May 17th, 2013
Exciting times. The UK has launched its first cyber security export strategy. Cyber Security is an essential component of the £2 trillion global ICT market, and already worth £123 billion in its own right, growing by over 10% every year. The UK market is conservatively estimated at £3.9 billion, with 2,500 companies operating in the sector.
When it comes to exports, the US is the UK’s top destination, accounting for 31% of business. The UK Trade & Investment (UKTI) export strategy sets out the opportunities for UK businesses to further expand this £805 million export market and outlines government plans to support the UK cyber sector in finding new international customers.
Key actions promoted by the export strategy include:
- creating a UK catalogue of cyber specialists;
- preparing market insight reports on overseas opportunities for UK suppliers;
- developing clear guidance on export controls for cyber security products and services;
- ensuring a coherent whole-of-Government approach to working with the sector.
According to experts, the threat posed by cyber sabotage is becoming increasingly real. Whilst speaking at yesterday’s Westminster eForum’s CyberSecurity expert panel session, James Quinault, Director, Office of Cyber Security and Information Security, Cabinet Office, warned of imminent, “deliberate attacks to degrade or destroy critical infrastructure and people’s assets” and clearly stated that maintaining security is essential to businesses’ survival.
Steve Purser, Head of Core Operations, ENISA and Jeff Parker, Director of Projects, International Cyber Security Protection Alliance (ICSPA) spoke at the Westminster e-Forum CyberSecurity event. Philip James, Partner at Pitmans, also spoke on an expert panel at the event, and comments, “One of the prevalent and more positive themes arising from the discussion was that ensuring good security is a business enabler. It creates value and jobs, builds trust and allows organisations to secure and recognise greater revenue from investment in intellectual property and R&D”.
As the global threat increases, so do the conditions for market growth. The UKTI export strategy has been devised to fully develop this opportunity, and will implement its key actions in close collaboration with the UK sector, including with the recently created Cyber Growth Partnership.
To view the UKTI export strategy document, please click here.
April 17th, 2013
Welcome to Pitmans’ Spring Technology Update
As the mercury rises and Spring enters stage left, our team has put together a rich variety of comment to welcome in the new season. As ever, let us know any feedback or if there are any particularly thorny issues which you’d like us to cover in our next edition.
Philip James, Partner
Google RIP: What Inactive Account Manager means for your will
Google Inactive Account Manager is a new feature which allows account holders to donate their digital assets to a nominated beneficiary, with implications for anyone writing their will. Read more
Research and Development: Collaborate with Care…
If you are considering collaborating with a competitor to develop a new technology, product or process, it is vital to ensure that any agreement you put in place in relation to your collaborative efforts complies with competition law, which is (in general terms) hostile to agreements between competitors. Read more
ReDigi – The Digital Second-Hand Shop
A US court has ruled that ReDigi’s sale of “second-hand” digital music online infringes Capitol Records’ copyright. Court grants summary judgment ruling that digital music cannot be resold. Is the distinction between the right to resell physical and digital products justified? Is this the end of Saturday Morning Swap Shop’s online comeback? Read more
Seller Beware – Liability for Pre-Contract Promises
Apart from establishing that Lulu the dog could get a degree, one of the key lessons to be learned from the case of BSkyB –v- EDS was the liability that could flow from over enthusiastic (a.k.a. fraudulent) sales pitches in the pre-contract phase of an IT project. Read more
Ability of a sub-licence to survive termination of its head licence
A recent decision of Mr Justice Mann in VLM Holdings Limited v Ravensworth Digital Services Limited  EWHC 228 (Ch) held it is possible that termination of a head licence on insolvency of the licensor does not necessarily mean a sub-licence becomes ineffective. Read more
Considering consent and data collection in apps
IP & IT analysis: How far will the adoption of the EC’s Opinion (02/2013) on apps held on smart devices, which cites lack of transparency and free and informed consent, go in alleviating users’ and regulators’ concerns? Read more
Information Security and Reputation Management – ‘It’s a question of survival, not compliance’
On 7 February 2013, Pitmans hosted their second Annual Cyber Conference following the success of 2012’s event. This year’s conference focused on reputation management, cyber risk management and information security. Delegates were invited to interact with two expert cyber security panels to generate debates and identify the true issues that businesses and individuals are facing in today’s digital world. Read more
Upcoming Technology Events
16 May 2013 – London
Westminster eForum – Cyber security in the UK and Europe: critical infrastructure, collaboration and skills
Following the launch of the EU’s ‘Cybersecurity Strategy’ and as the UK Government continues to spearhead ongoing initiatives to address both cyber security and protecting children online, delegates will examine the policy priorities as well as the development of innovation and skills for webspace that is secure and safe for UK citizens, business and government. For further information click here.
April 15th, 2013
If you are considering collaborating with a competitor to develop a new technology, product or process, it is vital to ensure that any agreement you put in place in relation to your collaborative efforts complies with competition law, which is (in general terms) hostile to agreements between competitors.
While anti-competitive agreements are generally prohibited, the European Commission recognises that cooperation between competitors on research and development (R&D) usually:
- helps to promote the exchange of know-how and technologies;
- facilitates technical and economic progress; and
- rationalises the manufacture and use of products that benefit consumers (among others).
R&D agreements may concern, for example, the acquisition of know-how, studies relating to new products or processes, the establishment of necessary facilities or the obtaining of the relevant intellectual property rights, or they may otherwise define and underpin relationships between collaborating entities.
The R&D block exemption
Under the Treaty on the Functioning of the European Union (TFEU), any agreement (unless it is an agreement of “minor importance”) between competitors affecting trade between EU member states and which has as its object or effect the restriction, prevention or distortion of competition within the EU will fall within Article 101(1) of TFEU and be anti-competitive. The effect of the R&D block exemption regulation (Regulation 1217/2010, the Regulation) is to exempt from Article 101(1) not only agreements that have R&D as their primary object, but also all agreements directly related to and necessary for the implementation of cooperation in R&D (provided that the combined market share of the parties does not exceed 25% of the relevant market).
Exemption of agreements is subject to a number of conditions, including requirements that all the parties must have access to the results of the research, and that all the parties must be free to exploit the results. If the purpose of the agreement is limited to R&D, the parties must be free independently to exploit the results of such R&D. Any joint exploitation of results must be protected by intellectual property rights, or constitute know-how that is decisive for the manufacture or application of the end products.
The safe harbour’s limits
The Regulation does not apply to agreements that are unnecessary to attaining the positive effects mentioned above. Agreements that place certain serious restraints on competition (such as price fixing and limiting production) are still prohibited. Further, the Regulation lists a number of specific terms that will cause the protection offered by the Regulation to fall away, such as R&D agreements aimed directly or indirectly at:
- restricting the freedom of the participating undertakings to carry out R&D, either in a field unconnected with the field concerned or, after completion of the work provided for in the agreement, in the field to which it relates or in a connected field;
- prohibiting challenges to the validity of intellectual property rights held by the parties, whether exploited for the purposes of the R&D or arising from the R&D results; or
- preventing licences from being granted to third parties to manufacture the contract goods where exploitation of the R&D results is not provided for or does not take place.
If an agreement does not comply with Article 101(1), and does not fall within the parameters of the Regulation (or another applicable block exemption), the entire agreement is unlawful and unenforceable. In addition, the sanctions for breaching competition law are severe: the parties may be fined up to 10% of turnover, and third parties may also bring an action for damages if they have suffered loss.
For various commercial reasons, companies may decide that their collaboration should be carried out through the vehicle of a full-function joint venture company with its own identity, infrastructure and management.
However, this approach comes with its own set of challenges: parties will need to take into account the additional administrative burden and cost in running a separate commercial entity. They will need to examine whether the arrangement falls within the UK merger regime. They will also need to put the relevant paperwork in place to govern their relationships (it is usually necessary, for example, to put in place a detailed shareholders’ agreement to deal with the management and operation of the joint venture company). In addition, certain sectors, including the transport, energy and telecommunications industries, have their own rules surrounding joint venture companies which will need to be considered.
If you would like our assistance with any of the issues raised in this note, please contact Pitmans Technology team.
Agreements of “minor importance” are exempt from TFEU, which is the case where the aggregate market shares of all participating parties do not exceed 10% of the relevant market for agreements between parties on the same level of the supply chain and 15% for agreements between parties on different levels of the supply chain.
April 15th, 2013
A recent decision of Mr Justice Mann in VLM Holdings Limited v Ravensworth Digital Services Limited  EWHC 228 (Ch) held it is possible that termination of a head licence on insolvency of the licensor does not necessarily mean a sub-licence becomes ineffective.
What was it all about?
VLM Holdings Limited (“VLM”) owned copyright in online software which was used to design printing materials. VLM granted an informal licence to its subsidiary, VLM UK Limited (“VLM UK”); this licence permitted the licensing of the software to other companies in the UK. A sub-licence was granted to the estate agent, Spicerhaart, to allow it to print property details. The reason Spicerhaart wanted the licence was to give itself some protection should supplies of printing from VLM UK be disrupted for whatever reason.
VLM UK went into liquidation which led VLM to terminate the informal licence between VLM and VLM UK. VLM then decided to grant an exclusive licence for the use of the software to Ravensworth Digital Services Limited (“Ravensworth”), which provided printing services to former clients of VLM UK. One of these clients was Spicerhaart and Ravensworth attempted to require Spicerhaart to purchase printing generated using the software licensed by VLM. However, Spicerhaart sought to rely on its continuing sub-licence and argued that it did not need authorisation from Ravensworth.
Ravensworth sought to claim that Spicerhaart’s supposed sub-licence negated its own exclusivity and claimed that this amounted to a material breach of the exclusivity agreement it had with VLM. The result was that Ravensworth stopped paying royalties and sought to terminate its licence with VLM. VLM counter-claimed that Ravensworth’s actions were in breach of contract.
The decision for the Court was whether or not Spicerhaart’s sub-licence with VLM was capable of surviving the termination of the informal head licence between VLM and VLM UK. If the sub-licence could be said to have survived, VLM would then be in breach of the terms of its exclusive licence with Ravensworth.
What was the result?
The judge did not agree with VLM’s submission that a sub-licence automatically terminates upon termination of a head licence. Mr Justice Mann said that as a licence was a permission to do something that would otherwise, in the absence of such a licence, be unlawful, the answer depended on a number of factors including the terms of the head licence, the terms of the sub-licence and consideration of what was actually terminated.
The judge was of the opinion that the implied authority of the licence between VLM and VLM UK was sufficiently wide to allow for the grant of a sub-licence to Spicerhaart which was capable of surviving any termination of the head licence to VLM UK. The points which influenced his decision were that:
- VLM and VLM UK had common directors.
- VLM UK was the trading company and VLM’s directors allowed it to do what was necessary to exploit the software.
- The sub-licence with Spicerhaart was something that the directors of both VLM and VLM UK wished to have in place to exploit the software further.
- It was known to both VLM and VLM UK that the sub-licence was in place to protect Spicerhaart from disruption to its use of the software which was fundamental to its business. Immediate termination of the sub-licence would of course frustrate this intended purpose of the sub-licence.
- The terms of the sub-licence stated that VLM UK was the owner of the copyright. VLM allowed the directors of VLM UK to make this statement and were happy to do so.
What followed was an examination of the rules of agency and it was held that as Spicerhaart was unaware that VLM UK was not the owner of the copyright, VLM was to be treated as an undisclosed principal and therefore under normal agency rules the permission of the sub-licence to Spicerhaart should be treated as permission by both VLM UK and VLM.
The final conclusion of the judge was that the Spicerhaart licence could indeed survive and therefore Ravensworth’s actions could not be considered as a breach of contract as VLM had in fact breached its agreement with them by not offering them exclusivity.
Organisations need to pay special attention to any intra-group licensing agreements. More often than not these may not be recorded in writing; alternatively, insufficient care may be taken to ensure that they are effectively well-drafted. Any intra-group licence should be formalised in an agreement and should provide that sub-licences: (i) disclose the identity of the head licence and (ii) state expressly that the sub-licence will terminate upon termination of the head licence. In addition, as a licensor, when licensing a work to a publisher or distributor, care should be taken to provide expressly for what happens in the event that the head licence comes to an end or is terminated.
This issue is not restricted to English law. Some foreign courts have been more sympathetic to the obvious potential injustice in the strict application of the termination of a sub-licence upon a head licence being revoked. A notable case before the German Federal Court, ‘M2Trade’ (GRUR 2012 pg 916), determined that despite the fact a head licence was terminated due to non-payment of an agreed licence fee, the sub-licence was capable of surviving. The court took a different approach to VLM and was of the opinion that, unless there is an explicit agreement otherwise, a sub-licence should not automatically terminate upon the cancellation of a head licence. A way in which parties can protect their position is to ensure that any sub-licence agreement contains adequate provisions detailing what is to happen, should the head licence fall away for whatever reason.
Further, it is noted that sub-licences may continue to subsist despite the occurrence of an insolvency event. Insolvency advice and measures should therefore be tempered accordingly.
For further information please contact Pitmans Technology team.
April 11th, 2013
Apart from establishing that Lulu the dog could get a degree, one of the key lessons to be learned from the case of BSkyB –v- EDS was the liability that could flow from over enthusiastic (a.k.a. fraudulent) sales pitches in the pre-contract phase of an IT project.
Of course, the usual “entire agreement” clause could not assist EDS in that case because the law, as a matter of policy, does not allow parties to contract out of their own fraud.
In most cases, however, even if over zealous promises have been made it is unlikely that they will amount to fraud. In those circumstances, the party that has over promised will, you might think, be able to rely on the entire agreement clause to exclude liability for pre-contractual promises. Assuming that clause is comprehensively drafted, it should provide a way for vendors to protect themselves against reliance by buyers on the (commission driven) sales team’s excessively enthusiastic sales promises.
However, in a recent non-IT related but significant case, the Courts have highlighted another weapon available to the victims of over promising. Mr & Mrs Armstrong were independent financial advisors who agreed to join, and bring their book of business to, an organisation called Thinc Group. The Armstrongs were planning to retire in a few years and it was therefore of paramount importance to them that the payment they received for the goodwill (in other words the value of their list of 10,000 clients) could not be clawed back from them in any circumstances as long as they chose to remain with Thinc for at least 3 years. This was so important that they raised it again and again in the negotiations. There was then some delay whilst FSA approval was obtained and only at the end of the process were they given contracts to join Thinc and, a little while later, a contract purchasing the goodwill of their business. Needless to say the contract documents contained a raft of provisions in Thinc’s favour which entitled them to claw back the goodwill payment. They terminated the arrangement with the Armstrongs before the end of 3 years and duly claimed it back. Mr & Mrs Armstrong defended the case during which they had to admit, sadly, that they had not read the contract but had relied on the pre-contractual promises.
Happily for the Armstrongs, both the High Court and the Court of Appeal ruled in their favour, finding that the promises made in the negotiations amounted to a collateral contract, the terms of which prevailed over the contrary provisions in the signed written agreements. Both courts were rightly conscious about allowing promises made in negotiations to trump the written agreements but took into account that: the promise was critical to the deal, the promise was made repeatedly by a senior director and manager of Thinc, the contract wording was contained in two different documents and it was difficult to see how those worked together and, finally, that the Armstrongs placed great store in what they were told by people whom they believed they could trust.
As they say, sometimes the courts deliver law and sometimes they deliver justice. On this occasion they may have managed both.
Lessons for IT Contracting
In the context of IT contracts there are some points to take away from this.
- Sales staff should be discouraged from over promising.
- Anyone entering into an agreement should make sure that it reflects the deal they are agreeing. Take a step back and make sure that it reflects the commercial understanding. In the case of the Armstrongs the court was heavily influenced by the possibility that Thinc could end up with the Armstrongs’ client base effectively free of charge, and concluded that could never have been the deal.
- Vendors should ensure that their contracts include a well drawn entire agreement clause. It is curious that there was little discussion of the law of misrepresentation in the Armstrongs’ case. There was a provision in the documents which excluded liability for pre-contractual representations. The implication is that the clause prevented a claim from being brought for misrepresentation (or that the representation was not a statement of fact which would give rise to a misrepresentation claim) but it is clear in any event that the clause was not well enough drafted even to allow an argument that it excluded or superseded liability under a collateral contract.
- All contracting parties should note that an oral statement made as part of the contractual negotiation can be treated as a contract or warranty collateral to the main transaction, particularly where one party refuses to enter the contract unless the other gives him an assurance on a certain point (or promises not to enforce a term in a written agreement). Vendors should pay close attention, therefore, to any circumstances where a buyer is insisting on certain conditions or assurances as those will have to be honoured.
For further information please contact Pitmans Technology Team.
February 13th, 2013
New cyber proposals on both sides of the Atlantic are due today to bring a seismic shift to the legal framework which governs notification of security incidents and information sharing to limit risk and improve security.
Personal data breaches – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed.
According to the Information Commissioner’s Office (ICO) the number of personal data breaches has increased by nearly ten times in the last 5 years. This is not widely publicised as currently only ‘public electronic communications service providers’ (PECNPs) (i.e. telcos) have a duty to notify breaches but a proposal by the EC is calling for increased obligations on organisations and greater transparency surrounding data breaches. In addition, the absence of contractual provisions requiring a supplier to notify a customer in the event of a breach can place an organisation in a difficult position when deciding when and how to notify authorities and its customers.
Data Breaches – what effect do they have?
A personal data breach can have a major impact on an organisation. Not only does it lead to negative PR and damage reputation, trust, brand and goodwill, it also affects consumer confidence and, ultimately, share price and investor relations. It is no wonder that companies try to conceal these breaches but the new Regulations specify transparency surrounding such events.
Data breaches affect even the largest organisations. In April 2011, Sony came under scrutiny as they were hacked into and the personal data of thousands of users was leaked. Users were furious that it took 6 days for them to be notified that their personal details were no longer secure.
In January 2012, the EC published a draft set of Data Protection Regulations (Regulations) to update the existing primary EU Directive which governs data protection law. The aim was to increase the burden on organisations to ensure that personal data is held securely. Due to the nature of the cyber world most breaches are likely to have a cross-border impact and this has led to the implementation of a single harmonised law across the EU.
Article 31 of the proposed Regulations, which is due to come into force in late 2014 or early 2015, specifies that every personal data breach, in all sectors, must be reported to the relevant supervisor, where feasible, within 72 hours (the original draft suggested 24 hours, but this was widely criticised; 72 hours is not much longer, but at least better) of the data controller having knowledge of the breach. In the UK the supervisor will be the Information Commissioner. If notification takes longer than 72 hours then a written explanation will also need to be sent. Further to this, those breaches that are “likely to affect the protection of the personal data or privacy of the individual” must be notified without further delay.
The nature of the notification differs depending on who is notified; a great level of detail is necessary when notifying the authorities. As a minimum the notification must detail the nature of the breach and the measures taken to mitigate any adverse effects that the breach may have.
The Regulations also introduce potential penalties for data breaches of up to 2% of an organisation’s global turnover. With these increased penalties proposed many companies are investing in improving data security and information assurance prior to the introduction of the Regulations.
These Regulations may seem particularly onerous, especially for smaller companies; however, the reality is that Europe is behind the times in protecting personal data. California took the lead in 2003 when they introduced a law regarding data breach notifications. Since then 46 states have followed suit and the US now has comprehensive laws governing data breaches.
New Cyber Security Rules On Both Sides Of Atlantic
The EU has just released a proposal concerning a Directive to ensure a high common level of network and information security across the Union, 2013/0027 (COD), (Cyber Directive). The aim of the proposed Directive is to ensure a high common level of network and information security (NIS). This means improving the security of the Internet and the private networks and information systems underpinning society and economies. The Directive will require Member States to cooperate and operators of critical national infrastructures (CNI), such as energy, transport, and key providers of information society services (e-commerce platforms, social networks, such as Facebook and LinkedIn), as well as public administrations to adopt appropriate steps to manage security risks and report serious incidents to the national competent authorities. The new proposals therefore cast the net far, far wider than the current mandatory telco notification.
The Directive has three limbs:
- Member States must have in place a minimum level of capabilities by establishing competent authorities for NIS, setting up Computer Emergency Response Teams (CERTs), and adopting national NIS strategies and national NIS cooperation plans.
- National competent authorities should cooperate within a network enabling secure and effective coordination, including coordinated information exchange as well as detection and response at EU level. Through this network, Member States should exchange information and cooperate to counter NIS threats and incidents on the basis of the European NIS cooperation plan.
- Leveraging the existing Framework Directive for electronic communications to ensure that a culture of risk management develops and that information is shared between the private and public sectors.
Companies in the specific critical sectors outlined above and public administrations will be legally bound to assess the risks they face and adopt appropriate and proportionate measures to ensure NIS. These entities will be required to report to the competent authorities any incidents seriously compromising their networks and information.
On the other side of the pond, a US Cybersecurity Bill (aka, the Cyber Intelligence Sharing and Protection Act) (CISPA) is to be introduced today (13 February 2013). The Bill received significant resistance from lobbyists, privacy and human rights campaigners and promises to be a landmark battleground for Congress and the US administration. CISPA is intended to prevent and limit the effect of cyber attack by facilitating information sharing about threats and malware with the intelligence community and the Department of Homeland Security. It seems that, in this regard, the US and EC legislators are fully aligned.
What should you do now?
There are many steps an organisation can take to manage the impact that these Regulations will have.
Organisations should have a dedicated Incident Response Team who have procedures in place should a breach occur. With the short timeframes introduced by the Regulations, companies need to have a process in place and those involved should know how to react.
Organisations should review their data protection policies and amend them if necessary. This involves looking at any contracts with contractors as well to ensure that personal data is safe if it is outsourced at any point. Contracts should also be reviewed for responsibility and where possible a company should endeavour to limit its liability for any breach by a contractor or sub-contractor.
Although the new Regulations and Cyber Directive will inevitably encourage companies to be more transparent there is a concern that other problems may be caused by the implementation of this law:
- The new Regulations and Cyber Directive may encourage excessive disclosure. For example, due to the time restrictions companies may decide to notify all those who have potentially been affected rather than waiting to establish who has actually been affected. This is likely to worry consumers and lead to bad publicity even if it then turns out that some of these individuals have not been affected.
- Notification will use up resources which could be working to rectify the problem. Fixing the problem should be the priority in these situations.
- There will be serious concerns raised by competitors when disclosing potentially sensitive information regarding information assets and confidential information and intellectual property. Careful consideration will need to be taken to ensure sufficient information is disclosed, whilst keeping it secure and limiting the extent to which it may be used and shared. Those who share should also benefit from receipt of reciprocal information. In contrast, those who refuse to do so, may be disadvantaged from not being part of the information security inner circle.
- Notification will cost money. In austere economic times, companies are looking to keep spending to a minimum but the introduction of the Regulations will undoubtedly force companies to spend more money on protecting the data they hold.
Only time will tell if the Regulations will help manage data breaches or just cause unnecessary worry and costs. Either way your business should be prepared and take precautions now to minimise the impact they will have.
If you would like further assistance on this matter please contact Pitmans’ Cyber Risk Management Team or Pitmans SK Sport & Entertainment LLP.
December 19th, 2012
Welcome to Pitmans’ December Technology Update
Our team has put together a rich medley of festive treats for your digital stocking including: incisive comment on the perils of social media demonstrated no better than the recent slurs made against Lord McAlpine, the do’s and don’ts of software licensing (from a litigator’s perspective), and the latest on the opportunities presented by Patent Box.
Philip James, Partner
Autonomy and Hewlett-Packard: the risks of technology M&A
Just over a year after completing the takeover of Autonomy, Hewlett Packard has gone public with claims that it may have been duped into paying too much and that the value of its investment was being written down. Is this about issues specific to HP and Autonomy, or does it tell us something about the risk inherent in mergers and acquisitions, and in the technology industry particularly? Read more
Getting your software licence right first time
Businesses entering into licences for specialist software should not underestimate the time and effort required to ensure that the licence documentation accurately reflects the commercial agreement: to do otherwise risks costly litigation and the threat of mission-critical software being withdrawn.
Is half a loaf better than none?
Google has come under increasing pressure from both sides of the Atlantic to offer robust proposals to address what is seen by many as potential abuse of its market dominance. However, with only meager proposals being put forward by Google, the European Commission must determine whether the proposals should be accepted to reach a settlement rather than face a protracted legal battle.
Innovative Intellectual Property Strategy: The Patent Box
Patents are commonly used as commercial instruments which give companies the edge over their competitors and encourage investment opportunities. Thanks to the introduction of the Patent Box in August this year, patents now have the added benefit of tax benefits. But how can your company benefit from this?
Lord McAlpine and the Myth of a Luddite Legal System
On 2 November 2012, the BBC broadcast an edition of Newsnight which included allegations (subsequently established to be incorrect) by a former care home resident that during the 1980s he had been abused by a prominent Conservative politician. The BBC did not name anyone within the story but subsequently a significant number of people speculated about those involved.
WEEE wish you a Merry Christmas
Whether it is the latest phone, computer, tablet or kitchen device that you are after, electrical goods are sure to make an appearance on all our Christmas lists but what materials are used in them and are they legal?
Upcoming Technology Events
7 February 2013 – London
Pitmans Annual Cyber Conference
This year’s event will focus on Reputation Management & Information Security. We are delighted to announce that Professor Sadie Creese and John Bassett OBE will be making opening and closing addresses.
What to watch out for in 2013:
- the increased prevalence of crowdsourcing platforms
- the introduction of the CAP Code on Online Behavioural Advertising (OBA Code) which comes into force on 4 February 2013 (the rules do not guarantee compliance with the law)
- the outcome of the OFT’s consultation into Personalised Pricing which closes on 4 January 2013 (where prices are determined by a user’s profile)
- the success of the Cyber Incident Response Scheme (CIRS), launched by the Communications-Electronics Security Group (CESG, part of GCHQ) and the Centre for the Protection of National Infrastructure (CPNI). CIRS is an initiative which forms part of the Government’s UK Cyber Security Strategy. If you want to know more, come along to Pitmans Annual Cyber Conference.
Finally, as the winter solstice approaches and we seek to stare into The Sky At Night to see what the future holds, we pay tribute to the life of astronomer, Sir Patrick Moore. Whilst undoubtedly controversial, Sir Patrick is said to have responded to criticism of his right-wing beliefs: “I may be accused of being a dinosaur, but I would remind you that dinosaurs ruled the Earth for a very long time.” Take from that what you will; regardless, we encourage you to look into the sky over the holiday season to see if you can spot a sleigh passing a new dinosaur constellation, following the broadcaster’s departure.
December 19th, 2012
Where we are now
We are living in a world where organisations are under constant attack from ever evolving cyber threats. Institutions around the world are struggling to operate securely in the cyber environment and are vulnerable to reputational, financial and competitive damage. According to a recent Cisco Security Intelligence Operations report, this is partly a result of the fundamental shift from mass spam attacks to more targeted and profitable attacks on organisations. These malicious attacks have quadrupled over the past year and they cost institutions globally US$1.29 billion in the last twelve months. Given the tough economic climate experienced over the last four years, many organisations have suffered budget cuts, and in many cases, security programs and their funding have diminished. Cyber criminals do not target organisations in specific sectors but target all sectors. The UK government, for example, now receives over 20,000 malicious attacks every month, according to George Osborne.
As organisations become increasingly reliant upon mobile devices, social networks and increased use of remote, outsourced, cloud based services, there is a growing concern that security progress will fall behind technological advance, leaving firms relatively vulnerable to cyber crime. Research shows that less than 40% of firms have security measures in place to protect mobile devices, the cloud and social media. Even fewer carry out any sort of robust, technical and operational due diligence checks upon service providers to verify security, both prior to and during engagement.
Other worries include cyber criminals finding new ways to bypass the virtual defences of organisations without a trace, to introduce malware within legitimate web content management software and to use increasingly complex ‘spearphishing’ email attacks. Recent commentators have also highlighted that individuals within organisations are likely to be targeted with greater frequency and influenced by monetary and blackmail incentives to assist in disclosure and access to sensitive information.
Why does this matter to your organisation?
The Pitmans Annual Cyber Conference will contain two keynote speeches and two panels about how to manage and prepare for breach incidents and thereby limit any resulting cost, liability and damage to your brand and reputation (and potentially share price). The conference is designed to help your organisation understand the threats and take advantage of achievable, commercial, preventative measures. The session will also set out ways in which relevant stakeholders can build a credible business case for investing sufficient resources in preparing against such threats. Carefully selected panelists will help you gain an insight into potential future threats to your institution’s security infrastructure and will advise of practical, cost effective steps to reduce your attack surface and reduce risk exponentially. As partners, directors, board members and management, responsibility falls on your shoulders to understand these risks and to clarify the roles and responsibilities of those within your organisation. Act now. This is not a dress rehearsal.
To learn more and register, attend Pitmans’ Annual Cyber Conference.
December 11th, 2012
Just over a year after completing the takeover of Autonomy, Hewlett Packard has gone public with claims that it may have been duped into paying too much and that the value of its investment was being written down. Is this about issues specific to HP and Autonomy, or does it tell us something about the risk inherent in mergers and acquisitions, and in the technology industry particularly?
Even after a couple of weeks, Hewlett Packard’s announcement about accounting write downs and complaints to the authorities arising from its takeover of Autonomy still seems extraordinary. Although with hindsight it looks possible to see how some of these problems arose, the scale of the figures being discussed and the size of the reputational risks being run on both sides of the dispute are breathtaking. And it certainly seems to highlight the difficulties and risks involved in public M&A transactions for the participants, particularly in the technology sector.
The facts so far are that HP has announced $8.8 billion of accounting impairment charges in its latest accounts, some $5 billion of which it says are related to the business of Autonomy, the UK listed software business it acquired in October 2011. It has also made complaints to the SEC in the US and the SFO in the UK against the former management of Autonomy. Its issues relate to alleged inflating of the revenues of Autonomy in the run-up to the HP takeover by various means. The clear implication from HP is that it has now discovered it paid too much. The Autonomy former management (particularly Mike Lynch, the former CEO and a prominent figure in the UK software industry) has strenuously rejected these suggestions of impropriety and the matter seems destined to head to the courts.
We will not know the full story for some time, but at the moment the picture seems to be boiling down to the following familiar scenario. An acquirer finds that its acquisition has not been as successful as hoped and blames the target’s former management. The former management then responds that it is more about the manner in which the acquirer has managed the integration process, or the clash of high profile corporate personalities on both sides, and that its accounting methods are perfectly sound. But while we have seen it before, this is not the way that M&A deals are meant to play out.
The context here needs to be properly understood. Autonomy was a publicly listed company before the takeover by HP. As such, the UK Takeover Code structure for such deals means that the buyer does not receive commercial warranties or indemnities from the selling shareholders in the target company, or from the directors of the target board. The buyer relies on the information supplied in the course of a pre-closing due diligence process (assuming the takeover is an agreed rather than hostile one). It will be able to seek redress if that information turns out to misrepresent the position, either damages or in the right (rare) circumstances even rescission.
As such this is very different from a private, unlisted company sale and purchase. In the latter case, the fully negotiated agreements for the transaction will routinely include warranties and indemnities from the seller shareholders, or a sub-set of them including those involved in management. These warranties will cover a wide range of issues including all aspects of the assets, liabilities, rights and obligations in the target business, and also specifically dealing with the reliability of the accounting information which the buyer will have looked at in due diligence before concluding the negotiations. Should any of them prove to be untrue then the buyer will (usually) seek to recover damages for breach of contract. The intention is that this proves a more direct route to recovery in relation to a problem uncovered after closing of the transaction.
Focus is particularly required in relation to certain common risk areas which are not unique to software businesses, but which can be of particular concern with them. The question of when you recognise (account for) the revenue in any business where the product or service is provided over the medium to long term, but the sale is committed to at the point of signing up a contract with the customer, is a well known pressure point for many businesses. Sales people incentivised by revenue targets which feed through into their remuneration, and also senior management under pressure to show increasing revenues, can sometimes be tempted to push the boundaries on this issue, resorting to accounting practices which have the result of front-ending the revenue. There are many different nuances to this area, but it is essential that the question is properly addressed in the context of the realities of the target company’s business and processes. Due diligence on these issues, backed up by properly tailored warranties, will be essential, or the buyer will pay more than the business is properly worth.
There are also issues of deal structure and the people management highlighted by the HP/Autonomy situation. Again, some of these are more easily dealt with in the private company situation than in the context of a public company takeover. In the former case, if certain risk items are identified in the course of negotiations, part of the sale proceeds which would otherwise go to the seller shareholders can instead be put into an escrow or retention account, and used by the buyer to absorb any of those risks that come home to roost in the period after closing. It is a good deal more difficult to achieve anything like this in a public company takeover situation.
On the people management side, many businesses are closely identified with, and even dependent on, the management which has been running them up to the point of closing of the sale. Buyers will usually be concerned to ensure that that management team continues to be committed to the business after closing, and incentivised to grow revenues and profits in the future. Leaving some of the sale consideration outstanding and dependent on achieving a certain level of profits in the target business over the following year or more can often provide that incentive (although there are other down-sides to this approach for both sides). The more closely tied to the identity of a charismatic leader that a business is, the more of an issue this will be. Again, this is harder to deal with in a public company takeover.
In large part, this is all about successful post-deal integration. The failure to ensure this, for example through changes to IT, employee incentives at all levels, addressing cultural differences of other sorts and simply considering the need for integrating different office locations can mean that many of the hoped-for financial benefits from the transaction ebb away. The price paid for the business will at that point always look too large to the new shareholder or management team in the buyer.
At this point it may begin to seem remarkable that anyone embarks on M&A activity thinking that it is anything other than a liability minefield, and a quick route to destruction of shareholder value. But while the dangers are certainly there for the unprepared, particularly in the public company sphere, there are plenty of examples of how it can be done well, with the demonstrable result that the target business embeds into its new group and continues to add real value to the group financial results over time. Equally the target company’s management and employees can find that the new group offers improved opportunities for them in career and remuneration terms. The tax benefits in terms of capital gains treatment (and entrepreneurs’ relief) for selling a company as opposed to taking value out in remuneration or dividends also need to be taken into account.
But the larger the business, and the bigger the egos involved on both sides of the process, the more unpredictable the outcome can be. The record of companies trying to solve the need for strategic change in their core business, by acquiring a large new business in the hope that it will result in a transformation of the whole group, is at best patchy. In the HP/Autonomy scenario, the press seems to be suggesting that this may indeed have been a significant motive for HP. At present, the prospects for this happy outcome look very limited. Whether it was always going to work out this way is only going to become apparent in the months and years to come, as the dispute winds its way through the legal process.
December 11th, 2012
Whether it is the latest phone, computer, tablet or kitchen device that you are after, electrical goods are sure to make an appearance on all our Christmas lists but what materials are used in them and are they legal?
Christmas is almost upon us and of course the first thing you’ll be thinking about as you hit the shops is whether that gadget you’re forking out for has lead, mercury, cadmium, hexavalent chromium, polybrominated biphenyls or polybrominated diphenyl ether (together the “Restricted Substances”) in it and whether the quantities are acceptable.
What you might not be aware of is that the goods you buy for Christmas may not be legal in the EC a month later. This is because in the New Year the regulations which restrict the use of the substances listed above are changing.
You’d be surprised at the difference a definition makes
The key test for whether the restrictions apply to your product is whether it falls within the definition of electrical or electronic equipment. Electrical and electronic equipment (or “EEE”) used to be defined as “dependent” on electricity, and “dependent” meant that the device needed electricity to perform its primary function. In the UK from the 2nd January 2013 this last part is changing. The snappily entitled “Restriction of the Use of Certain Hazardous Substances in Electrical and Electronic Equipment Directive 2011” (the “New Directive”) came into force this year, and member states have until 3 January 2013 to implement it. The definition of dependent in the new directive now covers devices that are dependent on electricity, even if they are only dependent on electricity for their secondary function. This means that lots of devices which would not previously have fallen within the regulations will be caught if put onto the market in the New Year.
Manufacturers and importers of products that use electricity in any way will have to ensure that their device does not contain more than 0.1% of the Restricted Substances listed above (other than cadmium, which is restricted to 0.01%) in any component of homogeneous material (and what constitutes a separate component of homogeneous material is something which may need to be determined by legal compliance experts).
The definition of EEE is not the only thing to have broadened: further categories of devices now come under the scope of the regulations, the most crucial addition being a catch all category. This addition effectively means that any product which meets the definition outlined above will be subject to the regulations unless it falls within an exemption.
Am I exempt?
Given the general thrust of the above, to greater regulation, you will not be surprised to hear that the exemptions are being cut down as well. Here the main change is that exemptions to the above regulations will expire automatically and to renew the exemption an application must be made in advance.
This means that manufacturers that depend on one of the exemptions will have to be aware of the expiry date of that exemption, consider whether they wish to prepare an application for the continuance of that exemption (which may require teaming up with other companies that also rely on the exemption in order to share the cost of preparing the application) and prepare and plan for the potential expiry of the exemption which they rely upon.
Who is responsible?
Previously, the main parties which had to worry about the regulations were the producers of the product. In an effort to ensure that there is always someone to be held to account, importers, distributors and authorised representatives now also have responsibilities alongside the manufacturers (who have to keep a register of non-conforming EEE and product recalls, and keep distributors informed of them in addition to the responsibilities listed below).
The responsibilities of manufacturers, importers, distributors and authorised representatives will include:
- Drawing up an EU Declaration of Conformity that must identify the EEE, give a name and address for the manufacturer, quote the directive that it relates to (which, from the start of 2013, will be the New Directive), refer to the standards or technical specifications that are relevant to conformity and be signed and dated;
- Drawing up other technical documentation;
- Keeping both the Declaration of Conformity and technical documentation for ten years;
- Ensuring that the CE marking is properly marked on the device; and
- Being able to produce the documentation and information necessary to show that they have conformed with the regulations.
The EC are clearly keen to reduce our dependence on the Restricted Substances and have nudged the statutory framework in this direction by including more devices within the remit of the regulations, making falling within an exemption less certain and potentially expensive and by making more parties responsible for compliance. The one area where they have not increased the ambit of the regulations is in the nature and amount of the Restricted Substances.