Cyber security is a complex, rapidly-changing and multi-national challenge. Clifford Chance is working with some of the world's leading corporates to help them to better protect their business activities, mitigate cyber security risk and respond quickly in the event of a breach.
Learn how you, as a lawyer, can help businesses to navigate this challenge.
• Task 1 - Practical guidance on an ICO Dawn Raid.
Developing practical guidance for a client on how to respond in the event of an ICO Dawn Raid
• Task 2 - Assess the legal situation after a data leak and take the necessary steps.
Communicating on a personal data breach
• Task 3 - Respond to a data-related damages claim.
Advising on litigation strategy
Developing practical guidance for a client on how to respond in the event of an ICO Dawn Raid
Here is the background information for Task 1
Please note that this task will require you to record an audio clip, so be aware that your device may "request access to your microphone" for the purposes of completing the task.
Our Client is an international online travel company called "World Catch Travel", which arranges holiday packages for customers around the world (the "Company"). The Company is growing rapidly and currently has over 1 million customers. As part of its business operations for organising holidays, the Company needs to collect and store customers' personal data, such as name, address, passport details and credit card details, meaning that it is extremely data rich. The managing partner of the Company has heard of other travel and holiday companies, such as British Airways and Marriott, receiving huge fines from regulators for not complying with data protection legislation.
Further, she heard on the news about a company receiving an ICO (Information Commissioner's Office) Dawn Raid and fears she, or the Company, would not know how to respond if they became subject to one.
Here is the task
The Client is very concerned about the prospect of receiving an ICO Dawn Raid inspection, and would like you to call her to give her an overview of the key considerations and practical guidance as soon as possible. She usually has back-to-back meetings during the day, so has asked that you leave a message on her voicemail to listen to between meetings.
For this task, please prepare a voice message to be left on the client's answering machine with key information about an ICO Dawn Raid.
We recommend taking approximately 1 hour to research the topic, and up to 30 minutes to prepare and record the voice recording. The voice recording should be between 4 and 6 minutes long and include at least the following information:
(1) Introduction
• Explain who you are and why you are calling
• A brief overview of what an ICO Dawn Raid is
• What the ICO's powers are in an ICO Dawn Raid
(2) Important things to know
• What information can be withheld from the ICO (this is a key consideration for companies: they are entitled to withhold certain types of information, but if they refuse to hand over documents that the ICO is entitled to, their likelihood of a penalty increases).
• How the company should react when they are notified e.g., engaging local counsel, who they should inform, whether they should allow interviews, what devices they should be allowed access to.
• This may be scenario specific advice or general common sense guidance relating to cooperation with investigatory bodies.
(3) Any other information
• Additional points that you think would be useful for the Client and the Company to know, so that they feel more prepared and/or less worried about the possibility of being subject to a Dawn Raid.
(4) Close the call
It may be useful to also prepare a written script first before recording. You can use the template included in the resources section below (we would suggest you keep your script to below 500 words).
Communicating on a personal data breach
Here is the background information for Task 2
Our client, Great New Games, owns and operates a web shop where customers can purchase video games digitally. The web shop contains a database holding customer information, including names, address information and credit card information for more than 2.5 million customers. The client's customers consented to the processing and storage of the aforementioned data under the EU General Data Protection Regulation (GDPR).
During a scheduled software update the client discovered that the data of about 4,000 customers had been publicly available for a period of up to six days. The database was unencrypted and accessible to potentially anyone until the latest database update today, at which point the data leak was closed. We have no information on whether there was any unauthorised access to the database while it was unencrypted.
The client is concerned about possible reputational damage should the data leak become publicly known. However, if a third party had gained access to customer information, e.g. credit card information, they could have abused this information to the customers' disadvantage. Mr. Arthur Dent is Great New Games' data protection officer and has asked for advice regarding this data leak.
Here is the task
For this task, please draft an email to the client.
• Assess the legal situation under the GDPR.
• Inform the client about possible notification obligations: Who has to be notified? Outline the conditions for a notification obligation and the required content of such a notification.
• Where applicable, inform the client about further obligations or risks arising from violation of notification obligations.
Your email needs to be thorough, outlining the law around notification obligations under the GDPR. We suggest you write approx. 3,000 words and then edit the email down to approx. 1,000 words. This task may take you between 2 and 3 hours to complete.
Advising on litigation strategy
Here is the background information for Task 3
Our client, Shikari Inc., operates a data centre. The data centre is a top-tier facility located in the EU, with the highest certifications of business continuity ("Rating 4", ensuring 99.995% uptime per year). The data centre consists of a warehouse offering colocation (a.k.a. housing) services, which means that Shikari's clients use Shikari's servers and connectivity services (e.g. cloud) to store and access large volumes of data.
Pursuant to a colocation agreement made with Ludens Inc., Shikari undertook to store Ludens' data (the "Data"). Ludens is a provider of diagnostic services, which means Ludens has proprietary technology and hardware that it licenses to hospitals to provide diagnostic services to individuals. Ludens also reuses patients' data, in anonymised format, by reselling that data to its clients, as discussed below.
Ludens' Data includes:
• "Commercial Know-How": information on Ludens' clients, e.g. client lists, documents outlining Ludens' marketing strategy, sales, turnover and financial data;
• "Technical Know-How": documents listing the patents protecting Ludens' diagnostic tools and describing the technology on which Ludens relies (projects and drawings, manufacturing and maintenance manuals, user manuals); and
• "Health Data": data relating to certain patients who were diagnosed using Ludens' diagnostic tools. Ludens processes health data by anonymising and aggregating individual patient data and then selling the datasets of anonymous data to hospitals and researchers.
Shikari's data centre was recently the target of a cyber incident, and as a result certain of Ludens' Data was hacked.
Following the incident, Ludens sent Shikari a warning letter, whereby Ludens sought damages for Shikari's alleged breach of its obligation to store Data. Ludens' claim relies on the following main arguments:
• Ludens' Commercial Know-How and Technical Know-How was material confidential information which gives Ludens an advantage over its competitors (the "Breach of Confidence Claim"). (Commercial Know-How: an intangible asset including any information, data and documents outlining how a business works, e.g. sales strategy, client lists, etc.; this can be included in drawings, manuals, files, etc. Technical Know-How: an intangible asset including any information, data and documents outlining how a business works technically, e.g. technology, manufacturing processes, etc.; this can be included in drawings, manuals, files, etc.)
• There was a breach of the health data pertaining to patients who had been diagnosed and treated with Ludens' tools. Therefore Shikari is liable under the GDPR (Art. 5) for having failed to put in place the necessary security measures aimed at preventing unauthorised data processing (the "Data Protection Claim").
Here is the task
Please prepare a note of preliminary advice where you go through the various defensive arguments Shikari may use to resist Ludens' Claims. You may structure the note as follows:
Foreword:
Please briefly recap what the note is about and provide a very high-level summary of the main facts.
• 1 - the occurrence of a data breach
• 2 - the theft from the servers hosting Ludens' data
• 3 - the kind of data that Shikari stored on behalf of Ludens
• 4 - Ludens' claims
Executive summary:
Please present an executive summary at the beginning of the note summarising your arguments/findings.
Tip: draft the 'Executive Summary' once you have completed the full 'Defensive strategy' section below.
Defensive strategy:
For each claim, please:
• Summarise the grounds on which the claim relies;
• Outline potential arguments rebutting the claim; and
• Identify next steps, i.e. what actions Shikari and/or your firm need to take to prepare for litigation. Consider whether you have all the necessary information and request any additional documents required to establish the facts and legal obligations.
Your note should be between 1,000 and 2,000 words in length.