Managing risk when using private investigators

Managing risk when using private investigators Lawson Caisley, Partner Litigation (Corporate) Nigel Parker, Senior Associate Corporate 29 April 2014 Allen & Overy 2014

2014 Seminar schedule Tuesday 29 April 8.30am-9.30am Bishops Square Friday 2 May 12.30pm-1.30pm Bishops Square Tuesday 6 May 8.30am-9.30am Bishops Square Monday 19 May 12.30pm-1.30pm Bishops Square Tuesday 20 May 12.30pm-1.30pm Bishops Square Thursday 22 May 8.30am-9.30am Bishops Square Thursday 27 May 8.30am-9.30am Bishops Square Tuesday 3 June 8.30am-9.30am Bishops Square Thursday 12 June 8.30am-9.30am Bishops Square Tuesday 24 June 12.30pm-1.30pm Bishops Square Managing risk when using private investigators Lawson Caisley, Partner Litigation (Corporate), Nigel Parker, Senior Associate Corporate Recent developments in banking and finance law Richard Hooley, Consultant (Allen & Overy LLP) Bank recovery and resolution in Europe a credible framework? Bob Penn, Partner Financial Services Regulatory EMIR: current hot topics Emma Dwyer, Partner ICM, Damian Carolan, Partner - Banking The quest for meaning. An overview of the law of contract part I interpretation Jason Rix, Senior PSL Litigation, Rainer Evers, Senior Associate Litigation Shareholder activism it s coming; are you ready? Richard Cranfield, Partner Corporate, Richard Browne, Partner Corporate Ring-fencing retail banks three different approaches Bob Penn, Partner Financial Services Regulatory, Etay Katz, Partner Financial Services Regulatory Awkward twins: managing UCITS and AIFs under one roof Pavel Shevtsov, Partner Banking, Anne Pages, Associate Banking MiFID II an update on key developments Damian Carolan, Partner Banking What do we do now? An overview of the law of contract part II termination and remedies Jason Rix, Senior PSL Litigation, Rainer Evers, Senior Associate Litigation Allen & Overy LLP One Bishops Square, London E1 6AD, United Kingdom Tel +44 20 3088 0000 Fax +44 20 3088 0088. If you would like to attend one or more of our seminars, please visit www.aoseminars.com where you can register. If you have any queries or require further information please email seminarregistration@allenovery.com 2 Allen & Overy 2014

Managing risk when using private investigators (8.30am 9.30am) Lawson Caisley Nigel Parker Summary The use of private investigators is widespread, in matters ranging from M&A to litigation. There has recently been considerable interest and press coverage in relation to the use and activities of private investigators, both of the PIs themselves and the actions of their clients. Several PIs have been jailed for using unlawful means to obtain information on behalf of their clients. Increasingly, the authorities, press and politicians have also focused on the instructions given to PIs by their clients. This has included criminal investigations by SOCA (now the NCA) and the Home Affairs Select Committee threatening to publish a list of instructing companies. The Information Commissioner has also stated that companies cannot turn a blind eye to the methods used on their behalf and must face the full force of the law if they do not take steps to ensure information is legally obtained. This seminar will examine the legal risks involved in using private investigators, and how best to manage those risks, as well as related issues such as dealing with requests for information from the subjects of the investigations and undertaking internal investigations. Allen & Overy 2014 3

Speaker biographies Lawson advises leading FTSE companies and international groups, and has extensive experience of all aspects of complex commercial litigation and investigations. He is ranked as a leading dispute resolution lawyer in the legal directories where comments about him include; a lawyer who inspires trust clients know they can rely on him (Chambers 2013); gives his clients a first-class response (Legal 500 2011); brilliant with clients and works hard to ensure their goals are accomplished (Legal 500 2010); offers an excellent strategic overview and is always available to clients (Chambers 2011); thinks strategically and gets the best results for his clients (Chambers 2010). Lawson Caisley Partner Contact Tel +44 20 3088 2787 lawson.caisley@allenovery.com Nigel specialises in non-contentious intellectual property, data privacy and commercial contracts. He works across a wide variety of business sectors. Nigel has advised a number of clients on internal investigations, governance issues, training and related matters relating to the use of private investigators. Chambers UK 2014 recognised Nigel as a Star Associate and described him as Smart, pragmatic and highly responsive. Nigel Parker Senior Associate Contact Tel +44 20 3088 3136 nigel.parker@allenovery.com 4 Allen & Overy 2014

Managing legal risks when using private investigators Tuesday 29 April, 2014 Allen & Overy LLP 2014 LT:10824494.1 Allen & Overy 2014 5

Meeting you today Portrait Lawson Caisley Partner Litigation (Corporate) Tel +44 20 3088 2787 lawson.caisley@allenovery.com Nigel Parker Senior Associate Corporate Tel +44 20 3088 3136 nigel.parker@allenovery.com Allen & Overy LLP 2014 2 6 Allen & Overy 2014

Overview 1. Use of private investigators 2. Risks of private investigations 3. Risks for clients of private investigators 4. Data protection risks 5. Other criminal offences 6. Warning signs 7. Debunking myths 8. Managing risk Allen & Overy LLP 2014 3 Allen & Overy 2014 7

1) Use of private investigators obtaining information and evidence relating to existing, or contemplated, legal proceedings verifying the legitimacy of insurance claims investigating internal and external fraud tracing debtors and recovering stolen goods tracing witnesses and serving court documents background checks on witnesses employee background screening and drug & health screening investigating misuse of intellectual property due diligence on potential business partners financial investigations cyber investigations and ensuring cyber security anti-bribery and corruption investigations job applicant background screening and market reference exercises due diligence, third party and vendor screening Allen & Overy LLP 2014 4 8 Allen & Overy 2014

2) Risks of private investigations Unauthorised access to computer material Computer Misuse Act 1990 Fraud Fraud Act 2006 Bribery Bribery Act 2010 Unlawful obtaining or disclosure of personal data Data Protection Act 1998 Failure to register as a data controller Data Protection Act 1998 Breach of Data Protection Act Principles Data Protection Act 1998 Allen & Overy LLP 201 2014 Allen & Overy 2014 9

2) Risks of private investigations Unlawful interception RIPA Breach of confidence Trespass to goods Theft Theft Act 1998 Harassment Protection from Harassment Act 1997 Others -Criminal Justice and Public Order Act 1994 -Equality Act 2010 -HRA 1998 Allen & Overy LLP 201 2014 10 Allen & Overy 2014

No direct regulation of private investigators, yet Home Affairs Committee inquiry Tasked with undertaking an inquiry into PIs (following phone-hacking inquiry) July 2012 Report recommended Licensing of PIs and private investigation companies by end of 2013 Code of Conduct for PIs Criminal record for breach of s.55 DPA to act as a bar to individual operating as PI 31 July 2013, Secretary of State announced that by autumn 2014 the Security Industry Authority ( SIA ) will regulate private investigators under the Private Security Industry Act 2001 ( PSIA 2001 ) Powers under PSIA 2001 PIs to be licensed by SIA, subject to satisfactory criminality and identity checks and competency based training Criminal record for breach of s.55 DPA to act as bar to individual operating as PI Practising without licence or breaching conditions of licence to be criminal offence maximum sentence under PSIA 2001 currently 6 months imprisonment and/or fine of up to 5,000 Allen & Overy LLP 201 2014 7 Allen & Overy 2014 11

3) Risks for clients of private investigators Primary liability (eg in-house security dept. investigations) Secondary liability Inchoate offences (eg conspiracy) Data breach Breach of DPA Principles (eg failure to notify) Subject access requests Allen & Overy LLP 2014 8 12 Allen & Overy 2014

PIs and illegal trade in information 2004 2006 2007 2008 Operation Motorman 4 PIs convicted ICO Reports ICO calls for custodial sentences for illegal trade in information Operation Barbatus 2 PIs and 3 ex-police officers convicted Criminal Justice and Immigration Act 2008 Introduced custodial sentence for breach of s 55 (up to two years) not activated by Secretary of State Allen & Overy LLP 2014 9 Allen & Overy 2014 13

Increasing focus on clients 2012 2012 2013 Aug 2013 Operation Millipede 4 PIs convicted SOCA (now the NCA) concludes no evidence of criminality by clients Leveson Inquiry Strong criticism of lack of action by the ICO ICO response to Leveson Referred back to What Price Privacy? Home Affairs Select Committee Demands disclosure of client names (refused by SOCA and ICO) SOCA passes Millipede files to ICO Allen & Overy LLP 201 2014 10 14 Allen & Overy 2014

Increasing focus on clients Nov 2013 Jan 2014 ICU PIs convicted (fined 5K) no action against clients IKEA Senior executives in France placed under investigation for hiring private investigators Candy Brothers Allegation against PIs and instructing solicitors Allen & Overy LLP 201 2014 11 Allen & Overy 2014 15

Operation Spruce Feb 2014 1 construction 4 legal services Operation Spruce ICO announces intention to take action against clients of PIs convicted under Operation Millipede awaiting decision to prosecute Allen & Overy LLP 201 2014 ICO worked through list of 98 clients from Operation Millipede ICO initially said evidence that 19 may be liable for breaches and/or criminal liability under DPA. ICO announced 7 February 2014 that it intends to pursue 11 of these clients. Requests/search orders to begin week commencing 10 February 2014 FBI to be called in to investigate 8 US companies using British PIs 5 retail companies 3 private investigator firms 12 2 financial 3 insurance 1 security company 16 Allen & Overy 2014

4) Data protection risks Disclosure of personal data by a client to a PI Obtaining & sharing of personal data by a PI Use & holding of personal data by the client Allen & Overy LLP 201 2014 13 Allen & Overy 2014 17

Criminal offences under the DPA Unlawful obtaining of personal data Section 55 DPA Knowingly or recklessly, without consent of the data controller: Obtaining personal data Disclosing personal data Procuring disclosure of personal data Criminal offence 5,000 fine (magistrates) Unlimited fine (Crown Court) No custodial sentence (although two year custodial sentence enacted, but not activated) Director/officer liability Examples of s 55 offence Blagging ie obtaining information by deception: Pretending to be the data subject Pretending to be somebody connected to the data subject or an employee of the entity being blagged (eg HMRC, BT, banks, GP surgery) Using information which you are entitled to access for illegitimate purposes: An HR employee providing information about employees to a third party A bank employee disclosing information about customer to third parties Police officers accessing information from the police database GP receptionist accessing medical data Accessing information you are not allowed to access in the workplace Allen & Overy LLP 2014 14 18 Allen & Overy 2014

Data protection principles 1. Processing shall be fair and lawful 2. Personal data shall be processed for specified/compatible purposes 3. Personal data shall be adequate, relevant, not excessive 4. Personal data shall be accurate and kept up to date 5. Personal data shall not be kept for longer than necessary 6. Processing shall be in accordance with rights of data subjects 7. Technical and organisational security measures shall be taken 8. No cross-border transfers without appropriate safeguards Allen & Overy LLP 201 2014 15 Allen & Overy 2014 19

Practical application of the Principles Principles Lawfulness, Legitimacy Practice Prin 1: Must not breach other laws when collecting/using (e.g. bribery) Engagement terms Monitoring engagement Prin 1: Must have a legitimate basis, which is not outweighed by interests of the individual (i.e. right to privacy) Assess legitimacy of decision to use PI and scope of investigation/methods used Prin 1: Usually must have explicit consent to process sensitive personal data Minimise/avoid processing sensitive personal data Allen & Overy LLP 2014 16 20 Allen & Overy 2014

Practical application of the Principles Principles Transparency Practice Prin 1: Transparent Usually must notify individuals of use of personal data (fair processing notice) We may collect and process the following data about you for the following purposes Exempt if processing for detection or prevent of crime Exempt if processing necessary for obtaining legal advice, legal proceedings, defending legal rights Allen & Overy LLP 2014 17 Allen & Overy 2014 21

Practical application of the Principles Principles Proportionality, accuracy Practice Prin 3: Adequate, relevant Consider proportionality (e.g. impact assessment) Define the scope of engagement Prin 4: Accurate and up to date Control acceptable sources of information; obligation to fact-check Prin 5: Not kept for longer than necessary Implement retention policy Limitation Act 1980 6 years Allen & Overy LLP 2014 18 22 Allen & Overy 2014

Practical application of the Principles Principles Data subject rights Practice Prin 6: Data subjects have a right of access Data minimisation Implement a subject access requests policy Prin 6: Data subjects have a right to prevent processing Data minimisation Allen & Overy LLP 2014 19 Allen & Overy 2014 23

Practical application of the Principles Principles Security Practice Prin 7: Appropriate steps must be taken to ensure security of data Access controls Systems (e.g. encryption) Data processing agreement Licences/accreditation No subcontracting Policies (e.g. use of mobile devices) Allen & Overy LLP 2014 20 24 Allen & Overy 2014

5) Other criminal offences Allen & Overy LLP 2014 21 Allen & Overy 2014 25

Bribery Our sources within the tax authority told us that he is not under investigation Bribery Act 2010 - A crime to receive or give a bribe (whether to a private individual/company or a foreign official) Created new criminal offence: failure of commercial organisations to prevent bribery by a person associated with the company, even if without knowledge or direction of the company Associated person broadly defined as someone who provides services to the company Includes senior execs who consent or connive Maximum 10-year prison sentence Allen & Overy LLP 2014 22 26 Allen & Overy 2014

Fraud We were able to establish from his service provider that he has not made any calls outside of the UK Fraud Act 2006 Fraud by False Representation The representation must be wrong or misleading, and the person making it must know it is, or might be, wrong or misleading The defendant's conduct must be dishonest and his intention must be to make a gain, or to cause loss to another (or expose them to a risk of loss) Maximum 10-year prison sentence Allen & Overy LLP 201 2014 23 Allen & Overy 2014 27

Computer Misuse Act 1990 We used the Administrator s password which you provided to access her old email account It is an offence to gain unauthorised access to computer material A person will commit this offence if: (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorised; and (c) he knows at the time when he causes the computer to perform the function that that is the case. Maximum two-year prison sentence Allen & Overy LLP 201 2014 24 28 Allen & Overy 2014

Regulation of Investigatory Powers Act 2000 During a conversation with X he mentioned that Offence for person to intentionally and without lawful authority to intercept any communication in the course of its transmission by means of a public or private telecommunication system Maximum two-year prison sentence Allen & Overy LLP 201 2014 25 Allen & Overy 2014 29

6) Warning signs Deception (e.g. blagging) Involvement of public officials / authorities Covert monitoring (e.g. surveillance) Sensitive Personal Data (e.g. health, offences) Access to private communications Non-public information Allen & Overy LLP 201 2014 26 30 Allen & Overy 2014

7) Debunking myths But - it s public information - it s true - everyone else does it - it happened outside the UK - we have no other way of getting the information we need - the lawyers did it, it s not our responsibility - we didn t use the information - we ve deleted the information Allen & Overy LLP 201 2014 27 Allen & Overy 2014 31

How can a PI lawfully be of use? Potentially lawful activity Surveillance Collating information from publicly available sources Carrying out interviews or obtaining witness accounts Gathering evidence for legal proceedings provided that No harassment Notice provided or exemption applies under the DPA No other offence committed eg fraud, bribery, computer misuse etc. Notice provided or exemption applies under the DPA No other offence committed eg fraud, bribery, computer misuse etc. No blagging No bribery No deceit as to nature of interview or identity of PI Notice provided or exemption applies under the DPA No other offence committed eg fraud, bribery, computer misuse etc. Allen & Overy LLP 201 2014 28 32 Allen & Overy 2014

8) Managing Risk Implement guidelines and a process/policy Use standard terms of engagement Minimise processing of personal data (esp. sensitive data) Monitor engagement Raise awareness / training Maintain DPA registration and fair processing notice where possible (eg employees) Allen & Overy LLP 201 2014 29 Allen & Overy 2014 33

Questions? These are presentation slides only. The information within these slides does not constitute definitive advice and should not be used as the basis for giving definitive advice without checking the primary sources. Allen & Overy means Allen & Overy LLP and/or its affiliated undertakings. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications or an individual with equivalent status in one of Allen & Overy LLP's affiliated undertakings. Allen & Overy LLP 2014 30 34 Allen & Overy 2014

Allen & Overy 2014 35

36 Allen & Overy 2014

Allen & Overy 2014 37

Allen & Overy LLP One Bishops Square, London E1 6AD United Kingdom Tel +44 20 3088 0000 Fax +44 20 3088 0088 www.allenovery.com In this document, Allen & Overy means Allen & Overy LLP and/or its affiliated undertakings. The term partner is used to refer to a member of Allen & Overy LLP or an employee or consultant with equivalent standing and qualifications or an individual with equivalent status in one of Allen & Overy LLP's affiliated undertakings. Allen & Overy LLP or an affiliated undertaking has an office in each of: Abu Dhabi, Amsterdam, Antwerp, Athens (representative office), Bangkok, Beijing, Belfast, Bratislava, Brussels, Bucharest (associated office), Budapest, Casablanca, Doha, Dubai, Düsseldorf, Frankfurt, Hamburg, Hanoi, Ho Chi Minh City, Hong Kong, Istanbul, Jakarta (associated office), London, Luxembourg, Madrid, Mannheim, Milan, Moscow, Munich, New York, Paris, Perth, Prague, Riyadh (associated office), Rome, São Paulo, Shanghai, Singapore, Sydney, Tokyo, Warsaw, Washington D.C. and Yangon. MKT:4218973.1 38 Allen & Overy 2014