Archive for March, 2012

Rangers and Ticketus – some lessons for English lawyers, outsourcing and commercial contracts

Last week’s opinion by Lord Hodge in the latest chapter of Rangers FC’s administration is worth reading. It looked at the validity of a claim by a company called Ticketus to future season ticket revenue at Ibrox stadium (in Scotland), in return for an up-front payment of cash, under an English law contract entered into between Ticketus and Rangers last summer.

Whilst the decision does not create any new law, it does provide a very useful summary of Scots law on trusts, property, insolvency, agency and delict (tort). So much so, that I wouldn’t be surprised if one enterprising university created a new accelerated LLB based purely on being able to demonstrate an understanding of all issues in the case!

Insolvency and banking/security law experts will be better able to summarise the key issues in the case, but there are a few points that I think are worth highlighting for people involved in outsourcing and commercial contracts.

Some of these may come as a surprise to English lawyers.

Administrators can decide to ignore contractual obligations
Administrators have the right, in certain circumstances, to decide not to perform a contract. (This is not a purely Scots law issue – it is also relevant under English insolvency law.)

So in the case of an outsourcing arrangement, upon the administration of an outsourcing vendor the administrators may be entitled to decide not to continue providing the outsourced service, or to decide not to comply with an obligation to provide exit assistance. This may also mean that the administrators may decide not to comply with a contractual obligation to transfer dedicated assets/equipment/leases back to the customer if they can get a better price for them elsewhere.

Whilst the customer may have a damages claim against the (insolvent) outsourcing vendor for breach of contract, that claim will sit alongside claims from all the vendor’s other unsecured creditors. In the meantime, if the service or assets in question are business critical, the customer will likely be suffering a lot of pain as it may neither be receiving service, nor be able to transfer the services to a third party. A damages claim is unlikely to provide much comfort.

For this reason, when drafting an outsourcing contract it’s important to think about what happens in the event of a supplier entering administration (or some other form of insolvency procedure), and (if possible) ensure that the customer has the right to terminate before administrators are appointed.

Think about which legal system governs property rights
Making the governing law of a contract English law does not mean that English law will therefore apply to the creation/interpretation of property rights dealt with under the contract where those rights arise (or purport to arise) outside of England.

So, for example, if as part of an outsourcing arrangement you are transferring certain assets in Scotland to the vendor, or entering into a contract under which you will get future revenues arising in Scotland, you need to think about Scots law in relation to any attempt to create a right of security over them.

Securities over intellectual property rights are another good example here – English securities will not work in relation to intellectual property rights owned by Scottish companies (see this previous Techblog for more on that).

If there is a possibility that Scottish property rights may be in scope then you should make sure you take Scots law advice on structuring.

Equity doesn’t apply in Scotland
Scots law does not recognise the concept of equitable interests*, relying instead on purely legal interests, so equity will not step in to “make things fair” (Scots law does have a concept of unjustified enrichment, but that will be of little comfort to Ticketus if Rangers goes into liquidation, as the claim would be against the liquidated company, and in any event provides nothing over the breach of contract claim).

As I say, none of this is new law, but it may come as a surprise to some people.

*The exception to this is a couple of House of Lords decisions where the law lords have effectively incorporated the concept of equity through the back door in order to give a “fair” decision. This is, however, the exception rather than the rule.

Is your business aware of competition law and the risks of non-compliance?

Would you like to meet with our competition law team free of charge for up to two hours to discuss your business and what you should do to comply?

Competition law should be a key priority for all businesses whatever their size or the nature of their activities, given the potential administrative and criminal sanctions for competition law breaches. Corporate governance standards, business profitability and local and international reputation can all be put at risk by an infringement of competition law. Breaches can also result in huge fines of up to 10% of global turnover, director disqualification for up to 15 years, prison sentences of up to five years and civil damages claims.

To find out more, follow this link.

Alternatively, you can jump straight to our questionnaire, to help establish whether your business is currently aware of its competition law obligations.

If you would like to speak with our competition law team then please contact Mark Clough or your usual TIO Group contact.

The Computer Misuse Act – a beginner’s guide

I’m sure I can’t be the only person who was surprised that an in-house lawyer at a national newspaper group was unaware of the Computer Misuse Act, and presumed that the only offence which might be triggered by a journalist hacking into someone’s email account is the “blagging” offence under the Data Protection Act (DPA).

So, never being one to miss a (#iPad, #iPhone, #Apple, #Android, #iPad) SEO friendly news story, here is the Brodies TechBlog Quick Guide To The Computer Misuse Act.

What does the Act say?
The Computer Misuse Act (CMA) was passed in 1990, following a long-running, but ultimately unsuccessful attempt to prosecute two people that hacked into BT’s systems in the early 1980s.

The main offence is section 1. Here’s what it says:

A person is guilty of an offence if—

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
    (b) the access he intends to secure, or to enable to be secured, is unauthorised; and
    (c) he knows at the time when he causes the computer to perform the function that that is the case.

This is quite a wide-ranging offence and covers not just systematic hacking (for example, using software to try multiple passwords), but also the unauthorised use of someone’s log-in details (where the hacker knows the user’s password) or an employee’s attempt to access systems to which he has not been given access.

The only requirement is that the person perpetrating the offence knows that his access is unauthorised. This is why you often see notices about unauthorised access when presented with a login screen on a computer (for example, my laptop displays a message when it boots to the hardware encryption password screen), and why employee IT acceptable use policies put the employee on notice about unauthorised system access.

Whilst the offence covers damage or destruction of data, there is no need for any damage to be caused, or data “stolen”. So, for example, it is an offence to use someone else’s username and password to gain unauthorised access to their web-based email system or social networking page.

However, there is a distinction between unauthorised access and use of permitted access for unauthorised purposes. So no offence is committed where a user is authorised to access a system, but uses the data for a purpose that is not authorised.

As Mr Brett found out sadly a little late in the day, unlike the blagging offence under the DPA, there is no public interest defence under the CMA.

Denial of Service Attacks
The CMA also prohibits denial of service attacks, and the malicious spreading of viruses, Trojan horses and other malware.

Whilst this was not covered by the original legislation, the Act was amended in 2006, to make it clear that doing such things was an offence.

You can read John’s previous blog (in relation to the Wikileaks incident a couple of years ago) to find out more about this offence.

Does the law cover mobile phones?
The CMA does not define a “computer”.

With remarkable foresight (given that the CMA was passed in 1990), Parliament decided that it would be foolhardy to include a fixed definition. It has therefore been left to the courts to interpret.

The Crown Prosecution Service guidance points to a House of Lords case where Lord Hoffmann defined a computer as “a device for storing, processing and retrieving information”. This definition would appear quite capable of covering smartphones and other devices. I have even heard it argued that it may cover Internet connected fridges.

Indeed, as Professor Lilian Edwards points out, the breadth of this definition means that even unauthorised access to voicemails is likely to be an offence under the CMA.

Jurisdiction
An offence occurs where either the individual perpetrating the unauthorised access or the target computer/system is located in the UK. So if I were to hack into the Pentagon’s computers in the US, I would be committing an offence. Similarly, if someone in America was to hack into Brodies’ servers, they too would be committing an offence under the Act.

This means that the jurisdiction provisions stand up pretty well to offshore hosted cloud services – provided the person committing the hacking is in the UK.

So there you have it. Unauthorised access to someone’s email account is a criminal offence, and not one that can be justified as being in the public interest.

Gill Grassie and Robert Buchan to join Brodies’ IP and technology litigation team

As you may have picked up in this morning’s papers, we’re delighted to announce that IP and technology litigation specialists Gill Grassie and Robert Buchan will be joining Brodies from Maclay Murray and Spens. Robert starts today, and Gill will join in the summer.

Both Gill and Robert are highly respected, with Legal 500 describing Gill as “outstanding… her knowledge and experience of contentious IPR and technology matters is clearly second to none.” Both are accredited as IP specialists.

You can find out more by following this link.

We believe that Gill and Robert’s appointment will give Brodies unparalleled expertise in the Scottish marketplace, so it goes without saying that we are all thoroughly chuffed with their arrival!

Sale of personal data by call centre staff provides timely reminder of importance of data security

The report (paywall) in yesterday’s Sunday Times that financial and medical data of UK citizens is for sale in India at prices as low as 2 pence per record is shocking, but (sadly) not that surprising.

For those of you who missed it, the report described how “corrupt” IT consultants working in call centres in India had offered undercover reporters sample credit card and financial details for UK customers. The information had apparently been obtained whilst working in Indian contact centres providing services to a number of well known UK companies. Credit card details included names, addresses, telephone numbers, card numbers, start and end dates as well as the three digit security codes from the back of the cards.

According to the claims in the report, the information was thought to be only days old. Personal data relating to mortgages, loans, bank accounts and even subscription details for satellite TV were also said to be available. Even more worryingly “medical admissions data” was also on offer.

If these reports are true then we should be worried. If this information is available on the marketplace then it’s only a matter of time before it gets into the wrong hands – unscrupulous marketing companies who want to be able to build up marketing databases on the cheap but also fraudsters who will use the information to carry out bank account or credit card fraud.

What should be done?
For individuals, unfortunately there is no easy fix.

As a matter of good practice the company/organisation whose security arrangements have been compromised should contact you to let you know. Unfortunately, they won’t always know and (as the report suggests) they won’t always tell you even if they do know because they are worried that negative publicity might cause them reputational damage. In the meantime, the advice is to regularly check your bank and credit card statements and if you see any suspicious transactions then contact your bank or credit card company immediately.

For organisations that have outsourced operations that involve the processing of data – particularly personal data – then these reports are a timely reminder that data security should always be a priority. The dangers are all the more acute when the operations are being conducted far afield in places such as India, partly because of the different cultures but mainly because of the distances involved.

Nevertheless, challenging though the supervision of these functions might be, that’s what the law requires.

What does the law require data controllers to do?
Where personal data is involved, the Data Protection Act 1998 requires that organisations who engage others to process data on their behalf take reasonable steps to ensure that the processor safeguards that data to the same standards as would be incumbent on the organisation itself.

Furthermore, where financial institutions are concerned, the Financial Services Authority’s view is that the outsourcing of data processing functions should not weaken the organisations’ internal systems of control. To ensure that the systems of control remain strong, institutions are expected to exercise effective oversight over the outsourced function and to ensure that the outsourced function does not make the institution susceptible as a conduit for fraud.

Responsible organisations should audit and inspect the companies that process their data to check that they are living up to the promises that were given that customer data would be kept secure. This doesn’t just mean checking IT arrangements – it also extends to checking that the processing companies adopt and deploy good staff vetting procedures and background checks on third parties who might be on site or have access to data.

Ultimately, it may be that the various organisations named in the report will be able to demonstrate that they have discharged these responsibilities but, even if they can, the report amply demonstrates the very important point that outsourcing data processing operations to places like India is not without reputational risk, regardless of where blame lies.

The ICO has now become involved. I imagine this is not the last we’re going to hear of this.

Free seminar on intellectual property strategies

As part of Brodies’ spring seminar series, we will be holding a series of free seminars in our Edinburgh, Glasgow and Aberdeen offices on strategies to best exploit and protect an organisation’s intellectual property assets.

The seminar will also introduce delegates to our new intellectual property audit toolkit, which can help organisations to identify their intellectual assets and develop strategies.

For more information, see the TIO Events page.

Look forward to seeing you there!

Retailer apologises for misuse of Harris Tweed mark

The BBC is reporting that fashion chain Zara has had to apologise after misusing the mark “Harris Tweed” in relation to the description of a product on its website.

Harris Tweed
“Harris Tweed” is a registered trade mark of the Harris Tweed Authority (HTA), self-styled as the “custodians of the world famous Orb trademark which appears on every length of tweed that has been stamped as genuinely handwoven in the Outer Hebrides of Scotland.”

The HTA was established under an Act of Parliament in 1993 to promote and maintain the authenticity, standard and reputation of Harris Tweed. The HTA’s objects also include preventing the sale as Harris Tweed of material which does not fall within the definition set out in the Act. It was set up to prevent producers outside of the Western Isles (and using non-traditional production methods) from cashing in on the goodwill in the Harris Tweed name.

Whilst the HTA has statutory powers in the UK to take action (including the right to obtain court orders against people using the term in relation to material that does not fall within the statutory definition), those rights do not extend outside the UK.

For that reason, the HTA’s community and UK trade marks (the original trade mark was registered in 1909) are obviously an important part of its armour in preventing the sale of material that is not “Harris Tweed”.

The Harris Tweed mark is, by its nature, very descriptive, in that it includes a geographic indicator and the name of a commonly produced type of fabric. Indeed, it is quite unusual for a term like this to be granted registered trade mark protection – to do so you need to show that the mark has distinctive character at the time of registration.

Genericide
The problem with trade marks that are descriptive, or used to describe goods or services that are dominant in their respective market, is that you have to fight quite hard to ensure that they are not subject to genericide. That is – that they lose their distinctiveness (and, therefore, potentially their registered trade mark protection) because the mark is commonly used in relation to generic products.

This can be a particular issue if you are very successful and your product becomes ubiquitous. For example, people use the term “hoover” to describe a vacuum cleaner, a “biro” to describe a pen, and a “thermos” to describe a vacuum flask. (This page on Wikipedia has a list of trade marks that are in generic use/subject to genericide.)

Google™ it and you’ll see what I mean.

This is why, as long ago as 2003, Google started taking action to protect its brand against genericide.

Back to Zara and Harris Tweed
In this case, it appears that Zara’s misuse of the term was not deliberate.

Indeed, it most probably arose because the person who created the description was unaware that the term “Harris Tweed” was a trade mark, and not a description that could be applied to any type of tweed in the style of Harris Tweed (cf paisley pattern or argyle pattern, which are not registered trade marks).

That in itself explains why owners of registered trade marks that are descriptive and at risk of genericide have to be aggressive in asserting their rights.

PS there is a good history of the Harris Tweed trade mark on this website.

Techblogger article in Computing Magazine on employee use of smartphones

I’ve written an article for Computing Magazine entitled “are your smartphones in safe hands?”. Given the content, the title should perhaps be “are their smartphones in safe hands?”, because the article is mainly about the risks of letting employees use their own smartphones.

The content is hopefully quite thought-provoking, particularly if you are in charge of security or legal compliance at an organisation that is permitting, or considering permitting, employees to use their own smartphones for business purposes.

You can read the article in the new issue of Computing Magazine, or on their website here.

Brodies employment law blog launched

Our colleagues in Brodies’ top-rated employment and pensions practice have joined us in the blogosphere by launching an online forum for updates and comment from the team on topical employment law matters.

Recent updates include a summary of all the employment law changes that come into force in April (as part of the Government’s program of trying to consolidate business regulation to twice yearly updates), and a reminder of recent changes to the laws governing the use of agency staff.

As with Techblog, you can also follow the blog through WordPress, by subscribing for email updates, or by adding the RSS feed to your RSS reader or iGoogle page.

You can access the blog by following this link.

Law Society cloud computing guidance: extra tips

The Law Society of Scotland recently issued guidance on cloud computing services following consultation with law firms, in-house counsel and cloud providers.

While some of the guidance inevitably reflects the particular duties that law firms owe to clients and regulators, the advice is clear and legible, there are no rubbish cloud puns, and overall it’s a valid read for any individual or organisation considering the acquisition of cloud computing services.  

There are however a few extra tips which it won’t hurt to mention.

Applicable law

Surprisingly, the guidance doesn’t mention applicable law and/or jurisdiction. Even a largely favourable contract may not be worth the paper it’s written on if you have to travel to a foreign country to enforce it, and the vast majority of cloud providers will typically offer the law of a particular US state as the choice of law in their standard terms.

Choice of law is usually more significant for UK SMEs or corporate customers because, unlike consumers, they won’t necessarily be protected from terms imposing a foreign legal system. (A further disadvantage of contracting on terms governed by US law is that they usually contain very broad disclaimers of warranty and/or limitations of liability.)

Data back-up

The Law Society guidance refers to back-up of data, noting that “you should carefully examine the SLA for the frequency the cloud provider will back up your data to a separate site”. I would go slightly further and say that you should check whether there is an obligation on the provider to back up data at all!

Some providers state that data integrity will only be guaranteed where the customer has paid for additional backup services, while others expressly disclaim the fitness of their services for back-up purposes! It’s therefore important that you understand who is responsible for maintaining back-ups, and if the provider’s offering is not sufficient what alternative steps can be taken.

Encryption

Under the heading “responsibility for security” the Law Society guidance encourages firms to understand “the measures you can take to protect the security of your data”. Again, it may be necessary to go even further, and make sure that there are no express statements in provider terms which either disclaim any duty of confidentiality, or oblige the customer to use encryption.

If I have piqued your interest in the cloud, the Law Society is holding a Cloud Computing Glasgow event next Tuesday. I may see you there.

