The UK is one of the world’s most advanced digital economies and this is both strength and a weakness, according to a report on BBC News on 13 February 2017. Principals and suppliers and agents and distributors are exchanging confidential information and data on a daily basis. Often this is facilitated by the provision of laptops, tablets and mobiles by principals to their agents or by the creation of an intranet by a supplier with its distributors. Often too, agency and distributorship agreements make reference to the obligation on the agent or distributor to use confidential information only in the performance of their contractual duties and not to disclose it to third parties. But that is where the contractual provisions usually end. So what should principals and suppliers be thinking about when it comes to confidential information and data? The agent The starting point is whether the principal provides the agent with a laptop, tablet or mobile. If so, the agency agreement should require the agent to keep the device secure at all times. Further if the device is lost, the agent should be required to reimburse the cost. Sometimes the agent will be able to access the principal’s computer system. In this situation there should be an obligation on the agent to keep usernames and passwords secret and to keep its own data security up to date. The Data Protection Act requires businesses handling confidential information or personal data of another business to keep this data secure. Agents are businesses and subject to the Act. Sometimes devices are used to receive or send improper material. The agency agreement should prohibit such activity. Where notice of termination of an agency agreement is given, the agreement can be expected to require the return of the device. But where the device is owned by the agent, the agreement should require the agent to pass the device to the principal in order that it can be wiped of confidential commercial information and personal data. Whilst agency law does impose obligations of confidentiality and a duty of good faith on an agent, without specific contractual provisions a principal can be left exposed to the misuse of confidential information and data by an agent.
The distributor The disclosure and use of confidential information and issues concerning cybersecurity are much more open in the case of distributors. The starting point here is that a distributor will be required by common law to keep confidential that information which is confidential. But in order for the supplier to be protected, the distributorship agreement should include specific provisions addressing issues concerning the disclosure and use of confidential information. In respect of cybersecurity, whilst many suppliers will rely on their own data security there is good reason to require distributors to install and maintain data security and, where appropriate, to take steps to avoid hacking by third parties. To minimise the damage from a data security breach should one occur, it will be essential for all parties to develop and implement an “incident response plan” to highlight each party’s responsibilities in respect of data security. And if the agency or distributorship agreement is already in existence? The starting point is that a principal cannot simply impose new contractual obligations on an agent. To do so will allow the agent to claim that the principal’s actions constitute a repudiatory breach of the agreement which the agent can treat as bringing the agreement to an end. The agent can then make very significant claims under the Commercial Agents Regulations. However, it is possible for a principal to rely to some extent on the Regulations in order to address some of the above issues. This is because the Regulations require that the agent complies with the principal’s reasonable instructions. However, if there is a contract which addresses these issues, so much the better. The starting point in respect of a distributor is the same as that for an agent. The supplier cannot act unilaterally. But unlike an agent, there is no legislative partial safety net in respect of which a supplier can rely. So again so much the better if from the off the issues are contractually addressed. Overall Hacking is in the news. Indeed, in the first 2 months of 2017 Fox Williams advised 3 clients on 4 different cybersecurity breaches. In 2 cases, we notified the Information Commissioner’s Office of the breaches on behalf of our clients. This action was taken on the basis that it was good practice. Under the Data Protection Act, although there is no legal obligation on companies to report breaches of security, the ICO recommends that serious breaches are reported. From 25 May 2018, every business will be required by the General Data Protection Regulation to notify the ICO of certain types of data breaches within 72 hours of the business becoming aware of the breach. Whether in respect of agents or distributors, it is often when things go wrong on termination of the agency or distributorship agreement that issues concerning confidential commercial information and data security arise. So if you are reading this article online, are you reading it comfortably? More particularly is anyone else reading it? And can they access your confidential commercial information and personal data? Invariably, prevention is better than cure.
Fox Williams, 10 Finsbury Square, London, EC2A 1AF Tel: +44 (0)20 7614 2505 Email: slsidkin@foxwilliam
Disclaimer: This column does not contain legal advice and is for general guidance only. Agentbase, Fox Williams LLP Solicitors and the writer accept no liability in connection with the general guidance given in this column. Please ensure that you obtain legal advice before acting in reliance upon anything in the article. For example please be clear that the answers given in this column may not cover all possible angles, aspects, relevant considerations and/or points of law and so that all or any information which is given above needs in every instance to be referred for legal advice for clarification and amplification, before being relied upon