The UK is one of the world’s most advanced digital economies and this is both a strength and a weakness, according to a report on BBC News on 13 February 2017.
Are you reading this newsletter comfortably? But who else is reading it? More particularly, can they access your confidential commercial information and personal data?
Principals and suppliers exchange confidential information and data with their agents and distributors on a daily basis. Often this is facilitated by the provision of laptops, tablets and mobiles by principals to their agents or by the creation of an intranet by a supplier with its distributors. Often too, agency and distributorship agreements make reference to the obligation on the agent or distributor to use confidential information only in the performance of their contractual duties and not to disclose it to third parties. But that is where the contractual provisions usually end.
So what should principals and suppliers be thinking about when it comes to confidential information and data?
Does the principal provide the agent with a laptop, tablet or mobile? If so, does the agency agreement require the agent to keep the device secure at all times? What if the device is lost: will the agent be required to reimburse the cost?
Can the agent access the principal’s computer system? If so, there should be an obligation on the agent to keep usernames and passwords secret and to keep its own data security up to date.
Where the agent is handling confidential information or personal data of the principal, there should be specific obligations to keep this data secure, as required by the Data Protection Act.
Sometimes devices are used to receive or send improper material. The agency agreement should prohibit such activity.
Where notice of termination of an agency agreement is given, the agreement can be expected to require the return of the device. But where the device is owned by the agent, the agreement should require the agent to pass the device to the principal in order that it can be wiped of confidential commercial information and personal data.
Whilst agency law does impose obligations of confidentiality and a duty of good faith on an agent, without specific contractual provisions a principal can be left exposed to the misuse of confidential information and data by an agent.
The disclosure and use of confidential information and issues concerning cybersecurity are much more open in the case of distributors.
The starting point is that a distributor will be required by common law to keep confidential that information which is confidential. But in order for the supplier to be protected, the distributorship agreement should include specific provisions addressing issues concerning the disclosure and use of confidential information.
In respect of cybersecurity, whilst many suppliers will rely on their own data security, there is good reason to require distributors to install and maintain data security and, where appropriate, to take steps to avoid hacking by third parties.
To minimise the damage from a data security breach should one occur, it will be essential for all parties to develop and implement an “incident response plan” to highlight each party’s responsibilities in respect of data security.
The law makes clear that an agent is prohibited from using the principal’s confidential information for the agent’s benefit without the informed consent of the principal. If the agent breaches the prohibition the agent is liable to account to the principal for the benefit obtained.
In contrast, there is no such prohibition on distributors, with the possible exception of distributors being subject to an implied duty of good faith.
But whether in respect of agents or distributors, it is often when things go wrong on termination of the agency or distributorship agreement that issues concerning confidential commercial information and data security arise. But invariably, prevention is better than cure.