Posted

The General Affairs Council, on 23 July 2013, adopted a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the Internal Market. Until the new regulation, the E-Signatures Directive (1999/93/EC) provided the only EU rules relating to e-signatures and said nothing about trust services.  The E-Signatures Directive is to be repealed with effect from July 2016 when, with some exceptions, the new regulation will start to apply.

The new regulation sets out rules for cross-border electronic trust services (electronic identification schemes) within the EU. The new rules will only cover cross-border aspects of electronic identification; issuing means of electronic identification remains a national prerogative. The general position at English law remains unchanged: sophisticated electronic signatures are not necessary for the formation of a binding contract. The regulation creates a legal framework for:

  • electronic signatures,
  • seals and time stamps,
  • electronic documents,
  • electronic registered delivery services, and
  • certificate services for website authentication.


Posted

At a recent conference, the Twelfth Annual Corporate Accountability Conference, 12 June 2014, Cercle National Des Armées, Paris, Pierre Poret, Counsellor, Directorate for Financial and Enterprise Affairs at the Organisation for Economic Co-operation and Development, told the audience, referring to the OECD’s Risk Management and Corporate Governance report, that “too often, in the enterprise, there was little or no board-level responsibility, with the burden (and oversight responsibility) [for risk management] effectively stopping at the level of the line manager”. According to Monsieur Poret, the OECD’s findings showed that companies’ boards often played only a very limited role in risk management and that risk management standards were often set at too high a level, with outsourcing and supplier-related risk a key but much overlooked risk.


Posted

The head of the UK’s Financial Conduct Authority, Chief Executive Martin Wheatley, used a speech at Bloomberg, London given on 3 June 2014 to promote the FCA’s Project Innovate (the drafted text of Martin Wheatley’s speech can be read at http://www.fca.org.uk/news/making-innovation-work). The FCA is the regulatory body that, following reforms introduced by the Financial Services Act 2012, succeeded the Financial Services Authority. It has supervisory powers over the conduct of over 50,000 financial services firms in the UK, and authority to regulate the prudential standards of those firms not covered by the Prudential Regulation Authority. The PRA regulates deposit takers, insurers and significant investment firms.

Posted

In Part 1, we noted that financial institutions could find themselves potentially liable for committing an alleged Unfair, Deceptive, or Abusive Act or Practice (UDAAP) as a result of the actions of certain types of external service providers, particularly those that interface directly with customers.  In this Part 2, we will discuss how financial institutions can mitigate the risk of UDAAP enforcement actions through their contracting strategies with their service providers.

A New Wrinkle of Risk

In some ways, the CFPB’s UDAAP authority resembles other regulatory regimes in that it places compliance obligations on both the issuer of the product and the third-party service provider that helps effectuate a transaction involving such a product. For example, export control laws place Office of Foreign Assets Control compliance obligations on both parties to a transaction. Data protection laws apply both to the controller and to the processor of data. HIPAA protections for health information apply to the covered entity and its business associates.

Posted

With the number of (internet) connected devices rapidly surpassing the number of internet people (actually, all people whether or not connected), we take this opportunity to explore some of the legal complexity brought about by all of this connectivity.

First, some background:


Posted

Database marketing outsourcing is a strategic transaction for retailers. This type of outsourcing can facilitate the integration of diverse marketing channels (e.g., web, social media, catalog and in-store sales) and enable more targeted and effective marketing to consumers.

Database marketing encompasses a potentially broad array of services, including:

  • Implementation and hosting of a CRM database marketing solution;

Posted

We recently completed a major renegotiation of a very large, longstanding infrastructure outsourcing contract. As is typical with renegotiations, there were areas of the contract that required changes and areas the client wanted to leave alone. In this case, scope (and the presumed current solution) was to be left alone as the focus of concern was thought to be on other areas of the relationship. However, the need to update a seemingly simple exhibit – the Key Supplier Personnel list – told the client they had reason to be a lot more concerned about the supplier’s current solution.

Like most IT outsourcing contracts, this one had the typical provisions around Key Supplier Personnel (KSP) (e.g., full-time, employees of the supplier, rules about replacing the KSP, commitments to tenure on the account, etc.). When asked to update the KSP exhibit, the supplier came back with three names – the Account Executive, Deputy Account Executive and the Business Manager (yep, the person in charge of billing the client). That was it. Not a single person with technical knowledge of the client’s critical systems or technologies. Nobody involved with actually running the client’s IT environment on a day-to-day basis.

Posted

The security community has been abuzz this week with the U.S. District Court of New Jersey’s April 7 ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al. (see http://www.adlawaccess.com/wp-content/uploads/sites/137/2014/04/Opinion.pdf). Wyndham had asserted in a motion to dismiss that the Federal Trade Commission (“FTC”) did not have the authority to pursue enforcement actions against the hotelier related to data security. The District Court denied the motion and held that the FTC may in fact pursue claims related to data security under Section 5(a) of the FTC Act’s prohibition on unfair or deceptive acts or practices affecting commerce (see 15 U.S.C. 45(a)). While the significance of the holding is being debated in the legal community, this week’s decision highlights the Federal Government’s increasing emphasis on requiring certain baseline cybersecurity practices by the private sector.

The background facts of the case are fairly straightforward. The FTC brought suit against Wyndham Worldwide, Corp. in the wake of three separate security breaches that occurred between 2008 and 2011 and resulted in the theft of guests’ personal information (e.g., payment card account numbers, expiration dates, and security codes). The FTC alleges that after the initial two security incidents, Wyndham failed to implement reasonable and appropriate security measures, which exposed consumers’ personal information to unauthorized access and resulted in consumer injury. Specifically, the FTC alleges that there were several problems with Wyndham’s information security practices, including wrongly configured software, weak passwords, and insecure computer servers.

So what does the Court’s holding mean for the private sector? Since, up until this case, the FTC’s data security actions have been settled out of court, this case marks the first time that the courts have ruled on the merits of the FTC’s authority related to data security actions. Fundamentally, the decision affirms that the FTC has the power to pursue enforcement actions for unreasonable cybersecurity practices under existing laws. The Court, however, cautioned that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” It is also important to note that the Court’s decision did not include a verdict on Wyndham’s liability in the matter (interested parties should continue to watch as the matter continues).

Posted

Most business clients would rather be in the dentist’s chair than sit through negotiation of the indemnity and liability provisions of their agreement. Admit it: your eyes glaze over, time appears to visibly slow down, and you wonder at how the lawyers can find this stuff interesting enough to argue about.

As dull as they appear to be, there are some significant issues that can arise from the indemnity clause. One issue that I see more often than not is that suppliers try to put a financial limit on their indemnification obligations.

Sometimes the supplier will agree to remove the limitation, but not always. What are the consequences of having a limitation on an indemnification obligation,

Posted

In a recent judgement, the Court of Appeal of England and Wales held that an electronic database was not a chose in possession or a chattel but a chose in action (see our earlier blog regarding the grant of leave to appeal in this case). In other words, a database is intangible property, not goods which can be possessed. This means that when the parties to a database hosting contract are silent about what happens to the database when the contract ends, the service provider cannot exercise a common law lien over the database so as to force full payment of its fees, and must return the database to its customer.

In giving the lead judgement in the Court of Appeal, Lord Justice Moore-Bick quoted extensively from the judgment of Lord Justice Diplock in Tappenden v Artus (Tappenden v Artus [1964] 2 Q.B. 185). Tappenden is a case with which most first year law students in the UK will be familiar. In that case, a van owner allowed a customer to use the van pending the completion of a hire-purchase agreement. The van then broke down and was repaired by the defendant garage, but the price of the repairs was not paid. The question arose whether the garage could exercise a lien over the van against the owner. In finding that it could, Diplock L.J. emphasised “actual possession of goods” as necessary for the self-help remedy of possessory lien to arise under the common law.

Referring to another leading case, Moore-Bick LJ went on to state that “[a]s OBG v Allan makes clear… the common law draws a sharp distinction between tangible and intangible property…”, which leads to the conclusion that “it is [not] possible to have actual possession of an intangible thing …[and that] it is [not] open to this court to recognise the existence of a possessory lien over intangible property …”