Managing risk: A disputes perspective (2018)

Herbert Smith Freehills recently held its annual disputes client conference exploring some key legal and compliance risks facing major corporates. The event was attended by close to 100 clients. After opening remarks by Damien Byrne Hill, head of dispute resolution for the UK and US, there were presentations on GDPR, emerging technologies, cyber insurance, reputation management, arbitration, sanctions for third party enablers of tax evasion and avoidance, dealing with document requests, and historic investigations.

A summary of the conference is below – if reading the full version of this post, you can jump down to read more detail on any of the sessions by clicking on the relevant heading.

GDPR – is your organisation ready? Miriam Everett outlined the enhanced requirements under the EU General Data Protection Regulation (GDPR) and looked at what businesses should be doing to make sure they are compliant, as well as how the new rules could affect disputes.

Emerging technology risks – what may go wrong in the future? Andrew Moir considered the risks facing organisations from new technologies, focusing in particular on the examples of artificial intelligence, data analytics and block chain, and considered how businesses should respond to these risks.

Cyber insurance – how to protect your organisation: Greig Anderson considered practical steps organisations can take to understand what cover they need for cyber incidents, identify any cover they already have in their existing insurance programme, and address any gaps.

Reputation management in the online world: Joel Smith and Neil Blake looked at how to approach reputational issues in the online world, including practical tips for mitigating risk.

Options to arbitrate – addressing enforcement risk: Nick Peacock looked at the extent to which Brexit might affect the enforceability of English judgments around the EU, and looked at some issues relating to arbitration for businesses considering that option.

Tax evasion and avoidance – sanctions for third parties: Heather Gething outlined the new regimes imposing sanctions for third parties who assist others to evade or avoid tax, and considered how businesses can protect themselves.

Dealing with document requests – addressing the challenges: Julian Copeman looked at the challenges of dealing with the huge numbers of documents generated by any modern business, and considered the extent to which recent proposals to reform the court rules on disclosure are likely to reduce the burden.

Investigations into historic allegations: Brian Spiro looked at some of the challenges that arise in investigating historic allegations, including when and how to report to authorities, and how to protect whistle-blowers.

GDPR – is your organisation ready?

• GDPR will apply from 25 May 2018 across all EU Member States, replacing the Data Protection Directive which has been in place since 1995.
• The new regime was proposed in January 2012 but was not agreed for another four years. It was reportedly the most heavily lobbied piece of legislation in European Parliament history, which reinforces how important data has become to both businesses and individuals.
• One of the key objectives of GDPR is to harmonise data protection procedures and enforcement across the EU, in contrast to the Directive which was implemented in different ways in different Member States. There are, however, a number of aspects that are left to national legislation, including some exemptions, derogations and enforcement powers. So if a business operates in numerous Member States it needs to be aware of the national rules as well.
• Most of the practical implications for businesses come down to people, paper and processes; it is important to get all of these aspects right in order to be fully compliant. It is not enough to have policies in place, if no one is aware of them and there are no proper processes to support them. Staff awareness and training is crucial and GDPR is a whole of business issue.
• There is a new requirement for some organisations to appoint a data protection officer (DPO), so it is important to think about whether the test is met and a DPO is needed. This is an area that can vary between Member States, ie some Member States may require a DPO even if an organisation does not meet the test for a DPO under the GDPR, so it is important not to lose sight of national requirements.
• Demonstrating compliance with GDPR may require a lot of paperwork, eg an appropriate privacy policy, privacy impact assessment, and security risk assessment. Even where an organisation has concluded that it does not need to take certain steps, such as appointing a DPO, it should document why it has reached that conclusion.
• To date there has been only limited guidance on the operation of GDPR. There are lots of questions outstanding, which makes it very difficult for organisations to be confident that they are fully compliant.
• One difficult area relating to privacy policies is how to balance the requirement to give large amounts of information to individuals regarding the use of their data with the requirement for such policies to be concise and use plain English. The general market approach is to aim for a happy medium, including a reasonable level of detail but not too much – though what is reasonable will depend on the type of organisation and the type of data it holds.
• Another controversial area is whether to write to customers asking for refreshed consents. We are seeing different approaches in the market to this issue. Refreshing consents is only necessary where an organisation is seeking to rely on consent as its lawful basis for processing data going forward and doesn't have GDPR standard consents in place. Alternatively, it may be possible to rely on the legitimate interests condition instead of consent.
• It is generally accepted that we are likely to see more disputes as a result of GDPR. Given the potential for large fines (€20 million or 4% of worldwide turnover) there are likely to be more appeals against fines and disputes with regulators. There are likely to be more individuals exercising their data subject rights, given the enhanced awareness arising from GDPR, which is likely to lead to more disputes. There are likely to be more individuals seeking compensation for data breaches, particularly as GDPR contains an explicit right to compensation for non-material damage, so individuals can sue for distress even if there is no financial loss. And there are likely to be more commercial disputes, for example between data controllers and processors over liability for data breaches.

Emerging technology risks – what may go wrong in the future?

• Artificial intelligence (AI) raises difficult issues around intellectual property (IP), for example the question of who owns the IP when copyright works are created by AI. The question of whether a non-human can hold copyright is currently being litigated in the US in the "monkey selfie" case. In the UK, the Copyright, Designs and Patents Act 1988 specifically contemplates computer generated works, and deems that the author is effectively the person that arranged for the computer to generate those works.
• In relation to patenting inventions created by AI, for example where AI is used to create a new drug, it is not clear whether a court would consider there to be an "inventive step" which is sufficiently non-obvious to allow it to be patented where the task was effectively one of automated data analysis.
• Issues also arise around infringement, for example if an AI engine is directed to a copyright work to learn from it and produce something based on it.
• How can organisations manage these risks? One thing to do to assist in obtaining IP protection is to ensure there is continued human involvement, but that will only work for so long; in the context of patents, eventually the human controlling an AI engine will have no idea how an invention was actually devised. Hopefully by then the law will have caught up.
• There may also be ways of doing business that don't depend on the need for IP protection – eg technology companies who give software away for free and find other ways of monetising it.
• In terms of infringement, training R&D staff is key, so that for example they don’t point their AI engine at copyrighted works. And it may be possible to rely purely on open source information, information in particular jurisdictions where a "fair use" or similar doctrine can be relied on, or data which has been commercially licensed.
• Big data analytics is leading to disputes already, usually due to a perceived inequity where a company is compelled to license data it creates to an analytics company, which then learns from it and sells it not only back to the company that originally licensed it, but also to third parties.
• This raises issues around collateral usage rights, ie whether the company is able to use the data to provide other services, and whether what is created is a derivative work based on the data, or whether that link is broken by mixing it with other data.
• There are also issues around GDPR, for example the "right to be forgotten" – if data is used to train an AI engine, how can you make sure that data can be deleted?
• How can organisations manage these risks? The best solution is through clear contractual protections, eg to ensure licences permit training an AI engine and subsequent collateral use. Getting appropriate licenses in place at the inception of a project is important; once the project is a commercial success, negotiating the necessary licences is likely to become more expensive.
• It may also be possible to build in technical compliance, for example to comply with "right to be forgotten" requirements by ageing out the information relied on by an AI system – eg it may be designed so as not to rely on any data that is more than two weeks old.
• Keeping control of third party data processors, and appropriate training of technical staff, are also crucial.
• Class actions around data breach issues are likely to be a major area of risk, particularly given the specific right under GDPR to bring claims for distress. Such actions may be an attractive proposition; whilst each claim might be modest individually in terms of damages, it may be worthwhile for a claimant law firm to pursue if there are large numbers of similar claims brought together.
• Blockchain can also give rise to risks. Although it’s often said to be very secure, that is only true if it is implemented correctly. Vulnerabilities can lead to losses if exploited by hackers, but large amounts of cryptocurrency have also been lost by accident, through coding errors.
• There are also risks arising from the anonymity which is a feature of blockchain, which can be a problem for example for "know your client" requirements, and from its immutability, which gives rise to difficulties in terms of GDPR compliance and the "right to be forgotten".
• Smart contracts coded into blockchain can also give rise to risks, for example if two businesses think they’ve agreed something, but it’s coded incorrectly into a smart contract. There may be complications in applying conventional contractual principles in this context. And there is also the risk of fraud.
• It is likely that regulators around the world will introduce specific measures to deal with these issues, particularly around security requirements, but there is a balance to be struck between waiting for greater regulatory certainty and losing commercial advantage as a result of delay.

Cyber insurance – how to protect your organisation:

• Cyber insurance and cyber risk generally are issues that are increasingly on the board agenda.
• A cyber insurance policy is not a policy that covers all of the risks arising from a cyber event; it is a policy that fills in some of the gaps that other policies cannot fill in relation to cyber events.
• A cyber peril, such as a system failure or data breach, can cause a number of different types of loss. These may include the costs of notifying regulators and affected customers, and of forensic investigations to determine what happened. There may also be property damage as well as loss of business/revenue, compensation claims from customers, legal costs, reputational damage, and fines and penalties.
• A number of these losses may be covered under existing policies, through so-called "silent cover", where the policy does not mention cyber cover but it is not excluded either. For example, a professional indemnity policy might cover claims from customers who can’t get on to an online banking system; a property policy might cover damage to an oil rig targeted by a cyber attack, and the business interruption losses may be covered as consequential losses on that policy.
• There may, however, be "gaps" in cover, which a stand-alone cyber policy can plug. For example, if there is a data breach, even if the customer claims are covered by a professional indemnity policy, it may not cover the incident response costs or PR expenses incurred as a result. Those are typically covered under cyber. Similarly, if there is a loss of business resulting from a cyber attack where there is no damage to physical property, that may not be covered by a property policy, and so cyber insurance may fill that gap.
• Insurers have been warned by the PRA that they need to be aware of their silent cyber exposure. That may lead to greater clarity in some policies as to what is and is not covered.
• The uptake of cyber insurance has been increasing in recent years and that is likely to accelerate further as a result of GDPR, and in particular the introduction of mandatory notifications to regulators and, in some cases, affected persons. When mandatory notifications were introduced in the US a decade or so ago, that drove uptake in the US market; it seems likely that the same will happen here.
• In buying cyber insurance, businesses should consider their data and systems "crown jewels", ie what they most want to protect, and their potential exposure in these areas, then consider the scope of cover under existing policies and the gaps that need to be filled.
• The cyber insurance should be structured around the existing cover, so that businesses are not paying double premiums for overlapping cover which will only lead to disputes later.
• It is important to ensure the policy details are appropriate: eg getting the exclusions right, making sure the sub-limits are appropriate, making sure the provisions on notifications and settlement aren’t so draconian that even a minor breach can result in loss of coverage.
• Pre-inception disclosure is also critical, both because a failure in disclosure can have adverse consequences for policy coverage, and because some policies may have exclusions that relate back to the pre-inception disclosure.
• Insurance issues should be built into an organisation's crisis management strategy, so that insurance is not forgotten when a crisis hits. That can result in inadvertently prejudicing a policy that would have responded, eg by making broad promises of compensation. It may ultimately be the right response in some situations, but it should be a business decision made taking into account the impact on insurance coverage.
• Notifications and consents are crucial, eg obtaining insurers' consent before costs are incurred or claims are settled, as is ensuring that the organisation can demonstrate to insurers what went wrong and what steps have been taken so as to be able to evidence a claim.

Reputation management in the online world:

• For an organisation seeking to manage its reputation in the online world, as in other contexts, the legal responses cannot be divorced from the wider communications strategy. Indeed, whether a legal response is appropriate in any given context is often a matter of very careful judgment.
• Whether an organisation does wish to consider a legal response, it is helpful to take a cross-disciplinary approach, considering traditional tools designed to protect reputation and privacy, such as defamation and breach of confidence, as well as IP claims based for example on copyright and trade mark infringement.
• The reputational risks faced by organisations online can come from numerous sources, including: campaigns conducted via social media platforms; "mirror" websites using an organisation's branding and imagery which are designed to fool the public into spending money; competing online businesses selling counterfeit and grey import products via online platforms using keyword advertising to divert business from an established organisation.
• Where an organisation is faced with a negative online campaign, it is important to consider the desired outcome before taking any action, in particular whether that is to engage with and seek to moderate the campaign or seek to shut it down. This will depend on many factors including the subject matter of the campaign.
• It may be possible to seek remedies via defamation or malicious falsehood claims, but in many cases the individuals behind the campaigns may not be readily identifiable. In those circumstances, an organisation may seek to direct its efforts against the social media platform on which the campaign is conducted.
• English law in this area has become more restrictive in recent years. Claimants are expected to take action against the author, editor or publisher of a defamatory statement before anyone else; an internet intermediary will only be liable once it is on notice of the defamatory content and has failed after a reasonable time to take it down. In addition, it may be difficult to enforce an English defamation judgment abroad, due to blocking statutes in a number of jurisdictions (eg New York and California).
• A further burden for a corporate claimant bringing a case in defamation is that it must show serious harm to reputation as a result of the statement in question, and in the case of a body that trades for profit, that means serious financial loss. In many cases it will be difficult to establish a clear causal link between the relevant statement and a likelihood of financial loss.
• Defamation and malicious falsehood claims are unlikely to help if the objective is to shut down a campaign quickly. The primary remedy is damages, which can be obtained only after a trial. Obtaining an interim injunction based on such claims is very difficult.
• It may be possible to take action based on IP rights such as trade marks or copyright, if an online campaign or "mirror" website is using a logo, imagery or content which belongs to the organisation. Interim injunctions may be difficult to obtain, however, particularly where a campaign is able to argue that it is engaging in legitimate public protest. Further, for a trade mark claim, there may be a question mark as to whether a campaign is using the trade marks in the course of trade, unless for example it has some business purpose, such as a shareholder activism campaign.
• An organisation may also be able to rely on the "take down" procedures of the relevant social media platform, based on either defamation or IP infringement. Once taken down, however, the content may go back up either on the original site or a new one.
• If a campaign or "mirror" site is using a URL similar to an organisation's, there are domain name dispute resolution procedures that can be followed, in order to seek the return of the domain name. However, these tend to be quite slow. The courts may be willing to take action in such circumstances, particularly where the domain name is effectively being used as an instrument of fraud (which may be more likely in examples where consumers are being misled deliberately).
• There may be challenging jurisdictional issues, particularly where a "mirror" site, or a site selling counterfeit goods, is operating from a jurisdiction where it is difficult to litigate and/or enforce English judgments. In those circumstances, the best route may be against the hosting site or service provider.
• An important recent development is the use of blocking injunctions requiring internet service providers to block access to sites that sell counterfeit goods, as established in the high-profile case brought by Richemont (the owner of Cartier) against a number of service providers. Similar principles had been established where service providers were aware of copyright infringement (in the music streaming cases in particular); this development is important in expanding the expectation to take action in cases of trade mark infringement and also against different categories of service provider (host, online platform and perhaps payment provider).

Options to arbitrate – addressing enforcement risk:

• In entering into a contract, parties have a basic choice as to the jurisdiction in which to have any disputes resolved, whether by national court jurisdiction or by arbitration. If the contract is silent, the parties are effectively choosing court litigation; one or more national courts will undoubtedly have jurisdiction over the disputes, though there may be a fight as to which one. In contrast, arbitration requires consent.
• There are a number of reasons why a party might wish to choose arbitration, but the chief reason is enforcement, particularly in the context of emerging markets business where it may not be easy to enforce an English (or other) court judgment.
• The uncertainties around Brexit are encouraging some parties to look again at arbitration when they might not previously have considered it. In particular, there is some uncertainty as to how English court judgments will be enforced around the EU once the current rules under the recast Brussels Regulation no longer apply.
• These uncertainties should not be over-stated: it is likely that there will be some form of transition agreement extending current enforcement rules in some circumstances post-Brexit, and during the transition period the UK may be able to reach agreement with the EU for a bespoke arrangement going forward, or for the UK to join the Lugano Convention which contains similar rules to the current regime. In any event, the UK has said it will sign up to the Hague Convention on choice of court agreements (it is currently a member by virtue of EU membership), which means judgments obtained pursuant to an exclusive English jurisdiction clause should be enforceable in other signatory states (which includes the EU), though there are some technicalities around implementation. And if all else fails, EU27 states may enforce English judgments applying their own national rules.
• These uncertainties have, however, caused some organisations to look again at the use of arbitration, given that Brexit will have no impact on arbitration agreements and the enforcement of arbitral awards, which are governed by the New York Convention.
• Parties opting for arbitration may agree an arbitration clause which applies in all circumstances, or may consider agreeing an option to arbitrate, eg where the parties agree to the exclusive jurisdiction of the English courts but with an option allowing one or both parties at a certain point to decide the dispute should go to arbitration instead. Such options are typically unilateral; a multilateral option may increase the risk of "game playing", given that once a dispute arises, there is often only one party that is interested in an efficient resolution of that dispute.
• Option clauses require very clear drafting, in particular as to who has the option and in what circumstances it can be exercised. Whilst the English courts will recognise and enforce option clauses, the same may not be true everywhere particularly where the option is unilateral. Courts in Russia and France have refused to give effect to such clauses in some circumstances, just to give two examples.
• For parties considering arbitration, it is worth understanding how arbitration mechanisms have changed in recent years to address some of the concerns some parties have expressed relating to arbitration.
• One common reservation about arbitration (especially in the context of financial services contracts) is the lack of summary procedures. It is still the case that there is no possibility of an award by default, but there is increasingly a power for a tribunal to determine issues on a summary basis, either because that is specifically drafted in to the arbitration agreement or because arbitration institutions are beginning to include such powers explicitly in their rules.
• It is also possible to write into an arbitration clause a requirement that the arbitration be concluded and the award issued within a defined period (ie "expedited" arbitration). Such clauses should be used with caution, however. Arbitrators may be reluctant to take on an appointment if the period is too short, and if the tribunal fails to meet the set timetable there will be grounds for challenging an award issued after the deadline. It may therefore be advisable, if including a deadline, to allow the time to be extended by agreement or by the arbitral tribunal where necessary.
• The possibility of appointing an emergency arbitrator is included in the rules of most major institutions these days. This means that if there is a need for an injunction or other interim relief before the arbitral tribunal is appointed, and there is no available court to grant that relief, the relevant party can ask the institution to appoint an emergency arbitrator to hear an early interim application pending formation of the full tribunal.
• Parties can also allow for multi-party and multi-contract scenarios to be dealt with in a single arbitration, through careful drafting of the relevant clauses. With advance consent, issues around joinder of parties, and consolidation of related arbitrations, can be accommodated to allow a single set of arbitration proceedings to deal efficiently with related disputes arising from a suite of inter-related contracts.

Tax evasion and avoidance – sanctions for third parties:

• There have been three developments which increase the risks for third parties relating to attempts by others to evade or avoid tax. These are: a new corporate criminal offence of failing to prevent facilitation of tax evasion; new civil sanctions for those who facilitate evasion; and new civil sanctions for those who facilitate avoidance.
• Under the criminal regime, there are two new corporate offences which came into effect from 30 September 2017: failure to prevent facilitation of UK tax evasion and failure to prevent facilitation of foreign tax evasion. The only nexus there must be with the UK for HMRC to prosecute is that, for the UK offence, there is UK tax evaded, and for the foreign offence, part of the evasion or facilitation of the evasion took place in the UK. These offences can lead to a criminal conviction and an unlimited fine for the corporate.
• These are strict liability offences. Where a taxpayer has been convicted of criminally evading tax, and an associated person of the corporate (an employee, agent or any person who provides services for it) has criminally facilitated the evasion, the corporate will have committed the relevant offence unless it can demonstrate that it has reasonable prevention procedures.
• What amounts to reasonable prevention procedures will depend on the timing after the introduction of the offence. In September 2017, HMRC indicated that it understood that procedures would need to be rolled out and enhanced and developed over time, but it expected corporates to have commenced the process of assessing and documenting the risk, documenting procedures to minimise the risk, and putting in place controls where appropriate.
• The second category, civil penalties for enabling evasion, came into force on 1 January 2017. These penalties apply where a taxpayer is convicted of criminally evading tax, the enabler encouraged, assisted or otherwise facilitated commission of the offence, and the enabler knew his actions would, or were likely to, enable the taxpayer to evade tax. The offences relate to offshore income, profits, gains and assets.
• The penalties can be very onerous. There are fines of up to 50% of value of the asset where the offence relates to a transfer of offshore assets, and in all other cases 100% of the tax sought to be evaded subject to a floor of £3,000, and there is the potential for "naming and shaming" by HMRC in some circumstances.
• The third category, civil penalties for enablers of avoidance, applies to arrangements implemented from November 2017. Here there is no criminal conduct, but rather taxpayers who have put in place arrangements to which HMRC has successfully applied the "general anti-abuse rule" (GAAR). An arrangement will be in scope if a main purpose of the arrangement, objectively viewed, is to obtain an abusive tax advantage – which requires HMRC to demonstrate that, in all the circumstances, the arrangement cannot reasonably be regarded as a reasonable course of action (the "double reasonableness test"). A relevant factor will be whether the tax advantage obtained fails to mirror the economic reality of the situation, eg if there is a tax loss when in fact the taxpayer made a profit.
• Those who may be subject to penalties as enablers include those who design and promote arrangements of this sort, managers of the arrangements (eg trustees of an employee share scheme), marketers, "enabling participants" (anyone whose participation enabled the tax advantage to accrue), and "financial enablers" (those providing one of a range of financial products). The scope is therefore very wide.
• A penalty cannot be imposed unless the HMRC obtains an opinion from the GAAR advisory panel that the double reasonableness test is satisfied. To date, however, the GAAR advisory panel is taking a very broad approach. Where the GAAR opinion is forthcoming, there will be a 60% automatic fine for the taxpayer and fiscal penalties for the enabler equivalent to the fees it received, and again there may be naming and shaming in some circumstances.

Dealing with document requests - addressing the challenges:

• The amount of data produced by organisations is expanding at an ever-increasing rate, which gives rise to huge challenges for organisations dealing with document production obligations either in litigation or in response to demands from a regulator.
• Organisations need to give serious thought to what documents should be kept and what should not be kept. There will be legal and regulatory obligations to retain certain categories of documents for particular periods, which may differ between jurisdictions, and there will be other drivers for keeping documents such as applicable limitation periods. Apart from these considerations, it is perfectly acceptable that an organisation will want to get rid of material; you can't keep everything forever, for reasons of both cost and practicality, and there are obligations under data protection legislation to ensure that personal data is not kept for longer than necessary.
• It is also important to think about where and how to keep documents, including considering the jurisdiction(s) in which any electronic storage is backed up, and what laws the organisation may end up being subject to as a result.
• The key is to have a good document retention policy, which is tailored and appropriate to the type of data that the business generates and stores, as well as the sector it operates in and the regulation it is subject to, and to ensure that the policy is properly enforced.
• In the context of English litigation, there have been successive attempts over the past 25 years or more to try to make the disclosure process more manageable, and less costly, in a world of ever-increasing numbers of electronic documents generated by businesses.
• In 1999, the Woolf reforms replaced the very broad pre-CPR "train of enquiry" approach with the (then) new concept of "standard disclosure", which meant parties had to disclose only the documents on which they relied or which supported or adversely affected any party’s case. That was meant to control costs, but in fact it didn't work because it is often cheaper just to produce everything than to spend time working out what is genuinely helpful or harmful.
• The Jackson reforms, introduced from April 2013, again tried to solve the problem, this time by replacing the presumption of standard disclosure with a "menu" of disclosure options from which the court would choose, tailoring the disclosure order to the requirements of the case at hand.
• But for all its good intentions, the menu approach did not succeed in that aim; the menu was largely ignored, with parties opting for standard disclosure in most cases.
• A disclosure working group, chaired by Lady Justice Gloster, was set up in 2016 to address concerns around this issue. The working group's proposals were published in November and there was a consultation that continued until the end of February. It is expected that revised draft rules will go before the Civil Procedure Rule Committee with a view to running a two year pilot in the Business and Property Courts, probably from early in 2019.
• The proposals would replace the disclosure menu with a number of "models" that can be requested, ranging from no disclosure to (exceptionally) full pre-CPR "train of enquiry" disclosure. In fact the proposed models are quite similar to the existing menu options, but the new proposals differ from the current position in a number of ways: first, nothing is referred to as "standard"; secondly, the new rule operates on the basis of a disclosure model for each issue in the case; thirdly, there are clear signs steering the parties, and the court, to be restrained in their approach to disclosure.
• The working group has been clear that what's needed, if there is to be a major departure from current practice, is "wholesale cultural change", with a change in professional attitudes and a shift towards more pro-active case management by judges. It remains to be seen whether this will happen.
• We have raised a couple of particular concerns regarding the detail of the new rules, which we understand are being looked at, both in relation to the requirement to disclose "known adverse documents", which gives rise to obvious questions where the disclosing party is a large corporate or other organisation (eg whose knowledge is relevant and what sort of knowledge is required), and a requirement to explain "with reasonable precision" the grounds on which privileged documents are withheld, which is very unclear.
• Apart from rule change, a key way to control costs is to think creatively about how a document review should be carried out. Clients should consider: who should be reviewing the documents, and in particular whether a review team in a lower-cost location can be used, such as our global alternative legal services (ALT) team; and what technologies are available to make the process more efficient, in particular whether predictive coding can be used to help prioritise documents for review.

Investigations into historic allegations:

• The "Me Too" campaign has made individuals feel empowered to come forward and complain about events that happened many years ago. This can have devastating effects on an organisation, and it is important for corporations to be aware that this may become an issue.
• The starting point in investigating any allegation is to sit down and scope the investigation and decide on the important issues before jumping in.
• Some organisations already have template investigation plans in place, but of course those are only templates; they need to be shaped and moulded to fit particular circumstances. If there is no template then the organisation is starting from scratch.
• The issues to consider include, obviously, identifying who the complaints are being made against, and who is going to investigate the complaints. There may be cases where there is overlap, ie the complaint is made against senior managers who would ordinarily be involved in the investigation, but clearly that cannot happen. A decision will need to be taken as to how that is managed.
• Other issues for the initial scoping exercise include whether the allegations are potentially criminal in nature, whether they need to be reported to a regulator or enforcement authority, who is going to be informed that an investigation has commenced, what response will be given in relation to any media interest, and whether anyone should be suspended pending the investigation.
• It is also important to consider at the outset what is the overall objective of the investigation, and what will be done depending on whether the conclusion is that the complaint is well or ill-founded.
• Particular issues may arise in relation to historic allegations, for example because those complained against are no longer at the organisation, or potential witnesses are no longer at the organisation. There may also be particular issues and challenges in relation to documentary evidence where the allegations are historic: are the documents still available, where are they, and in what format?
• There are particular difficulties in relation to obtaining the benefit of legal professional privilege for investigations, particularly as a result of the high-profile ENRC case which is going to the Court of Appeal in July.
• In historic allegations it will invariably be the case that the complaint has emanated from a whistleblower, either direct to the corporate entity or through the media or through a combination of the two. It is important to ensure that the organisation has whistleblower protection policies in place, and that they are appropriate and compliant with law and with the organisation’s ethical attitude and other employment policies. There is a new European Commission proposal relating to whistleblower protection, which is at the consultation stage, which may introduce a new EU-wide standard in relation to whistleblowers who report breaches of EU law.
• One question that is often asked at the outset is whether there is a duty to report a complaint of criminal conduct to law enforcement authorities. In the UK there is no legal obligation to report suspected criminal behaviour, with the exceptions of money laundering, terrorist financing and child protection, but for those in the regulated sector there may be regulatory obligations to report. There are also criminal offences of obstructing or perverting the course of justice. Accordingly, if in the course of an investigation evidence of a crime is discovered, it is imperative to preserve that evidence.
• Investigations can be lengthy and expensive, so it is important to identify at the outset whether there are insurance policies that may provide relevant cover, such as a D&O policy, and what notifications are required to ensure that coverage is not prejudiced. It is worth noting that D&O policies are ordinarily "claims made" policies, so that the relevant date is the date the claim is made, not when the activity occurred. Therefore, there may be cover even where the allegation relates to historic conduct.