose of the contract as more important than niceties of language. And, in the event of doubt, the working assumption will be that a fair construction best matches the reasonable expectations of the parties.” (emphasis added)


Rainy Sky v Kookmin Bank [2011] UKSC 50

“The language used by the parties will often have more than one potential meaning. I would accept the submission made on behalf of the appellants that the exercise of construction is essentially one unitary exercise in which the court must consider the language used and ascertain what a reasonable person, that is a person who has all the background knowledge which would reasonably have been available to the parties in the situation in which they were at the time of the contract, would have understood the parties to have meant.

In doing so, the court must have regard to all the relevant surrounding circumstances.

If there are two possible constructions, the court is entitled to prefer the construction which is consistent with business common sense and to reject the other.”


Rainy Sky v Kookmin Bank [2011] UKSC 50

Supreme Court affirms the legacy of Lords Steyn and Hoffmann

• Objectivity
• Contextual
• Commercial
• Iterative process

Confirms importance of commercial sense

But when are there more than two meanings?


Napier Park European Credit Opportunities Fund v Harbourmaster [2014] EWCA Civ 984

Trial judge held that language was clear/unambiguous on its ordinary meaning, so he did not need to go on to consider commercial context

Court of Appeal held that, where possible, the court should test any interpretation against the commercial consequences

Beware adopting an unduly narrow grammatical reading of the clause or failing to take account of its obvious purpose and context

“It follows in my judgment that, where possible, the court should test any interpretation against the commercial consequences. That is part of the iterative exercise of interpretation. It is not merely a safety valve in cases of absurdity.” (Lewison LJ)

Place the rival interpretations of a phrase within their commercial setting and investigate their commercial consequences

So, how does this apply to recent contracts?


The future: Greater judicial licence to intervene?

• Using the commercial background to “create” more than one “natural meaning” – “actually paid” interpreted to mean “actually payable”
• Using commercial reasonableness to select the correct meaning
• Extending commercial reasonableness beyond the express terms of the contract through implied terms and a revised remoteness test
• Rewriting each contract’s history?
• Reconstructing the commercial “factual matrix” at a time and distance from contract formation that makes the exercise inherently unreliable


Drafting – Points to beware

Areas for particular care

Terms that may appear “uncommercial” to a third party at a time and distance from when the contract is made

Reliance on traditional “legal” rules or maxims of construction to give words meaning e.g. “consequential loss”

Is a “condition” a condition in law or is it an innominate term?


Drafting – How to manage this new landscape

Drafting
• Recording the commercial “background”: Recitals
• Setting out your own meaning: Defined terms
• Selecting your own “maxims”: “Interpretation clause”
• Termination provisions that are a complete code (dealing with the “condition” issue)

Deal management
• Ambiguity gets the deal signed, but it creates risk: Absent clear agreement with the counterparty there is a risk that a court will not agree with your interpretation
• Keep papers from deal, as some will help with “factual matrix”


Coffee Break


FEEL FREE
A NEW APPROACH TO CYBER SECURITY

Sebastiaan Pronk, KPMG Cyber


CYBER: A HOT TOPIC

THE RISK RANKING

2011
1. LOSS OF CUSTOMERS/CANCELLED ORDERS
2. TALENT AND SKILLS SHORTAGE
3. REPUTATIONAL RISK
4. CURRENCY FLUCTUATION
5. CHANGING LEGISLATION
6. COST AND AVAILABILITY OF CREDIT
7. PRICE OF MATERIAL INPUTS
8. INFLATION
9. CORPORATE LIABILITY
10. EXCESSIVELY STRICT REGULATION

2013
1. HIGH TAXATION
2. LOSS OF CUSTOMERS/CANCELLED ORDERS
3. CYBER RISK
4. PRICE OF MATERIAL INPUTS
5. EXCESSIVELY STRICT REGULATION
6. CHANGING LEGISLATION
7. INFLATION
8. COST AND AVAILABILITY OF CREDIT
9. RAPID TECHNOLOGICAL CHANGES
10. INTEREST RATE CHANGES

Source: Lloyd’s board risk index – http://www.lloyds.com/news-and-insight/risk-insight/lloyds-risk-index


VALUES AND BEHAVIOURS: TECH TRENDS

Always on

Always available

Quick to deliver

Easy to adapt

DIGITAL SOCIETY EVERYTHING JOINS UP

Making use of big data

BIG INSIGHTS


CYBER: SECURITY

WHY CYBER?

INFORMATION PROTECTION & PRIVACY

• HYPERCONNECTIVITY
• CLOUD
• SOCIAL MEDIA
• MOBILE
• BIG DATA
• THE INTERNET OF THINGS

• CYBERSPACE DESIGNED FOR INFORMATION SHARING
• LARGELY ANONYMOUS
• MAY NOT KNOW YOU HAVE BEEN TARGETED
• ATTRIBUTION IS NOT STRAIGHTFORWARD


CYBER: THREATS

THE THREAT ACTORS

HACKTIVISM
• HACKING INSPIRED BY IDEOLOGY
• MOTIVATION: SHIFTING ALLEGIANCES – DYNAMIC, UNPREDICTABLE
• IMPACT TO BUSINESS: PUBLIC DISTRIBUTION, REPUTATION LOSS

ORGANISED CRIME
• GLOBAL, DIFFICULT TO TRACE AND PROSECUTE
• MOTIVATION: FINANCIAL ADVANTAGE
• IMPACT TO BUSINESS: THEFT OF INFORMATION

THE INSIDER
• INTENTIONAL OR UNINTENTIONAL?
• MOTIVATION: GRUDGE, FINANCIAL GAIN
• IMPACT TO BUSINESS: DISTRIBUTION OR DESTRUCTION, THEFT OF INFORMATION, REPUTATION LOSS

STATE-SPONSORED
• ESPIONAGE AND SABOTAGE
• MOTIVATION: POLITICAL ADVANTAGE, ECONOMIC ADVANTAGE, MILITARY ADVANTAGE
• IMPACT TO BUSINESS: DISRUPTION OR DESTRUCTION, THEFT OF INFORMATION, REPUTATIONAL LOSS


SECTORS: WHO IS BEING TARGETED?

• AUTOMOTIVE
• AEROSPACE
• ENERGY PROVIDERS
• BANKS
• PROFESSIONAL & LEGAL SERVICES
• DEFENCE
• ADVANCED MANUFACTURING
• RENEWABLE ENERGY
• BUILDING SOCIETIES
• RESEARCH INSTITUTES
• PHARMACEUTICALS & BIOTECHNOLOGY
• MINING & NATURAL RESOURCES
• COMMUNICATIONS
• WIDER FINANCIAL SERVICES
• ACADEMIA


WHAT IS BEING STOLEN/LOST?

INFORMATION THAT IS VALUABLE

BUSINESS CRITICAL INFORMATION

CRITICAL TRANSACTIONS

• INTELLECTUAL PROPERTY - RESEARCH
• BUSINESS PROCESSES – FINANCE AND PERSONAL
• PARTNERS, SUPPLIER AND STUDENT DATA

CYBER: SECURITY


CYBER: LEGAL

Information Commissioner’s Office (ICO)

EUR 810,000 or 10 percent of an organization’s annual worldwide turnover

Mandatory Breach Disclosure


REGULATIONS: PRO-ACTIVE ATTITUDE?


CYBER IN YOUR SECTORS

The vectors remain the same but the risk rises exponentially

What are your ‘Crown Jewels’ that you need to protect?

Are you investing your money efficiently in your cyber controls?

Who is accountable for managing your cyber risk?

Do you know what information is leaving your business and how?

What are your regulatory obligations and are you compliant?

How do you balance digital opportunity and cyber risk?

How do your cyber security capabilities compare to your peers?

How would you handle a cyber breach or attack?

How are you managing your suppliers to ensure they are not a weak point in your security?

CYBER: IN YOUR COMPANY


THANK YOU
PRESENTATION BY Sebastiaan Pronk


Cyber Liability

Victoria Leigh, Partner, Litigation, Squire Patton Boggs


Cyber Liability

INTRODUCTION

• Why Data Loss Matters – UK Regulatory Regime
• Europe - The Future
  – Network and Information Security Directive
  – General Data Protection Regulation
• Litigation Risks
• 10 Things Not To Do


WHY DATA LOSS MATTERS

REGULATORY IMPACT

• ICO Sanctions
  – Fines of up to £500k per breach
  – Undertakings
  – Name and shame
  – Orders: information notices; assessment notices; enforcement (‘stop-now’) orders
• Other Regulators – FCA, tPR


WHY DATA LOSS MATTERS

OTHER ISSUES INCLUDE

• Claims
  – Credit card companies/banks
  – Individuals
• Damage to Data & Systems
• Business Interruption
• Increased Costs
• Loss of Reputation/Goodwill
  – Existing customers
  – New customer generation
  – Shareholder value


The Network and Information Security Directive (NISD)

• Currently under review and trialogue with Parliament, Council & Commission
• Possible Adoption 2015?
• Implementation into Member States’ law 2017?
• Aims
• Approach
• Potential Impact


EU Draft General Data Protection Regulation (‘GDPR’)

What is it?
• Single regulation planned to replace existing EU data protection laws

When will it come into force?
• Still being debated in EU but may finally be passed in late 2015
• 2 years to implement if passed so 2017 at earliest


EU Draft General Data Protection Regulation (‘GDPR’)

Key Points
• Significant increase in potential fines
  – Up to Euro 1m and/or 2% of global turnover
• Compulsory breach notifications
  – Regulator
  – Affected individuals
• Extension to non-EU companies targeting EU
• One-stop-shop for businesses operating across multiple EU countries
• Mandatory data protection compliance officers
• Privacy-by-design
• Expanded ‘right to be forgotten’


Litigation risks

• Increased regulatory scrutiny, both at domestic and EU level
• FCA Regulation – eg Zurich fined £2.27M
• Disclosure and Transparency Rules (DTR 2.2.1R)
• Section 92 Financial Services and Markets Act 2000
• Breach of contract – force majeure/frustration?
• Negligence – comply with "best practice" guidance
• UK claims – class actions/individuals v companies
• Consequential losses – eg NatWest and RBS Banking Services in 2012: £125 million of customer compensation
• Ensuring business continuity – check the contract!
• Notification to ICO – serious breach?
• Intellectual property/knowledge risks
• Proceeds of Crime Act 2002


ICO – To Report Or Not To Report

No legal obligation to report breach but consider:

• Potential detriment to data subjects (individuals)
• Volume of personal data lost/released/corrupted
• Sensitivity of data lost/released/corrupted

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data” – 7th Principle


TEN THINGS NOT TO DO

1. LEAVE DATA BREACH PLANNING UNTIL YOU BREACH
• Data breaches never happen at convenient times
• Easy to forget things in heat of moment
• Immediate commercial decisions required
  – Notifications
  – PR position
• Assistance needed from third parties e.g. insurers, PR agencies, forensic IT
• Staff need to be trained on responses
• Need plan to safeguard systems & preserve evidence


2. FORGET WHAT DATA YOU HOLD • Critical to assess risk/plan strategy following breach• What data is held

Catalogue specifics e.g. if bank details or sensitive personal data Problems can arise when data acquired but never assimilated

• Where is it held Physical locations and systems

• How it is stored & protected CSV file, proprietary format etc… Encryption, password protection etc…

• Who holds/has access to it Can assist in identifying cause of breach


3. KEEP UNENCRYPTED DATA ON YOUR LAPTOP/TABLET
• ICO’s bête noire & guaranteed fine generator
• Password protected ≠ encrypted
• Caution if data is transferred to any personal device
• Ensure personal data is permanently deleted
  ◦ Deleting from trashcan ≠ permanently deleted
• Dangerous locations/lengthy travel
  ◦ Consider switching hard drives before travel


4. LEAVE SECURITY PLANNING TO THE IT TEAM
• ICO invariably asks for copies of security policies
• IT teams usually great at technical security. Not necessarily so good at documenting it
• Consider in particular
  ◦ Type & location of data
  ◦ Physical security
  ◦ Logical security
  ◦ Security in flight and at rest
  ◦ Access controls
  ◦ Data destruction


5. LET MARKETING TEAMS/AGENCIES DO THEIR OWN THING
• Many breaches we have dealt with have come from marketing, particularly use of external marketing agencies
• Tend to be less aware of issues/need for security than HR/finance
• Large numbers of external contractors involved
• Consider
  ◦ Data security/use training & policies
  ◦ Contracts with external providers


6. IGNORE LOW VALUE CONTRACTS
• Many breaches we have dealt with were due to lapses at contractors rather than internal security.
• Data contracts can be low value but high risk
  ◦ e.g. online payment gateways, customer verification services, apps, social media management services
• Legal obligation to have written contract in place
• ICO will inevitably ask for contract details
• Importance of ongoing due diligence on suppliers


7. ACT BEFORE YOU HAVE A CLEAR VIEW OF THE SITUATION
• First instinct is frequently to assume the best – e.g.
  ◦ there is no breach
  ◦ breach poses no/little risk
  ◦ little data involved
• Small changes in circumstances can have a large impact on actions
  ◦ e.g. data encrypted vs unencrypted
• Difficulty in changing course once you go public/notify individuals
• If you decide to notify, ICO will require detailed information about breach


8. USE DEFAULT PASSWORDS/UNPROTECTED WIFI
• Default passwords
  ◦ Much easier to retrieve
  ◦ Change in accordance with password policy
  ◦ Don’t use information easily obtained from social media sites – e.g. birthdays
  ◦ Password length is key -
• Unprotected WIFI
  ◦ Frequent source of hacks
  ◦ Hard to track users


9. IGNORE IT – NO-ONE WILL EVER KNOW
• If unclear whether breach has occurred, suspect it has and investigate
  ◦ Must be able to explain actions to ICO with justifiable reasons
  ◦ If fail to investigate properly, immediately on back-foot with ICO
• People talk – particularly if they find themselves with information they shouldn’t have
• Internal memos have a habit of leaking
• Delays in responding cause serious reputational damage


10. MAKE A BAD THING WORSE

• Involvement of staff who do not have adequate data security training

• Own investigations can trigger further breaches

• Loss of privilege

• Failure to preserve evidence


Contact

Victoria Leigh

Partner

+44 (0)161 830 50058

[email protected]


The Impact Coach – who gives you extra oomph!

@estherstanhope1

[email protected]

“Speaking with Confidence and Influence”


Questions & Close