Managing risk: a disputes perspective (2017)

Herbert Smith Freehills recently held its annual disputes client conference exploring some key legal and compliance risks facing major corporates. The event was attended by close to 100 clients. After opening remarks by Mark Shillito, head of dispute resolution for the UK and US, there were presentations on cyber security, Brexit, insurance, class actions, decision analysis, privilege and internal investigations.

A summary of the conference is below - if reading the full version of this post, you can jump down to read more detail on any of the sessions by clicking on the relevant heading.

Cyber security – keeping pace with emerging technologies: Andrew Moir explored the new threats facing organisations with the proliferation of new technologies and trends, focusing in particular on the "Internet of Things", connected vehicles and big data analytics, and looking at how organisations should respond to minimise the risks.

Brexit – how it affects your disputes risk: Andrew Cannon and Gary Milner-Moore considered the impact of Brexit from a disputes perspective, including the disputes that are likely to arise, the impact on the dispute resolution options parties may wish to choose, and the steps parties can take to protect themselves.

Insurance – do you have hidden assets that could assist in a dispute? Paul Lewis and Sarah McNally outlined some of the key policies and developing coverages which clients might not be aware of but which might assist in the event of a dispute or investigation, and looked at practical steps to maximise recoveries.

Competition class actions in the UK – where are we now? Kim Dietzel outlined developments relating to the controversial new collective redress regime for competition claims which was introduced in October 2015, including the first two attempts to launch "opt-out" class actions under the new regime, and their implications for businesses.

Decision analysis for disputes – helping you evaluate risk: Alex Oddy and Donny Surtani outlined how a quantitative approach, combining legal analysis with an evaluation of probabilities and other financial factors, can help clients to evaluate the risk inherent in each dispute, and to weigh their options accordingly.

Privileged (or not) – why the risk to business has just increased: James Norris-Jones outlined the recent High Court decision in the RBS Rights Issue Litigation, which has applied a very narrow interpretation of which communications are protected by privilege, and looked at how businesses can put themselves in the best position to obtain the protection of privilege.

Internal Investigations: Karen Anderson, Andrew Procter and Jenny Stainsby outlined some of the key challenges that arise in internal investigations including: putting in place proper governance; dealing with witness interviews; and preserving and retrieving evidence.

Cyber security – keeping pace with emerging technologies

• The internet of things (IoT) refers to the interconnection via the internet of electronic devices embedded in everyday objects, for example: connected fridges; smart meters; and remote monitoring of processes or equipment in the industrial sector.
• IoT devices present a number of risks as well as opportunities. They can be used to help launch cyber attacks, or they can themselves be the target of cyber attacks. For example, Andrew cited a real example of ransomware being installed onto connected thermostats, so that customers would have to pay the hacker (typically in bitcoins) to be able to turn on their heating.
• Connected vehicles also present obvious risks. Combining internet connectivity with elements of vehicle automation – eg adaptive cruise control and assisted parking, which require computer control of brakes, steering, etc – leads to potential security issues if hackers are able to take control of these. In 2015, for example, Chrysler had to recall 1.4 million vehicles for a software update when they discovered hackers could remotely control the brakes and steering via the vehicle’s cellular connection.
• Ensuring technical security of IoT / connected devices is a legal issue as well as a technical one. It is important for legal teams to join up with technical teams to ensure (i) security is built into devices by design, ensuring potential vulnerabilities are identified during product design and patched at the point of manufacture; and (ii) steps taken at the design phase are properly documented in case a dispute later arises and the company needs to defend what was done.
• Data analytics also presents challenges and risks, including most obviously around data security. Most of the cyber security breaches we hear about in the news every day are data breaches.
• The Data Protection Act 1998 (DPA) currently requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
• The forthcoming General Data Protection Regulation (GDPR), which will come into force in May 2018, will beef up the requirements, including by placing a direct obligation on all those who process data (eg outsourced cloud providers of data management services) to implement security measures. This is important to bear in mind in negotiating contracts with outsourced providers.
• The GDPR will also significantly increase potential fines for breaches of data protection requirements, increasing from the current maximum of £500,000 to up to €20 million (or 4% annual worldwide turnover) or €10 million (or 2% annual worldwide turnover) depending on the nature of the breach.
• The GDPR requires data controllers to implement both "security by design", implementing data security as part of the design phase of the product, and "security by default", ensuring that personal data is processed only to the extent necessary.
• There can be some friction between the "security by default" requirements, requiring companies to minimise the data collected, and a manufacturer's desire to future-proof its devices, if for example later product developments will require certain types of data to have been collected. In practice, a balance tends to be struck.
• Supply chain risk is also an important issue. Contractual language should include a clear description of the role of the supplier and a clear division of responsibilities for implementing security. It should also ensure there is a focus on engendering the right behaviours in the event of an incident, where cooperation between the different elements of the chain is likely to be crucial in order to contain an incident.
• Contracts should also, of course, deal with the allocation of liability, including appropriate terms excluding and limiting liability. The key point in this regard is to seek to ensure liability only covers actions or omissions that are under your control, and also ties in so far as possible with available insurance cover.

Brexit – how it affects your disputes risk

• There is a range of possible outcomes to the Brexit negotiations from, at one end, a bespoke free trade agreement to, at the other, only the WTO rules applying. The transition period is also going to be very important – if there is a long transition period this will mean change is easier to manage compared to the other extreme, the so called cliff-edge.
• As negotiations have not yet started, we have no detail, and for now all we can do is focus on key areas of disputes risk, which we have identified as: uncertainty in the law; jurisdiction and related matters; long term contracts; and new procedures.
• The Great Repeal Bill will adopt EU law into UK law at the moment of exit, and secondary legislation will deal with situations where that law will not function sensibly. The Bill will need to deal with practical issues such as what bodies will replace EU bodies named in legislation, as well as more philosophical issues such as how rulings of the CJEU post-Brexit are to be treated when they concern former EU laws. All of this gives rise to potential inconsistencies and challenges.
• There is also the potential for great uncertainty in the substantive law, though this is more of an issue in some areas than others. Contract, tort and civil procedure will be largely unaffected, but there will be much greater impact and therefore uncertainty in areas where there is substantial EU legislation such as financial services, employment and consumer protection.
• The advantages of English law in a commercial context will not change post Brexit. The core principles of English contract law are based on the common law and will not change. If English law was a good choice before Brexit then it will remain an equally good choice post-Brexit.
• Brexit will not affect the law applied by EU member state courts, which will continue to give effect to a choice of English law.
• The advantages of English jurisdiction, such as a skilled impartial judiciary and procedures that allow evidence to be robustly tested, will also remain post-Brexit.
• There will be little if any impact on the choice of London as a seat of arbitration or the advantages of arbitrating in London. Arbitration is outside of EU law and enforcement of awards is governed by the New York Convention 1958.
• There are uncertainties concerning how UK judgments will be enforced in the EU post-Brexit as we do not know what, if anything, will replace the Recast Brussels Regulation. If we become a party to the Lugano Convention there will be little change to the current position. Failing that, if we become a party in our own right to the Hague Convention on Choice of Court Agreements (which should be a largely administrative process), there should be little change where the English court has jurisdiction under an exclusive jurisdiction agreement. If no agreement is reached, the enforceability of an English judgment will be subject to local law in each member state.
• In relation to long-term contracts, Brexit may mean a contract is no longer advantageous to a party and it may want to exit it, but whether it can do so will depend upon the particular contract and the context.
• To date, force majeure and material adverse change clauses and the doctrine of frustration have been narrowly construed and the courts have not allowed them to be used to escape bad bargains.
• Consideration should, however, be given to future-proofing new contracts.
• Any bespoke free trade agreement will need to include a dispute resolution method, and there is currently no clear answer as to what that will be although there are a number of possibilities discussed in the Government's white paper.
• If the dispute resolution mechanism is only state-to-state, then businesses would need to lobby the Government to bring claims that affect them. It is possible, however, that investment agreement provisions would be included giving individuals direct rights. That has been the model followed in recent concluded and draft agreements such as the EU-Canada agreement (CETA) and the EU-US draft agreement (TTIP).

Insurance – do you have hidden assets that could assist in a dispute?

• For many businesses, insurance does not get very high up the agenda in terms of Board focus, but as soon as there is a big loss all focus turns to the policy and when / whether it will pay out.
• It is important for in-house lawyers to know some key things: what insurance policies the business buys; in broad terms what each policy covers; whether the cover is consistent with the risk profile and risk appetite of the business; and the key obligations relating to notification and reporting under the policy.
• A business may have many types of cover that are not immediately obvious. For example, a property damage policy may include cover if supply chain property is damaged. A public liability policy may include loss mitigation cover. Lots of existing policies may have cover for certain types of cyber incident.
• One area that may typically be overlooked is cover for investigation costs. More and more these days regulatory intervention leads to huge bills being racked up. Often businesses do not turn their attention early enough to whether those costs could be recovered from somewhere in their insurance programme.
• Cover for investigation costs could be lurking in professional indemnity policies, D&O liability policies, or pension trustee liability policies, just to give a few examples. The policy might cover costs incurred by the entity or by the relevant individuals. In the latter case, it will be important to ensure that, if the company is paying the costs, they are incurred on behalf of the relevant individuals so as to ensure cover is available.
• In all types of policy where costs are covered, whether for litigation or investigations, it is likely to be a condition of cover that the prior written consent of the insurer is obtained before costs are incurred. This is something that can be missed in a crisis situation.
• Major corporates will generally be able to agree with insurers the corporate's choice of law firm. Insurers may be willing to pre-agree a panel of firms the insured can use, so it may be a good idea to have that dialogue in advance. Getting the law firms, teams and rates pre-approved will mean you can move very quickly to get consent when an issue comes up.
• Another important area for organisations to think about these days is cover for cyber losses. A business should think carefully about the cover it needs and may wish to obtain stand-alone cyber cover. However, there may already be some elements of "silent" cyber cover within traditional policies the business already has, ie because there may be no exclusion for losses arising from a cyber attack (though such exclusions are common).
• It is also important to consider whether the business might have cover under a policy taken out by a third party, for example a construction all risks policy, or a property policy covering landlord and tenant, or policies covering lenders. This potential avenue may allow you to avoid litigation altogether, and so should not be overlooked.
• Cover for loss mitigation is another helpful area. Most policies require that you have actually incurred the relevant liability or actually suffered the relevant damage before the insurance will pay out. Equally you can't be reckless, so if you know (say) that your building is going to fall down, and you will incur losses and liabilities, you can't just wait for it to do so and then claim under your insurance. You need to take reasonable steps to avoid the loss. But unless you have express cover for mitigation costs, you are likely to find that the cost of taking those steps is not covered.
• If you are in a situation where you might be considering mitigating the position it is vital that you align your conduct with the mitigation costs cover. It will frequently require that the costs are being incurred for the dominant purpose of mitigating the prospective damage and not, for example, to avoid reputational damage. Ensuring the evidence is there to support such a claim is vital.

Competition class actions, where are we now?

• The Consumer Rights Act 2015 introduced a new class action procedure from 1 October 2015 for breaches of EU/UK competition law, permitting for the first time claims on an opt-out basis brought in the Competition Appeal Tribunal (CAT).
• In part due to unfavourable transitional provisions on limitation introduced at the 11th hour have meant there have not been as many claims brought under the regime as originally anticipated. There have, however, been two cases brought to date, against Pride Mobility Scooters and MasterCard, which have reached the certification hearing stage.
• A preliminary judgment has been given in Pride so we have guidance on some issues, though the decision left open whether certification should be granted (and, since our seminar, the claim has been withdrawn, reportedly on the basis that anticipated costs are likely to exceed damages). Judgment on certification is awaited in MasterCard.
• Both cases are outliers – not the types of case anticipated at the time of the introduction of the regime. The Pride case is brought on behalf of some 30,000 seeking damages of around £3.5 million. MasterCard, at the other end of the spectrum, is brought on behalf of around 46 million consumers claiming some £14 billion.
• The certification stage is critical. If certification is refused, that is effectively the end of the case. If it is granted then the matter is on a timetable to trial with potentially large sums at stake.
• If the case goes to trial, unclaimed damages, which are often a large proportion of overall damages, have to be paid to a designated charity, the Access to Justice Foundation, and cannot be reclaimed by the defendant. That gives the defendant a huge incentive to settle, as then unclaimed sums can be returned to the defendant on settlement.
• At certification, the court will consider whether the claims raise the same, similar or related issues (commonality), whether the claims are suitable to be brought in collective proceedings, whether it is just and reasonable for the applicant to act as class representative, and whether the proceedings should be opt-in or opt-out.
• Some issues have been resolved by Pride, including that the regime applies (as expected) to causes of action arising before 1 October 2015, and that an applicant may be given permission to amend its case pre-certification.
• The CAT has also made it clear that the certification stage involves Canada-style not US-style scrutiny, so the court will not hold a mini-trial, but it is sufficient that the claimant demonstrates a sound and proper basis for the claim. In this case that meant some preliminary economic evidence and limited disclosure was allowed, but no witness evidence. Claimants' costs to certification amounted to around £500,000.
• Pride has clarified a number of other points regarding certification, including that: regulatory findings regarding impact on competition will be relevant; the nature of the class members may be relevant (vulnerable consumers in this case); where the commonality test is met, it may be relatively easy to establish that an opt-out claim is appropriate (at least in a "follow-on" case based on a regulator's infringement decision); the class representative need not have litigation experience and the impetus for the claim can come from the lawyers; and the fact that ATE insurance does not cover the defendant's full estimated costs may not be fatal.
• A key area that remains uncertain is how the commonality test will be applied – in particular, to what extent are differences between class members in the level of loss suffered, and difficulties in reflecting this on distribution, fatal.
• Another area that remains unresolved is the extent to which the CAT can order that unclaimed funds be paid to a litigation funder. This is going to be an important issue both in settlement discussions and in relation to the success of the regime, and is at issue in the MasterCard case.
• In terms of risk management, the possibility of class actions being brought under this regime increases risk, though to what extent will be shown by how the first claims are resolved (and, as mentioned above, the Pride case has been withdrawn since our conference). Individual, rather than collective, competition claims remain the bigger risk for now, but overall, the possibility of competition class actions  underline the need for effective competition law compliance regimes (in particular in consumer-facing businesses)
• Longer term, if the regime is successful in the competition sphere, it may be extended to other areas.

Decision analysis for disputes – helping you evaluate risk

• In the course of virtually every dispute, the parties have to take decisions with financial consequences. But extensive research shows that individuals routinely display over-confidence in their decision-making in a range of every day choices, including in commercial disputes. 
• At the same time we are all under pressure to explain increasingly complex situations quickly and simply, eg to give a percentage chance of winning, when in fact that involves a series of complex and interlinked questions.
• We have developed a rigorous approach to analysing and representing disputes decision making in financial terms to assist clients with this process, building decision trees to support commercial decision making. To this end we've put together a team in London with highly experienced commercial disputes lawyers who have also got a financial background. 
• The decision analysis team does not predict the results of cases, but rather models the uncertainties and decision points in a logical manner, and seeks to improve the pricing of downside risk. Clients are finding the results of the analysis very valuable in taking good decisions and in helping to calibrate their appetite for risk. It can also be deployed in a range of advocacy contexts as well including in mediation. 
• The analysis involves: isolating the correct series of factual and legal questions that the tribunal will address, in the order it is likely to address them; assigning probabilities to each question depending on the underlying legal analysis as well as in the context of outcomes on previous questions; mapping out the financial outcomes; and identifying which are the critical issues that can affect the financial outcomes.
• Depending on the nature of the dispute, the model may also take into account other risks, such as enforcement risk and appeal risk, and it can be updated through the life of the matter as the understanding of the issues and merits evolves
• The model also involves sensitivity analysis, to illustrate the level of variation in outcomes if the analysis becomes more or less optimistic in relation to different issues. This helps to identify the key issues which have the most impact on the financial outcome, which can be important to guide decision making on resource allocation and negotiation strategy.

Privileged (or not) – why the risk to business has just increased

• The decision of the High Court in the RBS Rights Issue Litigation last December (summarised here) found that interviews conducted by a bank's solicitors with its employees were not covered by legal advice privilege as the employees in question did not form part of the "client" for privilege purposes, and (as is well established) legal advice privilege applies only to lawyer / client communications.
• The judge took the view that he was bound to reach this conclusion, applying the narrow interpretation of "client" from the notorious Three Rivers No 5 decision of the Court of Appeal relating to the Bank of England.
• In the 13 years since Three Rivers No 5, everyone knew that the decision was out there and could be applied by the courts. But there was a suspicion that perhaps the same approach wouldn't be applied to ordinary companies, or the decision could be limited to its own rather unusual facts, particularly as the decision had been widely criticised and had not been followed in other common law jurisdictions including Australia, Singapore and Hong Kong.
• The RBS case has, however, made clear that what might have been considered a theoretical risk is in fact a real risk, as it seems the courts now are inclined to adopt a narrow definition of client following Three Rivers No 5, and may indeed feel constrained to do so. That can put an organisation in a difficult position where communications it expected would attract legal advice privilege will not in fact attract legal advice privilege because the court applies a narrow definition of client.
• The decision is likely to result in increased challenges to privilege, particularly where one party to the litigation has most of the documents and so the opponent may see some tactical advantage in seeking to minimise the scope for privilege protection.
• It has also been the case for some time that regulators have been more inclined to challenge assertions of privilege, or at least take a dim view of assertions of privilege. The RBS decision encourages regulators, or in the criminal context the SFO, to take a much harder line on these sorts of points. This has been subsequently demonstrated by the recent decision in ENRC (summarised here).
• In RBS, the judge said he could see force in the criticisms of Three Rivers No 5, but concluded that the effect of the decision is to limit the meaning of the "client" to those who are authorised to seek and receive legal advice on behalf of a client organisation. Authority to provide information to the lawyers, as opposed to seeking and obtaining legal advice, is not sufficient for these purposes.
• The judge went on to say he was inclined to the view that the client comprised only the organisation's "directing mind and will". If that concept were to be applied in the same way as in a corporate attribution context, this would narrow the definition of client down to a very narrow group of individuals at Board level and would be completely unworkable. It appears from discussions during the RBS hearing that this is not what the judge was suggesting; he seems to have had in mind a concept of directing mind and will for the purpose of obtaining advice, in which case it may not add much to the analysis. But there is a risk that another judge, or an appeal court, could expand and apply that point from the judgment.
• The RBS decision means that client organisations need to consider carefully who within the organisation is likely to be considered the "client" before they start engaging in communications they intend should be subject to legal advice privilege. In broad terms, this means considering who is the core team responsible for instructing the lawyers on the particular matter, and making sure so far as possible that communications are directly between that group and the lawyers.
• The key risk relates to communicating information from the client. It may be that there are lots of people in the business who have information that needs to get to the lawyers so they can advise, but they are not the people who are authorised to seek and obtain the advice. That leads to difficult situations.
• There is no certain way to get round this problem. In some circumstances, it may be possible to have oral discussions with the individual who has the relevant information and to ensure the information is then recorded only in the form of a lawyer / client communication. As a matter of principle, that communication should be protected by legal advice privilege. If however it is done in an artificial way, there may be arguments that privilege should not apply. Or there may be particular considerations in the regulatory context or where the SFO is involved which may mean that this is not practicable.
• In terms of document review, it may be legitimate to challenge the RBS decision and take a broader view of privilege, so long as that is made clear to the opponent and to the court. Clients will need to weigh up the costs and benefits of the different approaches, including the likelihood of disputed applications, possibly up to the higher courts, if a broader view is taken.
• Whatever approach is taken, it may be sensible to ensure a clear audit trail on any document review exercise, so that if further case law emerges before the exercise is complete, or the cost benefit analysis shifts so that a different approach is desirable, the whole exercise does not have to be repeated.
• Another aspect of the RBS decision is to make it clear that a lawyer's note of a non-privileged discussion will only be privileged if it betrays the trend of the legal advice. The court found it is not enough that the notes reveal the lawyers' "mental impressions" or the "train of enquiry". It is therefore likely to be harder than previously thought to establish that lawyers' notes of non-privileged discussions are privileged.

Internal investigations

• Regulators, and the SFO, are increasingly expressing scepticism about the value of internal investigations and whether they have credibility. In recent years it has become common for them to request some form of assurance or attestation, eg that everything the company should have reviewed in the context of the investigation has been reviewed.
• To be able to give that kind of attestation, and persuade the regulator that it can rely on the company's own investigation, it is necessary to demonstrate the quality of that investigation – in particular to show that there has been proper governance throughout the investigation, with properly conducted interviews and strong document management.
• There is no single approach to governance, but for key investigations it will generally be advisable to put in place a structure which includes a steering committee. That committee will bring together key stakeholders to monitor the progress of investigation, ensure internal conflicts are properly managed, oversee communications, and ensure lessons are learned.
• Where a regulator has an interest in the investigation, you will likely want to consult them at an early stage about the scope of the investigation and/or its terms of reference, and to speak to them in advance before commencing interviews. It may be that the regulator will want or expect to have the first discussions with interviewees. 
• It is important to put together an interview plan, which will also help in demonstrating rigour at a later stage. That will involve thinking about who should be interviewed and in what order, and what information is needed to prepare for the interviews. 
• It is also important to think about how the interviewees should be contacted to invite them to interview, what they should be told, and to pre-empt what questions they might ask, including for example whether can they have their own lawyer in attendance and whether they can see documents in advance. It is also sensible to inform interviewees straight away that they should treat the matter confidentially; a warning given at interview may be too late, as they may already have spoken to friends or colleagues.
• Another point to think about, particularly where the interview is led by lawyers, is whether the interviewee should be given an "Upjohn warning". This means letting the interviewee know that the lawyer acts for the company, the privilege in the interview (if there is any) belongs to the company, and the company may decide to waive that privilege without consultation with the interviewee. That may be important to prevent the individual later claiming that he or she is entitled to privilege and therefore seeking to prevent the company sharing the information with third parties. 
• It is essential to secure and preserve the relevant documents at the outset of an investigation. The organisation may need to move very quickly if there is a risk of evidence being destroyed, but that needs to be balanced against ensuring the correct information is retained – too wide a hold can have logistical and cost implications.  
• If there is a regulator or the SFO involved then they are very likely to serve a document preservation notice anyway. It could be a criminal offence to obstruct the investigation or to conceal, destroy or dispose of documents that might be relevant the investigation. 
• Where an investigation relates to historic matters, it should not be assumed that the organisation no longer has relevant documents just because an applicable document retention policy provides suggests they will already have been destroyed. Such an assumption may lead to inaccurate statements being made, if in fact materials have been preserved for other litigation or investigations. 
• It is important to keep a proper audit trail of steps taken to preserve material, for example requiring individuals to acknowledge receipt of a document hold notice and to confirm what they have done in response to it.
• There is likely to be an enormous wealth of material that is held electronically, including worksites, network drives, calendars, diaries, emails, attachments, recorded calls, voicemails, texts, WhatsApp, internal and external chatrooms, social media, etc. In many circumstances, it will be advisable to involve a forensic expert to make sure the underlying metadata is not altered inadvertently.