The Public Law Timing Threat: It’s Time To Rattle The Iceberg

Key Contact: Hugh Hitchcock

Author: Jennifer Butcher & Evangeline O’Dowd

Hindsight is a wonderful thing, but to some, foresight is better. Take, for example, the Titanic. Had the ship plotted a different course immediately after the first warning signs, the catastrophic consequences that ensued would have been little more than a bad dream. It is therefore imperative that individuals and companies remain cognisant of the ever-changing nature of the law and stay alert to the metaphorical icebergs they may face in the public law domain.

Like many things in life, planning is the key to success. Early intervention in public law challenges provides an excellent example of why this is so. In recent times, there has been a rise in time-barred and stale public law challenges on account of a failure to act promptly and to seek early and bespoke legal advice from the outset.

Regarding time limits, the Court follows a strict approach. In most cases, an application must be made promptly and, in any event, within 3 months of the decision under challenge; in planning cases the time allowed can be as little as 6 weeks. Furthermore, a party cannot be dilatory or give the impression that it is acquiescing in a decision. Although rare, a judicial review claim can still be dismissed if there is evidence of inaction or an avoidable delay. We often advise people to take robust legal advice urgently whenever a decision that concerns them is made or could potentially be made in the future.

The Benefits of Prompt and Experienced Legal Advice:

There is a clear link between seeking early legal advice and resolving problems sooner. Understandably, clients may face up-front costs in seeking prompt and experienced legal advice from the outset. However, where individuals do not act promptly, the far-reaching and ruinous consequences that ordinarily arise in the course of these proceedings expose them to far higher costs in the long term. Below, we have set out some of the key benefits of seeking prompt and experienced legal advice.

You can assess all your options

In successful judicial review cases, the previous decision can be quashed and a new determination made. With that in mind, a range of substantively different and complex outcomes can be sought; without proper legal advice, the short time frame often leaves people making rushed and detrimental decisions. Early legal intervention means that lawyers can explain all the options available to you, giving you plenty of time to consider the best decision for you.

Consider both short term and long term

Often, individuals can be clouded by the short-term initial effects of a decision but fail to give thought to the long-term consequences. Driven by emotion, they frequently deal with the immediate problem they are faced with and do not consider the insurmountable difficulties a rash decision could give rise to. In public law challenges, public awareness and reputational risk often need to be considered from the outset.

Coming from a position of strength not weakness

From a lawyer’s perspective, developing legal strategies and determining tactical considerations takes time. Formulating a factually strong, compelling, and persuasive opposition is no different. By seeking early legal advice, you can drastically increase your chances of success, putting you in a position of strength from the outset. Equally, by retaining early advice, it is easier to streamline the claim and home in on the strongest points of opposition, which will give you the best opportunity to successfully undermine your opponent’s position.

Two Recent Cases

R (Bailey & others) -v- City and County of Swansea Council

Acuity Law have recently been instructed by a group of Mumbles Road residents in a judicial review claim seeking to challenge plans to develop a skate park at a particular location by the seafront at Llwynderw. Local residents sought legal advice to voice their concerns. Due to the residents seeking early legal intervention and through Acuity’s experienced team, the residents were able to submit the judicial review within the requisite time period, meaning that the High Court will now be required to determine whether the decision by the Council to hand over the site to the Community Council was lawful.

Porthcawl Residents’ challenge of Ministry of Justice plans

Acuity Law also recently acted on behalf of a number of Porthcawl residents against the Ministry of Justice in a public law challenge. The MoJ’s proposed development which was seeking to convert a local hotel into a residential shelter for women convicted of low-level crime was met with great concern from local residents given that no consultation had taken place. In light of this, Acuity Law worked with members of the local community to strongly oppose the development. The opposition was constructed on the basis of the likely damage to the local economy, drain on public services and increased localised crime rates. Following Acuity Law’s intervention, the MoJ has confirmed that it is no longer considering the Porthcawl hotel as a potential location.

Conclusion

The above examples demonstrate that a prompt approach, backed by experienced legal and holistic advice, is the key to successful public law challenges. The time taken in constructing an organised and structured opposition is pivotal when facing public sector entities, and it is evidently a strategy with a proven track record of success for our clients.

In conclusion, it is imperative that individuals act promptly when making a public law challenge in order to avoid the icebergs that inevitably come to the surface in the event of a delayed reaction. Planning for and predicting these icebergs will make for smoother sailing and a more favourable outcome. Had the Titanic’s crew foreseen the iceberg, they would have changed course in plenty of time and the outcome would have been very different. Don’t make the same mistake in the legal realm: take robust legal advice urgently whenever a decision that concerns you is made or could potentially be made in the future.

For further details or advice on any topics raised in the article, please contact our litigation team.


Source: https://www.lawsociety.org.uk/en/topics/research/research-on-the-benefits-of-early-professional-legal-advice

Ransomware: Holding Your Data Hostage

Key Contact: Lowri Morgan-Macdonald

When you hear the word “ransom”, you may automatically think of innocent bystanders being held hostage at gunpoint, or the child of a prominent politician being kidnapped, each with the promise of their release only in return for the payment of a ransom (you might even think of a film starring Mel Gibson, which at least one member of our team quite likes)! But with advances in technology and the associated increase in cyber-crime, we are seeing more and more incidents of a different type of ransom, namely ransomware attacks.

Some of the most recent and high-profile examples of such attacks include Ireland’s state health services provider being forced to shut all its IT systems and having to cancel some medical appointments, after being subject to a ransomware attack. There was also a recent ransomware attack on Colonial Pipeline in the US, which led to its service having to be taken down for five days, causing shortages in the supply of diesel, petrol, and jet fuel across the US.

Ransomware was also a hot topic at the Information Commissioner’s Office (ICO)’s recent Data Protection Practitioner’s Conference (DPPC). The ICO’s dedicated Cyber Incident Investigation and Response Team reported a consistent increase in ransomware attacks over the past 12 months from a monthly average of 13 incidents up to a more alarming 42 incidents in 2020-21 – helped, no doubt, by more people working from home and using less secure hardware. They also confirmed that ransomware attacks account for one of the leading causes of personal data breaches reported and/or investigated by the ICO.

In this article, we are going to take a closer look at ransomware attacks, the impact that they can have on your business, and what steps you can take to protect against such attacks.

What is ransomware?

Ransomware is a type of malicious software that can stop you from accessing your computer, or the data stored on it, by locking the computer or encrypting such data. The attacker will then demand the payment of a ransom, often in the form of a cryptocurrency such as Bitcoin, in order to unlock your computer or decrypt the data. The attacker may also threaten to delete your data or publish it online if you refuse to pay the ransom.

What are the potential consequences of an attack?

A ransomware attack can of course have very significant financial consequences for your business, whether you decide to pay the ransom or not. At the DPPC, the ICO referenced Palo Alto Networks’ Unit 42 Ransomware Threat Report, which stated that the average ransom paid by organisations subjected to such attacks in 2020 was £225,000. Major news networks and newspapers in the US also reported that Colonial Pipeline paid the attackers a ransom of nearly £3.6 million! But even if you do not pay the ransom, there are likely to be significant costs and losses associated with dealing with and remedying the effects of such an attack.

Such an attack can also lead to a personal data breach under the UK GDPR. This is because a personal data breach is essentially defined as a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; and ransomware attacks are often likely to come within this definition.

At the DPPC, the ICO gave examples of some ransomware attacks that may not obviously be categorised as personal data breaches. These include cases where ransomware has encrypted personal data using automated tools, so that no actual person has viewed or accessed any of the personal data; the ICO stated that such an attack would still constitute a personal data breach, as the availability of, and access to, that data is still compromised. So it is important that specialist advice is sought in the event of any such attack, and that policies and procedures are in place beforehand so that these issues can be identified and there is a plan for how to deal with them.

If a ransomware attack leads to a personal data breach, you must notify the ICO of the breach within 72 hours if it is likely to result in a risk to the rights and freedoms of individuals. An example given by the ICO of an attack that may not need to be reported is where you have a backup of your data which can be restored in a few hours, there is no detriment to the individuals whilst the backup is being restored, it is subsequently restored, and you are confident that no personal data has been exfiltrated. But you will need to assess on a case-by-case basis whether any breach is likely to result in a risk to the individuals affected, and ensure that you document any such assessment, whether you decide to report or not. You must also notify the affected individuals if the breach is likely to result in a high risk to their rights and freedoms. These determinations are not straightforward and are time-critical; in the midst of a cyber-attack you need advisors who can react quickly to give you the support you need.

If a personal data breach is reported to the ICO, the ICO will investigate the breach and will, in particular, investigate your compliance with articles 5(1)(f) and 32 of the UK GDPR. These are essentially the security principles of the UK GDPR, which require you to process personal data securely by means of appropriate technical and organisational measures.

As well as the potential financial and regulatory impacts, a ransomware attack can also be incredibly damaging for your reputation as customers, suppliers, partners, and various other parties may lose confidence in your ability to protect and manage their data.

How can you protect against an attack?

So, what can you do to protect yourself against an attack? Although you cannot completely eliminate the risk of an attack happening, there are some steps that you can take to reduce any such risk and to help deal with the consequences in the event that the worst does happen. These include:

  • Security – ensure that you have appropriate security in place. There are plenty of resources available to assist with this, particularly on the National Cyber Security Centre’s website (https://www.ncsc.gov.uk/).
  • Backups – maintain regular and up-to-date backups of your files and ensure that these are segregated from your main, live system to reduce the risk of an attacker also gaining access to such backups.
  • Remote access – where you allow remote access to your network, use a secure VPN, use multi-factor authentication and ensure that your devices, operating systems and platforms are up-to-date.
  • Data breach policies and procedures – have up-to-date policies and procedures in place to help you and your staff identify, investigate, report and respond to a security incident in accordance with data protection legislation.
  • Disaster recovery and incident response plans – ensure that you have plans and procedures in place to deal with any such incident.
  • Staff training – provide regular training to your staff in relation to cybersecurity and data protection so that they know what to do if there is an attack.
  • Advisors – engage specialist advisors to help you plan for any such attack and who can be on hand if one should arise.

If you would like to discuss any of the above, or would like any advice or assistance in pulling together any policies, procedures, plans or training programmes, please contact hello@acuityreputationmanagement.com.

Our Acuity Reputation Management solution also provides a full suite of corporate reputation management protection. We provide a bespoke service delivered by our industry-leading reputation management experts, tailored to your business’ needs on a flexible blended rate basis. Our full-service solution covers all areas of reputation management, from IP protection to litigation, as well as data support and training. For more information, please visit https://acuityreputationmanagement.com/ or email us at hello@acuityreputationmanagement.com.

Do I need consent to send marketing to my contacts?

Key Contact: Lowri Morgan-Macdonald

One of the common misconceptions, particularly since the GDPR came into force in May 2018, is that you always need express opt-in consent in order to send marketing to customers, clients, or other contacts. However, that is not necessarily the case. Although consent is often required, the requirements depend on how you are carrying out your marketing and to whom such marketing is directed. In this article, we will therefore give you an overview of what the law actually says around consent and direct marketing and what steps you may need to take in order to comply.

The law

There are two sets of privacy laws that are relevant when you are undertaking unsolicited direct marketing (i.e. marketing that is directed at particular individuals and which has not been specifically requested):

  1. Privacy and Electronic Communications Regulations (PECR); and
  2. The UK GDPR and the Data Protection Act 2018 (DP Laws).

The PECR sits alongside the DP Laws and you will need to ensure that you comply with both sets of laws whenever you are undertaking such marketing.

PECR

The PECR sets out, amongst other things, the rules for carrying out unsolicited direct marketing by email, phone, fax, text, and other electronic messages (such as picture/video messages, voicemails and direct messages via social media).

The PECR does not apply to marketing by post or online advertising – but you will still need to ensure that you comply with the DP Laws if you are processing personal data as part of any such marketing or advertising.

The concept of ‘direct marketing’ covers the communication by any means of advertising or marketing material which is directed at particular individuals. It does not cover genuine market research or customer service messages such as correspondence regarding a contract or purchase, provided that such research and/or messages do not contain any promotional material such as inducements to purchase other products or to renew a contract.

The rules are also generally more relaxed for business-to-business marketing.

Email, text, and phone marketing are likely to be the most relevant forms of marketing for most businesses nowadays and we have therefore set out a summary of the rules below:

Email / text marketing

The general rule is that you must not send email or text marketing to individuals (which includes sole traders and some partnerships) unless they have provided specific opt-in consent to receive such marketing from you.

The only exception to that rule is known as the ‘soft opt-in’, which allows you to send email or text marketing to an individual who is an existing customer who has bought (or negotiated to buy, i.e. actively expressed an interest in buying your products or services, such as by asking for a quote) a similar product or service from you in the past. However, the marketing message must relate to similar products or services, and you must have given the individual an option to opt out both when you first collected their details and in each subsequent marketing message. This exception does not apply to prospective customers or to contacts on a marketing list that you have purchased.

You can however send email or text marketing to any corporate body (i.e. a company, LLP, or government body) without consent. But you will still need to ensure that you comply with the DP Laws where you are processing personal data of any individual employees for the purposes of such marketing.

Telephone marketing

In general, you must not make live marketing calls to any number registered with the Telephone Preference Service (TPS) or the Corporate TPS (CTPS) unless that person has specifically consented to receive such calls. You must also not make such calls to any person who has objected to your calls in the past.

In terms of automated calls (i.e. a call made by automated dialling which plays a recorded message), you must not make such marketing calls unless the person has specifically consented to receiving such calls from you.

Whether you are making live or automated calls, you must always give your name, allow your number to be displayed and provide a contact address or freephone number (only if requested in the case of live calls).

The same rules apply to individuals and businesses.

DP Laws

If direct marketing involves any processing of personal data (which will generally be the case if you are contacting a specific individual), then you will also need to ensure that you comply with the DP Laws when undertaking such marketing.

In order to process such personal data in accordance with the principles of the DP Laws, you must have a valid lawful basis for such processing. The lawful bases that are most likely to be relevant for marketing are consent and legitimate interests.

Consent

If consent is required to carry out any marketing under the PECR, then you will also need consent to process such data under the DP Laws.

The consent standard under both the PECR and the DP Laws is the same – it must be a freely given, specific, informed and unambiguous indication of the individual’s wishes by which he/she by a statement or by a clear affirmative action signifies agreement to the processing of personal data relating to him/her. That means, amongst other things, that the consent must relate to the specific method of marketing to be used and must be a positive opt-in action such as ticking a box or signing a statement; pre-ticked boxes or opt-outs are not valid forms of consent for these purposes.

You must also give individuals the right to withdraw their consent at any time.

Legitimate interests

If consent is not required to carry out marketing under the PECR, then you may not need consent to process such data under the DP Laws and you may instead be able to rely on legitimate interests.

In order to do so, you must be able to demonstrate that (1) you are pursuing a legitimate interest; (2) the processing is necessary for that purpose; and (3) such interests are not overridden by the interests or fundamental rights and freedoms of the data subject (this is known as the ‘three-part test’). You must be able to satisfy each limb of the three-part test in order to rely on this lawful basis.

It is worth noting that the recitals to the UK GDPR specifically refer to direct marketing as an activity that may indicate a legitimate interest. But this does not mean that it definitely will; you will still have to satisfy the requirements of the three-part test in order to rely on this as a lawful basis.

Some important factors to consider when assessing the three-part test include whether individuals would expect you to use their personal data in this way and what negative effects your marketing could have on individuals, particularly vulnerable individuals.

If you cannot satisfy the three-part test, then it is likely that you will need to rely on consent as your lawful basis to process such data under the DP Laws.

Although the focus of this article is on whether consent is required for sending marketing to customers, you will also need to ensure that you comply with your other obligations under the DP Laws when doing so. These include informing individuals, usually in the form of a privacy notice, that you intend to use their personal data for marketing purposes and if you plan to transfer their personal data to a third party for such purposes, ensuring that any personal data held is accurate and up-to-date, and allowing individuals to object to the processing of personal data for direct marketing purposes at any time.

Executive summary

We have set out below a quick guide as to whether consent is likely to be required for different forms of direct marketing. However, please note that this is only a general guide and its applicability will depend on your assessment of the appropriate legal basis under the DP Laws in the particular circumstances and your general compliance with the PECR and DP Laws in all other respects.

| Marketing Method | Recipient (Individuals includes sole traders and some partnerships) | Is consent required under the PECR? | Is consent required under DP Laws? |
|---|---|---|---|
| Emails or text | Individuals | Yes, OR soft opt-in | Yes; where the soft opt-in applies, legitimate interest may be appropriate |
| Emails or text | Business contacts | No | Legitimate interest may be appropriate |
| Live phone calls | Individuals / business contacts | No, but must screen against TPS/CTPS | Legitimate interest may be appropriate where the number is not registered with TPS/CTPS |
| Automated phone calls | Individuals / business contacts | Yes | Yes |
| Post | Individuals / business contacts | No | Legitimate interest may be appropriate |

For more information, please contact Lowri Morgan-Macdonald from our Data Privacy & Cyber Security Team.