Managing risk: A disputes perspective (2019)

Herbert Smith Freehills recently held its annual disputes client conference exploring some key legal and compliance risks facing major corporates. The event was attended by close to 100 clients. After opening remarks by Damien Byrne Hill, head of dispute resolution for the UK and US, there were presentations on the impact of data on disputes, data loss, privilege, LIBOR discontinuation, climate change, the impact of Brexit on contracts and smart legal contracting.

A summary of the conference is below – if reading the full version of this post, you can jump down to read more detail on any of the sessions by clicking on the relevant heading.

The impact of data on disputes: Sarah McNally and Christine Young considered the issues that arise in handling data in the context of disputes, including in relation to monitoring employee emails, the use of data subject access requests to get advance disclosure, and dealing with personal data in the context of a disclosure exercise.

Data loss and its consequences: Andrew Moir, Joel Smith and Andrew Taggart explored a typical data loss scenario to illustrate the issues that arise and how businesses should respond to incidents of data loss.

Privilege – continuing challenges: Julian Copeman discussed the challenges posed by a number of recent decisions which make significant inroads into the ability of commercial parties to obtain the protection of privilege when seeking legal advice or dealing with litigation, and considered practical steps commercial parties can take to address the challenges.

LIBOR discontinuation – not just an issue for banks: Harry Edwards looked at the litigation risks that will arise for corporates from the discontinuation of the London Inter-bank Offered Rate, or LIBOR, from 2021 and how businesses can prepare for those risks.

Climate change – the risks for corporates: Simon Clarke and Silke Goldberg considered the significant litigation and regulatory risks for corporates arising from both the physical effects of climate change and the risks inherent in transitioning to a lower carbon emission environment, including the implications for directors' duties and corporate disclosures.

Brexit – the impact on contracts: Andrew Cannon looked at the implications of Brexit for particular aspects of parties’ contractual relationships, including questions relating to jurisdiction and enforcement of judgments and the potential for termination.

Smart legal contracts – managing risk with next generation contracts: Rachel Lidgate and Charlie Morgan considered the outlook for "smart legal contracting" and how automated contractual performance may affect disputes and dispute resolution in the future.

The impact of data on disputes

• The amount of data organisations are dealing with is ever-increasing and is taking on different forms. In the context of a dispute, the focus used to be on emails, but other forms of communication (eg instant messaging, Whatsapp, social media) may be equally or more significant in many cases. Organisations must keep up to date with current forms of communication to make sure they are able to retrieve the information they need for the purposes of investigations and litigation.
• Historically for many companies it would have been easy to go to one or a small number of locations to retrieve all relevant documents from an easily identifiable client or transaction file. Now it is more likely that relevant information will be held in multiple locations which will need to be searched. It is important for companies to manage their data appropriately, thinking about how documents are held and by whom, so that material can be located when required without undue difficulty or expense.
• It is also important to be aware of the tools available to enable huge volumes of data to be identified, processed and sorted. Companies will want to make use of such technologies (eg predictive coding software) in appropriate cases to manage the time, risk and cost involved.
• Challenges arise from the increasing practice of employees using personal devices at work under so-called BYOD policies. Companies need to make sure they have appropriate policies in place to allow them flexibility to access the data they need for an investigation or for litigation particularly where that data is not backed up on their own servers (eg instant messaging, Whatsapp etc).
• There are clearly risks to a company if it is unable to comply with orders for disclosure, or to evidence its claims, for lack of documents. However, those risks need to be balanced against the risks arising from non-compliance with data protection legislation (most importantly the GDPR) if a company goes to the other extreme and inappropriately retains or processes data eg of employees or customers.
• GDPR obligations need to be kept in mind when conducting an investigation or disclosure exercise, which will inevitably involve the processing of personal data. It is essential that the process is transparent and that employees have notice of it (existing privacy notices may give sufficient notice). Companies should ensure that their privacy policies and notices make it clear upfront that employee data can be processed for this purpose.
• Monitoring employee communications also gives rise to challenges, particularly where work systems are used for personal communications. Companies should ensure their policies are up to date so that employees know what is being monitored and they are only monitoring what they are legally permitted to.
• The informality of communications can cause difficulties, as there is the potential for confidential information being disclosed or inappropriate comments being made which can themselves result in litigation. There is also the risk of material being created through these channels that can be unhelpful when a dispute arises. Proper education and training is key.
• Data subject access requests can be used as a litigation tactic, commonly in employment litigation but also in commercial litigation where there is an individual claimant (or an individual within a corporate party who has been involved in the relevant events and can submit a request). An individual has a right to see their personal data, not documents, so companies should think carefully about what is provided.
• The Morrisons case (considered here) illustrates the risks associated with the increasing practice of employees working from home or agile working, and the increased scope this gives for furtive conduct. In that case a disgruntled internal auditor downloaded payroll information for around 100,000 employees onto a USB stick and posted it onto a file sharing site. The Court of Appeal found Morrisons vicariously liable, despite the activity having taking place on a personal computer outside working hours and having been done maliciously in order to cause damage to Morrisons, though the case is subject to an appeal to the Supreme Court.
• As an overall point, modern organisations deal with a wealth of data that can be very helpful and can be very unhelpful in the context of a dispute. It is crucial to ensure that there is compliance with data protection obligations to avoid such issues being used as a sideshow to distract from the substantive issues in any litigation.

Data loss and its consequences

• Data can be lost in multiple ways, including through employee negligence (eg a briefcase left on a train) or a failure in IT systems. It is increasingly the case, however, that data incidents are caused by deliberate activities, whether that is the activities of employees or contractors, or external parties hacking into a company's systems whether individually or through state-sponsored hacking or corporate espionage.
• In any data loss scenario, there are several stages the company should work through in its response to the incident, particularly where there is a cyber or regulatory element: detect; assess; contain; investigate; remediate; review. The first three (detect; assess; contain) are time critical to prevent any further data loss. The later stages are about finding out what went wrong and what can be done to prevent it happening again.
• It will be important at the outset to establish an appropriate internal investigation team. This should contain representatives from in-house legal (if there is an internal legal function, or if not external legal advice should be considered), IT, compliance and HR. It may also be desirable to have a representative from the business line affected and to obtain early PR involvement.
• A communication protocol should be agreed, to limit the creation of new documents which may be unhelpful in any litigation or regulatory investigation, and to ensure that all relevant functions know what the others are doing.
• The company will need to assess the nature of the information that has been taken and the risks posed, including the risks to the organisation itself and to its customers (or other relevant individuals, eg employees, depending on the type of data that has been lost). Assessing that risk will be crucial to determining what needs to be done from a regulatory perspective.
• Where the incident arises from employee activity, careful thought should be given to how to deal with the employee(s) involved. Often where there is misconduct the initial instinct will be to suspend and/or dismiss the individual straight away, but that may not always be the best course of action in the long term, as the individual's cooperation may be needed in assessing and containing the incident.
• Early attention will need to be given to whether there is a need to make a notification of the data loss, eg to the Information Commissioner's Office, other regulators, the police and customers. Where customers are to be notified, that gives rise to obvious issues of publicity and reputation management.
• So far as regulators are concerned, the focus will typically be on identifying any failures in systems and controls which contributed to the incident or may have prevented it. There is a risk of regulatory action/fines against the company if there is found to have been a breach of data protection obligations. There is also the risk of class actions, and in the data protection context there is no need to establish financial loss to be able to claim.
• A regulator will be interested in how the company has dealt with and contained the incident. In this context it will be important to keep contemporaneous notes of decisions taken and the basis for them. It will also be important to show what's being done to prevent a recurrence of the issue, eg by changing policies and procedures, which should be done proactively rather than in response to regulatory intervention.
• As part of the effort to contain the situation, it may be appropriate to seek an interim injunction to prevent further use of the information by the wrongdoer (eg an employee who has disclosed a customer list to a competitor) and any third parties who have received it. Or if there is not enough evidence to seek an injunction straight away, it may be possible to obtain for example a search order, or an order permitting external forensic expert review. A freezing injunction may also be possible, if there is evidence that the defendant may dissipate its assets.
• All of these remedies are discretionary, and it will be essential to move very quickly as the court must be convinced there is genuine urgency. If there is a risk of destruction of evidence, these remedies can be pursued without notice, subject to an obligation to give full and frank disclosure to the court.

Privilege – continuing challenges

• There are a number of recent English court decisions that have been very unhelpful from the perspective of commercial parties wishing to obtain the protection of privilege when seeking legal advice or dealing with litigation.
• For legal advice privilege to apply, there needs to be a lawyer/client communication; communications with third parties are not privileged (unless litigation is in contemplation and the test for litigation privilege is met). So the question of who counts as the "client" is very important in the context of legal advice privilege.
• A run of recent cases, culminating in SFO v ENRC (considered here), have considered this question. The difficulties hark back to the decision in Three Rivers No 5 fifteen years ago where the Court of Appeal decided that "client" for purposes of legal advice privilege was not the whole organisation (the Bank of England) but only a small group of individuals who were liaising with the external lawyers on behalf of the Bank.
• Recent decisions, including the Court of Appeal's decision in ENRC, have applied Three Rivers No 5 strictly to find that that the client comprises only those within the client company who are tasked with instructing the lawyers and obtaining their advice on behalf of the organisation.
• The Court of Appeal in ENRC said it would have decided otherwise if free to do so – in particular because the current approach is unfair to large corporations, in that there is more likely to be a mismatch between those instructing the lawyers and those who have the relevant factual information – but as a previous Court of Appeal decision Three Rivers No 5 was binding on them. Accordingly, any challenge to the correctness of the decision will have to go the Supreme Court in some future case.
• The upshot is that where a company wants to have the benefit of legal advice privilege, careful thought should be given to who is advising and who is likely to be considered their client for the purposes of that advice.
• There may be some benefit in making a non-exhaustive list of the relevant individuals, though it may reduce flexibility if you later want to argue that others should be considered part of the client.
• If information needs to be obtained from "mere employees" think about whether that can be done orally and the information recorded in a privileged lawyer/client email.
• Litigation privilege has also become much less straightforward in light of some recent cases – most importantly WH Holding v E20 (considered here) in which the Court of Appeal held that emails between Board members discussing potential settlement proposals were not privileged because they were not prepared for the dominant purpose of obtaining advice or information in relation to the conduct of the litigation. It was not sufficient that they were for the dominant purpose of conducting litigation, in a broader sense.
• The court did accept, however, that litigation privilege will apply if advice or information obtained for the conduct of litigation cannot be disentangled from a document, or it would otherwise reveal the nature of such advice or information.
• The decision has caused major difficulties in applying litigation privilege in practice, as there may be many communications or documents which are for the purpose of conducting litigation but which do not fall within the category of obtaining advice or evidence. As well as settlement, which is the context of this case, other areas could include discussing litigation strategy, or reputation management relating to the litigation, or the funding of the litigation, or controlling the costs of the litigation.
• Another risk highlighted by the decision, but which does not come out clearly from it, is that the court appears to suggest that litigation privilege will not cover internal corporate communications, as opposed to communications passing between lawyer and client or either of them and a third party. This part of the decision is not at all clear, but there is some risk that this point could be developed further in the case law.
• In light of the decision, companies should think about whether communications that might fall foul of the decision can be restructured as lawyer/client communications that are subject to legal advice privilege, or perhaps whether privileged advice/information can be threaded through the document so that it can't be disentangled – though caution is advised, as a court might consider that the privileged material should be redacted and the remainder disclosed.

LIBOR discontinuation – not just an issue for banks

• The London Inter-bank Offered Rate, or LIBOR, will likely cease to exist from 2021. Given the widespread use of LIBOR as an interest rate benchmark in commercial contracts, this gives rise to significant issues for corporates. It is not just an issue for banks.
• The demise of LIBOR will affect any corporate with financing arrangements, or which holds debt as an asset class. It will also impact on any hedging arrangements, as interest rate (and some other) derivative contracts are typically pegged to LIBOR. Corporates who access the debt capital markets will be affected as the notes they issue will often be linked to LIBOR. References to LIBOR are also commonly found in many other commercial contracts, typically in order to set the rate of interest for late payment. The move away from LIBOR will also give rise to difficult valuation and accounting issues, for example where assets on a company's balance sheet are linked to cash flows that are affected by the change from LIBOR.
• Different markets are coming up with different solutions as to what should replace LIBOR. In the UK the preferred replacement rate is SONIA (Sterling Overnight Interbank Average Rate). Its most significant difference from LIBOR is that, since it is an overnight rather than term rate, there is little or no credit risk priced into it and so it is typically lower than LIBOR. That means a straightforward substitution from one rate to the other won't work, as it would result in a value transfer from one party to the other.
• A key question for corporates to consider is what should happen to existing contracts that reference LIBOR. Standard documentation in different markets includes different fallback provisions that are intended to operate if LIBOR is temporarily unavailable, but these were not devised for a situation in which LIBOR is permanently discontinued and none of them are likely to operate smoothly on a permanent discontinuation of LIBOR.
• Amendments to address existing fallbacks will not be straightforward, however. Taking the loan market as a convenient example, banks are likely to approach clients to seek to amend legacy contracts, but there are difficulties with that process. Changes will likely need the unanimous consent of lenders and borrowers. Given the value transfer issue, it will mean a renegotiation of the margin on the loan. That risks opening up the commercial negotiation of the deal, and there is a risk of parties opportunistically seeking to use the opportunity to extract other concessions in other areas of the contract.
• As a result of these issues, it seems likely that there will be a rump of contracts that are not amended in time. In loan markets, there may be arguments as to how the contract should be interpreted, given the fallbacks which exist, or whether some other term should be implied. Where it is held that a relevant fallback should be applied, there may be disputes as to how that should operate (eg where the fallback is based on the lender's cost of funding the loan, there may be challenges to lender's calculation). All of these issues could lead to litigation.
• With regard to the derivatives market, ISDA has sought to deal with the problem by promising a protocol to allow market participants to agree to move to new fallback language by adopting changes to the definition of LIBOR. But given the need for both parties to agree, and the number of derivatives contracts in the market, there will almost inevitably be contracts which are not amended. Again, the court may be asked to interpret the contract or imply terms to keep the contract alive. Alternatively, there could be a scenario in which these contracts are found to be frustrated, potentially leaving parties without effective hedging arrangements in place.
• In the bond market, similar issues arise but the problems will be particularly acute where the fallback results in a fixed interest rate. That would, for example, lead to disruption if certain types of fund would have to sell the bonds because they are unable to hold fixed rate bonds under their mandates.
• The fact that each market is approaching this issue from its own perspective gives rise to particular risks. So, for example, a corporate may typically have a loan with an associated interest rate hedge using a derivative. If the replacement rates are different for the two products, or if the move to a replacement rate is triggered by different events, the whole purpose of the hedge could be undermined. This means corporates can't merely take a product by product approach to the issue.
• Corporates will need to do their due diligence to manage these risks, considering what contracts are affected and what fallbacks they contain and engaging early with the banks to address the issues.
• These issues should also be considered when entering into new documentation – this is very uncertain at the moment given that replacement rates are not yet settled. Corporates should take advice before entering new contracts which give rise to these problems and will need to be amended in due course.

Climate change – the risks for corporates

• The approach of the financial services regulators in relation to climate change is of broader interest to other sectors, in part because it is likely to be copied by regulators in other industries, and in part because the approach of the financial services regulators offers a framework which may be useful when thinking about other businesses.
• The financial regulators divide the risks arising from climate change into two categories: (i) the physical effects, including damage to property, disruption to supply chains and falls in productivity; and (ii) the risks of transitioning to a lower-carbon economy, including the fall in demand for fossil fuels, and the need for massive infrastructure investment and investment in renewables and energy efficiency.
• The PRA has noted that the risks from climate change have four distinctive features: (i) they are far-reaching in breadth and magnitude; (ii) they have uncertain and extended time horizons; (iii) the magnitude of impact is dependent on short-term actions taken today; and (iv) they are of a foreseeable nature. It is worth businesses evidencing that they are having regard to these features in planning actions to address the risks.
• The regulators are addressing the financial risks from climate change through a traditional framework of: governance, embedding consideration of risks from climate change into governance and strategy; risk management, incorporating these risks into existing risk management practice; scenario analysis, identifying exposures in a range of climate change outcomes; and disclosure, considering whether further disclosures are necessary to enhance transparency.
• Although the high level expectations have been formulated, there is currently a lack of guidance as to the specific assumptions that businesses should be adopting in their planning, or specific actions which need to be taken. It is recognised that views on best practice will evolve over time, but businesses are expected to determine an approach which meets expectations in a way which is appropriate for the nature and scale of their operations and the risks they face.
• Directors need to consider climate change issues in ensuring that they comply with their statutory duties under relevant company legislation. For directors of UK companies, the duties under section 172 and 174 of the Companies Act 2006 are particularly relevant, but for directors in regulated industries there may be more specific duties that arise under the regulated frameworks.
• Under section 172, directors have a duty to act in good faith to promote the success of the company for the benefit of its members. To do so a director must take into account a number of factors, including the likely long term consequences of any decision, the need to foster the company's business relationships and the impact of the company's operations on the communities and the environment.
• The good faith aspect of this duty is very important in the context of climate change. The director must have a bona fide and honest belief that they are acting in the best interests of the company, and it must be based on factual details that the director has taken into consideration. A director may be liable under section 172 if they act in ignorance, or based on political beliefs, or a failure to obtain or consider expert evidence.
• It is important to ensure there is a balance. If the directors only consider climate change and environmental risk to the exclusion of everything else, that will go too far. Directors also need to have regard to the financial health of the company in the long term.
• Under section 174, directors have a duty to exercise reasonable care, skill and diligence. To comply with this duty, they need to educate themselves about the impact of climate change on their company in particular. Where climate change issues are delegated to a committee, it is important that the committee is properly supervised and any recommendations fed back to be considered at Board level. Failure to do so may be a failure of the directors' duty.
• It is important to remember that standards in relation to climate change are evolving, so directors need to keep educating themselves and consider the actions being taken by competitors and the market generally.

Brexit – the impact on contracts

• At the moment, and during any transition period if the draft Withdrawal Agreement is entered into, an English judgment is and will be enforceable in other EU Member States with relative ease under the recast Brussels Regulation. That will no longer be the case, however, if the UK leaves the EU with no deal.
• The Hague Convention on Choice of Court Agreements 2005 provides for similar rules on enforcement to those in the recast Brussels Regulation. The UK is currently a member of the Hague Convention through the EU. That will come to an end when the UK leaves the EU, but in the event of a no deal Brexit, the UK will re-join the Convention in its own right from the day after Brexit occurs, so currently 1 November 2019.
• Hague, however, applies only where there is an exclusive jurisdiction agreement in favour of the courts of a contracting state which was concluded after the Convention's entry into force for that state. And it is not entirely clear whether for the UK that means 1 October 2015, when the UK became bound as a member of the EU, or 1 November 2019, when the UK will accede in its own right if there is no deal.
• The risk that Hague may not apply where the exclusive jurisdiction clause was entered into before Brexit has sometimes been called "the change of status risk". That risk has been heightened by recent guidance published by the European Commission which suggests the Commission's view is that exclusive English jurisdiction agreements are within the Hague Convention only if they are entered into post Brexit.
• The Commission's view is not conclusive. It could be that national courts in the EU27 and ultimately the CJEU will adopt a different interpretation – on the face of it, it's not easy to see why the UK's change of status (from member of Hague by virtue of EU membership to member of Hague in its own right) should give rise to this difference of treatment. However, the Commission's view is obviously unhelpful.
• In light of this risk, parties should think about whether they are likely to need to enforce any judgment under a contract in one or more EU Member States. If so, the next question is whether the judgment will be enforceable under domestic law if Hague doesn't apply. That will be possible in most, although not all, EU countries, but it may be more complex, time consuming and costly.
• If there are concerns, it may be worth considering other options. These may include a non-exclusive English jurisdiction clause, which would give flexibility to choose an appropriate jurisdiction at the time the proceedings commence, or an arbitration clause, since arbitration is unaffected by Brexit and has a very effective enforcement mechanism under the New York Convention. Either of these options could be combined with an agreement to replace the clause with an exclusive English jurisdiction clause if there is a no deal Brexit.
• For contracts entered into already which contain an exclusive English jurisdiction clause, if there are concerns over enforcement in the EU27, the jurisdiction clause could be amended now if all parties agree, or the parties could decide to wait and see whether there is a no deal Brexit and re-evaluate at that stage.
• Brexit also has potential implications for termination of contracts, as parties may be looking to get out of contracts which no longer make sense in the changed commercial landscape. In some cases there may be a termination clause which allows termination on notice, or at will, or there may be breaches of contract that can be relied on to bring the contract to an end. Or there may be a material adverse change clause or force majeure clause which may apply, or the doctrine of frustration may come into play, though all of these require a high threshold.
• The doctrine of frustration was recently considered by the High Court in the Brexit context in the European Medicines Agency case, [2019] EWHC 335 (Ch) (considered here). In that case the court rejected an argument that the EMA's lease of premises at Canary Wharf will be frustrated as a result of Brexit.
• The decision demonstrates the uphill struggle likely to face a party seeking to establish that its contracts are frustrated as a result of Brexit. However, in principle it leaves open the possibility of establishing frustration where a party is able to show that it will be deprived of all or substantially all of the benefit of a contract, or that it will simply not get what it bargained for, rather than performance merely becoming more onerous or inconvenient. An appeal against the decision is due to be heard in 2020.

Smart legal contracts – managing risk with next generation contracts

• A "smart legal contract", or SLC, is a legal contract which is intended to operate (in whole or part) on a digital platform. An SLC may contain both natural language clauses, as in a traditional contract, and "smart clauses", which are codified, machine-readable translations of those clauses which allow the contract to be automated.
• A distinction is to be drawn between SLCs and “smart contracts”, which are simply pieces of code which perform digital events. Implementing "smart contracts" without anchoring the code within a valid legal contract can give rise to complex issues regarding validity/enforceability.
• The codified provisions of SLCs can build in "oracles" or the ability to "talk” to external data sources – which can range from industrial sensors to interest rates indices – so that the SLC can monitor and detect events and update the contract, notify parties of real world events or trigger the execution of digital acts.
• SLCs have the potential to reduce the burden of contract management and regulatory compliance, so that businesses can reduce risk and generate cost savings.
• As a simple example, a SLC could be used to automate a delivery notification obligation, under which Party A has to notify Party B upon receipt of delivery. Such a clause could be automated by enabling it to "talk" to a weighbridge sensor which detects delivery. The clause would be coded to monitor the live data from the sensor and check whether or not delivery has occurred, and to notify Party B once it has occurred. There could be other variations, for example building in a longstop date so that if delivery has not occurred by that date a dispute notice is generated.
• SLCs need to be uploaded onto a digital platform, and there are significant benefits in using a blockchain platform to store the SLC and record the contractual events in an immutable form on a distributed ledger.
• A blockchain is a type of database that is shared, replicated and synchronised among the members of a de-centralised network. This technology offers advantages in terms of cybersecurity as, contrary to a centralised network, the distributed network is not subject to a single point of failure.
• There are a number of permissioned blockchain platforms being developed by private entities or consortia of entities, for particular industry use cases. HSF is involved in a consortium to investigate and develop the “Australian National Blockchain”, which will be the first business-ready, industry agnostic SLC platform in Australia. A pilot for early adopters is due to start in late 2019-2020. We are also considering what blockchain platforms are available and suitable for use elsewhere in our network.
• SLCs are likely to lead to a real increase in efficiency for the resolution of disputes. They are likely to enable parties to narrow the scope of disputes, as there will be greater certainty as to the definitive version of the contract and a better audit trail of what's happened in the life of the contract up to the point where a dispute arises. There may also be the potential for automating or streamlining some steps within the dispute resolution process, such as notification requirements, the identification of arbitrators and the validation of their statements of independence, as well as the expedited recognition and enforcement of arbitral awards or court judgments.