Stephen Sidkin, a partner in corporate law firm Fox Williams, highlights the issues retailers and suppliers face when they share confidential information – and the steps they must take under the law to keep it safe.
Hacking is very much in the news. In the first two months of 2017, Fox Williams advised three of its clients on four different cyber-security breaches.
Retailers and distributors should take note, because this does affect them, especially when they are handling confidential information from suppliers.
From May 25, 2018, every business will be required by the General Data Protection Regulation to notify the Information Commissioner’s Office (ICO) of certain types of data breaches within 72 hours of the business becoming aware of the breach.
In the case of two of our clients, we notified the ICO of the breaches on behalf of our clients. This action was taken on the basis that it was good practice. Under the Data Protection Act, although there is no legal obligation on companies to report breaches of security, the ICO recommends that serious breaches are reported.
An article earlier this month in The Sunday Times highlighted “an alarming reality: the digitalisation of modern life has dramatically outpaced the security required to keep us safe”.
Showrooms and sales designers, and manufacturers and distributors, are exchanging confidential information and data on a daily basis. This is often facilitated by the provision of laptops, tablets and mobiles by showrooms to their sales designers or by the creation of an intranet by a manufacturer with its distributors.
Often, the agreements put in place make reference to the obligation on the sales designer, retailer or distributor to use confidential information only in the performance of their contractual duties and not to disclose it to third parties. But that is where the contractual provisions usually end.
So what should showrooms, distributors and manufacturers be thinking about when it comes to confidential information and data?
This is particularly so in the case of showrooms using freelance or remote designers working from home, where they will be commercial agents for the purpose of the Commercial Agents Regulations and so entitled to the protections provided by those Regulations.
The sales designer
The starting point is whether the showroom provides the sales designer with a laptop, tablet or mobile, such as in the case of a remote or freelance designer who may work from home. If so, the agreement between them should require the sales designer to keep the device secure at all times. Sometimes the sales designer will be able to access the showroom’s computer system. In this situation, there should be an obligation on the sales designer to keep user names and passwords secret and to keep data security up-to-date.
The Data Protection Act requires businesses handling confidential information or personal data of another business to keep this data secure. Sales designers, as agents, are businesses and subject to the Act.
Where notice of termination of an agreement is given, the agreement can be expected to require the return of the device. But where the device is owned by the sales designer, the agreement should require the sales designer to pass the device to the showroom in order that it can be wiped of confidential commercial information and personal data.
While agency law does impose obligations of confidentiality and a duty of good faith on an agent, without specific contractual provisions a showroom can be left exposed to the misuse of confidential information and data by a sales designer.
The disclosure and use of confidential information and issues concerning cyber-security are much more open in the case of distributors.
The starting point here is that a distributor or retailer will be required by common law to keep confidential that information which is confidential. But in order for the manufacturer to be protected, the distributorship agreement should include specific provisions addressing issues concerning the disclosure and use of confidential information.
In respect of cyber-security, while many manufacturers will rely on their own data security, there is good reason to require distributors or retailers to install and maintain data security and, where appropriate, to take steps to avoid hacking by third parties.
To minimise the damage from a data security breach, should one occur, it will be essential for all parties to develop and implement an “incident response plan” to highlight each party’s responsibilities in respect of data security.
And if an agreement is already in existence?
The starting point is that one party cannot simply impose new contractual obligations on the other party. To do so could constitute a repudiatory breach, which could be regarded as bringing the agreement to an end. The other party could then make very significant claims under the Commercial Agents Regulations.
However, it is possible for a showroom to rely, to some extent, on the Regulations in order to address some of the above issues. This is because the Regulations require that an agent comply with the principal’s reasonable instructions. However, if there is a contract that addresses these issues, so much the better.
The starting point in respect of a distributor is the same as that for a showroom or freelance designer. The manufacturer cannot act unilaterally. But unlike the position with a sales designer, there is no partial legislative safety net on which a supplier can rely. So again, so much the better if from the off the issues are contractually addressed.
Whether in respect of sales designers or distributors, it is often when things go wrong on termination of the agreement that issues concerning confidential commercial information and data security arise.
And if you are reading this article online, are you reading it comfortably? More particularly, ask yourself – is anyone else reading it? And can they access your confidential commercial information and personal data?
Invariably, prevention is better than cure.