Managing risk: a disputes perspective

This recent Herbert Smith Freehills conference, which was attended by over 90 clients, explored some key legal and compliance risks facing major corporates. After opening remarks by head of dispute resolution for London and New York Mark Shillito, there were presentations on class actions, preserving corporate reputation, top risks to avoid in agreeing dispute resolution clauses, document risk and cyber security.

A summary of the conference is below. You can jump down to read more detail on any of the sessions by clicking on the relevant heading.

Class actions – an increasing risk for corporates: Damien Byrne Hill and Kim Dietzel outlined some of the risks posed by class actions, particularly in the securities and competition areas, and how these risks can be managed.

Preserving corporate reputation: Alan Watts and Neil Blake spoke about some of the key threats to corporate reputation and how businesses can protect themselves.

How not to increase your risk – top points to avoid in agreeing dispute resolution clauses: Adam Johnson, Chris Parker and Dominic Roughton explored some common pitfalls in agreeing dispute resolution clauses and how parties can best protect their interests in case a dispute arises.

Dealing with document risk: James Farrell and Kirsten Massey spoke about risk management issues in dealing with the huge volumes of documents businesses create and considered how businesses can preserve, collate and disclose relevant documents efficiently and cost-effectively when a dispute arises.

Crisis management and cyber security: Andrew Moir and Andrew Procter outlined how organisations should respond to the cyber threat, what to do when attacked and how best to limit the financial and regulatory impact of an attack.

Class actions – Damien Byrne Hill and Kim Dietzel

• Class actions have been an increasing area of risk for corporates in recent years with businesses increasingly facing claims brought by large groups of claimants, including in the securities and competition areas. There are some very substantial cases going through the court at the moment.
• One important practical development that has led to a growth in these claims is that a number of law firms have geared themselves up to bring them. There are now more firms who are familiar with the issues involved in building a class, dealing with funding and managing the logistics of bringing a claim on behalf of perhaps tens of thousands of claimants.
• Another critical factor is funding. Litigation funders have been in the market in the UK a good many years and there has long been talk about the growth of litigation funding. But now there is genuinely more money available, greater interest on the part of funders, and a more aggressive attitude to risk, all of which enable these claims to be brought.
• Although we are seeing a gentle upward trend in such cases, there are reasons to be cautious about suggesting that we are going to face a wave of class actions. The total number of group litigation orders (or GLOs) that have been made to date is not so great. There is no exponential growth. Many of the factors that make the litigation environment in the US so favourably disposed to class actions do not apply here, eg no costs shifting, treble damages etc.
• Securities litigation in the UK involves both statutory claims, under section 90 (relating to prospectuses) or section 90A (relating to other published information) of the Financial Services and Markets Act 2000, and non-statutory claims, for example for breach of a common law duty of care or fiduciary duty.
• The best and most user-friendly cause of action from a claimant point of view is section 90, which allows those who have acquired securities to bring claims if they have suffered loss as a result of an untrue or misleading statement in a prospectus. The relevant standard is negligence. Section 90A allows claims by a wider class of claimants, as it can be anyone who buys, holds or sells shares in reliance on the information. However the standard is recklessness, which is much tougher to establish than negligence.
• An important advantage of section 90 is that there is no need for the claimant to prove reliance, as there is with section 90A. A large number of shareholders each having to prove reliance presents an obvious difficulty for running a successful claim.
• A key point to be aware of in defending securities actions is that privilege might not apply to what would otherwise be privileged material passing between the issuer and its legal advisers. The shareholders bringing the claim are not prevented from seeing the issuer's privileged material, save insofar as it relates to the dispute with the shareholders.
• In relation to competition claims, an important development is the introduction of the Consumer Rights Act from 1 October 2015. Although there had been a steady build-up of competition claims being brought in the English court, with claimants effectively clubbing together to bring claims without a formal class action procedure, the government felt there was a need for a new collective action in the Competition Appeal Tribunal (CAT) to bundle these claims in a more formal way and improve redress for competition law breaches.
• Although the new procedure relates only to competition law claims, there is some speculation as to whether it should be extended to other areas of law. Whether or not that happens may depend on how successful the competition procedure is perceived to be.
• The most controversial aspect of the new procedure is the fact that claims can be brought on an opt-in or opt-out basis subject to approval by the CAT. With an opt-out procedure, there is no need to identify individual claimants; claims can be brought on behalf of the entire class unless someone expressly opts out. That means damages are potentially much higher, and do not have to be calculated for each individual member of the class.
• Another feature that affects the economics of these claims is that unclaimed damages (which are often a large proportion of overall damages) have to be paid to a designated charity, the Access to Justice Foundation. They cannot be reclaimed by the defendant. That gives the defendant a huge incentive to settle.
• There are a number of safeguards with the new procedure, including certification, authorisation of the class representative, no exemplary damages, and a prohibition on damages based agreements / contingency fees for claims brought under the collective action procedure.
• To date there have not been any claims brought under the new procedure. This is thought to be because of some very unfavourable transitional provisions introduced at the eleventh hour. Leigh Day has however announced an intention to bring the first claim, which is in relation to mobility scooters where the relevant manufacturer was fined for resale price maintenance.
• Claimants are also increasingly invoking competition law arguments in commercial disputes, for example in relation to the interpretation of a contract clause, or to say a clause is invalid or should not be enforced.
• In terms of managing the risks, competition compliance and training programmes are key. If competition issues arise, it is important to be alive to the follow-on litigation risk, for example in negotiating leniency situations or settlements and also managing internal investigations in the best possible way to maximise privilege and restrict document creation.
• For more information and developments relating to class actions worldwide, see our recently launched Globalisation of Class actions hub.

Corporate reputation – Alan Watts and Neil Blake

• Reputation is something companies spend a great deal of time cultivating and protecting. A survey last year by Reputation Dividend estimated the value of reputation across the FTSE 350 at £620 billion.
• It should not be assumed that the media glare will always have negative impact. Sometimes a calm, confident, compassionate response to a story can have a positive impact on a company's reputation and give an opportunity to showcase the company's brand and values.
• Reputation-related issues are often "owned" by different parts of the business. For example an industrial accident might be owned by the operational side, a social media gaffe by the communications team, and a regulatory investigation by legal. Regardless of who owns it, it is important to ensure the in-house lawyer is across the issue in order to advise on the associated risks.
• In dealing with any kind of incident, the traditional PR approach (tell it all, tell it fast, tell it truthfully) has to be balanced with the traditional legal approach (circle the wagons, say nothing, deny liability). The correct balance depends on the particular circumstances, including: the nature of the issue; what is at stake; how quickly the issue is unfolding; any obligations to regulators or investigators; and of course the potential liabilities.
• Getting the balance wrong can have a major impact. For example, saying too much too early might damage the brand unnecessarily, particularly if the issue turns out to be less significant than first appears. On the other hand, saying nothing can leave a vacuum which others will fill, potentially with things that are untrue.
• It is crucial to ensure the communications team is monitoring various forms of media. That used to be a case of just getting press cuttings, but that is not enough in these days of social media. It is also important to be alive to negative coverage at particular times, eg when publishing financial results, if the business has a case in court, or if there are particular issues in the press that the business might be drawn into.
• In dealing with an incident, it is important to ensure there is close cooperation between the communications and legal teams. A spokesperson should be appointed who can talk meaningfully about the issue, and that person should be given media training. The media coverage should be carefully reviewed and policed to ensure it is fair and accurate.
• If a journalist is planning a story, it may be possible to shape the coverage by communicating with the journalist and giving your input. There are also regulatory tools to consider; for example, a licenced broadcaster will be required to comply with Broadcaster's Code, which contains requirements of accuracy and fairness. Pointing to these may help shape the coverage before publication.
• If it is not possible to prevent publication, or shape the coverage to a less negative angle, there are broadly three options: (i) seeking a right of reply, through a written statement or an interview; (ii) pre-empting the story by getting your version out first, whether by issuing a press release or by cooperating with a more sympathetic journalist; or (iii) seeking a pre-publication injunction, though that can be very difficult and may sometimes be counter-productive.
• If a negative story is published, it is essential to do something and do it quickly. If no action is taken, that may come back to haunt you in any subsequent litigation. If for example a story is allowed to sit on a third party website with no reaction for a week, it may ring hollow to argue in later proceedings that the business's reputation was gravely tarnished by it. 
• As well as seeking direct redress (eg an apology, clarification, damages and/or legal costs) it may be appropriate to complain to the relevant industry body (eg IPSO).
• There are also various causes of action that may be utilised, most obviously defamation. However, the law on defamation changed substantially two years ago to make it less claimant friendly. There is a new threshold requirement to establish serious harm to reputation. In the case of bodies that trade for profit, that means a need to show serious financial loss, which can be quite difficult. Other options include privacy claims in respect of person information protected under ECHR article 8, or breach of confidence in respect of commercially confidential information.
• There are pros and cons to issuing proceedings. On the positive side, there may be recovery of damages / costs and vindication of the company's reputation. But it is expensive and will take considerable time – it could be 18 months before judgment in any substantial defamation claim – and in that time the proceedings may simply bring more attention to the allegations when otherwise they would have sunk without trace.

Dispute resolution clauses – Adam Johnson, Chris Parker and Dominic Roughton

• There are three main issues in any international dispute: (i) Jurisdiction / arbitration: Which courts, or an arbitral tribunal, have jurisdiction to deal with the dispute? (ii) Applicable law: Which law governs the parties' obligations? (iii) Recognition / enforcement: In what circumstances will a judgment or award be recognised / enforced in England or elsewhere? All of these need to be carefully considered.
• A dispute resolution clause is not boilerplate. There is no "one size fits all" when it comes to deciding on the appropriate clause. It is necessary to consider the options carefully, look closely at what kinds of dispute might come out of a particular relationship, and try to draft accordingly. Choosing the appropriate clause can have a big impact on how any dispute is dealt with, and may mean the difference between winning and losing.
• Failing to include a choice of law / jurisdiction in a contract can lead to all sorts of difficulties, including uncertainty as to which jurisdiction any dispute might end up in and which law might be applied. There may also be a race to jurisdiction, with each party trying to gain an advantage. Ultimately it may not be possible to enforce any judgment, depending on the circumstances.
• It is essential to think about enforcement from the outset. Where are the counterparty's assets? Will that jurisdiction enforce relevant court judgments / arbitration awards? Are there restrictions on the types of judgment that will be enforced – eg only money judgments? It is important to be aware of local laws, customs, quirks or requirements which may affect enforceability, and to take local advice.
• If contracting with a state entity or international organisation it is important to think about immunity issues and consider appropriate waivers.
• One important consideration is whether to opt for litigation or arbitration. The most common reason to choose arbitration is ease of enforcement, depending where the relevant assets are located. A choice of arbitration does not guarantee the ability to enforce, as different countries will enforce the New York Convention to different degrees, but it gives an excellent legal starting point for enforcement in the 153 countries that have ratified the convention.
• Other factors include: opting for a neutral venue and avoiding "home court" advantage; confidentiality / privacy – arbitration may or may not be confidential, depending on the relevant venue, arbitral rules and contract terms, but it is generally private, in that details of the case are not available to the public as they may be in court proceedings; party autonomy, or an ability to select the tribunal and the procedure; and finality, as arbitration generally involves very limited grounds of appeal, which may of course be a good or bad thing. On the other hand, potential advantages of litigation include summary procedures, availability of appeals, and ease of dealing with consolidation/multiple parties.
• If opting for court jurisdiction, rather than arbitration, there are three basic choices. (i) Exclusive jurisdiction clauses provide maximum certainty but lack flexibility, for example if the counter-party moves its assets to a country which doesn't enforce judgments from the chosen jurisdiction. (ii) Non-exclusive jurisdiction clauses provide flexibility but also uncertainty, as other courts may take jurisdiction as well as the chosen court. (iii) One-way or unilateral clauses are also possible, so that one party is restricted to suing in the chosen jurisdiction, but the other party has a choice where to sue. In theory these provide the best of both worlds, but they do not always work. They have been held to be unenforceable for example in proceedings in France, Russia and China.
• Provisions relating to service of process should be considered if the counterparty has no presence in the relevant country (whether it is a jurisdiction or arbitration clause). That will avoid the need to serve any proceedings abroad, which can take time and add to the cost. Nominating an address for service within the jurisdiction or setting out some mechanism for service, which could even be service by email on some nominated individual, is easily done and can save a lot of time and hassle.
• An express choice of law should also be included. In the vast majority of cases a choice of law will be respected and given effect. However, there are some limitations which may apply, for example, if the chosen law differs from the parties' country of incorporation, or the jurisdiction in which the proceedings take place, or the place of performance of the contract. If any of these apply, advice should be taken before the contract is entered into.
• If opting for arbitration, it is very important to get the arbitration clause right. Fundamental features include: an unequivocal agreement to submit disputes to arbitration; the seat of arbitration; the institutional rules that will apply (it is possible to have a purely ad hoc arbitration, but generally institutions are worth the cost); the governing law of the arbitration agreement; the language of proceedings; and the number of arbitrators and how to select them.
• Where there are multiple parties or a suite of agreements, it is important to think about whether the clauses are consistent with one another, and also (where the choice is arbitration) empowering the tribunal to consolidate different proceedings or join different parties.

Document risk – James Farrell and Kirsten Massey

• A key area for a business in managing its document risk is understanding its obligations to retain certain document categories, and how long for, and in certain cases when not to retain them.
• There is, unfortunately, a wide range of legislation and regulation which sets out requirements for particular categories of documents. For multi-national businesses there is likely to be a similar range of legislation and regulation in each jurisdiction in which they operate. In addition, businesses in many sectors will have a range of sector-specific regulation which must be complied with.
• As far as obligations to destroy documents are concerned, the most important category in the UK relates to personal data about living individuals, eg employees, clients or third parties, which is covered by data protection regulation.
• Businesses must also consider what to do with the rest of their documents, for which there is no prescribed retention period. In many businesses this may well be the majority of the documents. The question often arises whether businesses are entitled to destroy such documents, when no litigation is contemplated, as part a robust housekeeping policy, for example to save on data storage costs.
• There is little or no guidance in the English court. The Australian decision in BAT v McCabe provides some comfort that there is no requirement to keep everything forever, and that an appropriate document retention policy should include appropriate provisions for document disposal. However, there is no "one size fits all" and each company needs to access its data management policies in accordance with its own commercial requirements, and the type of data it generates.
• A common recommendation is that general categories of commercial documents should be kept for the relevant limitation period, often six years, so that they are available to bring or defend proceedings. Different businesses do however adopt different time periods.
• A good document retention policy will need to be drafted by reference to the particular business, and the type of data that it generates and stores, as well as the sector it operates in and the regulation it is subject to. It is important to ensure that any policy is properly enforced, and for this reason it is important that the policy is both realistic and functional. Having a document retention policy which is widely ignored is probably worse than having nothing at all. 
• In addition to thinking about retention of existing documents, it is important for businesses to avoid creating unhelpful documents in the first place – though that is easier said than done. Educating the business is important to raise awareness, particularly regarding the permanency of digital communications and the risks of highly damaging documents coming to light at a later stage. Taking sensible precautions to maximise the protection of legal privilege is also important.
• Once a dispute is in contemplation, there is likely to be an obligation to preserve documents that are or may be relevant to the proceedings in question, though the precise nature of the obligation may vary depending on the particular proceedings and the jurisdiction.
• There are two broad strands: making sure individuals are aware of their obligations and are preserving anything they have that might be relevant; and making sure central document destruction policies are suspended to the necessary extent. What is needed will depend on various factors, including how much is in dispute, the cost of the relevant steps, and the likelihood that significant material will otherwise be lost.
• In terms of limiting the disclosure exercise, since the Jackson reforms, the courts have had greater flexibility in deciding what sort of disclosure is appropriate for the particular case, eg disclosure by reference to particular issues in the case. Parties should think carefully from the outset about what might be possible and appropriate.
• Even with standard disclosure, there are ways of limiting what needs to be reviewed to see whether it meets the test for disclosure. Typically, that is through establishing and agreeing with the opponent (or if necessary getting the approval of the court) relevant date ranges, custodians and keyword searches to narrow the field of documents to something approaching a reasonable review set.
• Another key way to control cost is to think creatively about how the review should be carried out. In recent years there have been significant moves toward hiving off the more document-heavy elements of a legal task, including disclosure review, to other teams in less costly locations. This can mean very significant costs savings, though it is important that those dealing with the litigation keep control over the process.
• Sophisticated technology, and in particular the great advances in "predictive coding", can also save time and cost in appropriate cases and when used appropriately. Predictive coding is an e-disclosure software tool that allows the review team to prioritise documents that are more likely to be relevant to the disputed issues and so reduces the overall number of documents that need to be reviewed.
• Predictive coding has so far been used more commonly in the US than in this jurisdiction, but it is certainly gaining ground, and that is likely to increase in light of recent endorsements in both the English and Irish courts. As a firm, we have used the technology in several cases.

Cyber security - Andrew Moir and Andrew Procter

• Cyber security is an ongoing process. The nature of the cyber threat is continually evolving. Businesses need to look at their processes to make sure they are still current and will still effectively guard against the evolving threats.
• It is impossible to reduce the risk of a cyber security incident to zero. Businesses need to look at their information assets and systems and concentrate on those that are most susceptible to breach and where the consequences of a breach will be most significant.
• Devising and implementing cyber security policies and procedures is not just an IT issue. It involves the whole organisation, from the board down. All staff must be adequately educated about cyber risk, including for example "phishing" attacks, and what to do in the event of a breach.
• If there is a breach, it is obviously important that the organisation knows as soon as possible that it has happened. The recent Mossack Fonseca hack, where documents were being passed to the BBC for many months while the attack was being perpetrated, is an example of where a breach had gone unnoticed for some time.
• The existing data protection regime under the Data Protection Act 1998 is expected to be replaced in May 2018 by the General Data Protection Regulation, which will toughen up the regulatory framework around data privacy. At the moment the maximum fine is £500,000. That will potentially increase to 4% of worldwide turnover for the most significant breaches. It also puts in place recommendations around encryption and vulnerability testing, and introduces mandatory notification to the ICO within 72 hours for any breach that meets a certain significance threshold.
• A cyber security breach is likely to involve lots of different legal issues across the board, eg data protection, employment, IP, litigation, regulatory fines and other investigation aspects, reputational issues and insurance. It will therefore require a multi-disciplinary team to deal with it. The issues may also be multi-jurisdictional; for example, if a multinational set of customer data has been compromised you may have regulatory or other obligations in each country the data touches.
• The legal response to the breach will include preservation of evidence and privilege, though that is made more difficult by the fast-paced nature of the incident response. Time will be of the essence for the technical teams to get to the bottom of what has happened. Trying to control the communication / document creation process too tightly might hold up the investigation. A balance needs to be struck.
• Potential liabilities need to be considered, as well as potential claims against suppliers if they are responsible for the breach. With a cyber security breach, however, neither the public nor the regulators tend to be interested in the niceties of whose fault it is. Thinking the business is protected because it has appropriate contractual warranties and indemnities may therefore give rise to a false sense of security; it is better not to have suffered the breach in the first place.
• In preparing for a cyber security incident, an important issue is figuring out who will make the decisions. This is a point that often arises in a crisis management situation, but it may be particularly acute in the cyber context. If the incident occurs outside of head office, should it be the local team or those in head office? What about if near shoring operations or vendors are involved? It's important to be clear on this.
• Notification requirements will vary between jurisdiction and regulator. For example, under the Singapore monetary authority rules, the business has one hour to make an initial report, and then just 14 days to give a full report on everything that's gone wrong. It is important to think in advance about information flows within the group to make sure the proper disclosures can be made.
• In regulated industries, it is generally no longer acceptable to take a defensive approach to a crisis, including a cyber security incident. The business is expected to be proactive in finding out what else is out there, what is the scope of the problem.
• IOSCO (the International Organisation of Securities Commissions) is proposing consistent international disclosure standards in relation to cyber issues, including the reasons why the issuer is subject to cyber risk, the source and nature of the risk, the possible outcomes of a cyber incident, and the adequacy of preventative measures – though an issuer is not expected to provide a "roadmap" to those seeking to infiltrate its security network.
• Things are moving very fast for example in relation to contractual warranties and insurance cover for cyber incidents. It is important to keep track of developments in the market; if businesses haven't reviewed these aspects for six months, chances are they are out of date.
• For more information on these issues, see our Crisis Prevention and Management hub which includes a focus on cyber security.