Announcing May 3, 2017 Cybersecurity Conference

On May 3, 2017, Elliot Golding, Partner and cybersecurity expert based in our Washington DC office, will be speaking at the American Conference Institute’s 8th Annual Advanced Forum on Managed Care Disputes and Litigation. Elliot will be presenting on ‘Cybersecurity and Service Providers: Strategies for Keeping Compliant when Dealing with Outside Vendors’. He will provide practical advice and best practices for managing vendor risk, including a discussion of contracting recommendations and trends, security requirements, and how to explain HIPAA to third parties. The presentation will also provide an update on recent changes in security-related laws, such as new obligations imposed by the New York Department of Financial Services (NYDFS) Cybersecurity Regulation. Further information and registration details can be found on the ACI website.

Was the court’s approach to this exclusion clause reasonable?

Every now and again, the English courts hand down a judgment which seems to fly in the face of established law. The recent High Court decision in Goodlife Foods Limited v Hall Fire Protection is one such judgment.

Hall installed a fire suppression system in Goodlife’s premises.  A fire subsequently broke out causing property damage and business interruption losses to Goodlife in excess of £6 million.  Goodlife claimed that the cause of the fire was the failure of the fire suppression system and sued Hall.  Goodlife’s claim for breach of contract was statute barred under the Limitation Act 1980 so Goodlife brought proceedings instead for negligence.  Hall sought to rely on clause 11 of its standard terms and conditions which purported to exclude its liability in negligence.  Clause 11 said:

“We exclude all liability, loss, damage or expense consequential or otherwise caused to your property, goods, persons or the like, directly or indirectly resulting from our negligence or delay or failure or malfunction of the systems or components provided by [Hall] for whatever reason…”

The High Court was satisfied that Hall’s standard terms and conditions were incorporated into the contract. It went on to hold that:

(1) Clause 11 purported to exclude liability for death or personal injury caused by negligence (“…damage … caused to your … persons”);

(2) Despite this, clause 11 was not an unusual or onerous clause and was successfully incorporated into the contract without Hall having to take additional steps to bring it to Goodlife’s attention;

(3) The exclusion for death or personal injury was not fatal to the validity of clause 11. Although section 2(1) of the Unfair Contract Terms Act 1977 (UCTA) prohibited such an exclusion, the court could simply excise those words before assessing if the remainder of the clause was reasonable;

(4) Even though the remainder of clause 11 was extremely wide-ranging, it satisfied the UCTA reasonableness test. The only likely loss that Goodlife would suffer would result from a fire not controlled by the suppression system. This was a risk that Goodlife could (and indeed should) insure against. Accordingly, the court was satisfied that clause 11 represented “a perfectly sensible allocation of the risk of loss and damage”.

This ruling goes against decades of judgments in which the courts have consistently held that an exclusion of death or personal injury automatically renders the entire exclusion clause void. The courts have not been willing to ‘blue pencil’ (sever) that aspect of the clause and leave the rest standing.  In addition, the courts have traditionally struck down as unreasonable exclusion clauses that leave the innocent party without a meaningful remedy in respect of the loss they have suffered.  Clause 11, excluding as it did all liability of Hall, did not give Goodlife a meaningful remedy.  However, it was still found to be a reasonable allocation of risk on the basis that Goodlife should have insured against the very losses that it had purchased the fire suppression system to prevent.

Perhaps this judgment is a one-off? That remains to be seen.

Weekly Data Privacy Alert – 17 April 2017

Please click here to read the latest data privacy alert from the Squire Patton Boggs Data Privacy & Cybersecurity team. This week’s alert covers news from the EU, Germany and the UK.

EU

  • WP29 Examines Privacy Shield Issues in April Plenary Meeting
  • MEPs to Consider Recommendations on ePrivacy Regulation

Germany

  • Berlin Data Protection Commissioner Issues Activity Report for 2016
  • Federal Data Protection Commissioner Welcomes Improvements of Draft Law on Automated Driving

UK

  • ICO Guidance on Consent Set for June 2017 Release

For more information on any of these items, or data privacy issues generally, please feel free to call any of the following individuals:

Annette Demmel (Germany)

Caroline Egan (Birmingham)

Francesca Fellowes (Leeds)

New Insolvency Rules – Are Your Commercial Agreements Up-To-Date?

On 6 April 2017, new Insolvency Rules came into force which will affect creditors’ rights in most insolvency procedures. More information on the insolvency changes generally is available in this blog post.

One of the key changes in the new rules is the abolition in corporate insolvencies of creditors’ meetings. Creditors will no longer be asked to attend in-person meetings as a matter of course. Instead, in-person meetings will only be held where requested by 10% of the creditors in a case (in value or number) or by 10 individual creditors. Various substitutes for face-to-face meetings are introduced, including decisions on the affairs of the insolvent debtor being made by correspondence or electronic voting.  These substitutes are likely to become the norm in insolvency processes.

These changes will impact on commercial contracts governed by English law. Currently, many contracts are drafted so that “Insolvency” is defined to include the holding of a creditors’ meeting in relation to one of the contracting parties. The fact that the party is deemed insolvent pursuant to this definition can, in turn, often give the other contracting party the right to terminate the contract.  In light of the new Insolvency Rules, definitions of ‘Insolvency’ (or similar terms) and termination rights must be updated so that termination rights kick in at the right time.

Article 29 Working Party issues draft Guidelines on Data Protection Impact Assessments

On 04 April 2017, the Article 29 Working Party (WP29) issued its much-anticipated draft Guidelines on Data Protection Impact Assessments (DPIAs), which will be required under Article 35 of the EU General Data Protection Regulation (GDPR). The draft Guidelines are open for comment from the public until 23 May 2017, after which the final Guidelines will be published. The DPIA Guidelines will be complemented by the WP29 Guidelines on Profiling, a draft of which is expected to be published later this year.

The draft DPIA Guidelines provide additional insights into the types of processing that will require a DPIA and the circumstances under which consultation with data protection authorities must be carried out. The requirement will apply to processing operations that meet the criteria of Article 35 and that are initiated after the GDPR becomes applicable, on 25 May 2018 (or that are modified in significant ways after that date). However, the WP29 recommends that DPIAs be carried out for all processing operations that meet the Article 35 criteria.

The draft DPIA Guidelines also:

  • provide various examples of the types of processing operations that will be subject to DPIAs as well as the criteria that should be considered in assessing whether the processing is likely to present a high risk to the rights and freedoms of data subjects (thus triggering the DPIA obligation);
  • clarify that prior consultation with the Data Protection Authority (DPA) is required when there is a “residual” high risk to the rights and freedoms of data subjects, even after remedial measures are applied to address the risks; and
  • seek to promote the development of a common list of EU processing operations for which DPIAs are necessary, and for which they are not necessary, along with common criteria for specifying when DPAs should be consulted.

Weekly Data Privacy Alert – 10 April 2017

Please click here to read the latest data privacy alert from the Squire Patton Boggs Data Privacy & Cybersecurity team. This week’s alert covers news from the EU, France and the UK.

EU

  • Article 29 Working Party Adopts Guidelines on Data Portability, Data Protection Officers and Lead Authorities
  • Article 29 Working Party Consults on Data Protection Impact Assessment
  • Article 29 Working Party Adopts Opinion on Draft ePrivacy Regulation

France

  • CNIL Publishes Its Annual Report

UK

  • DCMS Consults on Derogations From GDPR

For more information on any of these items, or data privacy issues generally, please feel free to call any of the following individuals:

Stephanie Faber (France)

Caroline Egan (Birmingham)

Francesca Fellowes (Leeds)

HHS Announces $400,000 HIPAA Settlement with Community Health Center

 

The Department of Health and Human Services Office of Civil Rights (HHS OCR) recently settled with a notable covered entity – a nonprofit Federally Qualified Community Health Center (FQHC) – over alleged Health Information Portability and Accountability Act (HIPAA) Privacy and Security Rule violations. FQHCs generally serve underserved populations, and qualify for enhanced reimbursement from Medicare and Medicaid. The Denver-based FQHC, Metro Community Provider Network (MCPN), provides medical, dental, and behavioral care to approximately 43,000 patients per year, a large majority of whom have incomes at or below the poverty level. MCPN has agreed to pay $400,000 to HHS and implement a Corrective Action Plan (CAP).

This settlement highlights how long HHS OCR investigations can take (five years from investigation start to settlement); how broad HHS OCR targets are (FQHCs are not safe from scrutiny); and just how onerous corrective action can be after an investigation (see below).

Weekly Data Privacy Alert – 3 April 2017

Please click here to read the latest data privacy alert from the Squire Patton Boggs Data Privacy & Cybersecurity team. This week’s alert covers news from the EU, Germany and the UK.

EU

  • MEPs Raise Concerns Over EU-US Privacy Shield

Germany

  • Schleswig Holstein: Data Protection Authority Issues Information Leaflet on Privacy in Resident Registration Matters
  • Bundestag Committee: Experts Criticise Planned Amendment of the Federal Data Protection Act

UK

  • ICO Provides Update on ePrivacy Reform
  • ICO Publishes Discussion Paper on the Use of Profiling

For more information on any of these items, or data privacy issues generally, please feel free to call any of the following individuals:

Annette Demmel (Germany)

Caroline Egan (Birmingham)

Francesca Fellowes (Leeds)

Weekly Data Privacy Alert – 27 March 2017

Please click here to read the latest data privacy alert from the Squire Patton Boggs Data Privacy & Cybersecurity team. This week’s alert covers news from France, Germany, the UK and the US.

France

  • Use of Email Content for Marketing Purpose Requires Consent on a Yearly Basis

Germany

  • “Netzwerk Datenschutzexpertise” Issues Report on Right of Standing for Consumer Associations in Privacy Issues
  • Bavarian Data Protection Authority Presents Activity Report for 2015/2016

UK

  • ICO Imposes £70,000 Penalty on Airline Over Marketing Emails
  • ICO Introduces New Resources for the Health Sector

US

  • US Congress Votes to Rescind FCC’s Broadband Internet Privacy Rules

For more information on any of these items, or data privacy issues generally, please feel free to call any of the following individuals:

Annette Demmel (Germany)

Caroline Egan (Birmingham)

Stephanie Faber (France)

Francesca Fellowes (Leeds)

Philip Zender (San Francisco)

 

EU Parliament adopts a Resolution on the Adequacy afforded by the EU-US Privacy Shield

On 6th April, the European Parliament adopted a resolution on the “Adequacy of the Protection afforded by the EU-US Privacy Shield”. The resolution draws attention to previously identified and new concerns about the Privacy Shield framework and considers what the focus should be during the upcoming joint annual review of the Privacy Shield.

The resolution states that there has been a lack of clarity about the commitment of the new US administration to the Privacy Shield arrangements, due to various Executive Orders issued by the new US President Trump. One example is the Executive Order on “Enhancing public safety in the Interior of the US,” issued on 25th January 2017, which excludes foreign citizens from the protections of the US Privacy Act. The resolution considers that this Executive Order contradicts the written assurances that judicial redress mechanisms will be available to individuals whose personal data is accessed by the US authorities. The resolution calls for the EU Commission to carry out a detailed legal analysis of the consequences of the President’s Executive Order and its impact on the right of EU citizens to seek judicial redress in relation to US government agencies’ use of their personal data when it is transferred to the US under the Privacy Shield.
