what's in the news

Exciting times. The UK has launched its first cyber security export strategy. Cyber Security is an essential component of the £2 trillion global ICT market, and already worth £123 billion in its own right, growing by over 10% every year. The UK market is conservatively estimated at £3.9 billion, with 2,500 companies operating in the sector.

When it comes to exports, the US is the UK’s top destination, accounting for 31% of business. The UK Trade & Investment (UKTI) export strategy sets out the opportunities for UK businesses to further expand this £805 million export market and outlines government plans to support the UK cyber sector in finding new international customers.

Key actions promoted by the export strategy include:

• creating a UK catalogue of cyber specialists;
• preparing market insight reports on overseas opportunities for UK suppliers;
• developing of clear guidance on exports controls for cyber security products and services;
• ensuring a coherent whole-of-Government approach to working with the sector.

According to experts, the threat posed by cyber sabotage is becoming increasingly real. Whilst speaking at yesterday’s Westminster eForum’s CyberSecurity expert panel session, James Quinault, Director, Office of Cyber Security and Information Security, Cabinet Office, warned of imminent, ”deliberate attacks to degrade or destroy critical infrastructure and people’s assets” and clearly stated that maintaining security is essential to businesses’ survival.

Steve Purser, Head of Core Operations, ENISA and Jeff Parker, Director of Projects, International Cyber Security Protection Alliance (ICSPA) spoke at the Westminster e-Forum CyberSecurity event. Philip James, Partner at Pitmans, also spoke on an expert panel at the event, and comments, “One of the prevalent and more positive themes arising from the discussion was that ensuring good security is a business enabler.  It creates value and jobs, builds trust and allows organisations to secure and recognise greater revenue from investment in intellectual property and R&D”.

As the global threat increases, so do the conditions for market growth. The UKTI export strategy has been devised to fully develop this opportunity, and will implement its key actions in close collaboration with the UK sector, including with the recently created Cyber Growth Partnership.

To view the UKTI export strategy document, please click here.

For more information on cyber security, please visit:

Cyber Risk Management
Information Technology

To discuss how we can help, please contact:

Philip James
Partner and Joint Head of Technology
T: 020 7634 4655
E: pjames@pitmans.com

New cyber proposals on both sides of the Atlantic are today due to have a seismic shift upon the legal framework which governs notification of security incidents and information sharing to limit risk and improve security.

Introduction

Personal data breaches – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed.

According to the Information Commissioner’s Office (ICO) the number of personal data breaches has increased by nearly ten times in the last 5 years.  This is not widely publicised as currently only ‘public electronic communications service providers’ (PECNPs) (i.e. telcos) have a duty to notify breaches but a proposal by the EC is calling for increased obligations on organisations and greater transparency surrounding data breaches. In addition, the absence of contractual provisions requiring a supplier to notify a customer in the event of a breach can place an organisation in a difficult position when deciding when and how to notify authorities and its customers.

Data Breaches – what effect do they have?

A personal data breach can have a major impact on an organisation. Not only does it lead to negative PR and damage reputation, trust, brand and goodwill,  it also affects consumer confidence and, ultimately, share price and investor relations. It is no wonder that companies try to conceal these breaches but the new Regulations specify transparency surrounding such events.

Data breaches effect even the largest organisations. In April 2011, Sony came under scrutiny as they were hacked into and the personal data of thousands of users was leaked. Users were furious that it took 6 days for them to be notified that their personal details were no longer secure.

In January 2012, the EC published a draft set of Data Protection Regulations (Regulations) to update the existing primary EU Directive which governs data protection law. The aim was to increase the burden on organisations to ensure that personal data is held securely. Due to the nature of the cyber world most breaches are likely to have a cross-border impact and this has led to the implementation of a single harmonised law across the EU.

New laws

Article 31 of the proposed Regulations, which is due to come into force in late 2014 or early 2015, specifies that every personal data breach, in all sectors, must be reported to the relevant supervisor, where feasible, within 72 hours (the original draft suggested 24 hours, but this was widely criticised; 72 hours is not much longer, but at least better) of the data controller having knowledge of the breach. In the UK the supervisor will be the Information Commissioner.  If notification takes longer than 72 hours then a written explanation will also need to be sent. Further to this, those breaches that are “likely to affect the protection of the personal data or privacy of the individual” must be notified without further delay.

The nature of the notification differs depending on who is notified; a great level of detail is necessary when notifying the authorities. As a minimum the notification must detail the nature of the breach and the measures taken to mitigate any adverse effects that the breach may have.

The Regulations also introduce potential penalties for data breaches of up to 2% of an organisation’s global turnover. With these increased penalties proposed many companies are investing in improving data security and information assurance prior to the introduction of the Regulations.

These Regulations may seem particularly onerous, especially for smaller companies however the reality is that Europe are behind the time in protecting personal data.  California took the lead in 2003 when they introduced a law regarding data breach notifications.  Since then 46 states have followed suit and the US now has comprehensive laws governing data breaches.

New Cyber Security Rules On Both Sides Of Atlantic

The EU has just released a proposal concerning a Directive to ensure a high common level of network and information security across the Union, 2013/0027 (COD), (Cyber Directive).  The aim of the proposed Directive is to ensure a high common level of network and information security (NIS). This means improving the security of the Internet and the private networks and information systems underpinning society and economies. The Directive will require Member States to cooperate and operators of critical national infrastructures (CNI), such as energy, transport, and key providers of information society services (e-commerce platforms, social networks, such as facebook and linkedin), as well as public administrations to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities. The new proposals therefore cast the net far, far wider than the current mandatory telco notification.

The Directive has three limbs:

• Member States must have in place a minimum level of capabilities by establishing competent authorities for NIS, setting up Computer Emergency Response Teams (CERTs), and adopting national NIS strategies and national NIS cooperation plans.

• National competent authorities should cooperate within a network enabling secure and effective coordination, including coordinated information exchange as well as detection and response at EU level. Through this network, Member States should exchange information and cooperate to counter NIS threats and incidents on the basis of the European NIS cooperation plan.

• Leveraging the existing Framework Directive for electronic communications to ensure that a culture of risk management develops and that information is shared between the private and public sectors.

Companies in the specific critical sectors outlined above and public administrations will be legally bound to assess the risks they face and adopt appropriate and proportionate measures to ensure NIS. These entities will be required to report to the competent authorities any incidents seriously compromising their networks and information.

On the other side of the pond, a US Cybersecurity Bill (aka, the Cyber Intelligence Sharing and Protection Act) (CISPA) is to be introduced today (13 February 2013). The Bill received significant resistance from lobbyists, privacy and human rights campaigners and proposes to be a landmark battleground for Congress and the US administration.  CISPA is intended to prevent and limit the effect of cyber attack by facilitating information sharing about threats and malware with the intelligence community and the Department of Homeland Security. It seems that, in this regard, the US and EC legislators are fully aligned.

What should you do now?

There are many steps an organisation can take to manage the impact that these Regulations will have.

Organisations should have a dedicated Incident Response Team who have procedures in place should a breach occur. With the short timeframes introduced by the Regulations, companies need to have a process in place and those involved should know how to react.

Organisations should review their data protection policies and amend them if necessary. This involves looking at any contracts with contractors as well to ensure that personal data is safe if it is outsourced at any point. Contracts should also be reviewed for responsibility and where possible a company should endeavour to limit its liability for any breach by a contractor or sub-contractor.

Potential Problems

Although the new Regulations and Cyber Directive will inevitably encourage companies to be more transparent there is a concern that other problems may be caused by the implementation of this law:

• The new Regulations and Cyber Directive may encourage excessive disclosure.  For example, due to the time restrictions companies may decide to notify all those who have potentially been affected rather than waiting to establish who has actually been affected. This is likely to worry consumers and lead to bad publicity even if it then turns out that some of these individuals have not been affected.

• Notification will use up resources which could be working to rectify the problem. Fixing the problem should be the priority in these situations.

• There will be serious concerns raised by competitors when disclosing potentially sensitive information regarding information assets and confidential information and intellectual property. Careful consideration will need to be taken to ensure sufficient information is disclosed, whilst keeping it secure and limiting the extent to which it may be used and shared. Those who share should also benefit from receipt of reciprocal information. In contrast, those who refuse to do so, may be disadvantaged from not being part of the information security inner circle.

• Notification will cost money. In austere economic times, companies are looking to keep spending to a minimum but the introduction of the Regulations will undoubtedly force companies to spend more money on protecting the data they hold.

Only time will tell if the Regulations will help manage data breaches or just cause unnecessary worry and costs.  Either way your business should be prepared and take precautions now to minimise the impact they will have.

If you would like further assistance on this matter please contact Pitmans’ Cyber Risk Management Team or

Philip James
Partner & Joint Head of Technology
T: 0207 634 4655
E: pjames@pitmans.com

Pitmans SK Sport & Entertainment LLP

Welcome to Pitmans’ December Technology Update

Our team has put together a rich medley of festive treats for your digital stocking including: incisive comment on the perils of social media demonstrated no better than the recent slurs made against Lord McAlpine, the do’s and don’ts of software licensing (from a litigator’s perspective), and the latest on the opportunities presented by Patent Box.
Philip James, Partner

Autonomy and Hewlett-Packard: the risks of technology M&A
Just over a year after completing the takeover of Autonomy, Hewlett Packard has gone public with claims that it may have been duped into paying too much and that the value of its investment was being written down.  Is this about issues specific to HP and Autonomy, or does it tell us something about the risk inherent in mergers and acquisitions, and in the technology industry particularly? Read more

Getting your software licence right first time
Businesses entering into licences for specialist software should not underestimate the time and effort required to ensure that the licence documentation accurately reflects the commercial agreement: to do otherwise risks costly litigation and the threat of mission-critical software being withdrawn. Read more

Is half a loaf better than none?
Google has come under increasing pressure from both sides of the Atlantic to offer robust proposals to address what is seen by many as potential abuse of its market dominance. However, with only meager proposals being put forward by Google, the European Commission must determine whether the proposals should be accepted to reach a settlement rather than face a protracted legal battle. Read more

Innovative Intellectual Property Strategy: The Patent Box
Patents are commonly used as commercial instruments which give companies the edge over their competitors and encourage investment opportunities. Thanks to the introduction of the Patent Box in August this year, patents now have the added benefit of tax benefits. But how can your company benefit from this? Read more

Lord McAlpine and the Myth of a Luddite Legal System
On 2 November 2012, the BBC broadcast an edition of Newsnight which included allegations (subsequently established to be incorrect) by a former care home resident that during the 1980′s he had been abused by a prominent Conservative politician. The BBC did not name anyone within the story but subsequently a significant number of people speculated about those involved. Read more

WEEE wish you a Merry Christmas
Whether it is the latest phone, computer, tablet or kitchen device that you are after, electrical goods are sure to make an appearance on all our Christmas lists but what materials are used in them and are they legal? Read more

Upcoming Technology Events

7 February 2013 – London
Pitmans Annual Cyber Conference
This year’s event will focus on Reputation Management & Information Security. We are delighted to announce that Professor Sadie Creese and John Bassett OBE will be making opening and closing addresses. Register today

What to watch out for in 2013:

• the increased prevalence of crowdsourcing platforms
• the introduction of the CAP Code on Online Behavioural Advertising (OBA Code) which comes into force on 4 February 2013 (the rules do not guarantee compliance with the law)
• the outcome of the OFT’s consultation into Personalised Pricing which closes on 4 January 2013 (where prices are determined by a user’s profile)
• the success of the Cyber Incident Response Scheme (CIRS) having been launched by the Communications-Electronics Security Group (CESG, part of GCHQ) and the Centre for the Protection of National Infrastructure (CNII). CIRS is an initiative which forms part of the Government’s UK Cyber Security Strategy. If you want to know more, come along to Pitmans Annual Cyber Conference.

Finally, as the winter solstice approaches and we seek to stare into The Sky At Night to see what the future holds, we pay tribute to the life of astronomer, Sir Patrick Moore. Whilst undoubtedly controversial, Sir Patrick is said to have responded to criticism of his right-wing beliefs: “I may be accused of being a dinosaur, but I would remind you that dinosaurs ruled the Earth for a very long time.” Take from that what you will; regardless, we encourage you to look into the sky over the holiday season to see if you can spot a sleigh passing a new dinosaur constellation, following the broadcaster’s departure.

Philip James
Partner
T: 0207 634 4655
E: pjames@pitmans.com

Tim Clark
Partner
T: 0118 957 0264
E: tclark@pitmans.com

Where we are now

We are living in a world where organisations are under constant attack from ever evolving cyber threats. Institutions around the world are struggling to operate securely in the cyber environment and are vulnerable to reputational, financial and competitive damage. According to a recent Cisco Security Intelligence Operations report , this is partly a result of the fundamental shift from mass spam attacks to more targeted and profitable attacks on organisations. These malicious attacks have quadrupled over the past year and they cost institutions globally US$1.29 billion in the last twelve months. Given the tough economic climate experienced over the last four years, many organisations have suffered budget cuts, and in many cases, security programs and their funding have diminished. Cyber criminals do not target organisations in specific sectors but target all sectors. The UK government, for example, now receives over 20,000 malicious attacks every month, according to George Osborne.

Key vulnerabilities

As organizations become increasingly reliant upon mobile devices, social networks and increased use of remote, outsourced, cloud based services, there is a growing concern that security progress will fall behind technological advance, leaving firms relatively vulnerable to cyber crime. Research shows that less than 40% of firms have security measures in place to protect mobile devices, the cloud and social media. Even less carry out any sort of robust, technical and operational due diligence checks upon service providers to verify security, both prior to and during engagement.

Other worries include cyber criminals finding new ways to bypass the virtual defences of organisations without a trace, to introduce malware within legitimate web content management software and to use increasingly complex ‘spearphishing’ email attacks. Recent commentators have also highlighted that individuals within organizations are likely to be targeted with greater frequency and influenced by monetary and blackmail incentives to assist in disclosure and access to sensitive information.

Why does this matter to your organisation?

The Pitmans Annual Cyber Conference will contain two keynote speeches and two panels about how to manage and prepare for breach incidents and thereby limit any resulting cost, liability and damage to your brand and reputation (and potentially share price). The conference is designed to help your organisation understand the threats and take advantage of achievable, commercial, preventative measures. The session will also set out ways in which relevant stakeholders can build a credible business case for investing sufficient resources in preparing against such threats. Carefully selected panelists will help you gain an insight into potential future threats to your institution’s security infrastructure and will advise of practical, cost effective, steps to reduce your attack surface and reduce risk exponentially. As partners, directors, board members and management, responsibility falls on your shoulders to understand these risks and to clarify the roles and responsibilities of those within organisation. Act now. This is not a dress rehearsal.

To learn more and register, attend Pitmans’ Annual Cyber Conference.

Fraud, a betrayal of trust

White collar business fraud in the UK sadly continues to be a by product of corporate life. Rather like car accidents or physical crime most of us think “it will never happen to me”. Fraud inevitably takes its victims by surprise and is often a tragic breach of trust by friends, co-workers or business colleagues who are well known to the victim. In the case of pension fraud, it can have serious implications for the scheme and its members as pension schemes are, by their very nature, the custodians of large amounts of assets both in terms of cash and information.

Fraud is the betrayal of trust. Its prevention and detection requires transparency and accountability. Both trustees and scheme managers should be initiating and complying with strict checks and controls, but it is also important to use common sense and keep an open mind so that when a fraud is discovered, the scheme can move quickly to protect its funds, data and members’ interests.

Prevention, not cure

Under pensions legislation and the Pension Regulator’s (tPR’s) Code of Practice on Internal Controls it is essential that trustees and schemes have a dedicated fraud risk management plan in place for the safe custody and security of pension scheme assets. The first 24 hour period after discovering fraud is crucial and the checklist of action to take should include: scheme objectives for the outcome; a dedicated investigation team; possible suspension of the wrongdoer if appropriate; evidence should be protected, gathered and assessed; insurance check and notification; and management of the publicity as well as perhaps, in some circumstances, notifying members of the issue. Reporting fraud to a law enforcement agency may be required, but in itself may not lead to recovering any loss. But there are a range of civil recovery measures in place for that. The first step must be to protect the current position. A Court order can be obtained quickly to prevent transactions or to freeze assets. A search order allows entry into premises to look for, preserve and copy evidence.

Who to pursue?

Who should a claim for recovery be against? The perpetrator, or the party in possession?  Or, maybe against the party who failed in their duty of care, such as a scheme administrator, a trustee or a professional advisor to the scheme. A simple request for repayment in some cases may suffice. Otherwise, insolvency proceedings may be the most effective tool to use. A trustee in bankruptcy can be appointed to investigate the extent of wrongdoing, while a similar role can be played by an insolvency practitioner where a company is put into liquidation. Whatever options considered, always consult an expert legal team first.

GP Noble Trustees Limited

A recent example of a major fraud of pension scheme monies and serious breaches of trust involved GP Noble Trustees Limited.  GP Noble manager, Graham Pitcher, was convicted of conspiracy to defraud and given a jail sentence of eight years for transferring £52m from nine pension schemes into two offshore accounts, to invest in buying land for development in Thailand, an on line bookmaker in Australia and finance a Hollywood movie project.  All of the people involved were able to hide their fraudulent activities from the parent company and regulatory authorities, and denied their part in the fraud in court.  Whilst some of the people involved were cleared, the main instigators, who were jailed, held positions of responsibility and trust within GP Noble Trustees Limited.

The GP Noble case may seem extreme however; the principles behind pensions fraud, the prevention and recourse are equally the same whether there has been a fraud on a major scale or on a smaller scale.  The effect of fraud on a pension scheme can cause major issues and have catastrophic consequences for the members, the future of the scheme, the trustees and sponsoring employer.

Risk assessment

Trustees need to ensure they have a risk assessment and risk register in place which is reviewed regularly, that any custodians and any key persons are risk assessed and all mandated personnel whether on bank accounts, investments and assets are also risk assessed.  The Trustee may wish to consider recruitment screening of key personnel especially those who monitor cash transactions and allow basic and random checks, including regular supervisory review of their working.  Also a rotation of jobs within an organisation may not be popular but does make it more difficult for an employee to become ensconced and start to operate a system to their personal financial advantage.  In terms of professional advisers we have listed the safeguards that trustees can take under our article detailing duties under the Data Protection Act.

If in doubt, get legal advice

If you are a trustee, scheme administrator, pensions manager, the employer or any other person related to pension schemes and the management of pension scheme assets, you have a duty to report any breaches, even if these are ultimately unfounded.  If in doubt, we can assess the merits of a potential fraud and lead you through the process to ensure the safe custody of pension scheme assets for your members.

Parminder Latimer
Director, Pensions
T: 0118 957 0324
E: platimer@pitmans.com

The Scottish Borders Council has recently been fined £250,000 for breaching its data protection duties under the Data Protection Act 1998 (Act). Failing to keep personal data secure in this way also has significant implications for pension schemes and in particular fraud in pension schemes.

In this case, the data in question had been outsourced to a contractor to process but the contractor failed to dispose of the hard copy records in the appropriate manner.  The data contained files with the Council employees’ names, addresses, national insurance numbers, salaries and bank details.  As the Council failed to secure a contract with the offending company, it was held liable for the incident.  Yet, loss, disclosure or theft of data is not confined to physical records.  Digital records present an even greater risk given the ease with which large volumes of data may be extracted on an electronic medium.

Why are Trustees and, potentially also, Scheme Administrators at risk?

The Act governs the collection, processing and use of personal data. Both processing and personal data are widely defined and include information collected in the context of the governance and administration of occupational pension schemes.  Poor governance of pension schemes which includes poor internal controls and record keeping is more important during the economic downturn where there can be a higher risk of fraud and dishonesty amongst scheme administrators, trustees, employers or other related advisers.

The Pensions Regulator (tPR) has set a deadline of 31 December 2012 by which tPR expects all occupational pension schemes to achieve “100% of ‘common’ data – such as name, address and date of birth” for members who have been in an occupational pension scheme since June 2010 and a 95% standard for members who have been in an occupational pension scheme before June 2010.  The need for and use of increased member data can lead to higher risks of fraud.  If proper systems are not in place to maintain the security of data, the trustees and/or scheme administrators of a pension scheme could be liable under a breach of trust, a breach of data protection or a breach of pensions legislation.

“Data Controller” v “Data Processor”

In most cases, pension scheme trustees will be “data controllers” for the purposes of the Act and therefore will take on the same responsibilities. Trustees will often use external administrators to process the information on their behalf.  As was shown in the Scottish Borders Council case, trustees will be held responsible for any breaches by third parties unless they have taken adequate measures to protect members’ personal data and keep it secure.

Trustees must notify the Information Commissioner’s Office (ICO) that they are a data controller and register the personal data that they control.  Any failure to notify is a criminal offence for which trustees may be liable, unless they are exempt. The only exemption generally available is if the individual is the sole member and the sole trustee of an occupational pension scheme.

Administrators of a scheme will usually be “data processors” under the Act as they will be processing members’ personal data on behalf of trustees.  However, where administrators are independently, or jointly, determining the purposes for which members’ personal data may be processed, they may also be held to be data controllers and therefore be primarily liable under the Act.

Changes in the pipeline

In January this year new draft EU Regulations were published which will potentially introduce a number of changes in relation to data protection.  These include an obligation on companies to report any serious data breach to the authorities within 24 hours and the maximum fine will be capped at 2% of the annual worldwide turnover of the company or firm involved.  Another change that scheme administrators should be aware of is that data processors, as well as data controllers, may also be held primarily liable for breaches of the Act.  This change is aimed at sharing the responsibility amongst all parties involved rather than the data controller being solely responsible and is a landmark step change in data protection regulation.

ICO Powers

The ICO can issue fines of up to £500,000 for any serious breach of the Act.

In order to be found liable the ICO must prove that the data controller deliberately or knowingly failed to take reasonable steps to prevent the breach.  The fine imposed depends on the seriousness of the breach.

How can Trustees and Scheme Administrators minimise their risk?

To achieve compliance, reduce fraud, protect the reputation and brand of a pension scheme and minimise the potential costs of a breach, trustees and, where relevant when acting as data controllers, scheme administrators should:

- use third parties who have safeguards in place to maintain data security;
- check that all contracts with third parties include data security clauses;
- check all liability caps in the contracts to ensure that the third party will pay the whole amount should a breach occur;
- undertake due diligence on third parties;
- perform regular audits to check compliance;
- review insurance cover and exclusions;
- be ready to manage breaches if they occur; and
- devise and put in place a contingency plan to determine what to do in the event of an incident.

If you would like any assistance in safeguarding your pension scheme against these risks, please contact either:

Parminder Latimer
Director, Pensions
T: 0118 957 0324
E: platimer@pitmans.com

Philip James
Partner and Joint Head of Technology
T: 0207 634 4655
E: pjames@pitmans.com

If you require any further information regarding data protection or are interested in undertaking a Cyber Asset Audit please see:

Data Privacy

Cyber Asset Audit

The Article 29 Working Party has adopted a working document (see here) on Binding Corporate Rules (“BCRs”) for data processors. The BCRs, aimed at both the private sector and data protection authorities, contain the key legal principles covering transfers of personal data from the European Union. They are intended to operate as internal policies and rules concerning data privacy and security for multinational companies.  The working document also contains a full checklist of the requirements for BCR processors, including the requirements of BCRs and details of the information to be presented to a data protection authority in a BCR application.

The Working Party hopes to meet the expectations of companies acting as data processors by giving them the opportunity to benefit from the protection offered by BCRs in the context of international transfers of personal data, for example in the context of outsourcing activities or cloud computing. Official approval of a set of BCRs grants processors the status of “safe processor” that, in turn, will allow the processor’s customers to overcome data-transfer limitations under EU data-protection laws.

The new rules are partly due to the previous success of the Working Party’s BCRs for controllers, as well as proposals to explicitly include BCRs for both processors and controllers in the future legislative framework of the European Union.

Carolyn Butler, a solicitor at Pitmans LLP, said that “since the BCRs are intended to provide a “toolbox” of practical measures data processors could take to fulfil their data-protection obligations, they will be a great help to responsible organisations seeking clarification of how compliance may be most effectively achieved”.

The Working Party has promised to follow up the working document with a European coordination procedure, similar to the existing procedure for BCRs for controllers, and an EU application form.

Philip James
Partner
T: 0207 634 4655
E: pjames@pitmans.com

Carolyn Butler
Solicitor
T: 0118 957 0234
E: cbutler@pitmans.com

Non-payment for goods supplied is an ever increasing risk for business. A validly drafted and effectively incorporated express clause providing for reservation of legal title to goods supplied is a useful method of protection for non-payment in solvent and distressed situations alike. A valid retention of title clause will:

(i) provide quasi security in the event of the buyer’s insolvency in respect of the goods supplied; and

(ii) absent insolvency allow the seller to recover the goods supplied if they have not been paid for.

Such clauses, if enforceable, can greatly increase a creditor’s bargaining position and, as such, prospects of payment.

Retention of Title clauses range from, a basic clause providing that legal title to particular goods sold (on an order-by-order basis) does not pass to the buyer until the goods have been paid for in full, to an “all monies” clause, which does not permit title to pass in any goods supplied at any time until all sums owed – for any goods that have been supplied by the seller – have been paid in full.

The addition of a mixed goods clause is advisable in situations where the goods supplied are to be subject to a manufacturing process (where they are combined with other goods owned by third parties) to create a new product. Such a clause is only effective in law where the goods supplied retain their identity and can be easily removed from the manufactured product without causing damage.

Similarly, it is often necessary to consider the effect of a valid retention of title clause where there is likely to be a sub-sale to an end user and, in particular, the frequently found addition of a clause which aims to attach a claim to the proceeds of sale paid on a sub-sale of the goods. Such a clause will often be drafted so widely as to create a charge which may be invalid if it is not registered as a legal charge.

Further, where it is intended that finished goods are to be supplied for the purpose of an immediate on-sale by the buyer to its customers it is possible that an “all monies clause” may be considered ineffective unless an express provision has been made for the re-sale of the goods.

A well drafted retention of title clause should provide for the seller to gain access to the buyer’s premises to repossess the goods. However, where the buyer is a company in administration, no steps can be taken to repossess any goods supplied without first obtaining the permission of the appointed Administrators’ or an Order of the Court.

The law relating to retention of title is constantly evolving and changing. It is, therefore, important that parties seeking to rely upon the terms of a retention of title clause ensure that such provisions are regularly reviewed and updated. The key is to ensure that such clauses are not drafted so widely so as to render them unenforceable in any moment of need.

If you have concerns or queries about any of the issues dealt with in this article please contact:

Adrian Wilmot
Director, Insolvency & Restructuring
T: 0118 957 0595
E: awilmot@pitmans.com

Suzanne Brooker
Partner
T: 0118 957 0516
E: sbrooker@pitmans.com

STOP PRESS: The ICO’s moratorium on enforcing the new EC Privacy Directive (“Directive”) expired on 26 May 2012. The Directive requires website operators to gain consent before storing or accessing ‘information’ on a user’s or subscriber’s device. While the Directive applies to any form of information stored or accessed, the main application has been in the use of web browser cookies.

What’s the status of the current law?

Termed by many as the Cookie Directive, the change in law actually took effect some twelve months ago. However, the Information Commissioner’s Office (ICO) decided it would allow businesses a year to get their act together before commencing pro-active enforcement. Previously website operators and app publishers could merely provide an option to opt out of the cookies used on their site. Now, they must gain the consent of users before cookies are stored or accessed via user’s devices, after providing clear and comprehensive information explaining why such cookies are used. The exception to this is that consent is not required where cookies are used solely to promote a service requested by the user or to enable transmission over a network.

What’s the anticipated reaction by business?

It is inevitable that many websites will not comply following the 26 May 2012 deadline. Those that fail to comply could face fines of up to £500,000. Although it is highly unlikely that any fine would be anywhere near this amount, the main risk remains damage to brand, loss of consumer trust and the embarrassment of being subjected to enforcement action for not respecting users’ privacy. Regardless, conducting an audit of your organisation’s digital real estate is prudent and the Directive provides a genuine incentive to see what’s really going on under your site’s or app’s hood.

What guidance has been issued?

The ICO has recognised that many organisations are unlikely to comply and has issued updated guidance to assist organisations to comply. In addition, Dave Evans of the ICO has released a blog and video with further specific guidance. For further details see here.

The ICO is not intending suddenly to “launch a torrent of enforcement action” but will instead seek to use enforcement notices to encourage compliance. Christopher Graham has said that the ICO’s enforcement approach is to do with risk to peoples’ privacy, and the more intrusive the cookie is, the more likely it is to risk sanction. The level of penalty imposed will be worked out using a sliding scale.

What are cookies?

Cookies are parcels of data which are stored on users’ devices when users browse particular website or use an app. The use of cookies has raised concerns over an individual’s privacy because cookies are able to store personal data which is then used in a way to track an individual’s browsing habits, target marketing based on this data and ultimately build user profiles. In addition, certain types of cookie (known as ‘flash cookies’) may be impervious to browser settings; in other words, they can be persistent and remain on a user’s device regardless of how that user has set their preferred browser settings.

Websites often use cookies simply to enhance user experiences when they visit their site, such as remembering log in details (e.g. shopping basket preferences and customisation of sites to facilitate ease of use to recognise a returning (or loyal) user of that site). Tracking cookies for the purposes of behavioural advertising are considered more intrusive, while analytical cookies (such as Google Analytics) do not necessarily raise significant data privacy concerns.

The ICO has intimated that websites operating the less intrusive analytical cookies will not be met with a fine on 27 May 2012; instead only those sites showing wilful contravention of the law will face tougher enforcement action. Aside from the fine mentioned above, being seen to infringe your users’ data privacy is likely to have a negative impact on your brand reputation.

There are simple steps that website operators can take now to show that they comply with the principles of the Cookie Directive:

1. Review your privacy policy; websites need to provide users with upfront and comprehensive information about their use of data and cookies.
2. Carry out an audit; understand what cookies are used on your website and what data they store and access. However, this shouldn’t be confined to just cookies – the Directive applies to any information stored or accessed on a user’s device; also search, for example, for scripts of code that can be used to track a user such as web beacons and URL tracking.
3. Privacy Impact Assessment (PIA); consider the extent to which the information concerned may infringe a user’s privacy and whether any pose a risk of enforcement action. Third party cookies (from an affiliate) are more likely to be seen to be invasive than first party cookies (i.e. those placed by your own site’s editorial).
4. Display a prominent link to your privacy policy and information on the use of cookies and similar tracking information. Explain to users how they may adjust their browser settings to determine whether to accept cookies.
5. Consider gaining active consent of users; an opt-in system is best practice but can prejudice usability and data metrics used on your site. Consider other practical ways to gain consent from users and ensure that your website is being seen to respect users’ privacy (bearing in mind that paying pure lip service may be insufficient).
6. Respect user preferences; once a user has chosen his/her preferences, respect those preferences.

If your website or app uses cookies you should be taking the steps above to ensure that your use of cookies complies with the legislation to preserve your brand integrity and avoid enforcement action.

For further information and advice on your use of cookies, please contact Philip James or a member of Pitmans’ Data Privacy & Information Law team.

Philip James
Partner, Pitmans SK Sport & Entertainment LLP
T: 0207 634 4655
E: pjames@pitmans.com

The Article 29 (A29) Working Party has recently published their opinion paper on the rise of facial recognition technology and the concerns that this brings for the protection of personal data online. This note looks at the issues of online privacy and the concerns for data privacy as facial recognition software becomes more widely available.

The A29 Working Party is the European body which comprises leading representatives from each data protection supervisory authority in the EU (in the UK, this is the Information Commissioner’s Office); its opinions are therefore particularly influential, if not binding.

Last year Pitmans published a briefing explaining the issues of privacy at the time Facebook changed their ‘tagging’ service for photographs to incorporate facial recognition technology. For further information, click here.

Since then, the availability and application of the technology has grown exponentially; as its accuracy and deployment expands, this technology could be used for the most routine events in every day life – but also by advertising companies, collecting market information based on attendance monitoring and profiling to tailor targeted advertising messages.

The A29 Working Party has identified facial recognition technology as being used for authentication or verification for devices or online services. However, the application of this technology may be naturally extended from the online to the offline world. From a defence and security perspective, retinal scans and other biometric data access are already in use at a number of airports and conditional access facilities; in addition, full facial recognition systems are reportedly already used by security agencies to identify known criminals at sporting and live events by using the technology to identify particular faces amongst the crowd (e.g. known hooligans at a football match or members of the public at the London Olympics).

Similarly, access to live events, venues and concerts has become more sophisticated than merely paper tickets – organisers continue to explore ways in which they may combat the growing grey market in second hand ticket sales which diverts income, and brand value, away from events and the artists. Methods include tickets containing photographs, bar codes or employing near field communication (NFC) technology. Fully automated facial recognition technology is a natural technological progression for those industries where secure access is an essential requirement.

But such applications raise data privacy concerns and consequently companies controlling or processing the data may be in breach of data privacy laws, unless such measures and new technologies are balanced against an individual’s right to privacy. While the A29 Working Party’s opinion on facial recognition focuses on online and mobile, the principles apply equally to anyone collecting and using data for facial recognition services.

The A29 Working Party consider that where a digital image contains an individual’s face, which is clearly visible and allows identification of the individual then such an image would be considered personal data. Therefore, where a reference template is created from an individual’s image, this template will also be personal data if it contains a set of distinctive features of an individual’s face which can be linked to the specific individual and stored for later use. The only instance where a template is likely not to be considered personal data, would be where it was not associated with an individual’s record, profile or original image – but clearly this would limit the application of the technology. Importantly, the template and corresponding profile (or personal details) of the data subject in question do not need to be held by the same entity – it may still constitute personal data where a data controller has the means to access the corresponding information needed to identify that individual (even where held by a third party supplier).

Directive 95/46/EC states the conditions by which the processing of personal data must comply. Article 6 states that images and templates must be relevant, and not excessive, for the purposes of facial recognition processing. As the images constitute biometric data, the processing of the personal data may only be performed if the informed consent of the individual is obtained prior to commencing processing or if another exception is satisfied under the Directive (e.g. for legitimate purposes pursued by the data controller – such as security for the venue in the light of perceived terrorist threats – provided it does not prejudice the rights of the individual concerned). The A29 Working Party note that some elements of processing may be necessary before consent is obtained, i.e. to verify existing records, but this should only be for the strictly limited purpose, and the information deleted immediately.

The digital images or templates stored must be used only for the specified purpose for which the have been provided – and for which consent has been sought or where another relevant exemption applies (as, for instance, in the case of the legitimate use exemption described above). The greater the sensitivity of the personal data concerned the more likely explicit consent will be required.

The A29 Working Party considers that technical controls should be implemented to ensure that third parties do not gain access to the data and use it in an unauthorised manner. As trials of cashless technology grow for events, it may be that this technology is used by individuals to purchase items using credit stored against their profile, for instance drinks or merchandise. Controllers should be aware of the parameters of consent and that data stored against a user’s profile, including data used for, or available from, facial recognition data, can be valuable information for advertising or marketing agencies profiling consumers.

Similarly, controllers and processors will need to guard against security breaches which may result in unauthorised access to the data. The A29 Working Party advises that technical measures such as encryption will need to be used for data storage and data transit. One method suggested by the A29 Working Party is for biometric encryption techniques themselves to be used so that the cryptographic key is directly bound to biometric data and is only re-created where correct live biometric sample is presented on verification.

To reduce such concerns the Working Party recommends minimising the data so that the images or templates stored do not contain more data than necessary to perform the specified purpose. Similarly, templates should not be transferable between facial recognition systems. Organisations developing or deploying such technology should also carry out Privacy Impact Assessments (PIA) and follow development methodologies based on Privacy by Design (PbD).

The everyday use of facial recognition software in society to improve security checks for employees, visitors or customers may soon become common place when using even the simplest of access control systems.

Data controllers and data processors should be aware of the law in this area as the technology becomes more prevalent. But consequently it appears the law may also need to keep abreast of various ways in which the software can be exploited to monitor and profile individuals using a range of services and ensure adequate protection for data subjects as the technology advances.

For further information please contact Philip James or a member of Pitmans’ Data Privacy & Information Law team.

Philip James
Partner, Digital Media, Technology and Data
T: 0207 634 4655
E: pjames@pitmans.com