At a recent conference, the Twelfth Annual Corporate Accountability Conference held on 12 June 2014 at the Cercle National Des Armées, Paris, Pierre Poret, Counsellor, Directorate for Financial and Enterprise Affairs at the Organisation for Economic Co-operation and Development, told the audience, referring to the OECD’s Risk Management and Corporate Governance report, that “too often, in the enterprise, there was little or no board-level responsibility, with the burden (and oversight responsibility) [for risk management] effectively stopping at the level of the line manager”. According to Monsieur Poret, the OECD’s findings showed that companies’ boards often played only a very limited role in risk management and that risk management standards were often set at too high a level, with outsourcing and supplier-related risk a key but much overlooked risk.
The head of the UK’s Financial Conduct Authority, Chief Executive Martin Wheatley, used a speech at Bloomberg, London on 3 June 2014 to promote the FCA’s Project Innovate (the drafted text of Martin Wheatley’s speech can be read at http://www.fca.org.uk/news/making-innovation-work). The FCA is the regulatory body that, following reforms introduced by the Financial Services Act 2012, succeeded the Financial Services Authority. It has supervisory powers over the conduct of over 50,000 financial services firms in the UK, and authority to regulate the prudential standards of those firms not covered by the Prudential Regulation Authority (PRA). The PRA regulates deposit takers, insurers and significant investment firms.
In Part 1, we noted that financial institutions could find themselves potentially liable for committing an alleged Unfair, Deceptive, or Abusive Act or Practice (UDAAP) as a result of the actions of certain types of external service providers, particularly those that interface directly with customers. In this Part 2, we will discuss how financial institutions can mitigate the risk of UDAAP enforcement actions through their contracting strategies with their service providers.
A New Wrinkle of Risk
In some ways, the CFPB’s UDAAP authority resembles other regulatory regimes in that it places compliance obligations on both the issuer of the product as well as the third-party service provider that helps effectuate a transaction involving such a product. For example, export control laws place Office of Foreign Assets Control compliance obligations on both parties to a transaction. Data protection laws apply both to the controller as well as the processor of data. HIPAA protections for health information apply to the covered entity and its business associates.
The security community has been abuzz this week with the U.S. District Court of New Jersey’s April 7 ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al. (see http://www.adlawaccess.com/wp-content/uploads/sites/137/2014/04/Opinion.pdf). Wyndham had asserted in a motion to dismiss that the Federal Trade Commission (“FTC”) did not have the authority to pursue enforcement actions against the hotelier related to data security. The District Court denied the motion and held that the FTC may in fact pursue claims related to data security under Section 5(a) of the FTC Act’s prohibition on unfair or deceptive acts or practices affecting commerce (see 15 U.S.C. 45(a)). While the significance of the holding is being debated in the legal community, this week’s decision highlights the Federal Government’s increasing emphasis on requiring certain baseline cybersecurity practices by the private sector.
The background facts of the case are fairly straightforward. The FTC brought suit against Wyndham Worldwide Corp. in the wake of three separate security breaches that occurred between 2008 and 2011 and resulted in the theft of guests’ personal information (e.g., payment card account numbers, expiration dates, and security codes). The FTC alleges that after the initial two security incidents, Wyndham failed to implement reasonable and appropriate security measures, which exposed consumers’ personal information to unauthorized access and resulted in consumer injury. Specifically, the FTC alleges that there were several problems with Wyndham’s information security practices, including wrongly configured software, weak passwords, and insecure computer servers.
So what does the Court’s holding mean for the private sector? Since, up until this case, the FTC’s data security actions had been settled out of court, this case marks the first time that the courts have ruled on the merits of the FTC’s authority related to data security actions. Fundamentally, the decision affirms that the FTC has the power to pursue enforcement actions for unreasonable cybersecurity practices under existing laws. The Court, however, cautioned that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” It is also important to note that the Court’s decision did not include a verdict on Wyndham’s liability in the matter (interested parties should continue to watch as the matter proceeds).
Much has been said about the EU “Cookie” laws introduced by an amendment to the Privacy and Electronic Communications Directive in 2011. Companies with European customers (including those in the US) have grappled with the law’s requirement to obtain informed consent from visitors to their websites before cookies can be used.
In addition to being the subject of much academic debate, the issue has prompted European regulators to issue a series of guidance papers, including recent publications from the UK’s Information Commissioner’s Office and from the Article 29 Working Party, the group made up of representatives from the various EU privacy regulators. These provide layers of at times arguably conflicting commentary on how to comply with the law.
Whilst question marks hang over key issues (e.g.
Rafi Azim-Khan, Partner and Head of Data Privacy, Europe at Pillsbury and Chair of the British American Business’ Law Forum, was in Washington, DC yesterday to hear the important announcement of a key new data privacy initiative, blessed by regulators across North America, Europe and the Asia Pacific region.
The initiative is aimed at assisting international businesses struggling to come to terms with increasingly complex global data privacy laws and increasing enforcement risks.
FTC Chairwoman Edith Ramirez and new EU Article 29 Working Party Chair Isabelle Falque-Pierrotin of CNIL were joined by UK Commissioner Christopher Graham, Ted Dean of the US Department of Commerce and Canadian APEC lead Daniele Chatelois in announcing publicly for the first time a new “Checklist” tool known as the “Referential”, designed to assist companies that have to handle and transfer consumer and other types of data internationally. It applies to all businesses and all sectors.
In response to the financial crisis and recession in the United States that began in 2007, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (now commonly known as “Dodd-Frank”). Dodd-Frank created a vast array of new financial regulations, including the new and independent Bureau of Consumer Financial Protection designed to “regulate the offering and provision of consumer financial products or services under the Federal consumer financial laws.”
Now known by its alphabet soup moniker, the CFPB has jurisdiction to enforce one of the simplest, yet most powerful, provisions in Dodd-Frank: “It shall be unlawful for any covered person or service provider to engage in any unfair, deceptive, or abusive act or practice.” These “unfair, deceptive, or abusive” acts or practices have become commonly known in the legal and financial industries as “UDAAPs.” The CFPB has not implemented formal rulemaking with respect to the prohibition on UDAAPs. Instead, it has made the conscious decision to largely implement its UDAAP rules via its enforcement actions and a series of guidance documents, including the “Supervision and Examination Manual,” which articulates CFPB’s expectations for how this law is to be enforced.
In previous posts (Proposed Changes to UK’s TUPE will impact outsourcing deals, The UK Government consults on proposed changes to the TUPE regulations) we highlighted the UK Government’s proposed changes to the Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE 2006”). The UK Government has now finalised these changes, resulting in the Collective Redundancies and Transfer of Undertakings (Protection of Employment) (Amendment) Regulations 2014 (“Amended TUPE Regulations”).
The Department for Business, Innovation and Skills (BIS) also published useful guidance that helps to explain the changes made to TUPE 2006. Generally speaking, the Amended TUPE Regulations brought into effect the changes discussed in our previous post,
The High Court of England and Wales has recently decided that a contract can, in principle, be made in two separate jurisdictions at the same time if the contract does not include choice of law and jurisdiction clauses. In this situation, either party could seek to enforce the contract in its home jurisdiction.
In Conductive Inkjet Technology Ltd v Uni-Pixel Displays Inc  EWHC 2968 (Ch), the court considered a dispute between two parties, one based in England and the other in Texas. The agreement in question was a non-disclosure agreement, which did not include a choice of law and jurisdiction clause as the parties were not able to agree on one during negotiations. The parties agreed the contract in an email exchange, and it was then signed by Conductive Inkjet Technology (CIT) in England and by Uni-Pixel Displays (UPD) in Texas. CIT then claimed that UPD made use of certain proprietary information in breach of the agreement and sought permission to serve claims on UPD in England. UPD challenged this by arguing that English courts did not have jurisdiction in the matter.
To recap the English law position on contract formation, the general rule is that a contract is made at the time and place where acceptance of the relevant offer is communicated to the offeror. There are two main rules as to when acceptance is communicated:
Procurement says SAS70;
Finance says SSAE 16;
Audit says SOC 2;