Archive for November, 2011

Independent Commission on Banking – contractual consequences of the ICB’s recommendations

This is an abridged version of an article that I have written for the Society for Computers and Law.

The Independent Commission on Banking (“ICB”) published its Final Report on 12 September, setting out recommendations on structural and non-structural reforms to improve stability and competition in UK banking. 

The recommendations broadly suggest that:

  • Banks need to improve their loss absorbency, by achieving more equity relative to their assets;
  • Competition needs to be encouraged; and
  • Retail banks should be ring-fenced from any wider corporate group and/or financial organisation of which they form part.

Earlier this month my Banking colleague Derek Arnott and I delivered presentations in Brodies’ Glasgow, Edinburgh and Aberdeen offices discussing the recommendations. 

Derek (a lawyer of formidable experience in this field, and a former Head of Group Legal Services at The Royal Bank of Scotland Group) discussed the recommendations from the perspective of a banking solicitor, while I focused on the implications of the retail ring-fence from the perspective of an IT/outsourcing/commercial contracts lawyer.

Recommendations of most significance to the IT/outsourcing/commercial contracts lawyer

I believe that the retail ring-fencing recommendations will have a direct impact on any lawyer who advises on corporate governance or commercial contracts.

The particular recommendations which are of most direct significance to the IT/IP/commercial contracts lawyer are broadly summarised in the following list:

  • Ring-fenced banks should be separate legal entities.
  • Ring-fenced banks should be prohibited from offering certain services and/or carrying out certain activities.
  • Any financial organisation owned or partly owned by a ring-fenced bank should conduct only activities permitted within a ring-fenced bank. Such a financial organisation’s balance sheet should also contain only assets and liabilities arising from these services and activities.
  • The wider corporate group should be required to put in place arrangements to ensure that the ring-fenced bank has continuous access to the entire infrastructure required to continue provision of its services and activities, irrespective of the financial health of the rest of the group.
  • All transactions (including secured lending and asset sales) between a ring-fenced bank and all other entities forming part of a wider corporate group should be conducted on a commercial arm’s-length basis.

Far-reaching consequences

These recommendations, and the overall concept of a ring-fence, are directly at odds with the present day corporate structures of many large banks and financial institutions.

Most financial institutions operate some form of shared service model, with one group entity contracting with suppliers on a basis that allows other group members to benefit from that contract.

The ring-fenced bank will either have to possess its own infrastructure or, if it is shared, then such infrastructure will have to be identified (which may be by no means a straightforward task) and then made available formally to the ring-fenced bank, via:

  • direct agreement with the supplier;
  • direct agreement with another member of the group; and/or
  • a member of the wider group, which contracts with suppliers, but is “bankruptcy-remote”.

Infrastructure separation of the type that is likely to be required by the ICB recommendations may feasibly involve:

  • drafting agreements to formalise supply of infrastructure services to the ring-fenced bank;
  • renegotiation of existing agreements to separate provision of infrastructure services;
  • novation or assignation of agreements to a well-capitalised, bankruptcy-remote shared service subsidiary (without assets or liabilities) to provide infrastructure services on behalf of the separated entities; and/or
  • partial or wholesale outsourcing of infrastructure provision.


There are many questions still to be answered regarding the ICB recommendations.

The deadline that the ICB has set for implementation of its recommendations is 2019. George Osborne, the Chancellor of the Exchequer, has indicated that he intends to implement the recommendations and will “seek a legislative slot” in the 2012-13 parliamentary session.

What seems certain is that some sort of separation or segregation of retail banks is inevitable and, in this context, the deadline of 2019 is not that far away. Whether acting for financial institutions or their suppliers, from now on the IT/IP/commercial contracts lawyer should keep in mind what is on the horizon when negotiating or renegotiating agreements.

Embedding accessible design skills in the next generation of web developers

Last Monday I was in Dundee, speaking to final-year students at the University of Dundee’s School of Computing.

The School of Computing takes quite a holistic view of teaching computing, and one of the modules covers the “real world”. The School asks external experts to come in and talk to the students about things like identity theft and security standards (such as PCI-DSS), and other laws and regulations that may impact upon what they do when they get out into the working world.

The area that I talk to students about each November is disability discrimination laws and accessible design for websites and mobile apps, an area I’ve been involved with for a number of years (my honours dissertation was on this). This particular talk dovetails with the School’s technical expertise in relation to accessible and usable design.

Rather than bore the students with a dry lecture on The Law, I try to show them how it is relevant to their future careers, and why having a good understanding of the relevant laws will make them more employable and give their future employers a competitive advantage.

There are a number of key messages that I try to get across:

  • if a website or app is not designed properly, it may be inaccessible to users with disabilities;
  • operators of websites and providers of mobile apps have, in their capacity as service providers, educators, and employers, legal obligations not to discriminate on the grounds of disability;
  • failure to do this may lead to that organisation being sued and, perhaps more importantly for a big organisation, suffering damage to its reputation;
  • web and software designers will be responsible for designing and delivering those websites/apps;
  • even if you are working for an independent design company, that company will have contractual liability to the client, and if a site is poorly designed the client may have the right to sue;
  • public sector organisations have a legal obligation to ensure that their ITTs set out requirements in relation to accessibility – if the designer doesn’t have the skills, then it may not get the work;
  • therefore understanding accessible and usable design and the legal obligations applying to your employer/clients will give you a competitive edge – whether in the job market or in winning business.

If we are doing things right, then hopefully accessible and usable design will become second nature to the web and app designers of tomorrow.

If you are involved in commissioning a new website, or a mobile app, then I recommend that you read BS 8878, a new(ish) British standard on commissioning accessible websites. It’s not a technical document, but instead a process that organisations can follow to assist with appointing a designer with appropriate accessibility expertise, and to help ensure the final output is accessible to users with disabilities.

Updated 11 April 2012: The official slides on BS 8878 from its launch, together with other free information including case studies of organisations using BS 8878, detailed blogs on its use by SMEs, tools and training for applying the Standard, and news on its progress towards an International Standard can be found on the Hassell Inclusion website. If you have been put off from downloading BS 8878 because of its cost, then this resource provides a good (and free) alternative to get you started.

News International and hard drive shredding – why it’s good information security practice

I read in the papers at the weekend that, following an office move, News International last year “shredded” most of the computers used by a large number of News of the World staff.

Leaving aside whether this was a prudent thing to do given the phone hacking allegations and court cases, shredding a hard drive is one of the best ways of securely destroying information. (I love the photos on that website – you really can shred metal).

I blogged about this last year. The problem with erasing data from a drive is that the data recovery people are becoming ever cleverer at reconstructing data. It’s essentially an arms race between data destruction and data reconstruction.

So if you want to make sure data definitely has been deleted then you need to either shred the drive or follow something like the US Department of Defense erase/rewrite standard.

Destruction of disks is something that should be addressed in an organisation’s information security policy, and appropriate requirements specified (or referenced) in any outsourcing or services agreement under which a supplier is processing personal or confidential information.

So whatever the News of the World’s other failings might have been over the years, it’s good to see that their information security policy is robust and ensures that data is properly and completely destroyed, such that it cannot ever be reconstituted.

When is it reasonable to withhold consent under a contract?

Contracts often state that a party must not unreasonably withhold its consent. Clients often ask us when it might be unreasonable to withhold consent. Here’s a recent case that confirms the existing law and sets out some factors to consider.

In the case of Porton Capital Technology Funds and others v 3M UK Holdings Limited and 3M Company [2011] EWHC 2895 (Comm) the High Court applied existing law to determine whether or not consent had been unreasonably withheld by a party in a commercial situation.

In brief, the background to this particular case was a purchase by 3M UK of the entire shareholding of Acolyte by way of a share purchase agreement with Acolyte’s shareholders (Porton holding 60.4% of the shares). Acolyte’s key, and indeed only, commercial product was ‘BacLite MRSA’, which is used to detect the hospital super-bug MRSA. The purchase price was an initial figure of £10.4 million coupled with a second payment based on net sales, with a (not inconsiderable) potential value of £41 million.

The share purchase agreement had a clause to the effect that Acolyte could only cease to develop and market the BacLite MRSA product if the vendors consented, such consent “not to be unreasonably withheld”. Acolyte did request consent to discontinue the product, but unsurprisingly – considering the potential £41 million payment – the vendors refused to consent. Or at least they said they would only consent if they received the £41 million. They were offered a payment of £1 million instead: deadlock, termination of the BacLite business and a breach of contract claim ensued.

The case considered the issue of whether or not it was reasonable for the vendors to have withheld consent, and made the following key findings:

  • the burden was upon 3M to show that the vendors’ refusal to consent to the closing of the BacLite business was unreasonable;
  • it was not for the vendors to show that their refusal of consent was right or justified, simply that it was reasonable in the circumstances;
  • in determining what is reasonable, the vendors were entitled to have regard to their own interests in earning as large a payment as possible;
  • the vendors were not required to balance their own interest with those of 3M, or to have any regard to the costs that 3M might be incurring in connection with the ongoing business of Acolyte.

The issue of reasonableness will always turn on the particular facts in question. However, the findings in this case do offer useful guidance when considering whether to accept an obligation not to act unreasonably, or when trying to assess your exposure before refusing consent. If there are specific circumstances that the parties think are unreasonable (or reasonable), then the parties should consider expressly setting these out in the contract.

Leigh Kirktpatrick

Legal responsibility for a robot’s actions

On Tuesday night I attended the launch of the Strathclyde Centre for Internet Law and Policy. The launch of the centre is in tandem with Strathclyde University’s rebranding of its renowned LLM in Information Technology Law and Telecoms (which yours truly completed in 2003), which is now known as the LLM in Internet Law and Policy.

Marking the launch was a lecture on “Regulating Robots: Re-Writing Asimov’s Three Laws in the Real World?” by Professor Alan Winfield, Director of the University of West of England Science Communication Unit, EPSRC Senior Media Fellow and Lilian Edwards, Professor of E-Governance at Strathclyde University.

The lecture sought to address legal responsibility for a robot’s actions, and whether, given the rapid advances in robotics, we need to legislate for Asimov’s Three Laws:
1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
2. A robot must obey orders given it by human beings except where such orders would conflict with the First Law.
3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.

I found the topic particularly interesting because I had just read an article called “Towards new recognition of liability in the digital world: should we be more creative?” in the International Journal of Law and Information Technology, which discussed the attribution of liability for “intelligent software”. I felt that the article raised a lot of interesting issues, but its conclusion – that we need some collective form of liability taking into account the role every party plays in producing the liability in question – was perhaps impractical.

I was therefore hoping that Professor Winfield and Professor Edwards might reach a different conclusion, and they didn’t disappoint.

It’s impossible to neatly summarise an hour-long lecture, but I think they were proposing that liability for robots should arguably mirror liability for software. This would mean that the party best placed to manage risk assumes it (and insures against it), and if a robot is subsequently hacked and causes damage, then the hacker should probably be liable for any damage caused.

As for Asimov’s three laws, the Professors acknowledged that the laws were instructive, but proposed that they should be replaced with a new five-part ethical code.

Alan Winfield was very effective at making everybody in the room think differently about “robots”. I appreciate you have probably read to this point and found the confident way I’m talking about “robots” a bit silly.  Well, it turns out that robots are already all around us!  Alan pointed out, quite rightly, that nobody speaks about the “dish washer robot” – it’s just the dishwasher! (Disappointingly the montage of sci-fi robots in Alan’s introductory powerpoint slide didn’t include Optimus Prime, but since Alan bears more than a passing resemblance to the stately Patrick Stewart, I lacked the courage to complain!) The serious point here is that as society increases its use of (and reliance upon) robots, liability for their actions is something that lawyers will increasingly need to consider.

Overall it was a very enjoyable and thought provoking lecture, and I look forward to hearing more from these speakers on this subject in the future.

ICO personal undertaking from advocate highlights importance of data protection compliance by individual data controllers

The Office of the Information Commissioner (ICO) has this morning announced a third personal undertaking to be given by an individual. This follows hot on the heels of yesterday’s announcement in relation to the Oliver Letwin MP “park bins” incident.

Why is this significant?
In many instances, the data controller will be a company, body corporate or other body (for example, a public authority). However, where an individual acts as a sole trader, or trades/carries out processing in an individual capacity (for example, an MP, barrister, or an accountant trading as a sole practitioner), that individual will be the data controller.

This means that it is the individual who is responsible for the processing that he carries out (or that his employees or contractors may carry out on his behalf), and therefore that the individual is also personally liable for any breach of data protection laws. Scary stuff.

What happened in the latest case?
The latest undertaking has been given by an advocate (the Scottish equivalent of a barrister), whose unencrypted laptop was stolen from her house whilst she was on holiday in September 2009.

As I noted in my blog on the Oliver Letwin incident, the Data Protection Act requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The circumstances surrounding the theft are largely academic (the advocate had tradesmen in the house whilst she was away, but it’s not clear when or how the theft took place). What is important is that the laptop, which contained details of various cases that she was working on, was not encrypted. In particular, notwithstanding that the theft took place, the ICO appears to be satisfied with the physical security measures that the advocate had in place. However, the failure to put in place adequate security measures in respect of the laptop itself has led to the advocate being required to give a personal undertaking. A breach of an undertaking could lead to a fine, or an enforcement notice and ultimately prosecution.

What does the ICO require in respect of security measures?
It’s worth recounting the key parts of the undertaking in full, to re-emphasise what the ICO expects data controllers to be doing in relation to device encryption and security:

  • Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted by 31 December 2011;
  • If personal data is to be stored overnight, other than securely within the data controller’s place of work, it shall be kept in a secure, locked storage place;
  • The data controller shall subscribe to any information security policies and procedures as and when they are implemented by the Faculty of Advocates or her stable [Scottish equivalent of a set of Chambers], and take all appropriate steps to comply with these at all times;
  • The data controller shall implement such other security measures as she deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

I suspect that many individuals who act as data controllers have, to date, generally taken a laxer approach to information security than bodies corporate and public bodies (where information security is a key reputational issue). This undertaking (and yesterday’s undertaking from Oliver Letwin) highlights that there is no difference in the standard that the ICO expects. In instances where individual data controllers are processing personal data (as an advocate, barrister, MP or sole trader will do), it is essential that appropriate steps are taken to ensure that data is kept secure.

Creating a successful online business

Last month I attended a Glasgow Chamber of Commerce “Glasgow Talks” presentation by the former managing director of in the UK, Glaswegian Brian McBride. I’ve finally found time to look at the notes I made.

Brian reflected on his career in business, and offered thoughts on leadership.

During the Q & A following Brian’s fascinating talk, debate amongst attendees inevitably turned to the decline of the High Street, and how to create a successful online business.

Some great tips emerged:

  • Don’t be scared of playing with pricing to attract customers, even if it means offering a loss leader.
  • Make available as wide a selection as possible, at as competitive a price as possible.
  • Your website has to be transactional, and ideally should support transactions made via mobile devices.
  • “Classic” kinds of products may yield greater sales/higher margins than you think.
  • Your website has to be search engine optimised. If your site isn’t on the first page of a Google search result for the name of your business, or one of your principal products – then you’re in trouble.
  • If you haven’t yet read The Long Tail by Chris Anderson – then read it.
  • Don’t forget your legal obligations, not least the E-Commerce Regulations.

PS a short video about the event is here. It’s worth watching, if only to check out the really hunky guy who appears around 2:27.
