Latest news and updates on issues affecting business. August 2017

In this issue
• One year countdown until GDPR: is your organisation compliant?
• As risk gets more complex, directors and officers are held more accountable
• Recent HSE news and prosecutions
• No BI - Why?
• Recent cyber security news and prosecutions

One year countdown until GDPR: Is your organisation compliant?
In less than a year, the EU General Data Protection Regulation (GDPR) will start to apply. The regulation is intended to create uniform data protection rules across EU member states. Despite Brexit, UK organisations that want to do business in the EU must also comply with the GDPR, and the government has confirmed that the United Kingdom's decision to leave the EU will not affect its commencement. As the GDPR applies from 25th May 2018, your organisation must begin taking the necessary steps now, if it has not already done so. By that date, your organisation should have completed the 12 steps outlined by the Information Commissioner's Office (ICO), which can be found here. If your organisation relies on a constant stream of prospect data for its sales pipeline, now is the time to audit that data (where it came from, what consent or other lawful basis you hold for it, and how it is secured) so that you can keep prospecting and selling after the GDPR commences. If your organisation fails to comply with the new regulation, or does not protect your customers' personal data with appropriate technical and organisational measures, you could receive sizeable fines and penalties. The GDPR has a simple, two-tiered fine structure:

1. An organisation may be fined up to €10m (roughly £8m) or 2% of its worldwide annual turnover, whichever is higher, for failing to keep proper records of its processing, for failing to notify the supervisory authority and affected data subjects of a breach, and for failing to conduct data protection impact assessments.
2. An organisation may be fined up to €20m (roughly £16m) or 4% of its worldwide annual turnover, whichever is higher, for violating the basic principles of processing, including data security, or for violating the conditions for consent.

As risk gets more complex, directors and officers are held more accountable
Since the financial crisis in 2008, claims against directors and officers have grown more frequent, complex and expensive. One reason for this rise is government legislation that has increased business transparency and placed responsibility squarely on directors and officers. In fact, after new guidelines from the Sentencing Council came into force in February 2016, the number of health and safety prosecutions against directors and officers tripled. What's more, the 20 highest fines in 2016 totalled £38.5m, slightly more than the combined fines from all 660 successful prosecutions in 2015-16. In addition to stricter legislation, the emergence of new risks, such as cyber breaches, has raised the stakes of boardroom decisions, and with good cause: UK businesses each faced around 230k cyber attack attempts in 2016.

As a result, 73% of directors and officers regularly discuss their organisations' cyber security policies, according to a recent industry survey. Unfortunately, despite the increased awareness of potential cyber dangers, only 57% of UK organisations have taken action to identify and prevent cyber security risks. Because directors and officers are responsible for prioritising cyber defence, failing to take the necessary action on cyber threats could leave you and your fellow senior directors liable for fines and prosecution. To help ensure that your organisation's directors and officers are complying with government legislation and protecting against cyber threats, consider adopting the following best practices:

• Keep clear and concise records of your organisation's practices as well as any boardroom decisions.
• Conduct a thorough risk assessment along with a health and safety review of your premises and policies.
• Monitor emerging risk areas at the senior level so that you can respond to them quickly.
• Keep your network security up to date, and keep a tested backup of your vital files stored separately from the systems it protects.

Recent HSE news and prosecutions

Warburtons fined £1.9m after injury to agency worker
After a worker got his arm trapped in a conveyor belt, Warburtons Ltd was fined £1.9 million and ordered to pay full costs of £21,459.71. The worker was cleaning parts of the bread line while it was running when his arm was caught. In its investigation, the HSE found that the company had failed to install protective guarding on the machine, which would have prevented the incident.

Company fined after failing to comply with enforcement action
Devon residents were put at risk by the unsafe working practices of Hatchmere Park Ltd, which was fined £90k and ordered to pay costs of £25k. The buildings under construction lacked any safety guards, leaving both workers and residents exposed to potential falling debris. In its investigation, the HSE noted that the company had failed to comply with safety standards requiring it to install fencing around the perimeter of the buildings and signs alerting passers-by to the construction.

Company and contractor fined after member of public hit by fencing wire
After a Redditch woman was struck by fencing wire that had become entangled in a mechanical flail, RM Contractors Limited was fined £180k and ordered to pay costs of £22k, and a Complete Tree Services contractor was given a 120-hour community order and ordered to pay costs of £3.5k. In its investigation, the HSE found that both the company and the contractor had failed to properly assess the potential risks and implement safety precautions.

No BI - Why?
After a disaster such as a major fire, and throughout the reconstruction period, a company may have little or no money coming in. Turnover is dramatically reduced but fixed costs continue, including wages, National Insurance, pension scheme contributions, rent, bank charges and advertising. There are often increased costs as well, such as temporary accommodation, overtime and buying in finished goods. A business interruption (BI) policy pays for fixed costs and trading profit, plus any increased costs of working, during this time. The alternative is funding these costs yourself, or closing the business. Companies that suffer a major loss often become bankrupt because their insured indemnity period was too short or they had no disaster recovery plan. So what do you need to think about to make sure you have the correct BI cover?

Indemnity period. This is the time taken to regain pre-damage turnover levels, and it is limited to the maximum indemnity period chosen. The following time factors need to be considered when setting the insured indemnity period:

• Premises rebuilding time, which needs to include demolition and debris removal, tendering and planning approval, weather disruption and, for tenants, dependence on a landlord's insurance or redesign preferences.
• Temporary accommodation: if it is not readily available, the time needed to find it may be viewed over-optimistically, particularly where lease issues arise.
• Replacement machinery: if it is not possible to order or borrow replacements immediately, long lead times must be factored in, especially where specialist and/or imported machinery is required for your business.
• Customer loyalty: friends and competitors may be willing to help you fulfil orders and satisfy customers, but in a competitive market customer loyalty may not be as secure as anticipated.

To ensure that the recovery time frame and sums insured are correctly set, consider the profit you would lose while your business recovers.

Increased cost of working (ICW). Cover against this is especially important for organisations where disruption, however substantial, is likely to have a negligible effect on turnover. Take, for example, a trade association whose income is derived from a levy on its members. A fire destroying its offices would have little or no impact on its turnover, but could nevertheless result in huge costs for temporary premises. Nor should it be forgotten that additional ICW cover can bring substantial benefits to other businesses too. It can prove an incredibly valuable and flexible tool in the recovery process, essentially buying extra breathing space and the freedom to take action without having to justify every decision immediately in terms of cost-effectiveness.

Advance profits. Great care is needed if your loss occurs before your business has started operating in new premises. Problems can include a recruited and trained workforce expecting wages, bankers expecting loans to be serviced and customers expecting goods to be available. An advance profits extension is needed if you are contemplating extended, additional or relocated factory premises.

Ensure the policy covers all appropriate locations. When assessing the risk of losses arising at various locations, it is vitally important that all the interdependencies between sites and functions are taken into account and recognised within the policy terms. The objective is simple enough: to ensure that losses are recoverable across the whole business, not just at the specific premises suffering the damage. It is therefore vital to understand, for example, the potential impact of a head office or warehouse loss on retail outlets, or the co-dependency of manufacturing and distribution divisions at separate locations.

Machinery breakdown. This can sometimes reduce turnover, in which case specialist cover may be needed under an engineering BI policy.

Computer systems. Computer systems can be badly affected by a virus or other malware, resulting in lost turnover and increased costs that require the specialist cyber cover of a computer BI policy.

Seasonality. Annual figures may conceal seasonal trends, such as a bumper period of trade, and more than one such period might fall within the maximum indemnity period.

Winning back customers. Even once your business is reinstated, don't forget to take into account the time it may take to win back your customer base.

If you are a business in the UK, there is no reason why you should opt out of including business interruption in your insurance portfolio. Should you ever need to make a claim, a BI policy is the best way to make sure you are not out of pocket or out of business.

Recent cyber security news and prosecutions

Morrisons supermarket chain fined for ignoring customers' marketing wishes
After sending 130,671 emails to people who had previously opted out of receiving marketing related to their Morrisons More card, Morrisons was fined £10.5k. In its investigation, the ICO found that the company's actions deliberately breached the Privacy and Electronic Communications Regulations (PECR). What's more, the GDPR, a new data protection law that governs how organisations obtain consent from customers, comes into force next year, so incidents such as this will attract much more severe penalties.

Maidstone firm responsible for nuisance calls fined £50k
The ICO received 169 complaints about unwanted calls from MyHome Installations Ltd. Over a period of 18 months, the company bought customer data from third-party companies in order to make unsolicited phone calls, including to individuals on the 'no call' (Telephone Preference Service) register. As these actions violated the PECR, the company was fined £50k.

Radcliffe used-car dealer fined £40k for sending 336k spam texts
Concept Car Credit Limited sent more than 300k spam marketing text messages without ensuring that it was only contacting individuals who had consented to receive the marketing. In addition to a £40k fine, the ICO issued the company an enforcement notice ordering it to stop sending unlawful texts. If the company does not comply with the notice, it could face additional fines and penalties.

The content of this newsletter is of general interest and is not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. © 2017 Zywave, Inc. All rights reserved.

bluefingroup.co.uk Bluefin Insurance Services Limited. Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU. Registered in England No: 931954. Authorised and regulated by the Financial Conduct Authority. 2140-0717