
The EU Network and Information Security Directive: U.S. Companies Take Note


Preventing or minimizing business risks should result in maximizing profits, but unexpected losses due to cyber security incidents can be costly to both businesses and affected consumers. The European Commission has finally addressed this rising issue with a new draft Directive, the Network and Information Security Directive (“NIS Directive”). The intent behind the Directive is to create a higher level of network and information security across the EU by requiring Member States to ensure that essential services suppliers and digital network providers adopt higher standards to manage and report cyber security incidents.

The NIS Directive requires Member States to establish a national network and information security strategy, implement regulations to ensure a high level of network security, and create a national competent authority to monitor and enforce the regulations adopted. Member States are also mandated to engage in cooperative measures and information sharing with one another.

Operators of essential services, including energy, transport, finance, health, drinking water and digital infrastructure, will be obliged to take measures to prevent and minimize the impact of cyber security attacks on their network and information systems. This will also apply to many third party digital service providers used by identified essential service operators in the provision of their services. The affected service providers must have a sufficient incident management process to report, monitor, audit and conduct ongoing testing, and to ensure continuity of the services provided. Sanctions must be put in place to promote compliance, although it is not yet known what those sanctions might be.

So, why should U.S. companies take any notice of the NIS Directive? With the recent erosion of the EU-U.S. Safe Harbor and the lack of a clear-cut solution, U.S. companies doing business in the EU, whether ecommerce or more traditional, would be wise to take steps to ensure compliance with the minimum thresholds set by the Member States enacting regulations to comply with the NIS Directive. Any EU legislation setting minimum thresholds for data privacy or security will likely replace the requirements for self-certification under the EU-U.S. Safe Harbor.

If you would like further information, have any questions or concerns please contact us.


Data Privacy and Security: The Demise of the EU-U.S. Safe Harbor

The lack of a cohesive body of data privacy and security laws in the U.S. created problems with transfers of personal information of EU citizens held by U.S. companies. Thus the EU-U.S. Safe Harbor was created; it is administered by the U.S. Department of Commerce. Under the Safe Harbor, U.S. companies could self-certify their compliance with minimum standards of data privacy and security, such that the EU deemed those companies' efforts adequate to meet EU data privacy and security principles (set out in both Directives and regulations). Late in 2015, the European Court of Justice issued a judgment declaring the Safe Harbor agreement invalid. This decision is cause for concern, as U.S. companies may discover that they are no longer in compliance with EU data privacy and security principles even though they have self-certified under the Safe Harbor. Nevertheless, the Department of Commerce continues to allow U.S. companies to register and self-certify in the Safe Harbor program while a new solution is sought to address tighter controls and meet more stringent data privacy and security principles.

In the meantime, companies of all sizes should be reviewing their current practices and the practices of any third party service providers they use, including cloud services. Be ready to take action. Approximately one third of all transfers of personal information are between the U.S. and the EU. The EU General Data Protection Regulation (GDPR), set to become law in 2018, puts in place more rigorous rules for consent to collect personal data, requests for removal of personal information from servers, and stepped-up enforcement of complaints. The object of the GDPR is to ensure strict levels of security without impeding market growth for businesses. Failure to comply with the new Regulation may result in fines of up to 4% of a company’s global revenue.

Although the GDPR isn’t scheduled to take effect for some time, moving to best practices and implementing changes that will ensure future compliance is necessary now. Don’t wait until the Regulation becomes effective; the invalidation of the Safe Harbor can, and likely will, trigger lawsuits against U.S. companies regardless of whether they have self-certified under the Safe Harbor.

Don’t be left behind and leave your company exposed.



Post-Data Breach Notifications and Disclosures.

You are a business that holds the personal information of employees and customers, and the worst has happened: there has been a data breach.

Depending on where your business, employees and customers are located, there are different requirements on how to handle such a breach.

For those jurisdictions that have laws governing this area, there will be notice and disclosure requirements.

But what happens if the breach goes unnoticed? How can your business be sure that it is aware of all data breaches? Many data breaches aren’t discovered for months. Are all data breaches created equal? What sort of breach must be reported? We hope this posting will clear up some of the questions your business may have regarding data breaches and the required actions, if not put your business on the right track to data security.

There are ways in which companies can monitor whether breaches have happened, or whether any strange behaviours are occurring that would suggest they have been hacked. Still, sixty-two percent of breaches take months to be discovered.

Almost every state requires that, in at least some cases, data breaches, once discovered, be subjected to a risk-of-harm analysis and that the affected parties and the Attorney General be notified. Some industries also require that notifications be made. Some suggest that every data breach should be paired with a notification and some press about what the company is going to do in the future to prevent such events from happening again.

It is important to know the standards not only for the jurisdiction in which your business is located, but for the jurisdictions of every person whose data you hold, as the residency of the person whose data is held is the standard applied by most state laws, in addition to the industry standards.

If you have more questions about data breaches and the notification and disclosure requirements specific to your business or jurisdiction, please don’t hesitate to contact us for more personalised information. Even questions about how to get started are welcome.

We also can suggest purchasing a copy of our e-book, Data Privacy: A Practical Guide, available at:



New Australian Privacy Laws for Businesses: The Highlights.

Privacy has been a hot topic as of late all over the world. Legislation is often years behind changes in technology, and in the case of privacy this is definitely the case. Two weeks ago, Australia’s new amendments to its privacy law came into effect, updating the law to address the impacts of today’s technological advancements. The original Privacy Act (1988) is being reformed and updated to protect Australians in the digital revolution. Not only will Australian businesses be making changes to be compliant, but certain international organisations and businesses will also have to do the same or face steep fines. The first thing either type of organisation will have to consider is how it collects, uses, discloses, and handles personal information. Without this information, determining whether or not the organisation is compliant with the amendment is impossible.

Australian Organisations. A key change in the Act is the addition of the Australian Privacy Principles (APPs), replacing the National Privacy Principles and the Information Privacy Principles. The thirteen APPs apply to organisations and agencies doing business in Australia with over AU$3 million in revenue. These entities will certainly have big changes to implement if preparations had not been made before the effective date of the amendment. The biggest changes concern how to deal with unsolicited personal information, using previously obtained information for direct marketing purposes, obligations in regard to international data sharing, and increased protection and security for held data.

International Organisations. As mentioned previously, this amendment applies not only to Australian businesses but to agencies and organisations doing business in Australia with over AU$3 million in revenue, so many international businesses and organisations will be impacted. One very important change relates to personal information collected in Australia leaving the country. Now, if such information leaves Australia, the disclosing entity must take reasonable steps under the circumstances to ensure that the receiving entity applies the thirteen APPs. There are some exceptions to this rule, and an international organisation that is compliant with privacy laws in the EU and the US, for instance, should not assume that it would be compliant in Australia. The amendments are similar to those of other countries but tend to be stronger in practice.

If your business is located in Australia, is an international business impacted by this amendment, or you just aren’t quite sure, please don’t hesitate to contact us for help in tackling this change for your organisation. We can help determine whether this amendment impacts you, how to avoid its impact, or how to avoid fines and be compliant if you are impacted, including but not limited to drafting new privacy policies, amending complaint procedures and being more transparent.



Why Incorporate in the British Virgin Islands.

When founding a registered business, be it a partnership or a corporation, the beginning stages are exciting and often less focused on the business aspects and more on the sales, advertising or innovation sides of the table. This can in the long run be detrimental to the business’ future needs, such as confidentiality and expansion. Many such start-ups will simply form their entity in the location they operate in from the get-go; however, start-ups with good advisors may choose offshore financial centres as the perfect place to grow their business. The most popular offshore financial centre, with good reason, is the British Virgin Islands (hereinafter “BVI”). The BVI has over 800,000 incorporated businesses and one of the most modern and progressive company laws in the world, the BVI Business Companies Act of 2004.

Choosing the BVI. As with many offshore financial centres, the BVI offers those who incorporate within its borders many benefits. A start-up would find the speed and cost of incorporation favourable compared to other options, a wealth of legal, business and accounting experts to be had, a tax neutral environment, and no requirement that any of the directors reside in the BVI. Moreover, there is a huge degree of freedom in decision-making, whether the directors or the shareholders make the decisions. Many of the provisions in the BVI Business Companies Act can be disapplied in the Articles or Memorandum, creating the opportunity for more control. There are, of course, many more advantages to being incorporated in the BVI, but these are just a few.

Recordkeeping Requirements. A few recent changes in legislation have altered the way BVI businesses need to keep records and supporting documentation. Under the BVI Business Companies Act of 2004, a BVI business must keep records that show and explain its transactions and enable the financial position of the company to be determined with reasonable accuracy at any time. This extends not only to corporations but also to limited partnerships. The required retention period for these records is five years. Whilst there is no requirement that the records be kept in the BVI, the registered agent must be apprised of their location and notified within two weeks of any change to that location.

If you are considering founding your business in an offshore financial centre such as the BVI, or are already incorporated in the BVI and need to review your recordkeeping policies, please contact us and we’ll be glad to advise you further.


England and Wales Reform the Defamation Laws.

As more and more opinions are shared online all over the world, the risk of being brought to answer for a defamatory statement increases. Not only does this risk apply to the author of the statement, but website operators can also be brought to answer for the defamatory statements of others published on their site. In England and Wales (hereinafter “the UK”), recent reform of the libel and slander standards in the form of the Defamation Act 2013 has changed things up a bit, generally making it more difficult for a defamation suit to be brought. It is important to note, however, that Northern Ireland has not adopted this Act, so the old rules still apply there, and Scotland has its own law with no talks of reform as of now. The Defamation Act 2013 came into effect in England and Wales on 1 January 2014.

The reasons for the reforms were to make it more difficult to bring a defamation suit by changing some of the defences, heightening the standard of injury that the complainant must prove to succeed, and relaxing to whom the defences apply. The court system in England and Wales has been clogged up for years by trivial complaints and libel tourism, in which many international complainants would bring suit in the UK rather than a more appropriate venue to take advantage of archaic common law standards that placed the burden of proving the offending statement true on the statement’s author. With the reform, the complainant must prove the statement is defamatory in nature; in other words, they must prove that the statement is false. Moreover, when it comes to the question of injury, the statement must have seriously injured, or be likely to seriously injure, the complainant.

Website Operators. When a defamatory statement is published online, website operators must be cautious, as they can be held liable for defamation as much as the author of the statement. Under the reformed laws, a website operator must notify the author immediately of complaints regarding their statement. The author will then have five days in which to state whether they consent to the removal of their content. Beyond the five-day period, the website operator will have two days to remove the content if no response has been given by the author. If there is a response, the author may or may not have to furnish their contact details to the operator to hand over to the complainant.

If you operate a website that publishes your own content or the content of others, then please contact us to be certain that you understand all of the applicable international defamation laws and how they apply. Moreover, we can recommend safety features that can protect you from libellous statements published on your site.


The Trouble with Side Letters for Fund Managers

In the process of negotiating capital and private equity funds, the use of side letters is becoming more and more routine. A side letter is an ancillary document to a contract. Many prospective limited partners will ask for a side letter with which to memorialise their particular provisions to the agreement. Whilst the use of side letters can be important in setting up funds, if it is done carelessly or without proper procedure, the side letters will fail. Just last year, the UK Court of Appeal, hearing the case of Georgi Velichkov Bardudev v EuroCom Cable Management Bulgaria Food & Ors, found a side letter unenforceable despite the letter having been drafted by lawyers, referencing the Contracts (Rights of Third Parties) Act 1999, and showing a clear intention by the parties that it be contractually enforceable. But the complications that side letters can bring do not stop with litigation, regulation and enforceability.

Whilst many funds would not have made it through the fundraising process without side letters to the partnership agreement, ensuring that the provisions contained within each limited partner’s side letter do not conflict with the others is an administrative battle that will last the duration of the fund. Moreover, if one or more of the limited partners has been extended most favoured nation (hereinafter “MFN”) protection, the administrative complication is even greater with regard to election rights, the appropriateness of any elections made, and recording the provisions elected by those partners.

If a fund manager decides that the use of side letters is the best way to meet the needs of limited partners and achieve the goals of fundraising, there are a few guidelines to follow to help ensure that the side letters are enforceable in law and enforced. To begin with, set out a road map to follow through the process, and ensure that any MFN rights are noted along with their scope. Work with legal counsel and take advantage of their expert consultation. Avoid creating side letters that aren’t required to accomplish the goals. Use specific language and details when drafting the side letters. As always, if you would like more information or require assistance with side letter formation or the fundraising process, do not hesitate to contact us.


You don’t need to be Target to get sued over data privacy violations

Following the latest major security breach, this time aimed at Target Corp., in which data connected to approximately 40 million credit and debit card users was stolen, over a dozen lawsuits have been filed, including 3 class action lawsuits. The claims range from negligence in failing to protect customer data, to invasion of privacy, to failure to notify of the breach. A number of states also have breach notification laws requiring that the attorney general be notified. This could also mean that governmental action will be taken, possibly resulting in fines and penalties.

Civil lawsuits are becoming a more prevalent means of enforcing data privacy policies and data protection laws. Thus far, the biggest hurdle for plaintiffs to overcome is proving damages. Courts have dismissed a number of these suits simply because the plaintiffs could not establish that the data breach caused them injury. Plaintiffs, schooled by previous cases, are becoming more clever and more careful in establishing damages.

One of the early cases, Burrows v. Purchasing Power, LLC, 12-cv-22800-UU (S.D. Fla. Oct. 18, 2012), involved claims for identity theft, negligence, invasion of privacy, and a violation of Florida’s Deceptive and Unfair Trade Practices Act. The Plaintiffs, employees of Winn-Dixie, alleged that Winn-Dixie failed to protect and secure their personal information from theft. An employee of a Winn-Dixie service provider, Purchasing Power, had obtained the Plaintiffs’ personal information and misused it. The case was eventually settled, and the defendants were required to maintain rigorous security safeguards going forward. In order to receive settlement proceeds, the plaintiffs had to prove they were victims of fraud and show the circumstances of any loss.

In another case, there was no data breach; rather, the plaintiffs alleged that their personal information was collected and sold to media outlets without their consent. The claims included violations of the Electronic Communications, the Computer Fraud and Abuse Act and the Stored Communications Act. The Seventh Circuit upheld certification of the class action, giving little weight to the defendant’s argument that the plaintiffs would each have to establish damages.

A Massachusetts law, the Song-Beverly Credit Card Act, prohibited retailers from collecting ZIP code information, thus preventing retailers from using ZIP codes to find other personal information. The Massachusetts Supreme Judicial Court broadened the term “personal information” to include ZIP codes and allowed the plaintiffs to proceed without having to establish that their data was compromised.

The number of cases involving claims of breach of data privacy or unauthorized use of information will undoubtedly continue to grow. Businesses must remain vigilant to ensure compliance with data protection laws wherever their customers are located. Take precautions to avoid inadvertent breaches and update data privacy policies at least bi-annually.

Contact us if you need assistance maintaining an up-to-date data privacy policy.


Google Tax? The Birth of an Indirect Tax on Internet Advertising Companies

The Italian Parliament just passed a new law requiring Italian companies to purchase web-based advertising solely from companies with a registered Italian VAT number. This is clearly aimed at large web-advertising companies such as Google or Apple that sell web advertising from subsidiaries based in other countries. Google, for example, sells EU advertising from its subsidiary in Ireland, minimizing the income subject to Italian income tax. Corporate income tax in Ireland is 12.5% on trading profits, whereas Italy’s corporate income tax is a much higher 31.4%.

Generally speaking, VAT is charged in the buyer’s location or the place where tangible goods are delivered; however, VAT on electronic goods and services is charged in the seller’s location. This new law requires Italian companies to purchase web advertising from local companies, thereby capturing VAT on the transaction. To register for an Italian VAT number, a company would have to maintain a local presence, thus increasing the income taxable in Italy. If enforceable, this would be a win-win for Italy, increasing its revenues twofold.

The new law, however, is highly criticized. As drafted, it is contrary to EU fundamental freedoms and laws such as the EU Distance Selling Directive, and to the principles of non-discrimination found in the double tax treaties to which Italy is a party. Thus, its enforcement as currently adopted is doubtful. But its introduction will be carefully watched, since many other EU Member States are struggling to find new methods of capturing income within their borders in order to increase their tax base. The Organisation for Economic Co-operation and Development is scheduled to study the issue in 2014.

Need assistance? Find our contact details on the Contact page.



Cayman Islands Signs FATCA Agreement with US

The Cayman Islands Financial Services Minister, Wayne Panton, signed an agreement with the United States which will allow Cayman Islands financial institutions to provide full disclosure of US assets held in the Cayman Islands by US persons and US entities. The agreement, based on a Model 1 intergovernmental agreement, allows for the exchange of information between the governments, ensuring transparency and exchange of information for tax purposes.

The Agreement, signed on Friday, November 29, 2013, puts the Cayman Islands on track with the U.S. Foreign Account Tax Compliance Act (FATCA), which became law in the U.S. in 2010 and will be fully effective in 2014. While a mutual legal assistance treaty had been in place since 2001, local law made full disclosure by local financial institutions difficult.

Aimed at non-compliance by U.S. taxpayers with foreign accounts, FATCA requires foreign financial institutions to report on financial accounts held by U.S. taxpayers, or by foreign entities in which U.S. taxpayers hold a substantial ownership interest. FATCA imposes a 30% withholding tax on certain payments, such as interest or dividends paid by a U.S. corporation or the proceeds from the sale of shares, made to foreign financial institutions that refuse to identify U.S. account holders.

FULL TEXT: US – Cayman Islands Agreement to Improve International Tax Compliance and to Implement FATCA [pdf]