The pain of GDPR compliance and the long term effects

Posted by 7 September, 2018

 

GDPR has no exemptions that organisations I work with can rely on, perhaps for the first time with data, we are all in it together.

The challenges facing organisations trying to comply are magnified by the amount of “fake news” surrounding it. I haven’t been surprised by the feeding frenzy from those trying to cash in, yet I am somewhat alarmed by the number of “experts” on this untried legislation. I understood that it took 10,000 hours to become an expert in something, and I’m wondering how the experts managed that. C’est la vie.

What truly concerns me is that this is a massive cultural change, and I fear that the policies being written and disseminated are not going to empower the people who need to deal with data on a daily basis. During my 29 years in the field of risk, insurance and business continuity I have seen many issues that could have been avoided by educating people. Yet it seems that policies are written to ensure that employment or contracts can be terminated rather than to encourage people to comply. I realise that this is partly due to legal precedent, yet motivating people by fear is far weaker than motivating them by other means.

Having listened to many people and taken in copious amounts of information, I think that the feeding frenzy has prevented people from understanding the “mission” of the data regulators. They want organisations to be careful with data and to respect the wishes and privacy of people like you and me. It is not a lot to ask, yet achieving that aim is undoubtedly awkward. It is a lot less awkward if the culture of an organisation recognises this.

I have this awful nagging doubt that people will not be motivated to do the right thing with data if they are told off or disciplined when they make mistakes. I’ve seen many policies that tell people what to do, yet they are rarely allied with the cultural piece. Even rarer is the right level of education and reinforcement that motivates.

The deadline will come and go, yet the mission of the regulator is not going to be achieved if a culture of blame continues to be the most pervasive one in organisations. One issue that no-one seems to have thought about is the way salespeople treat data. Arguments over who owns it are common, especially with the growth of online networks. Roughly 50% of people take data with them when they leave one organisation for another. When this happens at least two companies are in breach, and the individual has broken the law. It is theft, after all.

The existing regulations state that this shouldn’t happen, yet half of people think it’s OK to take the data when they really know that they shouldn’t. It could be argued that the policies that discipline people have worked, because they have stopped the other half from doing this. Yet half is not enough. It should be a single-digit percentage, at the very worst.

So policies and procedures are not working now. New ones will not change that if they don’t address the cultural side of human behaviour.

What can be done?

A new type of policy is required. Naturally, it should start at the top of an organisation. It should motivate people to change the way they think about data. It should be readable, not shrouded in jargon. It should reward people for doing the right thing. It should be something that everyone is reminded about. But not “beaten up” over.

Jason Cobine is an insurance broker in London who works with businesses and charities. He has built a business from scratch without pilfering data, so he knows how hard it is. Yet it was a cultural decision that has proved to be correct.

Categories: Accountants Insurance, All Risks Insurance, Business Insurance, Company Insurance, Contractors Insurance, Intellectual Property Insurance, Legal expenses insurance, Liability Insurance, Personal Insurance, Solicitors insurance, Uncategorized

The GDPR is coming. Time to sit down, relax and take stock

Posted by 3 May, 2018

This article is about the feeding frenzy taking place, how to avoid it and what to look out for in the run-up to GDPR lift-off.

Welcome back, or if you’re new here, sign up via the orange RSS button at the top right of this page to receive insurance tips, new posts, plus details of events and promotions that could help you or your network reduce the risks facing their organisation.

The vultures have been circling for some time now.

Plenty of people are putting the frighteners on good people who just want to survive the supposedly relentless onslaught of heavily armed Data Commissioners issuing fines aplenty. That will not actually happen. The ICO simply hasn’t got the resources to do it, much like other agencies that are not for profit.

Speaking of which, it is those that are for profit that we need to be wary of. I’ve received several updated contracts from insurance companies dictating how data issues need to be resolved. My first piece of advice is to establish what your partners expect of you because, whilst the data commissioner might give you 72 hours to report certain types of breach (the GDPR clock runs from the moment you become aware of it), I am now contractually bound to give others 24 hours’ notice. Probably because they want the lion’s share of the deadline to get themselves ready. They also insist on certain types of data security and issue tight deadlines on “data subject access requests”. Cheeky but true.

So have you read all your contracts recently?

At least some of our partners are decent enough to tell us they’re being updated. Other contracts, like insurance policies, already cater for the change with clever wording. Where it states that they expect you to be complying with the law, it actually means that as soon as the law changes you have to be compliant with the new one. They don’t need to wait for the renewal of a contract to make you keep up with legislation. They’ve already taken care of it.

Are you going to read all your supplier or partner contracts? Probably not. Who has the time? I hear you sigh! Keep these in mind when you are changing the policies that are affected by GDPR. There might be a clash: you might want to notify them within 72 hours, yet they might stipulate immediately. Forewarned is forearmed, and I don’t think fines are going to cause the biggest headache. I think it will be interruptions to business and loss of reputation and/or clients.

Government cracks the whip

I have a feeling that the government announcement last week, that it would try to reduce the compensation culture by cracking down (again) on so-called “whiplash” claims, might fuel the class-action culture that Morrisons supermarkets find themselves subject to. There are a lot of companies that rely on that revenue stream (it’s in the billions) and they will switch to the next one as quickly as they went from PPI to holiday sickness claims. And PPI is coming to an end.

Wrap Up: We’re not overly concerned about the deadlines imposed by our supply chain because we have the resources to cope with them. Yet we’re very pleased we know what they are, because a data breach causes enough confusion on its own.

Top Tip: Once you’ve assessed your position, review your contracts to see what else you might need to weave in. This is a once-in-20-years opportunity to engage with your stakeholders. Done well, it will build trust regarding data and how you want to keep it safe. That trust is gold dust in the current climate.

Categories: Accountants Insurance, All Risks Insurance, Business Insurance, Company Insurance, Contractors Insurance, Customer Service, General Requirements, Intellectual Property Insurance, Liability Insurance, Solicitors insurance

Say it but don’t blame me

Posted by 2 May, 2015

Sometimes it’s best to help your prospects understand what you offer that your competitors don’t, rather than trying to highlight the inadequacies of your competitors. This is especially the case when the comments you make are in public, and especially when your competitors get angered easily and/or have very deep pockets or in-house legal teams. This article explains what happens when someone is unhappy with what you say about them, how to avoid it and what you can do about it.


I have a client who has produced software that is absolutely outstanding and reduces the amount of time you and I spend waiting for organisations to answer our calls. It also reduces the number of staff call centres require, and I think it’s a product that provides everyone with a benefit. They have nearly 1 million subscribers to their app, so they must be doing something right.

There was a time, before they appeared on “Dragons’ Den”, when they were looking to generate a buzz about their business. They talked to a marketing consultant and were eventually persuaded to use a marketing expert who specialised in generating PR for technology-based businesses. It all sounded great, everything heading in the right direction.

We didn’t say that, did we?

The marketing expert had decided to seed the press and other relevant forums with explanations of the different waiting times that people experience when calling well-known companies. In theory these companies were not competitors of our client. They were irked, even angered, to find themselves at the top of a table highlighting which companies leave callers on hold for the longest time. The angriest was a particularly large company in the health industry, and they decided to issue a letter asking our client to explain exactly where they got their information from and to remove any reference to that company from the public domain. This was an understandable reaction to an article that was supposed to improve the profile of our client, yet it only served to anger a party they had no need to anger and caused many other problems internally. The initial panic should never be underestimated when you get a letter from an in-house lawyer, because they have so much time on their hands to deal with such issues.

Naturally, my first question to my client was whether they had actually made the points that the in-house lawyer objected to. Their answer was that it wasn’t them. Yet when I used Google I found the article was credited to them. At which point they said it was an outsourced marketing expert who had put these articles together. I asked if the marketing expert had provided evidence of their insurance. Blank looks all round. I asked if the marketing expert’s research had been checked by my client. More blank looks. I asked if the marketing expert had used a specialist to research the details they were using. The blank looks continued.

Shall we tell them it wasn’t us?

This was the comment my client made next, and I asked them if they thought that would send the complainant off towards the marketing company. They realised that was probably never going to happen. If that were the case, everyone would simply say someone else did it in their name and no one would ever cease or desist when libelling someone. Fortunately they didn’t need to have this conversation, because we had already provided them with a legal defence in case allegations of libel, defamation or breach of confidentiality were levelled at them. Yet they had still learned a valuable lesson about suppliers. These days very few businesses are self-contained. Nearly every company I know relies on an employee or another organisation to help them deliver their product or services. However, not all such businesses are as careful as they should be, and you can either be guilty by association or considered guilty because something was done under your umbrella.

Top Tip:
Check your suppliers carefully. If they have insurance and it is fit for purpose, you can give them free rein, which makes your life easier.

Wrap up:
If they don’t have insurance you shouldn’t be dealing with them, because at best your insurance premiums will creep up as your suppliers make mistakes. That’s like buying car insurance and allowing the worst driver you know to drive your car, even though they are already banned.

Categories: Business Insurance, Company Insurance, Liability Insurance

No-one will sue me or blame me

Posted by 27 December, 2014

Business is easier to do when people are getting on, yet it pays to keep everyone happy when relationships start to falter. This article is about money, the fact that it talks when opinions differ, and why it is a foreign language for some.


I’ve had an idea... but I can’t do it on my own

Inventors are not just stuck in sheds. Some of them are hugely creative and have big idea after big idea. I am contacted by inventors when they want to protect an idea they’ve created. Most of them are in “start-up” mode, and it takes time for the income to pour in.

However, they still need services to help them lift off, and it is not uncommon to reach bartering agreements or to agree profit or equity shares with those who help them out. Wonderful, isn’t it? In an ideal world, yes; in the real world, it depends. Recently I’ve been contacted by two different companies who both had similar issues with such agreements. They were both being taken to court after such “contracts” had gone sour; they were very loose, unwritten agreements.

We can’t agree about everything

But it pays to sit down and agree the basics. The first indication that something was going wrong was the receipt of a legal document outlining a case of a service provided that hadn’t been paid for. In each case the inventor thought they had “come to an agreement”, yet the complainant asserted that nothing had been written down and expected a prompt realisation of profits, which is rare. Both inventors were upset as well as annoyed. One was being asked for £40,000 in fees for work they had “ordered”. The other was being invoiced £18,000 in fees for time spent “assisting” the start-up.

Even after the first legal notice was issued, the inventor contacted the person who was “owed” the £40,000 and came to another agreement. They were somewhat surprised to learn, soon after, that the complainant had obtained a judgement against them and bailiffs were chasing them for money they didn’t have. Sometimes the courts do odd things. Launching an appeal has proved fruitless for at least one company facing a winding-up order. Their business was closed down by a judge before the appeal date arrived. It is beyond belief.

You owe me, I sue you

Eventually the money was found, yet it had been earmarked for marketing, so in one case the launch had to be delayed. The debts were paid when the companies may not have been legally liable to pay them. They were forced to settle because they didn’t have the resources to defend themselves.

Defending yourself doesn’t have to be ridiculously costly, but it does take up time. High-quality legal resources have to be paid for. It’s not only about what you sign, it’s about what you agree. Verbal agreements are often considered binding by one party, and failure to defend your corner means the louder voices are likely to be heard. The balance between defending and paying up doesn’t always leave defendants between a rock and a hard place. I have plenty of clients who have successfully defended spurious allegations.

Wrap up: Contracts aren’t always big documents, and verbal agreements are often taken seriously. It’s really difficult to juggle all the tasks when unexpected legal issues arise, not to mention the upset if you don’t know where to turn.

Top tip: Do not ignore issues that are on the “too difficult” list. They have a habit of resurfacing, and investor shareholders hate that too. It is not fair, but the deepest pockets usually win.

Categories: After The Event, Business Insurance, Company Insurance, Design Insurance, Domain name protection, Intellectual Property Insurance, Legal expenses insurance, Liability Insurance, Litigation expenses insurance, Patent Insurance, Trade Secret Protection, Trademark Insurance

Efficient insurance isn’t always friendly

Posted by 23 June, 2014

This article is about how improvements in technology should help providers improve the service to their clientèle. Read on to find out how IT has made life easier, where it has failed, and the backlash that is “in the post”.


Treating customers fairly?

Recently I have been learning how to use a new IT system which will increase our efficiency and profit. The people showing us how to use the system are terribly nice and say some nice things, yet also some very surprising things. One that really did surprise me relates to the way the system allows us to meet all the compliance regulations that are bestowed upon us by the FCA (Financial Conduct Authority). I was pleased to find that the system made our life easier when ticking the compliance boxes.

It was during a discussion about “treating customers fairly” (TCF) that I was so surprised. TCF involves doing what it says on the tin: making sure that the customer is at the centre of what you do. This ensures that they are well treated and their aims are met whilst your business meets its aims too. For me, this is the most valuable thing you can do in a business, because customers are always right, and when they are wrong it’s usually because they have not been well informed. This is a statement that most business owners don’t want to hear, yet when they are the customer they realise that it’s actually true.

What’s the surprise?

The comment that surprised me so much came after I complimented the trainers on showing us how to add efficiency to our compliant processes. Our training lady announced that no one usually cares about this, to which I exclaimed “pardon!” because I couldn’t believe that a sector so beaten and bowed by criticism still fails to take its customers’ rights seriously. I enquired what the lady meant by “no one usually cares”, and she reiterated that all the other people she trains (all is probably an overstatement) find ways to avoid ticking the TCF compliance box. I am not surprised that this happens, but I am surprised that it is an industry-wide problem. However, it does explain one scenario that has puzzled me somewhat.

Why is it important?

When I first went it “alone” I carried out research and found that a healthy percentage of people who had purchased insurance were not sure that it was right for them. This meant there were people who would find our service useful. This gave us immense confidence as we ploughed our furrow and provided a service that isn’t available to all. It still isn’t available to all, because we could not possibly service the entire commercial insurance-buying public, not by ourselves. But watch this space. We have no immediate plans to dominate the UK, yet what I have discovered over the last few years has shown us that the vast majority of people who buy insurance are not treated fairly. There is work for us to do in changing that. It is a challenge, but one I am ready for.

Wrap Up: Not all insurance policies are the same. Not all insurance companies are the same. Not all businesses are the same. So ensure you get what you need, before you need it.

Top Tip: If you ever do have a problem with insurance, ask your supplier how they are treating you fairly whilst dealing with the problem.

Categories: Accountants Insurance, After The Event, All Risks Insurance, Building Contractor, Business Insurance, Company Insurance, Contractors Insurance, Customer Service, Design Insurance, Domain name protection, General Requirements, Health & Safety, Intellectual Property Insurance, Legal expenses insurance, Liability Insurance, Litigation expenses insurance, Patent Insurance, Personal Insurance, Solicitors indemnity, Solicitors insurance, Trade, Trade Secret Protection, Trademark Insurance, Uncategorized

Flatterers deceive UK start-ups

Posted by 19 April, 2014

A spectacularly large US company flattered a UK start-up with a huge contract, which was eventually signed and secured. This would give them the capital they needed to multiply their success. The contract wasn’t exclusive, and the start-up’s web application was valuable to many similar companies. A fantastic “result”, and only two types of insurance were required by the US company.


Contractual responsibility

The contract issued by the American client had 2 pages making direct reference to the type of due diligence, risk management and business insurance required of the start-up. The rest of the contract revealed 26 further liabilities and requirements that were, or would become, necessary.

Not all were manageable for a small company with limited cash flow. The really fine points of the contract referenced this exact point and made it clear they would take full and furious legal action if something went wrong. Ouch; a soft landing was required, so we received an introduction.

Part of the liability related to the website, which was provided as a service and had to be operational 99.9% of the time. The US company’s staff would be trained to use it and then supported 24/7. It had to work, and the contract made it clear that they would want compensation for any downtime over 0.01% in any one year. Note that those two figures do not line up: 99.9% availability allows 0.1% downtime, roughly 8.8 hours a year, whereas 0.01% is under an hour, so it pays to check exactly which threshold the compensation clause is measured against. Keep in mind that one way to compensate is to waive fees that are due.

Penetration testing must be the answer

It helps identify weaknesses today, yet a penetration test is a snapshot: it says nothing about the techniques attackers develop tomorrow, or about changes made to the system after the test. Suppliers’ IT security methods aren’t always reliable, and data theft was the main concern of the US client. They made the UK start-up contractually liable for the costs of notifying the relevant authorities and those whose personal data was compromised.

This is a really tough figure to try to quantify, because few own up when they have a data breach, so the statistics cannot be compiled. Contrast that with fires, where it is easier to quantify losses.

That won’t change just because it becomes a must-do (new regulations are due to land in the EU in 2015). So if some Herbert got at the data, the US company would have to spend to meet US regulations, and the UK start-up could be ruined by the losses. Identity theft costs vary from person to person, so it really is a difficult number to calculate.

Legal liabilities change across borders or state lines

The chances of a breach are minuscule, the costs ridiculous, the damage to brand immeasurable. Get a lawyer to get legal on your contracts and they’ll close the gaps. Some clauses don’t hold water in the UK, yet US companies issue proceedings where they want. The contract formed a vicious circle when the statement of work and the supplier’s agreement were reviewed together. No stone had been left unturned, and the US company had a fair-minded legal team. That is not always the case.

However, there was a liability of millions, and the supplier of the application’s infrastructure was only going to cough up £182k if they failed to maintain their supply. Worse still, the infrastructure wasn’t easy to transfer to a new supplier, and a 30-day window tied the start-up down. No fix in 30 days and the US contract terminated automatically. And further contracts would not have been issued by them or anyone else.

We deal with cyber risk on a weekly basis. It rarely touches the smaller business directly, yet their suppliers are at risk. Cloud sounds great, yet the contractual position is rarely as solid as running your own database under your own security: as the infrastructure supplier’s £182k cap shows, the liability you take on from your customer can be far larger than the liability you can pass on to your supplier. The solutions are a contractual nightmare.

Wrap up: It is not unheard of for a large company to issue a contract to a start-up, allege an error and drown them in legal proceedings. This is because they can then strike a deal which leaves the start-up’s directors free of debt if they give up their intellectual property. Only in America? No! UK companies do this too. Does directors’ protection work in these cases? No! See why here: https://cobinecarmelson.com/wp-content/uploads/2011/11/What-are-Directors-real-risks.-CCLv5-URL.pdf

Top tip: One digital games company signed an NDA and found the other signatory copied their ideas and started selling their titles. It cost £300,000 to force them to stop and compensate the original designer. There is no point getting someone to sign an NDA unless you have the means to enforce it!

Categories: Accountants Insurance, All Risks Insurance, Business Insurance, Company Insurance, Design Insurance, Domain name protection, General Requirements, Intellectual Property Insurance, Legal expenses insurance, Liability Insurance, Litigation expenses insurance, Patent Insurance, Solicitors indemnity, Solicitors insurance, Trade, Trade Secret Protection, Trademark Insurance