What really is the ‘law firm of the future’?

It’s a struggle to think of an industry that hasn’t been disrupted by advances in technology – marketing, finance and retail, to name a few.

The legal industry, however, has typically been seen as late to the party. But as we know from our latest report, firms in the sector are now taking tech adoption seriously in a bid to become the “law firm of the future.” In fact, the industry is taking technologies such as artificial intelligence (AI) and machine learning more seriously than other industries, with 55% of IT staff in the legal sector currently using predictive coding and 48% using machine-learning technologies. That’s compared to only about a third of CIOs in non-legal sectors (30% and 38%, respectively).

Steeped in tradition, there is no denying that some firms are more hesitant when it comes to technology – those that are “set in their ways” regarding the structure of the business. However, they need to realise that it’s sink or swim if they choose not to adapt to the digital age.

Competition from start-ups

The new kids on the block are causing senior executives at law firms to think seriously about the way they do business. Now experiencing what legacy banks have been struggling with for almost seven years, law firms are facing fresh competition from start-ups that have a vast knowledge of technology and a huge set of IT skills, enabling them to operate new business models.

Working with four of the five Magic Circle firms, we know that by operationalising IT systems, law firms have the opportunity to work more efficiently and increase their billable hours. If every episode of The Good Wife, Suits or Law & Order were to show the true amount of time spent shuffling paper, they wouldn’t make it to air!

However, a law firm’s ability to increase billable hours is limited when it fails to adopt an IT system that allows it to benefit from new technology in a safe way.

With the help of new technologies, less time will be spent on tedious administrative tasks and employees will no longer need to refer to the “files cupboard” when researching past cases, as so many still do. Luminance is an example of beneficial technology for the sector. Its AI software understands language at speeds no human could, providing an immediate and global overview of any company and picking out warning signs without needing any instruction. Firms using analytics tool Brainspace, for example, are able to better understand unstructured data faster than ever before.

Due to security fears, it’s understandable that firms have been slow to utilise cloud technologies, despite the fact that moving to a cloud platform could make them easily accessible from many different offices across the world. However, what firms need to understand is that with the right platform and security offering they could increase billable hours and grant global access. After all, every hour spent searching through the files cupboard or scanning documents is an hour that can’t be billed to a client.

In order to keep up with the competition, we will no doubt see many of the “traditional” firms take on the characteristics of legal start-ups that not only enable firms to increase billable hours but also aid and improve client interaction. For example, AI chatbots, like DoNotPay’s, could offer standard legal advice via a mobile phone or tablet, giving the enquirer an answer immediately, or direct them to the best solution/department. The result would be a seamless and quality customer experience, while freeing up time for lawyers to work on more bespoke cases.

Competitive salaries aren’t everything

As a way to enhance their services, many industries, like financial services, are recognising the importance of attracting top tech talent. Those who have been slow to provide roles focused on innovation have fallen victim to global tech corporations, like Facebook and Google, which are a larger cultural draw for millennials.

Top law firms with tough entry requirements but competitive salaries have previously been an attractive option for law students. However, those entering the industry want more from a job than just a chunky wage packet at the end of the month – they want to be sold a lifestyle.

According to PwC (2011), millennials crave a better work/life balance ahead of wanting more money, and would like technology to be better incorporated into their job. Many industries have answered these desires – plenty of financial corporations have opened innovation labs as a response, whilst other industries offer employees the option of working remotely or on the move, supplying them with smartphones or tablets to access databases. But law firms have a long way to go in attracting top tech talent who will be the key to bringing fresh and innovative ideas to challenge the archaic business model. Law firms also need change at the top of the partnership to allow tech experts in the firm to drive the changes needed.

In-house isn’t necessarily best

Previously, law firms have been confident in deciding which IT network their firm requires. Understandably, as guardians of highly sensitive documents, firms tended to keep everything in-house. However, as the competitive threat from start-ups increases and more and more firms look to adopt technology to keep up, organisations are recognising that they simply don’t have the resources to consult on the best possible IT strategy for their needs. In addition to this, the General Data Protection Regulation (GDPR), which comes into force in May 2018, will put pressure on firms from a data control/processing standpoint. Ahead of this date, to get their “data house in order,” firms must partner with reputable third parties who are focused on meeting compliance regulations.

In response to industry challenges, we will undoubtedly see an increased number of mergers and consolidations, as firms look to expand globally. That being said, the lack of IT knowledge within firms will only become more problematic. Without a scalable and robust network, these transitions will be next to impossible, take far longer than needed and will be a risk to a firm’s security.

There needs to be a cultural shift in educating firms around the need for digital transformation. It’s understandable that the industry is cautious of “handing over” its data – news stories like the Panama Papers scandal and the increasing threat of cyber-attacks being reported daily in the media have made law firms wary of outsourcing solutions and services. However, if data protection regulations aren’t met, a firm’s clients are at risk, and its own finances and reputation could also suffer. Outsourcing this responsibility to an organisation that is dedicated to ensuring data is stored securely, and that complies with regulation, means one less worry for the corporate team.

Legal firms are at a crossroads – they either digitally transform and adapt to the needs of their employees and customers, or face the consequences. However, it’s not just about adopting tech for the sake of it. Consideration as to how workloads can be eased, billable hours increased and how the quality of client interaction can be improved will put such firms in a good position to survive, and thrive, in the digital age.

The Future of Scandal: Technology and Corporate Wrongdoing

For as long as there has been business and investors, there have been those who have sought to make money illicitly by breaking the rules and misleading others.

Nowadays, corporate scandals come in many shapes and forms, but among the most common are those related to fraud and price-fixing cartels. One thing that links all modern scandals is the importance of electronic devices, both as a means of propagating a scandal and as a source of electronic evidence that can be used to detect a scandal or deal with the legal consequences.

This article examines the life cycle of a scandal; how they are created and how they emerge, as well as offering practical advice on prevention and crisis management.

How do scandals start and how can they be prevented?

A joint report by the International Corporate Governance Network (ICGN), the Governance Institute (ICSA) and the Institute of Business Ethics (IBE) suggests that certain corporate cultures can increase the chance of wrongdoing.

The report highlights some ‘red flags’ that can be an indicator of malfeasance and that, according to the report, are not industry-specific, with examples drawn from the banking, retail, manufacturing and automotive sectors. According to the report there are three main factors that lead to a degeneration in ethical behaviour:

  • “Corporate stress” which encourages employees to take short-cuts
  • Tolerance of minor rule breaches and an atmosphere where rules are pushed to their limits
  • Focus on short-term targets

Much like the ‘Broken Windows’ theory of crime, the report’s authors believe bad behaviour is incremental. What could start as a relatively minor breach could develop into something more serious.

Other factors given by the report include:

  • controversial pay deals, such as high executive pay or targets which encourage risk-taking to hit short-term targets
  • complex legal structures which make it hard for boards and management to work out what is going on inside the company
  • poorly executed takeovers which lead to a mix of cultures within a company, with “pockets” of bad behaviour thriving beyond the control of the board
  • lax financial discipline, for example both Northern Rock and RBS had excessive leverage which led to their problems as the crisis hit.

The report also warned of the dangers of “autocratic” chief executives who staff are afraid of angering for fear of reprisals, meaning that vital information about potential problems might never reach senior management.

The report said that the best way of improving companies’ corporate cultures to reduce risk was to get boards more involved and have a better understanding of the way staff are motivated and treated.

Changing company culture can be a long-term process. A more immediate preventative measure is to look to corporate communications. Scandals, particularly cartels, live and die by conversation. Without communication between parties, there can be no cartel, in the traditional sense of the word.

Including checks on communication can be a powerful part of any robust compliance strategy. Since evidence showing misconduct may be found in written communications and among irregularities found in financial data, savvy compliance officers and in-house counsel regularly conduct mock dawn raids and perform compliance audits. Both these methods are good starting points for companies wanting to take a more proactive approach to compliance.

What is a mock dawn raid?

Mock dawn raids are usually conducted by third parties, such as lawyers and ediscovery providers, to deliver the experience of an unannounced inspection from an authority. Computer forensics professionals will seize electronic devices, such as laptops, computers and phones, as well as take copies of data from servers and the cloud. They may also take paper documents. Data stored on these devices will then be forensically copied for analysis and a full audit trail maintained. Other consultants may train a variety of personnel (including receptionists, in-house legal and IT) on the proper procedures to follow when confronted with a surprise inspection.

After a mock dawn raid, it is possible to learn from the experience and identify areas that the company ought to address.

Mock dawn raids are a powerful tool for compliance officers because they can help to assess a company’s level of readiness for investigations, and they also send a strong message to employees that compliance is taken seriously.

Compliance audits

Authorities such as the European Commission and the Competition and Markets Authority recommend that companies conduct internal reviews to assess compliance. Regularly reviewing samples of electronic communications and information is an important part of an internal compliance audit. The benefit of such audits is to gain insight and to be in the driving seat if anything seems out of place.

Information gathered from interviews may lead the audit toward particular sources of data for review. Email, databases and even social media can be targeted to provide an organisation with a more comprehensive view of the levels of risk to which it is exposed.

As the know-how to interrogate databases develops, companies are increasingly using specialist data analytics tools to proactively examine financial, operational and transactional data. Even light analysis of databases can uncover patterns, anomalies and red flags. For example, data can be arranged graphically to show purchases by country or account number. Outliers such as purchases being made in unexpected countries or to duplicate accounts can then be investigated.
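To make the kind of ledger review described above concrete, here is an added example (not part of the original article) that runs three red-flag checks over a constructed purchase ledger: spend per country, purchases routed to countries outside an assumed expected trading footprint, vendors paid through more than one account number, and the same vendor paid the same amount through different accounts. The vendor names, account identifiers and the EXPECTED_COUNTRIES set are assumptions.

```python
"""Added example, not the article's own code: simple red-flag checks over a
purchase ledger of the kind a compliance audit might sample. All records
below are constructed for illustration."""
from collections import defaultdict

# Constructed sample ledger: (purchase id, vendor, vendor account, country, amount)
PURCHASES = [
    ("P-001", "Acme Components", "AC-100", "GB", 12_500.00),
    ("P-002", "Acme Components", "AC-100", "GB", 9_800.00),
    ("P-003", "Nordic Steel", "NS-210", "SE", 31_000.00),
    ("P-004", "Acme Components", "AC-187", "GB", 12_500.00),  # same vendor, second account
    ("P-005", "Nordic Steel", "NS-210", "SE", 28_400.00),
    ("P-006", "Blue Harbour Consulting", "BH-042", "KY", 45_000.00),  # outside footprint
    ("P-007", "Acme Components", "AC-187", "GB", 4_300.00),
]

# Assumed countries in which the (hypothetical) organisation actually trades
EXPECTED_COUNTRIES = {"GB", "SE", "DE", "FR"}


def purchases_by_country(purchases):
    """Aggregate spend per country: the view the article suggests charting."""
    totals = defaultdict(float)
    for _, _, _, country, amount in purchases:
        totals[country] += amount
    return dict(totals)


def unexpected_country_purchases(purchases, expected):
    """Purchase ids paid to countries outside the expected trading footprint."""
    return [pid for pid, _, _, country, _ in purchases if country not in expected]


def duplicate_vendor_accounts(purchases):
    """Vendors paid through more than one account number, with those accounts."""
    accounts = defaultdict(set)
    for _, vendor, account, _, _ in purchases:
        accounts[vendor].add(account)
    return {v: sorted(a) for v, a in accounts.items() if len(a) > 1}


def repeated_amounts_across_accounts(purchases):
    """Purchase ids where one vendor received the same amount through different
    account numbers: a classic duplicate-payment red flag worth investigating."""
    seen = defaultdict(set)  # (vendor, amount) -> {(purchase id, account)}
    for pid, vendor, account, _, amount in purchases:
        seen[(vendor, amount)].add((pid, account))
    flagged = []
    for entries in seen.values():
        if len({acct for _, acct in entries}) > 1:
            flagged.extend(pid for pid, _ in entries)
    return sorted(flagged)


def audit_report(purchases, expected=EXPECTED_COUNTRIES):
    """Bundle the checks into one report an auditor can review item by item."""
    return {
        "spend_by_country": purchases_by_country(purchases),
        "unexpected_countries": unexpected_country_purchases(purchases, expected),
        "duplicate_accounts": duplicate_vendor_accounts(purchases),
        "repeated_amounts": repeated_amounts_across_accounts(purchases),
    }


if __name__ == "__main__":
    for key, value in audit_report(PURCHASES).items():
        print(f"{key}: {value}")
```

Each flagged item is a lead for investigation, not a finding; the point is to surface outliers early so that they can be explained or escalated before a regulator asks.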

Regardless of the method chosen, organisations that carry out internal reviews to detect wrongdoing, such as corrupt practices and anti-competitive behaviour, are better positioned to defend themselves should a scandal be uncovered.

What industries are at risk from corporate scandals in 2017?

As stated earlier, scandals can stem from misconduct of individuals or small groups of individuals and so in theory any industry runs the risk of a scandal. However, corporate culture aside, some industries are more at risk from corporate scandals emerging simply because they are more heavily regulated than others and the regulator’s focus is increasingly broad.

The Competition and Markets Authority (CMA) stated that its priorities for 2017 were in the following areas:

  • Consumers’ access to markets and barriers to decision-making
  • Online and digital markets
  • Technology and emerging sectors
  • Regulated sectors and infrastructure markets
  • Markets for public services
  • Sectors that are important to economic growth

Ostensibly, this covers quite a large swathe of industries operating in the UK and beyond. Any corporation whose business activities fall under the above categories should consider making compliance a priority for 2017.

On a more international scale, the European Commission has also laid out its priorities for 2017, and whilst they are broadly analogous with the CMA’s, there are some interesting points to note. Firstly, European antitrust authorities will gain increased powers to prosecute breaches of competition rules under draft legislation to be proposed by next June, following talks between the Commission, corporations and competition experts.

Currently, the Commission is proposing the following actions to increase the power of national regulators:

  • giving national authorities tools to detect and sanction violations of EU competition rules;
  • encouraging companies to come forward to national authorities with evidence of illegal cartels through ‘leniency’ programmes;
  • ensuring the independence of the national authorities;
  • ensuring authorities have sufficient resources and staff.

Big data and how companies use big data is also a priority for the Commission. Companies in possession of big data can potentially trigger both Article 101 (antitrust cases) and Article 102 TFEU (abuse of dominance cases). However, the Commission is looking to strengthen its ability to enforce the rules in cases involving big data.

During a speech in late 2016, Margrethe Vestager, the European Commissioner for Competition, stated that the Commission does not object to the collection of large data sets as long as they don’t hurt consumers in the process by undermining competition. In order to combat this, the Commission is aiming to release a proposal on legislation for big data in early 2017. Based on Vestager’s comments in the speech, this is likely to be in the form of a directive rather than a regulation.

She also commented that further scrutiny may be required for mergers with valuable data, even if the turnover of these companies is not large enough to come under the usual merger control criteria. Again, this widens the pool of companies who are at risk of corporate scandals emerging from regulation, bringing in smaller players who might not be prepared for competition scrutiny. Companies handling large data sets should ensure they are up to speed with the latest directives and understand how their data can breach EU law and take steps to ensure compliance.

What should companies do?

Going looking for trouble leaves some companies feeling squeamish, but the authorities often impose lower fines when a company confesses and provides good quality evidence to help the authorities with their investigations.

If the wrongdoing is exposed by a whistle-blower or as a result of a regulatory investigation, this can add considerable pressure to any internal investigation the company chooses to instigate. Companies who are implicated in this way are more vulnerable to penalties. Also, if the matter has had time to grow in scale, they face potentially larger legal penalties and fees than if they had put themselves into the whistle-blower position. And when outside investigators looking at one issue discover further skeletons in the closet, this can lead to further scrutiny, public criticism and costs.

If a company is implicated in a scandal, what is the best way to manage the situation?

  1. Act quickly and launch an internal investigation as soon as possible. Once news of a scandal is in the public domain, an investigation by a regulatory body is almost inevitable. An internal investigation will help get to the heart of the issue and enable a company’s legal team to form a strategy based on evidence found in the investigation. Time is of the essence, so technologies such as predictive coding can help find hot documents as early as possible. Predictive coding learns from the decisions made by human document reviewers to prioritise other similar documents for review and to predict how unseen documents might be categorised.
  2. Think outside the box when it comes to data. Email and calendar appointments are some of the most important sources of electronic evidence, but valuable evidence can be found from other sources, as well. Twitter, Instagram and even GPS data from satellite navigation systems can provide revealing information that may be vital to a case.
  3. Use an experienced digital forensics provider. It is of vital importance that data is collected in a forensically sound, defensible manner. Digital forensics experts employ the correct techniques to carefully and accurately contain, preserve and extract critical evidence. This includes the implementation of a strict “chain of custody” procedure and audit trail throughout the analysis of the data. Leaving the task of handling such important evidence to in-house IT teams, potentially without advanced forensics knowledge, can compromise the defensibility of a case.

Although corporate scandals and wrongdoing can seem somewhat inevitable, a rigorous compliance regime and a positive company culture can reduce the risk of scandals causing reputational and financial damage should wrongdoing be found.


Preparations for MiFID II: IT teams ahead of their Risk & Compliance colleagues within Financial Institutions

A recent study from Aeriandi of IT decision makers and Risk & Compliance managers within UK financial services businesses, has revealed a concerning lack of preparation and understanding of the requirements of MiFID II legislation coming into force in January 2018.

The study, carried out in January 2017, shows that managers and decision makers within these institutions have little understanding of the severity of potential penalties and are struggling to apply the legislation to their businesses. However, comparing the responses of IT professionals and those responsible for managing Risk & Compliance within a business shows IT teams have a better overall understanding of the consequences of non-compliance. 62 per cent of Risk & Compliance managers admitted to not knowing a company can be fined up to five million euros or 10 per cent of annual turnover, compared to only 42 per cent of IT managers and decision makers.

It would appear, however, that a countdown to compliance has begun. Organisations are now starting to invest time and money in preparations. 30 per cent of respondents say that budget has been allocated this year to help with preparations, and more than a third (36%) report that policy and procedure have now been developed.

The revised Markets in Financial Instruments Directive, commonly known as MiFID II, is due to come into force in January next year. First introduced by the EU in response to the 2008 financial crisis, MiFID II is a set of sweeping reforms for the financial industry designed to prevent history from repeating itself. The new legislation governs everything from where and how derivatives can be traded, to measures for reducing volatility and policing potential conflicts of interest among financial advisers. Achieving compliance is no mean feat and certainly will not happen overnight. Indeed, MiFID II is widely considered to be one of the most sprawling pieces of financial legislation ever devised, and as a result it presents numerous challenges for those looking to achieve compliance ahead of the deadline in early 2018.

One of the more contentious aspects of the new legislation is the change in requirements relating to the recording and archiving of telephone calls. The Financial Conduct Authority (FCA) currently mandates that only the telephone conversations of individuals directly involved in trading need to be recorded. MiFID II broadens the scope considerably to include anyone involved in the advice chain that may result in a trade. Naturally, this has a significant impact regarding the scope of whose conversations must be recorded once the new legislation takes effect. Conversations between the likes of wealth managers or independent financial advisors and their clients will now all fall under this scope. Furthermore, the legislation applies to both fixed line and mobile conversations, and all calls must be stored and accessible for a minimum of five years after taking place (seven in some instances).

This particular portion of MiFID II is causing a certain degree of consternation. Before MiFID II was announced, few financial institutions had the infrastructure in place to meet the new requirements. Many are still working on how best to achieve compliance and are looking to third party solutions to increase their call recording and archiving capabilities. Leveraging third party expertise enables organizations to achieve ‘out of the box’ compliance.

Choosing the right third party technology can prove difficult without necessarily knowing what to look for in a solution. There are, however, a number of key requirements that should be considered when assessing call recording and archiving solutions, which will ensure the technology meets the requirements set out by MiFID II:

  • Coverage of all required telephone platforms

MiFID II mandates that calls must be recorded across both mobile and landline platforms, so ensuring the solution has the capability to do this is crucial.

  • Easy implementation and scalability

Will implementing the new solution result in business downtime and, therefore, loss of revenue? Many cloud-based recording and archiving solutions no longer require any on-site installation. This can eliminate potential disruption during integration. Scalability is also a major factor. Can the solution scale up to cover busy periods, whilst scaling down to save the organization money during quieter periods? If not, organizations will likely end up overpaying for excess recording capacity, or having to buy additional capacity at premium pricing on short notice.

  • Access to call recording archives from anywhere

Cloud-based recording and archive solutions offer the ability to access call recordings and archives from anywhere, at any time via a secure online portal. This is particularly beneficial to organizations spread over multiple sites or countries. Vendors specializing in on-site recording and storage often cannot deliver this level of flexibility in terms of recording accessibility, so be careful to ensure any solution being considered can match the needs of the organization.

  • Secure storage and encryption to protect recordings

MiFID II mandates that call recordings relating to a financial transaction must be stored for five years after the transaction was made. This is a significant rise from the six-month period mandated by current FCA legislation. Not only does this impact heavily on storage resources, it also presents security challenges, particularly if the recordings contain sensitive financial information. After all, five years is a long time to keep data safe. Only recording and archive solutions that offer the latest levels of data encryption and provide guarantees about who is able to access recordings should be considered. If a technology includes outdated encryption, or the company does not offer ongoing guarantees regarding upgrades to security as and when they become available, it should be avoided at all costs.

  • Compliance with additional data standards

The primary driver for implementing a suitable call recording and archiving system is to achieve MiFID II compliance. Many solutions, however, also offer additional layers of compliance such as the Payment Card Industry Data Security Standard (PCI DSS) and BS 10008, which governs whether recorded content is legally admissible in court if required. These data standards can bring additional return on any investment made and should be considered when choosing a suitable solution.

With less than a year to go until penalties for non-compliance kick in, you would hope that those responsible for delivering compliance would be completely prepared. However, our research demonstrates that for many, planning is still at a very early stage. Organizations must understand the key areas of impact on their business and start to plan for change. Detailed risk analysis needs to take place along with mapping out the required processes and procedures for MiFID II compliance. Only then can a business determine whether its existing solutions will be adequate, or if it needs to roll out a new set of tools and supporting processes.

GDPR – the double-edged sword facing the legal profession

On May 25th 2018, the way companies handle data will change forever. On this day next year, the General Data Protection Regulation (GDPR) will come into force, changing how customer data is handled, and outlining the toughest consequences of data breaches ever seen. Considering we create 2.5 quintillion bytes of data a day, and the global volume of electronically stored data is doubling every two years, this presents a problem for businesses and their advisors internationally.

The GDPR will shake up the collection and processing of personal information of EU individuals, colossally. Whether it’s a business in France, Germany, the US or India, there is no room for complacency as the new set of obligations will apply to all companies that target both EU markets and consumers. It also presents an issue for law firms because, let’s face it, they will be hit twofold: both in terms of data held about clients, employees and so forth, and in terms of any data they have been provided by clients and third parties which they are storing.

Complacency is no longer an excuse for firms; they need to know what they’re doing with consumer data, or face the consequences. For those who infringe the rules, there are significant changes to the penalties they face. One of the biggest developments is that Supervisory Authorities have the power to impose hefty administrative fines for violations – be that in regard to data protection law or operational transgressions. Whilst a tiered approach is being brought in to direct the appropriate punishment, the majority of breaches look to fall into the higher tier. In terms of punishment, it currently stands at:

  • Tier one: fines of up to €10,000,000, or 2% of global turnover, whichever is higher
  • Tier two: fines of up to €20,000,000, or 4% of global turnover, whichever is higher

As you can see from the above, this is a significant rise from the previous limit of £500,000. To put this in context, Talk Talk was fined £400,000 for the data breach of its 157,000 customers. With the new changes, they could have faced the maximum tier two fine of up to €20,000,000 or 4% of their turnover. Quite a difference indeed and one that could ultimately ruin a smaller firm with less capital.

The problem we all face is that the world we operate in is going through a digital transformation, which relies on scrupulous data recording and being able to verify that the information we hold is truly up-to-date. The NHS, for example, fell foul of this in February when the news hit that 700,000 patients had not received sensitive health information, because records were out of date or incomplete. Imagine waiting for a biopsy result, or news on your treatment dates, only for the information never to turn up. Or, in the most recent case, being able to google yourself and find transcriptions of doctors’ letters on your medical treatment leaked by a third party’s insecure infrastructure. You might have thought critical information such as this would be available, but this example typifies the challenges facing businesses, including those in the legal sector – you need to know what data you have, and ensure it’s correct.

But what does it mean in terms of implication and operations for UK firms? Below are five recommendations to help legal firms get ahead.

Library vs landfill

A common challenge for any client-servicing business is knowing what data to file and what to delete. Names, addresses, personal health information, legal history or payment details may well be necessities, but all this information can start to mount up, to the point that you have such a detailed picture of an individual that they would be shocked if they knew the true extent of the depth of information you hold on them. In addition to holding all this information, locating it can also present an issue for some businesses, particularly if that data goes back for years.

When you are dealing with serious amounts of data, it’s not uncommon to be using multiple mediums of communication, multiple servers and multiple databases to hold all the information, never mind the ad-hoc extracts people tend to make whenever they need them. Therefore, it’s not impossible for customer data to sit in more than one place on your system, leaving valuable information forgotten about and collecting dust. However, this is not good practice. Information should be held in one place, to make it more secure and to ensure you have an accurate (and accountable) picture of the customer’s information. Scattered data is a nightmare, and if a business needs to quickly present accurate data, searching for records in disparate locations is a massive drain on resources. Additionally, with data duplicated across multiple locations, businesses could be wasting space that could be freed up. Time and server space are expensive commodities, so GDPR is a good opportunity to get everything in one, secure place via a data inventory.

Consumer rights

Leading on from the data storage point, GDPR also gives consumers the right to know how their data is stored, and what it’s being used for (data minimisation). Therefore, businesses need to be wary of what data they hold, as if they can’t give a valid, business-critical reason for holding that specific data, they need to get rid of it (and in the right way). Generally, any consumer requests for their own personal data must be fulfilled within one month of receipt.

For law firms, this presents a problem. Background information related to cases is almost always kept on file – be it testimonies, character witness statements or client details. Once cases are over, calls need to be made on how long this information should be held for, and to what extent (can some files be purged quicker than others?). Above all, a decision needs to be taken as to who ‘owns’ the decision over whether data should be deleted or not: the law firm or their client?

Additionally, businesses will be looking to their legal advisors for help with the changing data legislation, so legal firms need to be advising on how best to meet the new regulations. For example, stellar security is vital to protect core assets, and identifying any weak spots should be undertaken to help avoid any breaches. Given the extensive repercussions, a Data Protection Officer could be recommended as a remedy, to oversee data governance, security, analytics and location, reporting directly to the Board. We fully expect this job function to increase in headcount and importance over the next two to five years, as conservative estimates predict up to 28,000 DPOs will need to be appointed across the EU before GDPR comes in.

Employment

Changes in data holding will also affect employment, and how much information companies can hold (or collect) on their employees – even more so in the case of former employees. Privacy notices and consent will be big, immediate issues for businesses to deal with. Businesses will need to look at the terms and conditions of privacy notices and ensure they follow the guidelines by including information such as how long information will be held for and if said information will be transferred to other countries. Legal practitioners will therefore need to work with clients to ensure they’re meeting these regulations.

In terms of consent, this has traditionally been a murky area, so the GDPR changes may help make this clearer. As it stands, businesses can keep and process data as they have employee ‘consent’. GDPR has more prescriptive requirements around consent, and states that employees must be able to withdraw their consent at any stage and the processing of the data needs to be ‘explicit’ in detail. Employers will therefore be able to rely on the consent argument less, and will need other legal arguments to hold on to employee data.

Legal implications

To adopt GDPR fully, changes to the Data Protection Act will need to be made to ensure there is no duplication or confusion. The government is adopting GDPR in full, as it comes in before the UK exits the EU. Therefore, changes will be made and legal firms will need to be aware of any possible alterations, and how clients will be affected, especially given all the uncertainty around Brexit. There is also the possibility that the UK and US governments will look to make their own data flow arrangements, as once the UK leaves the EU it will no longer be covered by the EU-US Privacy Shield, never mind the future relationship between the UK and the EU.

GDPR is one of many international initiatives aimed at simplifying the legal and regulatory requirements around the management and security of data. Firms, therefore, will often find themselves bound by a wide range of requirements which can differ significantly depending upon the industries and jurisdictions they operate in. Regulations such as MiFID II, Basel III, Solvency II and FRCP Rule 37(e) should be fully considered and included in any data compliance strategy.

Breach notification

Any firm which has experienced a data breach will now be expected to report this to its Supervisory Authority within 72 hours. Currently, only those working in Financial Services or telecoms are required to report breaches, so companies outside these sectors will now need to comply fully with this legal requirement. Being able to assist clients in developing and integrating internal procedures for the discovery, reporting and investigation of breaches will be an essential component of any advice.

Opportunity for trusted advisors

In order to meet the full requirements of GDPR, clients will need to be advised of the full extent of potential changes and the steps they will need to take to manage the alterations required. This is not limited to legal advice, but demands an element of technical knowledge as well as operational change management. To facilitate this for clients, it is vital to partner with experts who can help advise on any changes, to leave no stone unturned. Businesses can no longer leave it to the IT Director to facilitate the changes, and legal advice can help manage costs and warn on the potential damage (financial and reputational) of breaches. Clients need to employ a holistic approach to the GDPR with all their relevant data stakeholders involved in order to ensure that they make the right decisions.

Intelligent Contracts – Is this the Way Forward for Enterprises?

Technology is an ever-moving target. It’s one of the most demanding working environments; every few weeks or months you need to understand and account for new technologies changing the nature of IT.

However, the benefits of being in a fast-paced environment are that new opportunities to combine methods or technology occur almost daily. One such combination is Narrow Artificial Intelligence for contract detection and extraction of information held within physical contracts. This is brought together with ‘smart contracts’, the encoding and execution of contractual data and events on a programmable blockchain, a technology solution which provides a public ledger of all the transactions on a network. A block is the ‘current’ part of a blockchain which records some or all of the recent transactions, and once completed goes into the blockchain as a permanent database.

Smart contracts may not fully deliver on all that is promised, as they face several technical limitations and challenges. The usefulness of the data or functions encoded, and how it gets accurately encoded onto the smart contract are often questioned.

Intelligent Contracts

Intelligent Contracts are far more intelligent (as the name suggests) and extensible than smart contracts as they are currently defined. The intelligence comes from the ‘I’ in AI (Artificial Intelligence), where a system is taught to continually and consistently recognise and extract key information from contracts, with active learning based on users’ responses, both positive and negative, to the extractions and predictions made. This is very different to current smart contracts, but it still uses some of the underlying methods of blockchain and the extension to store immutable information or actionable events within a block.

The Value of Intelligent Contracts

To help demonstrate the value of Intelligent Contracts, let’s take a sample customer of a large international IT/software company that has acquired different companies or business units over many years. They have over 16 different contracting solutions on both the buy and sell sides of their business, with no standard reporting on contracts. They continually sign Master Agreements in different locations or departments, and should allow all global entities access to discounts once negotiated levels are reached or exceeded. This is a very common challenge with larger organisations.

You can immediately see where a ‘smart contract’ could be used to encode the master agreement’s key performance indicators (KPIs) onto a blockchain, and then automatically apply the discounts across all departments. However, with all the different systems, and no single or consistent method to track and report on new contracts being created, signed, or agreed to on (potentially) 3rd party paper, extracting the required information can be a challenge.

Blockchain: The Single Source of the Truth

If we take this further, past just the encoding of actions, and the combination of parties and events, we can see how this solution provides companies with a ‘single source of the truth’ within contracts. As a contract placed onto the blockchain has been agreed by both parties, why not share the same information between parties – as a single entity with continually updated contract terms?

Companies placing details of actual contracts onto a public blockchain might soon run into issues of security and scalability. Security because every person on the blockchain can see the transactions that occurred, and scalability as block size is limited on public blockchains for many reasons, not least of which is performance. With blockchain, the larger the blocks the longer it takes, and the more processing power is needed to reach consensus (i.e. the process used by a group of peers responsible for maintaining a distributed ledger to reach agreement on the ledger’s contents). To this end, it should be clear that a public blockchain or smart contracts system is unlikely to meet the requirements of many organisations for contracts.

Intelligent Contracts use private blockchains with algorithms to ensure no single system controls the creation of the blocks, leading to immutable and distributed consensus. As the chains are private, the issue with sizes of blocks is removed, and security can be implemented at many different layers, including HASH-only and PKI key-level security for access to information encoded on the blockchain. The use of the private blockchain also allows for the system to provide Know Your Customer (KYC) functions, as each entity within the system would be required to be known as they are a party to, or have an interest in a contract. They can all participate in the creation of the blocks as each entity is known and trusted.
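As an added example (not code from the original post or from any product it describes), the minimal private, append-only contract ledger below shows what the ‘immutable’ property claimed above actually buys in practice: each block carries contract metadata, the hash of the previous block and an HMAC from a known party (a stand-in for the PKI credentials mentioned, since only registered parties may append), so any later edit to a stored block is detected and pinpointed on verification rather than prevented. The party registry, keys and contract records are constructed; the spend and discount functions tie it back to the master agreement discount scenario from the earlier section.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed registry of known parties (the KYC idea from the post). In a real
# system these would be PKI credentials; shared HMAC keys are a stand-in here.
PARTY_KEYS = {
    "supplier-ltd": b"constructed-key-supplier",
    "customer-inc": b"constructed-key-customer",
}

GENESIS_HASH = "0" * 64


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so every party hashes identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Block:
    index: int
    prev_hash: str
    contract: dict   # metadata extracted from the contract (constructed values)
    author: str      # known party that appended the block
    mac: str = ""    # HMAC over body() under the author's key

    def body(self) -> bytes:
        return canonical({"index": self.index, "prev_hash": self.prev_hash,
                          "contract": self.contract, "author": self.author})

    def block_hash(self) -> str:
        # The hash covers the MAC too, so the next block pins content and author.
        return hashlib.sha256(self.body() + self.mac.encode()).hexdigest()


class ContractLedger:
    """Append-only chain; any edit to a stored block is detectable on verify()."""

    def __init__(self) -> None:
        self.chain: list[Block] = []

    def append(self, contract: dict, author: str) -> Block:
        # Only registered parties may append (the post's "each entity is known").
        if author not in PARTY_KEYS:
            raise PermissionError(f"unknown party: {author}")
        prev_hash = self.chain[-1].block_hash() if self.chain else GENESIS_HASH
        block = Block(len(self.chain), prev_hash, contract, author)
        block.mac = hmac.new(PARTY_KEYS[author], block.body(), hashlib.sha256).hexdigest()
        self.chain.append(block)
        return block

    def verify(self) -> tuple[bool, int | None]:
        """Return (True, None) if intact, else (False, index of first bad block)."""
        prev = GENESIS_HASH
        for block in self.chain:
            if block.prev_hash != prev:            # chain link broken
                return False, block.index
            key = PARTY_KEYS.get(block.author)
            if key is None:                        # author no longer a known party
                return False, block.index
            expected = hmac.new(key, block.body(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, block.mac):   # content edited
                return False, block.index
            prev = block.block_hash()
        return True, None

    def spend_under_master(self, master_id: str) -> int:
        """Total committed value across all departments under one master agreement."""
        return sum(b.contract["value"] for b in self.chain
                   if b.contract.get("master") == master_id)

    def discount_earned(self, master_id: str, tiers: dict[int, int]) -> int:
        """Highest discount (percent) whose negotiated spend threshold has been reached."""
        spend = self.spend_under_master(master_id)
        earned = 0
        for threshold, pct in sorted(tiers.items()):
            if spend >= threshold:
                earned = pct
        return earned


def build_sample_ledger() -> ContractLedger:
    """Constructed sample: two departments contracting under the same master agreement."""
    ledger = ContractLedger()
    ledger.append({"id": "MSA-1", "master": None, "value": 0}, "supplier-ltd")
    ledger.append({"id": "SOW-EMEA", "master": "MSA-1", "value": 120000}, "customer-inc")
    ledger.append({"id": "SOW-APAC", "master": "MSA-1", "value": 150000}, "customer-inc")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact:", ledger.verify())
    print("discount:", ledger.discount_earned("MSA-1", {100000: 5, 250000: 10}), "%")
    # Edit a stored block: the author's MAC no longer matches and verify() pinpoints it.
    ledger.chain[1].contract["value"] = 1
    print("after tampering:", ledger.verify())
```

Note that verification only detects tampering; an operator holding every party's key could still rewrite history, which is why the post's point about no single system controlling block creation matters.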

With the differences outlined above, it’s clear to see why Intelligent Contracts are what enterprise customers need.

Intelligent Contracts: The User Experience

One of the most important aspects of technology is to make users’ daily lives simpler, and the operation and adoption of new technology as seamless as possible. One of the best ways I have found to do this, over years of working with enterprise customers, is to embed new functions into well-known existing applications or processes so users are actually unaware of the new processes and functions taking place behind the scenes.

Who Needs Intelligent Contracts?

In the example above, I described a large software/IT company with many different contract repositories and processes across their business functions and lines of business.

But there are many other types of use cases for Intelligent Contracts, where the capabilities of this new technology will provide significant value over what is currently available. These include M&A and business restructuring, Contract Lifecycle Management (CLM), and regulatory compliance.

Intelligent Contracts in M&A

When ownership of an organisation changes, the contracts associated with that business are divested or acquired within those transactions, and can greatly affect the accretive nature or overall outcome of the transaction. In M&A, organisations need to review contracts and analyse their metadata in the due diligence phase, to ensure they know what they are buying, and then integrate contracts into the new organisation post transaction. With divestitures, they need to know which entities to assign the appropriate contracts to.

With Intelligent Contracts, organisations will be able to immediately locate all relevant contracts as they will be located in one repository. All the metadata will be associated as blocks on the relevant chains, and so full reviews will be fast and simple, in due diligence and post transaction. For example, special indemnifications and assignment and termination rules will be identified immediately across the entire portfolio, and will be relevant to valuation. The current deal room, where limited subsets of contract documents are placed for manual reviews across multiple legal professionals will no longer be needed. The deep analytics embedded in Intelligent Contracts will mean that M&A and legal professionals can immediately, and visually, capture all types of metrics and analytics across entire contract portfolios.

Contract Lifecycle Management

A challenge often found with Contract Lifecycle Management is system ROI (return on investment) which has been elusive for most customers. The systems are heavy in workflow and document library services, and are very light in contract data management. They have proven to be overly complex, tough to implement, and suffer from low adoption rates and usage with knowledge workers. They also have poor change management functionality, and the data management is primarily manual input of contract data by users, which is inconsistent and error prone.

Intelligent Contracts will be authored in the familiar Word user interface, and collaboration and negotiation is facilitated via workflow in the blockchain. Contract data is captured and shared automatically on the chain, and there is never any question or confusion as to which versions and edits are being used and approved, and why. Changes can be initiated and processed in the Line of Business (LOB) via Word using approved language, meaning legal operations resources are used more efficiently and cost effectively. The result is a lean, efficient, secure, and scalable contracting system that finally delivers the ROI desired for contract automation.

Regulatory Compliance

The final use case is in regulatory compliance. With Intelligent Contracts, when a regulation changes, all affected contract data is automatically captured and presented visually, so organisations understand the size and nature of the impact of the new regulation on their business. Compliance owners can then determine strategies and project plans to meet compliance deadlines.

When contract repapering or renegotiation is needed to achieve compliance, the business owner can initiate the process in MS Word and using approved language, make the needed changes. Those changes are captured on the blockchain, and then can be routed to legal operations resources for final approval. This is more efficient than using legal operations resources throughout the entire process. The blockchain is available to all relevant parties, so contract changes are permanent, transparent, and auditable.

Solving the case for a more connected legal workforce

Whilst Article 50 may not yet have been triggered, the impact of the Brexit referendum (mainly uncertainty) has been strongly felt by everyone and in particular the legal community. Those in trade, financial and regulatory law are working 80+ hour weeks in an attempt to help clients with the legal confusion brought about by the possible changes. Conversely, transaction lawyers have seen their work go on hold, whilst clients step back and see how business settles. In law firms themselves, there are discussions about location. Some firms are asking if it would be better to be situated in Ireland, for example, possibly leading to offices distributed across various locations. What is the impact of these increased workloads and multiple locations, and can technology play a role in easing their delivery whilst remaining compliant and secure?

One possible solution may be cloud working. It delivers the ability to share documents across multiple locations and multiple devices, and for staff to collaborate, boosting productivity. Like employees in other businesses, solicitors are under extreme pressure to be always connected and to be able to access relevant and accurate information, wherever they may be. In particular, for solicitors, who bill not by the hour but in segments of six minutes, even the shortest time away from safe access to client information reduces the ability to log billable hours, directly impacting their revenue.

Furthermore, in the legal profession a lot of work relates to small but crucial updates to legal documents. Therefore, being able to access the most current data is essential. It could mean the difference between losing a case or winning it. Even in less significant instances, updating the wrong version of a contract for example would lead to lost billable time, lost productivity and lost revenue.

The threat from Public Cloud

However, solicitors cannot risk breaking compliance laws by using the public cloud, no matter how convenient. If legal professionals did use public cloud file sync and share providers like Box and Dropbox, the firms would no longer have control over where confidential data was stored. Not only does this leave legal firms with no visibility of where their data is (shadow IT) or who has access to it, but it can leave them facing heavy fines. Because the data is uploaded to the cloud, it’s impossible to know whether or not it’s being protected in the right way to maintain legal professional privilege and protect client data. For lawyers, client data has to be kept in a controlled environment, and the last thing any legal professional wants is for data about highly confidential cases to be leaked.

What law firms need is the ease of sharing that a public cloud can offer, but with the security and control that it is unable to deliver. This means an on-premises solution that offers file sync and share capabilities but remains under the control of in-house IT, without storing any data in the public cloud. This private cloud needs to offer the ability to share data, as well as access it while on the go, and have the attributes of enterprise storage such as high performance, expanded capacity, and solid reliability.

Unified storage for the enterprise

Law firms need a unified solution which delivers high performance and multi-site collaboration at LAN speed to support business continuity and disaster recovery, as well as mobile access. Today’s storage needs to offer organisations the ability to securely and seamlessly connect their mobile workforce to files stored within the corporate data centre. The enterprise can then combine security requirements with the ability to remotely access any corporate data (even from internal servers) and can handle growing capacity requirements.

It is important for legal firms to move beyond traditional file storage systems that fail to deliver the easy access and file sharing features essential for today’s connected workforce. Public cloud does not provide the security and privacy required. So, in order for legal firms to enjoy the advantages of connected working (ease, productivity, increased revenues) whilst remaining secure, compliant and private, the solution is a unified storage solution with private cloud integration – case closed!

The GDPR: How to Make the Simple Complex

I fear my European legal cousins share a character trait with my US colleagues – the ability to make the simple complex. I have practiced law longer than I am going to admit, with the past four years in-house as the Chief Privacy Officer and VP of Legal Affairs at a tech company that creates privacy products. I rely upon counsel from many outside firms for concise business-oriented advice and also speak on a daily basis with in-house counsel for many of our clients. Those who I go back to time and again are those who keep it simple and make their advice relevant to my business – no easy feat considering the complexity of many laws.

The General Data Protection Regulation (GDPR) is meaty and dense, certainly a legislative tome. Coming in at 186 pages, it makes an excellent bookend. Personally I view it as a brilliant piece of legislation, irrespective of whether it was by design or default. First, the four year EU-wide legislative process was staggering. When it began I couldn’t conceive of it being completed, but it was. Secondly, guidance on regulatory expectations is embedded within the law, stripping away a lot of ambiguity that is often coupled with legislation. And third, given the twin realities of an explosion in borderless digital commerce and the lack of a national privacy law in the United States, the GDPR’s extra-territorial application will make it the de facto national privacy law of the US, which is good news.

Don’t get me wrong, compliance necessitates paying attention to the details. But before any of us can pay attention to the small things of the GDPR, we need to understand the big picture to best explain it to CEOs, CFOs and Boards of Directors. The GDPR is a seismic event for many organizations, even greater than Y2K leading up to 2000. It goes way beyond data protection – its title is a misnomer – and should be named the General Data Governance Regulation.

The GDPR is really pretty simple. The law is all about giving power back to the people. That plays well to my revolutionary youth still buried inside this middle-aged mind. And the way this will be done is by requiring companies to do two things: be both accountable and transparent about their data practices.

Accountability requires companies to be introspective and take a good hard look in the corporate mirror to get a comprehensive understanding of what data they collect, how they collect it, whether it’s personal or nonpersonal, and how they use it. It’s a pretty reasonable ask, despite the public discussion about how unreasonable this obligation is. Unsurprisingly, Big Law and Big Consulting have quickly seized upon this, rightly seeing it as a massive business opportunity, ramping up their assessment teams to begin their complex GDPR gap analyses. This new GDPR services industry will spawn billions; in fact, IDC estimates it will create a $3.5 billion market opportunity for security and storage vendors by 2019.

This is important. A baseline is needed to measure where you are against where you need to be by 25 May 2018, the go live date. But it’s not the whole story. Remember, process review is only the first step, but the goal is to get that full picture understanding so you can know what your weak spots are and put in the right privacy controls to protect those vulnerabilities. Once you get all that, then you can accurately document it both to the regulatory authorities, and clearly and honestly communicate your data practices to your customers and employees.

The second top-level obligation, after the introspection, is to be outward facing and transparent about how you use data. This transparency obligation is manifested in a few ways, but at the end of the day it boils down to this: communicate clearly to your audience. There’s a dilemma, however, namely how to communicate effectively while still satisfying the law’s disclosure requirements. This is something many organizations have been wrestling with for quite a while. The GDPR codifies the obligation to be transparent in a concise, easy-to-understand way, which will force counsel to shift their advice from a no-risk approach to a context-based risk approach.

The new individual rights under the GDPR should not come as a surprise to anyone. The concepts have been around for years in one form or another, usually as high-level principles. Now though, these well-established privacy concepts are rights: to access and correct your data, to get your data in a readable format, right to erasure, the ‘right to be forgotten’, whereby a person can ask for offending information about her to be removed from a website, and to object to profiling, also known as ‘tracking’ in the US.

While the right to erasure has proved vexing and controversial, the important thing to remember is that a data controller really needs to have a process in place that allows: (i) for a person to request certain data be removed or taken down, (ii) triggering the data controller to review the request and go through a determination process using the GDPR’s guidelines in deciding whether to honor the request, and (iii) respond to the request. For example, if an individual wants evidence that he is a registered sex offender taken off a website, it may be in the public’s best interest that such data should not be removed.

Clearly many new processes will be created, and companies will assuredly rely upon counsel to help understand how to deploy them. From my experience, where counsel adds the most value is in keeping it simple. I already know that the GDPR is a big deal and penalties for non-compliance can be crippling. However, the regulation is also an opportunity. It’s a once in a career moment when legal and privacy can plant a flag in the ground and demonstrate that if done right, and the essence of the GDPR is captured by good data hygiene practice, then compliance with the law will be the least of the things to accomplish. That’s the advice I need.


R-E-L-A-X: We Can Still Patent Software, But Don’t Expect A Clear Test Anytime Soon

More than two thirds of all patents challenged under 35 U.S.C. §101 have been invalidated since Alice Corp v. CLS Bank was decided in 2014.[1] Is this recent trend signaling the beginning of the end of the software patent? Should software even be patentable? Will a clear test help? While both the majority and dissenting opinion in Intellectual Ventures I LLC v. Symantec Corp. agree that software is patentable, in a bizarre twist, the concurring opinion has declared that software patents are finished. Clearly some judges on the Federal Circuit have run out of patience with the multitude of software patents that were drafted prior to the Mayo/Alice cases being decided. Nonetheless, don’t expect a clear test for patent eligibility under §101 anytime soon. This article reviews the majority and dissenting opinions in Intellectual Ventures, contrasts the concurring opinion, and explains why we believe a clear test for patenting software is not needed and in fact, would set back the patent system for years.

Intellectual Ventures I LLC v. Symantec Corp.

Intellectual Ventures sued Symantec for infringement of three patents. Ultimately, all three were found to be directed toward different abstract ideas:

1) Receiving mail and discarding it based on the characteristics of the mail

2) Screening messages

3) Virus scanning

The Federal Circuit went through both steps in the Alice framework and ruled that all three patents were invalid under §101 (affirming the District Court on two and overruling the Court on the remaining patent).

The Federal Circuit made two things clear. First, the inventive concept required to transform an abstract idea into a patent eligible concept must be in the claims. This concept was spelled out by the majority directly addressing the dissenting opinion. The dissent had argued that one claim in one patent was patentable because that claim improved the functioning of the computer and addressed problems specific to the internet. However, the majority stated that, while it was true the patent disclosed an improvement in the functioning of a computer, the improvements at issue were absent from the claims. Therefore, the Federal Circuit held the claim invalid.

Second, the majority makes clear that software is still patent eligible. The majority restated precedent noting that to be patent eligible, software must improve the functioning of the computer or solve problems specific to the technological environment. The majority even gave an example of how the virus screening claim at issue might have been patent eligible.[2] The fact that the majority stated what they are looking for when determining software patent eligibility and provided a concrete example of how such a claim might have been patentable, makes clear that software is still patent eligible.

Judge Mayer’s Concurring Opinion

Initially, Intellectual Ventures I LLC v. Symantec Corp. seemed like another run-of-the-mill software patent case. Company A sues Company B for infringement of software patents. Company B argues that the asserted patents are invalid under §101. The Federal Circuit agrees and the software patents are ruled invalid. Case over, right? Not so fast. Judge Mayer, in a concurring opinion, has decided he’s had enough of software patents in general. His frustration likely built up after more than two years of purging the system of software patents that never should have been issued. Since Alice in 2014, software patents have been invalidated at the Federal Circuit level under §101 at an alarming rate of roughly 95 percent.[3]

Judge Mayer’s central point, on its face, is difficult to dispute. If an idea (software) is not patentable and only embodiments of the idea are patentable, and the generic computer the software is running on is not patentable, then all ideas running on the generic computer should not be patentable. However, guidance from the Courts, like the majority opinion, has said software must improve the functioning of the computer or solve problems specific to the technological environment in order to be patent eligible. It’s indisputable that conventional ideas cannot be patented by simply tying the claims to a generic computer. What we believe Judge Mayer is missing is that not all software patents are generic ideas on generic computers. In reality, a lot of software patents are behind the improvements of the electronic devices we use today. Software has a place in patent law; unfortunately, it has taken patent law several years to catch up and find that place.

Judge Mayer’s reasoning has two main points:

1) Software patents “run afoul” of the First Amendment

2) Software patents on a generic computer are not eligible for patent protection

Judge Mayer’s first point regards preemption, a main concern in the post-Alice world. However, instead of worrying about how a patent claim might preempt a field of invention, Judge Mayer expresses concern about preempting the First Amendment by “exacting heavy taxes on widely-used conduits for online expression.”[4] This concern, while somewhat valid, is actually resolved by the Alice framework, which specifically addresses the potential for preemption. If, for example, an idea preempts “widely-used conduits for online expression,” it would be ineligible for patent protection under §101. Thus, Judge Mayer’s slippery slope argument involving preemption is not a valid reason to make software ineligible for patent protection.

Judge Mayer’s second point, the more sweeping concept of preventing patents from being issued on software, is broken into four sub-points:

1) The scope of software patents outweighs their technical disclosure

2) Software patents provide incentives at the wrong time

3) There are too many software patents

4) Software patents lack the definiteness required by patent law

The first sub-point also regards preemption. As noted above, preemption is accounted for under the current Alice framework. However, one sticking point for Judge Mayer is that most software patents do not include the software code behind the invention. The reason for the lack of code in the patent, however, is that the code itself is not patentable. What is patentable is what the code does. Software code itself can be protected using copyright law and has no place in patent law.

The second sub-point, that software patents provide incentives at the wrong time, exists for virtually any invention, not just software. While Judge Mayer correctly points out that a lot of software patents are filed at the “idea stage,” before the invention is finished, the same is true for most inventions. This problem has only gotten worse because of the new First to File rule under the America Invents Act. It’s true that “those who scamper to the PTO early…reap hefty financial dividends.”[5] But, this reward is not a result of software patents; it is a result of the new filing provision of the America Invents Act. Right or wrong, first-to-file is here to stay and all inventors are incentivized to file patent applications as early as possible.

The third sub-point, that there are too many software patents, should have no bearing on whether software is patent-eligible. Clearly, most of the things we use today are operational because of software. In fact, it is very likely that you are reading this article using an electronic device that is operational because of software. It’s no surprise that the most popular area of innovation has a lot of patents. Software’s patent eligibility doesn’t hinge on the popularity of the technology it relates to.

The fourth sub-point, that software patents lack the definiteness required by patent law, is also related to preemption. Judge Mayer states that software is “akin to…literature or a piece of music, undeniably important, but too unbound” to be patent eligible.[6] But Judge Mayer misses the point – software patents don’t patent software, they patent what software does. If software simply does something that can be accomplished without it, the Alice framework will render that ineligible for patenting, thereby preventing the preemption Judge Mayer is concerned about.

A thorough review of Judge Mayer’s analysis, combined with the fact that it was a concurring opinion, shows that the software patent is not dead. The current Alice framework directly addresses most of Judge Mayer’s concerns. Looking at the underlying reasons for Judge Mayer’s arguments suggests he is simply frustrated with the large number of bad software patents he sees on a regular basis.

There Is No Cookie-Cutter Solution

We should not spend much time waiting for a clearer standard on patenting software from the Supreme Court. Many recent cases seeking such guidance have been denied certiorari.[7] This is likely because the patent system has already learned first-hand the consequences of bright-line rules. In its 2008 search for a predictable test, the Federal Circuit declared the Machine or Transformation test the standard for patent eligibility under §101.[8] While the Machine or Transformation test seemed to be in line with Supreme Court precedent, it had tremendous unintended consequences: it led to numerous patents being awarded merely because a conventional abstract idea was performed on conventional computer hardware. Today, many similar patents are regularly invalidated because implementing an abstract idea on a generic computer is not patent eligible. While many suggest that the sheer number of patents being invalidated is a sign of bad things to come, or worse, that software and its effects are not patent eligible, the fact that these patents are being invalidated is actually a good sign. The heightened number of invalidated patents is an indication that a lot of ineligible patents were issued under a system that handcuffed both patent examiners and the courts. The patent system is purging itself of patents that slipped through under the Machine or Transformation test.

The Supreme Court has long “warn[ed] …. against” interpreting Section 101 “in ways that make patent eligibility depend simply on the draftsman’s art.”[9] Trying to give a definition to the term “abstract idea” or a clear test on patent eligibility under §101 would do just that. Given the Alice framework, it’s clear that software patents will continue to be granted based on how well a patent prosecutor can define the invention so that it is not simply an “abstract idea.” A clear test with bright line rules and definitions would handcuff patent examiners and the courts for years, and once again set back the patent system.

For the purposes of §101, the want of predictability is outweighed by the need for flexibility. Patent law exists to promote the progress of science and useful arts. Scientific progress is unpredictable. An overly rigid legal system will only "impede innovation more than it would tend to promote it."[10] Moreover, "Section 101's vital role…is to insure that patent protection promotes, rather than impedes, scientific progress and technological innovation."[11] The current application of the patent eligibility standard is working; no clear test is needed.

Summary

In trying to address new technology, the Federal Circuit used an inflexible rule to interpret Section 101. Since then, the Supreme Court has made determinations under Section 101 more flexible, which has led to large-scale purging of many patents that should never have been issued. The Supreme Court would not have gone through Bilski, Mayo and Alice, if software were ineligible for patent protection. Instead, the Supreme Court appears to be trying to mold a flexible set of rules that can keep pace with innovation. Another inflexible rule would simply set the patent system back again. The software patent is alive and well. It is merely being held to the same standard as all other areas of technology.


[1] Two Years After Alice: A Survey of The Impact of a ‘Minor Case’ (Part 1), Bilski Blog, June 16, 2016, available at: http://www.bilskiblog.com/blog/2016/06/two-years-after-alice-a-survey-of-the-impact-of-a-minor-case.html.
[2] Intellectual Ventures I LLC, v. Symantec Corp, 2015-1769, at 24-25 (Fed. Cir. 2016).
[3] Two Years After Alice: A Survey Of The Impact Of A ‘Minor Case’ (Part 1), Bilski Blog, June 16, 2016, available at: http://www.bilskiblog.com/blog/2016/06/two-years-after-alice-a-survey-of-the-impact-of-a-minor-case.html.
[4] Intellectual Ventures I LLC, v. Symantec Corp, 2015-1770 at 3 (Fed. Cir. 2016) (Mayer, C. J., concurring).
[5] Id. at 10.
[6] Id. at 12.
[7] Ultramercial, LLC et al. v. Wild Tangent, Inc. 772 F. 3d 709 (Fed. Cir. 2014) (cert. denied).
[8] In re Bilski, No. 2007-1130 (Fed. Cir. Oct. 30, 2008).
[9] Alice Corp. v. CLS Bank Int’l, 134 S. Ct. 2347 (2014).
[10] Mayo Collaborative Servs. v. Prometheus Labs., Inc., 132 S. Ct. 1289 (2012).
[11] I/P Engine, Inc. v. AOL Inc., 2013-1307, at *9 (Mayer, C. J., concurring) ("A robust application of section 101 ensures that the nation's patent laws remain tethered to their constitutional moorings.")

Organisations need to act now in order to meet the requirements of the new Electronic Identification and Signature (eIDAS) legislation

Electronic signatures offer huge potential for businesses to improve their operations, create better customer experiences, improve security, and increase potential revenue. E-signature technology now offers cross-border recognition of electronically signed documents, and instant verification of signer identities and document authenticity, both of which are essential for businesses operating in increasingly digital and mobile environments.

However, transitioning to e-signatures brings a number of challenges, both regulatory and operational, that businesses need to be aware of. With e-signature adoption increasing, and with the regulation's mutual-recognition obligation for electronic identities (eIDs) taking effect in September 2018, it is crucial that organisations prepare themselves now.

The changing e-signature landscape

Adoption of e-signatures is still uneven across different industries. A lack of technology standards has been an issue, as has the fact that e-signatures historically have not had the same legal standing as handwritten signatures.

Major changes are underway: on 1 July 2016 the EU's regulation on electronic identification and trust services (eIDAS, Regulation (EU) No 910/2014) began to apply. The regulation provides a common legal framework for understanding and categorising e-signature processes; makes it easier for citizens and businesses within EU member states to understand and use e-signatures; and gives e-transactions and other e-signed documents the same legal status as paper documents.

What’s more, this summer also saw Adobe help launch the Cloud Signature Consortium, a group of leading industry and academic organisations brought together to build a new open standard for cloud-based digital signatures across mobile and web. The aim of the initiative is to make electronic signing consistent, secure and scalable, so that anyone can sign digital documents from any digital channel or device.

Under eIDAS, only qualified Trust Service Providers (TSPs) may issue the qualified certificates needed to create legally verifiable "qualified electronic signatures". eIDAS establishes a common foundation for mutual recognition of electronic signatures across EU member states, making qualified electronic signatures compatible across all 28 EU countries and among the 236 trust providers recognised by the EU.

By providing legal and regulatory standardisation around e-signatures, the eIDAS regulation lays down a predictable legal structure for individuals, companies (in particular SMEs), and public entities to safely access services and conduct transactions online and across borders in just “one click”. With this framework, businesses across Europe can finally and confidently embrace digital transformation with electronic signatures.

Classification of e-signatures

Any business that relies on e-signatures within the EU will need to understand where its processes fall under eIDAS, so it is crucial that owners become familiar with the new legislation and review which business processes need to be updated for compliance.

eIDAS considers three categories of e-signatures, and defines a class of providers—called Trust Service Providers (TSPs)—who offer electronic IDs, time stamping, and other services that support electronic signatures. It goes into significant detail about security requirements, burden of proof, rules for mutual recognition, and supervision of TSPs. eIDAS offers a standardised mechanism for a business or corporate entity to understand the legal standing of the signatory, based on the following signature categories:

  1. Electronic Signatures

An electronic signature under eIDAS is data in electronic form attached to or logically associated with other data, and which is used by the signatory to sign a document. eIDAS provides that an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely because it is in electronic form. In other words, courts cannot discard them as evidence only because they are electronic, a principle known as non-discrimination.

  2. Advanced Electronic Signatures

Advanced signatures are a subset of the larger category of electronic signatures. They must be: uniquely linked to the signatory; capable of identifying the signatory; created using signature-creation data (in practice a private key) that the signatory can use under his or her sole control; and linked to the signed data in such a way that any subsequent change is detectable. These requirements are typically met with a certificate-based digital ID: a Trust Service Provider issues a certificate that binds the signatory's identity to a key pair, and the signatory keeps the private key under their own control.

  3. Qualified Electronic Signatures

Qualified signatures are a very specific form of advanced signature, and they are the only signatures defined in eIDAS that have legal effect equivalent to a handwritten signature. They are also the only type that is automatically recognised in every other member state. To create one, the signer needs a qualified certificate issued by a qualified Trust Service Provider, one that has been granted qualified status by a member state's supervisory body, and must create the signature using a qualified signature creation device. For example, the private key is held on a smart card that never releases it, and the signer uses a smart card reader when signing the document.

When it comes to e-signatures, qualified electronic signatures really are the gold standard. They tend to apply to document processes that have high monetary value or where the risk associated with identity fraud is too high to bear. Processes related to government benefits or clinical research are good examples. This category also applies to any business process where applicable law exceptionally requires a specific form with a handwritten signature. Examples of such exceptions are employment termination notices in Germany or the transfer of real estate in some countries.

The majority of use cases, however, do not require a written form, and businesses typically have the flexibility to use Advanced Signatures. These require that each signer have a certificate-based digital ID, which may be practical for employees or favoured business partners, but is more difficult to implement when working with new customers, partners, or the public at large.

The eIDAS legislation also introduces the idea of "electronic seals". Under eIDAS only a natural person can create an electronic signature; a legal entity, such as a business, cannot. The business can, however, "seal" a document, which gives the same assurance of the document's origin and integrity on behalf of the legal entity.
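As an added illustration, not code from the original article nor from Adobe, the Cloud Signature Consortium or any eIDAS-qualified product, the Go program below reduces the four advanced-signature requirements and the role of the Trust Service Provider to their cryptographic primitives: a TSP root certifies the signatory's key, the signatory signs with a private key that never leaves them, and a verifier checks both the certificate chain and the signature. All names ("Example Trust Service Provider", "Alice Example"), the contract text and the SignedDocument container are constructed for the example; real eIDAS signatures use standardised signature formats and qualified certificates, which this example does not implement.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument (constructed for this example) holds the signed data, the signature value and the certificate that binds the verifying key to the signatory's identity.
type SignedDocument struct {
	Content   []byte
	Signature []byte            // ASN.1 DER ECDSA signature over SHA-256(Content)
	Cert      *x509.Certificate // issued by the TSP; identifies the signatory
}

func check(err error) {
	if err != nil {
		panic(err) // setup failures abort the example
	}
}

// newIdentity generates a P-256 key pair for name and has issuerKey certify it; with no
// issuer the certificate is self-signed (the TSP root here, or an impostor's own cert).
func newIdentity(name string, isCA bool, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as a real TSP would use
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return key, cert
}

// Sign computes the signature with the signatory's private key, which never leaves the signatory ("sole control"); only the certificate travels with the document.
func Sign(content []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) *SignedDocument {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return &SignedDocument{Content: content, Signature: sig, Cert: cert}
}

// Verify checks that the certificate chains to a trusted TSP root and that the signature matches the content; on success it returns the identified signatory.
func Verify(doc *SignedDocument, trustedRoots *x509.CertPool) (string, error) {
	if _, err := doc.Cert.Verify(x509.VerifyOptions{Roots: trustedRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("certificate not issued by a trusted provider: %w", err)
	}
	// CheckSignature hashes Content with SHA-256 and verifies it against the certificate's public key.
	if err := doc.Cert.CheckSignature(x509.ECDSAWithSHA256, doc.Content, doc.Signature); err != nil {
		return "", fmt.Errorf("document altered after signing or signed with another key: %w", err)
	}
	return doc.Cert.Subject.CommonName, nil
}

// Scenario: a genuine signature verifies, a tampered document is detected, and an impostor presenting a self-signed certificate in the same name is rejected.
func Scenario() (genuineOK, tamperDetected, impostorRejected bool) {
	tspKey, tspRoot := newIdentity("Example Trust Service Provider", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(tspRoot)
	aliceKey, aliceCert := newIdentity("Alice Example", false, tspRoot, tspKey)
	contract := []byte("Contract: Alice Example agrees to pay EUR 1,000 on 2016-12-01.") // constructed sample
	signed := Sign(contract, aliceKey, aliceCert)
	signer, err := Verify(signed, roots)
	genuineOK = err == nil && signer == "Alice Example"
	rejects := func(d *SignedDocument) bool { _, err := Verify(d, roots); return err != nil }
	tampered := &SignedDocument{Content: []byte("Contract: Alice Example agrees to pay EUR 10,000 on 2016-12-01."), Signature: signed.Signature, Cert: signed.Cert}
	tamperDetected = rejects(tampered) // any change to the signed content must be detectable
	malloryKey, malloryCert := newIdentity("Alice Example", false, nil, nil) // impostor: self-signed cert in Alice's name
	impostorRejected = rejects(Sign(contract, malloryKey, malloryCert))
	return
}

func main() {
	g, t, i := Scenario()
	fmt.Printf("genuine verified: %v, tampering detected: %v, impostor rejected: %v\n", g, t, i)
}
```

The impostor case is the one to take from this: a valid signature on its own proves only that whoever holds some private key signed these bytes. It is the certificate chain back to a trusted provider that turns that into a statement about who signed, which is why eIDAS hangs identification of the signatory on Trust Service Providers and their supervision rather than on the signature mathematics alone.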

Preparing for the future of e-signatures

From September 2018, public-sector bodies in member states must recognise notified electronic identities (eIDs) from other member states, and businesses that transact with those citizens will need the same capability. A business that is unprepared for the eIDAS regulation risks turning away potential customers and partners, because without the right technical infrastructure it cannot offer remote digital signing or legally verify a signed document. Beyond the potential loss of new trade, a business may face legal repercussions for failing to comply with eIDAS adequately.

Any business using e-signatures will, naturally, also have to comply with the Data Protection Act, which governs the security of personal data, including for the growing number of business services that are based in the cloud. Regardless of its size, any business handling personal data is responsible for protecting it.

Besides regulatory concerns, business owners will also have to evaluate which technologies can best advance this transition by engaging with the specialist vendor community, which can provide expert counsel on compliant solutions. Doing so will enable them to test their in-house expertise and verify that their current and planned technologies will continue to operate within regulatory boundaries.

With the arrival of eIDAS, businesses have been given the flexibility to deploy electronic signature solutions that meet their specific requirements. The use of e-signatures is only set to grow, as businesses continue to operate in an increasingly connected environment. By ensuring compliance as early as possible, businesses can better guarantee that they won’t be superseded by more agile, technologically savvy competitors, while having the capability to conduct cross-border business securely and safely.

GDPR and the effect on data breaches

The Information Commissioner's Office (ICO) has now confirmed that the General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018, because that date falls before the end of the two-year period that starts when the UK gives its Article 50 notice to leave the EU.

The introduction of the GDPR is the biggest overhaul of data protection legislation in 18 years, 18 years which have seen a major boom in data and advancements in technology which the previous legislation has failed to keep pace with. Furthermore, the introduction of the GDPR will impact, to some degree, every single business and organisation in the UK.

Under the current legislation there is no general duty to report data breaches to the Information Commissioner: public bodies report under a voluntary arrangement, and mandatory reporting exists only in a few sector-specific regimes (such as for telecoms providers). As a result, when a breach occurs many private-sector organisations simply batten down the hatches and hope no one traces it back to them, and in most cases they get away with it.

The GDPR, however, introduces a positive notification duty. A breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the Information Commissioner within 72 hours of the organisation becoming aware of it. Where the breach is likely to result in a high risk to those rights and freedoms (for example, where the lost data could enable identity theft), the affected individuals, who may be customers or employees, must also be told without undue delay.

The thought of having to write, on a firm’s headed paper, to individuals telling them your firm has lost their data constitutes a significant reputational risk, especially in today’s era of social media where that letter could be photographed, published online and shared thousands of times. This, combined with the threat of fines for not reporting breaches of up to €10m or 2% of global turnover, should firmly put data protection compliance and the introduction of the GDPR on the boardroom agenda of every organisation in the UK.

Rather than waiting until May 2018 and then scrambling to bring everyone up to speed, every business should be taking steps now, so that when the GDPR applies its staff already understand the new rules. Doing so significantly reduces the risk of having to report data breaches to the Information Commissioner, and possibly to customers, employees and other third parties, from May 2018 onwards.

Whilst a lot of the press attention has been on high profile data breaches caused by hackers and cyber-attacks, the one area that often gets overlooked, and is traditionally the weakest link in any data protection system, is the human element.

The vast majority of data breaches are caused by human error: an employee or sub-contractor doing something they should not, or simply making a mistake such as sending a fax or e-mail to the wrong recipient, losing a memory stick, failing to encrypt data, or failing to destroy data properly.

Any business can have a superb written data protection policy, but that policy is not worth the paper it is written on unless employees are trained to understand why the policy exists, the personal consequences for them (from an employment and disciplinary perspective) of not complying with it, the wider financial and reputational consequences for the organisation itself, and how the policy applies in practice to their day-to-day tasks.

Without rolling out a comprehensive programme of staff training, both initially and on an ongoing basis, businesses will continue to put themselves at risk, financially and reputationally, as employees go about their daily tasks oblivious to how their actions can have serious consequences down the line.