Courtesy of Thames Valley Business Magazine February 2012

What could 2012 offer you and your business? For many Thames Valley-based businesses, 2012 is a year for optimism, opportunity, growth and investment, writes Patrick Long, Banking & Finance Partner, Pitmans LLP.
 
Respondents to Pitmans “Funding your Business” Survey, conducted in December 2011, clearly felt the UK economy would remain in recession for the majority of 2012, but it is against this backdrop that over 60% of Thames Valley-based respondents said that they anticipate a year of steady growth in 2012. This is a marked contrast to respondents from businesses which lie outside of the Thames Valley region, who predominantly forecast trade at similar levels as 2011.

The Thames Valley has long been labelled the economic powerhouse of the UK, thanks largely to its diversity, strong skills base and excellent infrastructure – attracting top talent and global businesses from software, manufacturing, pharmaceutical, utility and construction sectors.

For further information on the survey, please contact Pitmans Banking & Finance team.

Patrick Long
Partner
T: +44 (0) 118 957 0488
E: plong@pitmans.com

Award winning law firm Pitmans LLP has acted on behalf of David Macrae, the Managing Director of Popshots Studios Limited, a distributor of 3D pop-up greetings cards, stationery and promotional and marketing materials in Henley-on-Thames, Oxfordshire. He has acquired Popshots Studios Limited in a management buy-out from the Up With Paper group of companies, based in Mason, Ohio, USA, for an undisclosed consideration.

The transaction was led by Pitmans’ Corporate Partner Philip Weaver, Corporate Partner Adam Dowdney, Corporate solicitor Carolyn Butler, and Banking solicitor Mark Metcalfe.

Commenting on the transaction, David Macrae said “We were referred to Pitmans by an associate and were delighted with the speed and thorough handling of our time-sensitive purchase.”

Adam Dowdney, Pitmans’ Corporate Partner said: “We were delighted to assist David in this management buy-out of a business in which he has been involved for some time. The deal was completed in a very short time-frame, which reflects the flexibility and strength in depth of the Corporate and Banking teams we have here at Pitmans. We wish David every success for the future.”

This article was published by Asset Finance International

The new Bribery Act (the “Act”) is a wholesale reform of the old bribery laws, which were a complicated and confusing combination of statutory and common law offences from more than 100 years of legal development in this area.

The need for reform was widely acknowledged; however, the final result may have alarming consequences for corporate entities, including asset lenders and equipment leasing companies operating in and outside the UK, as many law-abiding businesses could inadvertently break the new rules if they are not properly prepared. Therefore, it is important for organisations to consider now what the Act means for them and what actions they need to take as a result.

Funding your Business Survey

November 30th, 2011

The survey is now closed.

The results will be published in January 2012.

For your copy, please email poppy@pitmans.com

This article was published by Workbooks.com

Philip James, Partner, and Carolyn Butler, Solicitor at Pitmans LLP examine some of the legal issues you should consider when moving to cloud computing and selecting a vendor.

1. Know the flight plan (negotiation and contract)

Carefully review the terms on which you are intending to contract with your cloud provider. Is the contract open to negotiation or are you expected to contract on the cloud provider’s standard terms? If the former, consider your specific requirements, and ensure your contract:
 
- adequately reflects your requirements in unambiguous language in a layout that’s easy to follow (in other words, don’t bury your specifications across numerous schedules);
- clearly delineates the roles and responsibilities of both the cloud provider and your organisation; and
- has quantifiable metrics or KPIs to verify the performance of your cloud provider.

If the latter, review the terms carefully to ensure, firstly, that they are fair and that there are no unpleasant surprises lurking and, secondly, that they cover everything you need them to. If not, seek to vary the standard terms with your cloud provider accordingly.

Look at the extent of the remedies available under the contract. The contract will probably contain limitations of liability, so if you are intending to outsource critical internal infrastructure, check whether those limitations adequately reflect the allocation of liability to your cloud provider.

- What limitation should apply?
- Are there risks for which liability should or should not be excluded? E.g. does the supplier exclude liability for loss of data (this is not much good if you are outsourcing your CRM database!)

In some cases, damages for breach of contract may not be a sufficient remedy if things go wrong, and you may wish to set out alternative, more appropriate remedies under the contract. Other key issues to look out for in your contract are explored in more detail below. In all cases, always seek specific legal advice if you are unsure about the effect of any element of your contract.

Before negotiating a contract with a cloud provider, the European Network and Information Security Agency’s Information Assurance Framework for Cloud Computing, which sets out questions that an organisation should ask a cloud provider, is essential reading¹.

2. First class, business class or economy class? (service levels)

Service levels need to be agreed upfront, and should be expressed in the service-level agreement in terms that are both clear and measurable, including maximum periods of downtime, the relative importance to the business of different elements of the service and processes for remedying defaults. While many businesses look to cloud providers as part of their business continuity strategy, it is also necessary to consider what would happen if the cloud provider’s operations become disrupted. How does your cloud provider manage its response to incidents such as natural disasters or security breaches to ensure disruption is kept to a minimum?

Before you sign up, ask your cloud provider about any extra costs and charges, work out which of these are relevant to your business and budget accordingly. You should also ensure your future as well as your present needs are taken into account: find out how quickly and by how much your cloud provider can scale up the services it provides, and, if you plan to expand your business abroad, whether your provider has the capabilities to meet your needs in other jurisdictions.

It is important that the ramifications of failing to meet the agreed service levels are clearly set out (often a service credits mechanism is used) and that the parties agree a process of escalating remedies in the event that problems supplementary to the agreed remedial mechanisms arise. The resolution of disputes can be a costly and time-consuming exercise, and it is in the interests of both parties to have workable and effective escalation processes in place to ensure problems are worked out amicably, the business relationship is preserved and any disruption is kept to a minimum.

3. Security checkpoints (security and data protection)

It is essential to verify with your cloud provider what responsibilities for security lie within the remit of your organisation and which are their responsibility.

While your cloud provider may be unable to give you precise details about the security measures it has in place (since a detailed disclosure of the systems in use could impair their integrity), a high-level description of those measures should be given, for example, the extent to which data encryption is used, whether anomaly detection systems are applied, the protocols in place to deal with the theft of user credentials and the physical security used to protect the locations where data is stored. Your cloud provider should also be able to tell you whether it meets any of the existing web standards² and give you details of the security features on offer for users, such as user authentication and authorisation/administration controls. Find out whether your cloud provider offers any guarantees that customer resources are fully isolated from one another, and to what degree data, metadata or other traces of use by your organisation is erased before machines are reallocated. You should request sufficient information to allow you to make a sensible judgement about the adequacy of the security measures offered by your cloud provider, whether additional measures are required and need to be agreed in your contract.

Further, your cloud provider may intend to outsource or subcontract any of the operations that it is contracted to supply to you, and, if they do, find out who those third parties are, where they are based, what procedures are used to verify and monitor the quality of services they provide, and the security controls in place to protect your data. For instance, it is not much use having contractual protections in your agreement with your provider if the ‘subbie’ to whom the service is sub-contracted is not subject to the same terms agreed with your supplier (you may also not have conducted due diligence in respect of that subbie).

4. Final destination (location)

Just as importantly, find out where your cloud provider will physically hold your data. Your data should be stored in a jurisdiction where an acceptable level of protection is mandated by law. Data protection standards vary from one jurisdiction to another and, although efforts are being made to harmonise the requirements across the EU as a whole, outside of the EU they may be non-existent. Nevertheless, if you are a business based in the UK, and the data in question is being processed in the context of that business, the full extent of the UK rules will most likely apply.

Further, if you are intending to store personal data in the cloud, such as HR records, take note that the transfer of personal data to a country or territory outside of the EEA is prohibited, unless equivalent protection in that country or territory is assured (and in this respect, if it is to be stored outside the EEA, seek specific legal advice on this issue as there are a number of compliance requirements which may need to be dealt with). Where this is concerned, it is always easier from a data privacy compliance perspective to engage a supplier whose data centre is located in the UK or Europe than enter into an arrangement with a supplier whose servers are in the US or China (or worse still, in a virtual data centre i.e. you don’t know where it is stored!).

Note also that, where HR data is concerned, it is also likely to contain sensitive personal data. As such, there are a number of more stringent restrictions as to how this type of data may be processed and specific consents may need to be obtained from the data subjects (i.e. the person to which such personal data relates). Ideally, find a cloud provider based in your jurisdiction that can provide assurances that data (and at the bare minimum, personal data) will not be transferred outside of the EEA.

It is important to ensure your contract with your cloud provider clearly states the choice of territorial jurisdiction (that is, the country in which any dispute in relation to the contract will be heard) and the choice of law that the courts will apply in determining any dispute. Ideally, this should be a jurisdiction in which your organisation operates. If a dispute arises, and the choice of law and jurisdiction has not been specified, under EU law a defendant may be sued where they live, or where the contractual obligation was performed. The applicable law, however, will be the law with the closest connection to your contract. It is easy to see how this can create problems in a cloud computing environment where there are cloud providers all over the globe eager for your business, and where your data could potentially be stored anywhere in the world, so explicitly state in the contract what’s intended.

5. Take a moment to find the nearest exit (transitioning)

Although it may feel like a remote prospect, before you enter into a cloud contract it is necessary to anticipate how you intend to exit those arrangements. Care should be taken to ensure the portability of your data, including your metadata. Review your contract to determine what events could trigger a right to terminate the agreement by either you or your cloud provider. Ask what procedures are in place to export your data (in an orderly fashion) if you change cloud providers or in the event that the agreement is terminated. Find out whether those procedures are regularly tested to ensure that they work.

Also, if there is a specific format in which you expect to receive your ported data, you should try to specify that (to the extent that is possible) in your contract with your supplier. Please note: there may be additional costs associated with ensuring your data is in a format which is compatible with your systems. The ownership of intellectual property (IP) can be a particularly contentious issue in the cloud environment. Examine the IP provisions in the agreement with your cloud provider to determine how data ownership is dealt with, and whether those provisions are acceptable to you. IP is a technical area of law; as such, if in doubt, always seek specific legal advice to ensure you are adequately protected.

Once you have moved your data, you will no doubt be seeking assurances from your cloud provider that all traces of your data will be deleted as soon as possible. So, before you commit to a particular cloud provider, find out whether this is a realistic prospect: it may take a number of weeks for your data to be deleted if it is stored in more than one place (for example, if it is copied on to back-up tapes) and it may be impossible to destroy your data completely if your cloud provider allows you to share disk space with other customers. If that’s not good enough, give your cloud provider the opportunity to put satisfactory processes in place for you.

For further information in relation to the issues raised by this note, please contact:

Philip James
Partner
pjames@pitmans.com
+44 (0) 207 634 4655

Carolyn Butler
Solicitor
cbutler@pitmans.com
+44 (0) 118 957 0234

¹ http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework/?searchterm=assurance framework

² Such as ISO27001 (http://www.27001-online.com/), which implements OECD (Organisation for Economic Cooperation and Development) principles governing security of information and network systems, and the SAS70 auditing standard (http://sas70.com/)

PLEASE NOTE: This note has been prepared to provide general guidance on the benefits as well as some of the risks associated with cloud computing. As such, it should not be relied on. Always seek specific legal advice in relation to your specific circumstances in question.

Award winning Thames Valley law firm Pitmans LLP has been recognised for its exceptional deal making achievements in Experian’s league table of Corporate Finance Advisers HY2011. Ranked 4th by volume of deals, Pitmans LLP joins the league for the first time in the South East and is ranked alongside much larger firms including Linklaters, Ashurst and Pinsent Masons.

Pitmans LLP has an award winning corporate team of 6 partners and 5 solicitors led by Andrew Peddie. Over the last 6 months the team has advised on a variety of deals ranging from Technology companies, pharmaceuticals, transport and food manufacturers.  Philip Weaver deserves particular recognition having completed 4 deals in 10 days in June.

Commenting on the achievement, Managing Partner Christopher Avery said “I’m thrilled that once again the achievements of Pitmans corporate team have been recognised. Pitmans is a hotbed of talent and this ranking is clear recognition from our clients and from the market that Pitmans leads the pack in getting deals done in the Thames Valley”.  

Award winning law firm Pitmans LLP has acted on behalf of Maudesport Limited, one of the UK’s leading mail order suppliers of sports and leisure equipment and team wear, on the sale of their company to DEMCO UK Limited for an undisclosed consideration. The transaction was led by Pitmans’ Corporate Partner, Philip Weaver, and Corporate solicitor, Carolyn Butler. They were assisted by Property Partner, Sally Sharp.

Maudesport Limited supplies 60 Local Authorities with equipment for their schools, colleges and other establishments. It also supplies HM Prisons, NHS and MOD establishments as well as Youth Centres, Special Needs Units, leading fitness and leisure companies and the general public.

Commenting on the transaction, John Maude, the Owner and Managing Director of Maudesport Limited said “I was most satisfied in the manner that my corporate and legal advisors brought this sale to completion. Although intense as the final stages played out, Pitmans kept me informed and helped me through a process with which I was unfamiliar. In particular property issues, a difficult hurdle to overcome, were negotiated through to both parties’ satisfaction.”

Philip Weaver, Pitmans Corporate Partner added: “We were very pleased to bring this sale to a successful conclusion. Although the purchaser was a UK company, the decisions were made by its parent. We had noted from previous transactions (and this sale proved to be no exception) that US purchasers are often more concerned about some areas than a typical UK purchaser, such as environmental concerns.”

DEMCO UK Limited supplies materials, including laboratory equipment, chemicals and consumables to the education sector. The company also owns Technology Supplies Limited and Timstar Laboratory Supplies Limited (which it acquired in July 2009). DEMCO UK Limited is ultimately owned by Wall Family Enterprise Inc in the United States, a family-owned group of eight independent businesses that generates annual revenues of more than $200 million (£125 million).

Award winning law firm Pitmans LLP has acted on behalf of Kinetic Facilities Limited, part of the Panalux Group, in its acquisition of the Direct Lighting business from Metro Imaging Limited for an undisclosed consideration.  The transaction was led by Pitmans Corporate Partner, Stephanie Perry.

Panalux offers the world of film and television production the very best in lighting rental equipment and facilities. With bases located throughout the United Kingdom, this vast production resource is home to a huge inventory of modern equipment maintained by a team of highly skilled, experienced professionals.

A small selection of their portfolio of credits include: X-Men: First Class; Clash of the Titans 1 & 2; Pirates of the Caribbean; Quantum of Solace; Harry Potter Series; Dr Who; Casualty; Holby City.

Commenting on the transaction, Steve Smith, Managing Director of Panalux Worldwide said: “We are immensely proud to have worked alongside Pitmans in order to extend our presence in the photographic market through the acquisition of the UK’s largest photographic rental facility, Direct Lighting, and the subsequent inception of our new brand, Direct Photographic. I have no doubt that we will continue to obtain Pitmans invaluable assistance as we develop and expand all our operations both in the United Kingdom and overseas”.

Stephanie Perry, Pitmans Corporate Partner added: “The Kinetic team are long-standing clients of the firm and we were delighted to help them with this “bolt on” acquisition which will enable the business to expand further”.

Created by Panalux, Kinetic Facilities Limited provides a flexible, competitive service combining an extensive range of cameras, lights and expendables with the support of experienced, friendly staff.

Direct Lighting has a long history of hiring lighting equipment for a range of productions.  Contracts comprise television commercials, broadcast television and feature films, with a small selection including: Prime Suspect 6: The Last Witness; The Inbetweeners; Auf Wiedersehen Pet: Series 4 & Christmas Special; and Two Pints of Lager and a Packet of Crisps. Direct Lighting is a patron sponsor of the British Society of Cinematographers, and an approved lighting contractor to both the BBC and ITV.

Award winning law firm Pitmans LLP has acted on behalf of John Wright and Barbara Wood, the sellers of Thames Travel Limited, a local bus company based in Wallingford, Oxfordshire. The company has been purchased by Go-Ahead plc, one of the UK’s biggest providers of rail and bus services, for an undisclosed consideration. The transaction was led by Pitmans’ Corporate Partner, Philip Weaver, and Corporate solicitor, Carolyn Butler.

Commenting on the transaction, John Wright said “We are very pleased to have been able to place the business with one of the UK’s leading public transport operators so that the business can continue to grow and prosper into the future. We would like to thank Philip Weaver and his team for successfully guiding us through a very exacting ‘due diligence’ and would recommend Pitmans to anyone considering a business sale.”

Philip Weaver, Pitmans’ Corporate Partner said: “It was a great pleasure to achieve a successful outcome for John Wright and Barbara Wood. The sale was completed in a short timescale thanks, in part, to my clients’ speed of response when under significant due diligence pressure from Go-Ahead and the demands of continuing to run the business.”

David Brown, Deputy Chief Executive of Go-Ahead, said: “Thames Travel is a strong business with a proud tradition of providing high quality services to the local community. We are delighted that the company will be joining the Go-Ahead family. With the resources of Go-Ahead behind Thames Travel, the business will be in a stronger position to grow over the years ahead.”

In line with Go-Ahead’s devolved business strategy, the company will continue to be run and managed locally. The bus fleet will retain its existing livery and branding and the existing fare structure will remain.

Courtesy of Data Protection Law & Policy – May 2011

Last November, the EU Commission set out its aims to modernise the 1995 EU Data Protection Directive in a November 2010 Communication. Philip James, Partner at Pitmans, reviews some of the responses to the Commissioner’s consultation in relation to a particular conundrum facing the Commission – data portability.

This long-overdue overhaul of the existing data protection framework is intended to address some of the key challenges facing current data privacy regulation, namely: the collection and use of personal data via new technologies, harmonisation and simplification of notification throughout the EU, and globalisation and cross-border data flows.

The purpose is, on the one hand, to reinforce an individual’s right to privacy whilst, on the other, to harmonise and simplify data privacy regulation. The Commission has indicated that the revised framework may include a possible EU-wide notification process, involving a central EU Information Commissioner.
 
A key part of this harmonisation process will depend upon the establishment of precedents, template data processing agreements and fair processing notices. In addition, organisations will be required to adopt Privacy Impact Assessments (PIA) and Privacy by Design (PbD) into new technologies from inception through to implementation and day-to-day operation, rather than immediately prior to launch. In short, privacy is to be embedded into the development of business and technology from the word go.

A Refresher of the Review

Key objectives of the modernised data privacy strategy are to:

- Strengthen individuals’ rights and clarify what types of information will fall into the definition of ‘personal data’, such as user profile information.

- Increase transparency for data subjects, for example, by introducing mandatory personal data breach notification.

- Create new responsibilities for data controllers by making the appointment of an independent Data Protection Officer mandatory.

- Place a duty on data controllers to carry out PIA where appropriate, and promote the use of Privacy Enhancing Technologies (PET) and the PbD model of system design.

- Enhance individuals’ control over their data including the so-called ‘right to be forgotten’ and empower users with a right to port their personal information, otherwise known as data portability.

- Raise and finance public awareness and promote the application of approved ‘privacy seals’ for organisations which meet certain minimum privacy standards.

- Ensure informed and free consent (and, in so doing, provide pre-approved data privacy notices on EU standard forms).

- Harmonise the conditions for processing sensitive data and review the categories of information which may be classed as sensitive.

- Make remedies and sanctions more effective and promote an active infringement policy.

- Clarify and simplify the rules for international data transfers.

- Encourage self-regulatory initiatives.

Data Portability

Cloud providers and social network providers will need to pay particular attention to the proposed right for users to port their personal information to an alternative provider, as well as their right to erase their digital footprints, pursuant to their right to be forgotten. It may not have gone unnoticed that Google has recently launched a range of Chrome laptops, in conjunction with Acer and Samsung, which provides users with a suite of solely cloud-based applications, i.e. just the barebones on the machine itself; applications aren’t installed locally but accessed remotely. The service is a direct challenge to Microsoft’s enterprise offering. What is clear is that cloud-based computing isn’t going away anytime soon.

The right for consumers to port their data to a new provider will also be of a specific concern to social networks whose servers continue to brim over with user-generated content.

In theory, the right for users to require providers to transfer their data to a new provider should promote cloud shopping. This, in turn, will promote greater competition between providers. One of the most effective weapons customers have in their armoury is to switch providers. Permitting users to transfer their personal portfolios of friends, photos and documents to an alternative supplier offering greater control and security will be a powerful means of promoting privacy. This is an ideal that should be pursued.

Data Liberation

Notably, Google is supporting this initiative by means of its Data Liberation campaign. This is to be welcomed, although it remains uncertain whether the genuine motive is to relieve its competitors of their data buckets, rather than liberate its customers’ own data. This will come as no surprise, given the continuing data and PR battle between the digital woolly mammoths, Facebook and Google.

In practice, the story is somewhat different. There are some significant hurdles to truly liberal customer data migration policy. The Commission asked organisations and interested sector groups to respond to its consultation in relation to the Directive review by 15 January 2011. There is a wealth of feedback, and after reviewing some select responses, the following were of particular interest.

Microsoft’s response to the Commissioner’s consultation is particularly helpful on this issue. In recognising the brand value of winning customers’ trust, the report starts with ‘Microsoft’s success depends on users having confidence in our ability to responsibly manage and protect their data’ and continues the theme in Section C. (Enhancing control over one’s own data): ‘An essential element of a user’s control over that data is the ability to retrieve that data in a simple and cost-efficient way…. Microsoft strives to build capabilities into those services to give the user that control’.

Practical Challenges

However, at the same time, the response outlines the practical and commercial realities that may inhibit data portability:
 
- Any right must draw a distinction between a user’s own data and underlying applications or related metadata or stats generated by use of the service.

- The right should be limited to data held by the provider.

- Any data transferred will depend on the format of the data and APIs (application programme interfaces) in question. Whilst there are industry standard formats and APIs, few service providers store data in the preferred format for data exchange.

- In addition, the richer the data format, the harder it may be to transfer data to a new provider. The more raw the data, the easier the transfer.

In short, there are significant, technical challenges and users cannot have it both ways – have a specialised, slick user interface, then expect to be able to click a button and transfer their whole data suitcase to a new data ‘hotel’.

The risks of data portability should not be understated. In Nokia’s response, the risks of failing to identify correctly the user who is requesting the data transfer are significant (page 10). One recommendation is to ensure that only ‘identified individuals’ can exercise their rights. In addition, there may be some benefit to limiting the frequency with which a user can exercise this right.

Promoting a Privacy Market

Cloud customers often marry in haste and repent at their leisure. In other words, unless users are provided with clear information about what will happen to their data at the end of the relationship (call it a ‘data pre-nup’ if you will), privacy is likely to suffer. In reality, a limited number of data oligarchs are likely to retain market control over customers’ data, based on first mover advantage, rather than necessarily providing the most effective platform for maintaining their customers’ privacy. Facilitating data portability will in itself generate healthy competition in relation to privacy enhancing technologies and empower customers with control over their data. Comparisons can be drawn with the mobile network market and the ability of customers to switch provider. For a long time, there was great resistance which was eventually overcome.

Industry Standards

Requiring providers to allow competitors access to their technology to produce compatible exchange interfaces and promoting common, standard industry data exchange formats (where reasonably practical) should assist users in migrating to a new provider. However, as ever, where there are associated costs of porting data, such costs should be reasonable and users should be informed of what these costs are in advance of ‘moving in’.

What Questions Should I Ask?

Google has succinctly distilled the questions a user should ask before signing up to a cloud service, in its Data Liberation site, as: 

- Can I get my data out at all?

- How much is it going to cost to get my data out?

- How much of my time is it going to take to get my data out?

These are questions both consumers and businesses should be asking before they embrace the economically attractive cloud-based services on offer. It may come as no surprise that many cloud services offer low introductory fees, whilst the costs to switch to a new provider in the future may be astronomical.

Directive or Regulation?

The Commission will propose legislation this year. It should be borne in mind that the option remains open to the Commission to introduce new legislation in the form of a Regulation, rather than as a Directive. The upshot of this being that the law would be directly applicable and there may be a genuine opportunity for the Commission to achieve greater harmonisation within the EU.

Philip James
Media & Entertainment Partner
+44 (0)207 634 4655
pjames@pitmanssk.com