An Introduction to SIAM

Posted on March 4th, 2015

The demand for a better user experience is driving the need for IT to play a critical role in delivering business outcomes. As a result, and to ensure end-to-end delivery across the business value chain, businesses need to look at ways to ensure that the business and IT work together. In order to do this, organisations need to work, act and think smarter. There are a number of ways to do this, including establishing a discrete Service Integration and Management (SIAM) function to integrate IT services.

SIAM is not new and there is no “one size fits all” approach. Indeed, for a number of years the UK Government has been looking at, or has tried to establish, SIAM functions. Some have been successful (e.g., FCO) and some have not (e.g., MOJ). There has been less emphasis on the use of SIAM by private organisations, but I think this will change over time as businesses realise that they don’t have (amongst other things) the internal skill set or resources to provide the IT needed to deliver business outcomes in a cost-effective way.

Over the next few months, I will be publishing a series of blogs on SIAM which will cover the following (and other) common questions:

1. What is SIAM, what is its role, and how does it differ from the traditional outsourcing model?

2. What are the advantages and disadvantages of SIAM?

3. What are the main risks and how can these risks be mitigated?

4. How can I ensure that I implement an effective and successful SIAM function?

This first blog will address the first of these four questions.

What is SIAM?

In its shortest and simplest terms, it is a way to manage multiple ICT suppliers/services and integrate them to provide a single business-facing ICT organisation.

If, as one does, you Google “service integration and management” (unfortunately, Googling “SIAM” brings up lots of information on the Society for Industrial and Applied Mathematics!), it will throw up several definitions, including:

“Service integration and management lets an organisation manage the service providers in a consistent and efficient way, making sure that performance across a portfolio of multi-sourced goods and services meets user needs”;

“an approach to managing multiple suppliers of information technology services and integrating them to provide a single business-facing IT organisation” (Wikipedia); and

“a tower based IT service delivery model that is being rolled out across Government and within some Private sector organisations”.

You’ll also be presented with lots of colourful diagrams.

Although these definitions and diagrams are helpful, it is up to the business to ensure that it has a clear definition of what SIAM means to it. In addition, the business will still need to have its own Intelligent Client Function (ICF) as there will be a number of functions that will have to be retained (e.g., enterprise architecture, security/regulatory compliance and overall governance of the SIAM).

The Role of SIAM v traditional outsourcing

Essentially, the SIAM’s role is to maximise the performance of end-to-end services to the business in the most cost-effective way – ensuring that the services and suppliers work and collaborate together, and providing a robust service desk.

Compared to the traditional “single supplier” outsourcing model, SIAM enables businesses to have the flexibility to multi-source their IT services without having to be reliant on one organisation or a prime contractor which doesn’t truly offer value for money, offers little flexibility and doesn’t enable the business to take advantage of new technologies.

As well as service management, and implementing and managing ITIL (the two elements of SIAM), the SIAM will typically also be responsible for continuous improvement, innovation, transition, managing change, and responding to the needs of the business.

If you are thinking of establishing a SIAM function and would like to discuss the legal and commercial issues in more detail (ahead of my future blogs on this topic), please contact me.



Progress update on the draft EU Cybersecurity Directive

Posted on February 27th, 2015

We have just posted a piece on our Privacy and Information Law Blog concerning the draft EU Cybersecurity Directive. It contains an update on the progress so far and on the proposed amendments that are currently being debated by the EU institutions.

Happy reading.



White Spaces to change colour

Posted on February 24th, 2015

Following its earlier consultation, reported on in this blog, Ofcom has now published its decision to allow licence-exempt access to the unused parts of the radio spectrum in the 470 – 790 MHz frequency band, which is currently used by Digital Terrestrial Television (“DTT”) and Programme Making and Special Events (“PMSE”).

It is intended that access will be controlled by designated white space databases, which will store information on the location of DTT and PMSE users to avoid harmful interference with these pre-existing users. The technology has already been trialled as part of a pilot, which demonstrated use cases including land-ferry broadband; digital signage; live video feeds (of animals in London Zoo); and flood detection. To date, no harmful interference has been reported.

Devices must be either ‘Master Devices’, which communicate with the database designating white space, or ‘Slave Devices’, which transmit under the control of a Master Device. Spectrum sharing will therefore be dynamic, in order to make the most efficient use of the spectrum available in the area.

A European harmonised standard has been prepared for white space devices (EN 301 598), and devices compliant with that standard will also comply with the UK regime.

The draft Wireless Telegraphy (White Space Devices) (Exemption) Regulations 2015 proposed by Ofcom set out a general exemption permitting the establishment, installation and use of white space devices, provided that the device transmits on frequencies designated as white space within the 470 MHz to 790 MHz frequency band; is not used airborne and does not interfere with any wireless telegraphy; and does not allow the user to alter the technical/operational settings in a way which would affect its device parameters or its operation within the operational parameters. Note that there are additional particular requirements specified for Master and Slave Devices.

The device parameters include information such as (i) whether it is a Master or Slave Device; (ii) its unique identifier; (iii) type of device; and (iv) geolocation data. The operational parameters include (i) boundaries within which transmissions are made; (ii) spectral density; (iii) limits on channel usage; and (iv) time and geographic area within which parameters are valid.

Ofcom intends that the new technology will be available before the end of this year.



UK Government to invest £120m in the tech sector

Posted on February 17th, 2015

On 16 February the Government’s Technology Strategy Board, Innovate UK, published its digital economy strategy, showing how £120 million of support for business innovation will be provided over the next 4 years.

According to the report, the global digital services market will be worth as much as the entire UK economy by 2020, and the digital economy strategy aims to keep the UK at the forefront of digital innovation.

£15 million per year is earmarked for innovative business projects and £15 million per year will be divided between the Digital Catapult centre, the Open Data Institute and Tech City UK.

The strategy has 5 key objectives:

  1. encouraging digital innovators to develop their ideas and establish businesses
  2. championing approaches focused on users of digital technology
  3. equipping innovators with the right technical and business expertise
  4. growing infrastructure, platforms and ecosystems
  5. ensuring the digital economy is sustainable



Ten steps to successful Business Process Outsourcing

Posted on February 16th, 2015

First published in Professional Outsourcing magazine

My firm closes £5-10 billion of outsourcing work every year. Spanning a vast range of transactions from central government shared services to Fortune 500 offshoring, each deal poses its own unique problems.

Tackling the issues requires a team with a unique mix of skills. I have glowing admiration for the many truly professional sales and procurement, project leads and operational experts, security folk and HR advisers I have worked with over the years. Collaborating with them has taught me a lot. And in my role as a lawyer on these deals, I have been fortunate to see every part of the process from strategy through procurement, from change to exit.

The challenge is to manage complexity and risk in a way which results in efficiency and simplicity.

Here are my top ten thoughts on how to make this possible.

1.  Focus on the business drivers

It’s an obvious place to start, but the outsourcing process is complex in nature and that can sometimes obscure the reasons to do the deal. It is vital to identify early on the likely benefits of the project and then strongly focus on key drivers. This focus must not stop at the business case stage. Required benefits must be measured throughout RFI and RFP evaluation and through to preferred bidder and the contract terms. It is just as important to continue measuring performance against key drivers over the lifetime of the outsourcing.

2.  It’s all about the people…

If people are important to ITO, they are the lifeblood of BPO. From each individual in the delivery team to senior management team governance, it is important to understand recruitment and selection of people and the performance required of them. You may need to consider people incentivisation and measures against staff attrition.

Because BPO is about people-managed processes (perhaps based around an ERP system or platform), care needs to be taken on recruitment criteria, training and ramp-up. Take a look at the Group 4 debacle over the London Olympics security guards contract if you want to reflect on the effect of ramping up too quickly and the implications for on-boarding people.

3.  There’s more to baking a cake than measuring the ingredients

There was an interesting if messy court case a few years back between Vertex and Powergen in which the judge said that while Vertex may have been meeting service levels, it was not providing the required standard of service. The case may seem a little odd, but there is a point. Service levels are a statistical sampling of a service and not a description of the holistic service output required. I might answer in three rings, escalate in 10 minutes and close the call in 30 minutes. But what does this tell you about quality of delivery?

It is possible to design more quality-driven measures of success, such as whether a process is completed error-free; the richness of functionality produced in an Agile sprint; or the time and cost to on-board a call centre operative. However, SLAs are not the entire answer.

It is key to closely document the processes being outsourced so it is clear what is to be achieved. Equally, service descriptions should be backed up by standards, policies and procedures to ensure corporate standards are met. The contract itself can also include fall-back protections such as warranties on quality of personnel and work, corrective plans or indemnities for loss of data.

The point is to look at how service delivery is documented holistically and across the contractual documentation and processes.

4.  It’s your reputation on the line

Frequently, BPO staff will be hired and deployed exclusively for one customer. Often it is attractive to connect the BPO activity to the customer’s brand. When the services are externally focussed, such as customer service desks, order fulfilment or payment processing, the brand is even more present. BPO is often highly visible and can expose the brand of the customer and service provider in a more prominent way than other forms of outsourcing.

How well will your reputation be protected if there is a service failure? It may sometimes be that the lid can’t be kept on some problems. For example, security breaches may need reporting to the regulators (and, more and more frequently, to business customers under contract). For public bodies, there are limits to how much they are able to deal with confidentially once ministers or councillors step in or the press uses Freedom of Information to find a story.

Customer and supplier may need to think through the communications implications, internally, to the press and to consumers of the customer’s services. They will also need to tightly control management of any crisis or issues.

Because reputation management is important in BPO, the development of communications and remediation plans, escalation and stakeholder management may need further development than in a typical ITO.

5.  Price and value are different propositions

Most contracts rightly focus on pinning down pricing. It is a valuable exercise to ensure fixed and activity based charging components are well understood, as well as how changes or termination payments will be costed.

However, each element of the work must produce a business result and the production of value is very different from the recovery of cost and a margin. In many cases, value delivered and not just effort expended must be captured.

For some elements of BPO, we have been developing pricing approaches to do just that. For example, in application development and management, ensuring work is right first time; or requiring sufficient functionality to trigger payment for a sprint.

As well as measuring value, some deals may focus on cost reduction. Application rationalisation, service simplification and year-on-year savings may all be deployed.

We frequently deploy standard benchmarking and continuous improvement techniques. While always good to include, mechanisms developed to achieve specific results for specific services are more desirable.

6.  Innovate or die

There are usually two reasons to outsource: Do it better, and do it cheaper.

Whether or not the deal will deliver on these aims depends on how developed the business model is. Many suppliers have become adept at innovation and cost reduction mechanics, but it is not always easy to enshrine these in the deal. (Cue the dreaded 20-page “Innovation service description…”)

Innovation is plainly important since the way customer and service provider do business is sure to evolve over the outsourcing lifecycle. So as a minimum, the parties should discuss potential innovation and examine the potential for change. This keeps the customer at the forefront of developments and defends good service providers from falling behind the curve on perceived value.

We have seen and developed innovation programmes which are clear and specific to the deal. These have been especially important in the $100 million-plus deals, where investment is high and improved service or decreased cost is key. Typical mechanisms include:

(i) Funding for agreed innovations

(ii) Technology refresh programmes

(iii) Service rationalisation plans

7.  Compliance is not optional

With many BPOs, the customer is outsourcing services which carry with them a significant compliance burden – from simple payroll requirements and the obvious data privacy implications to more complex issues such as support for Sarbanes Oxley, financial services regulatory requirements or statutory HR processes. These compliance issues need carefully thinking through to ensure the relevant standards are met – and to deal with the implications if they are breached.

8.  The exit is signposted

Every BPO comes to an end, and so every BPO contract needs to ensure that the customer is able to move its services back in-house or to another supplier. Yet outsourcing contracts can be thin on detail or too theoretical about handover of services.

Given it is one of the sections of the contract which will definitely be dusted down at some stage, it is best to ensure exit activity is detailed and the cost mechanisms clear.

Exit is surprisingly difficult in practice and mechanisms to ensure that at any point in time the customer has vital information to hand or accessible are important. For example, salvaging in-flight projects or continuing to maintain service levels can be tough without access to data, people and systems. Knowledge transfer and access to data, software and systems is also essential.

9.  Fit for the future

Organisations continue to tactically outsource individual service towers to service providers while grappling with how to manage suppliers across the organisation. There are a number of developing models which align suppliers across service towers. Their suitability depends on the depth of the intelligent client/retained organisation, maturity of model and speed of contract refresh. Some current models which might help future proof contracts include:

(i) Ensuring supplier co-operation provisions, and considering whether there will need to be multi-supplier governance for jointly solving issues

(ii) Catering for Operating Level Agreements and service interfaces which allow clean hand-off of process between suppliers, and for suppliers to resolve issues between themselves before escalating to the customer

(iii) Allowing assignment of the contract by the customer should the service tower outsourced be consolidated and managed by another provider

(iv) Allowing for a service integration model to be developed, including reporting and interfacing with a service integrator.

10.  There is an x in team

There may be no “I” in team, but great outsourcing teams call on the best people across the organisation. They are multi-disciplinary, diverse in thinking and able in communication. Great outsourcing teams have a certain “x” factor which leads to success.

Customer and supplier will need good people collaborating to avoid the key pitfalls in outsourcing. There is no denying that the customer and supplier have different aims and are looking for different outcomes. But the two teams need to find a space in which they can collaborate, share frank views and build success in the delivery of services. Because outsourcing is ultimately a collaborative process in seeking joint solutions, it is the “x” in team which makes the most significant difference to the long term success of BPO programmes.


Spectrum allocation: Ofcom’s assessment of the UK’s position

Posted on February 9th, 2015

Ofcom has released an update on the UK’s preparations for the World Radiocommunications Conference (WRC), which is due to be held in Geneva in November 2015. The WRC is held every four years, and involves representatives from over 150 countries coming together to discuss and agree necessary revisions to the international treaty setting the global framework for use of spectrum, known as the Radio Regulations. Spectrum is a scarce resource, and the WRC is an essential part of agreeing standardised approaches to its allocation and use, ensuring efficient and appropriate service delivery.

Ofcom will be representing the UK at the WRC, and the UK’s position on the issues to be discussed will be finalised between the government and Ofcom in the coming months, incorporating feedback from interested parties. Between now and November, Ofcom will also participate in the European preparations for the conference, the aim of which is to form common positions on pan-European issues, likely to be agreed in two waves – the first in June and the second in September 2015.

As part of its preparations, Ofcom issued a consultation in June 2014 which remained open until 19 September 2014. As a result of the feedback received around the need for stakeholders to feed into the process, Ofcom has established a stakeholder group which sits above the International Frequency Planning Group (IFPG) to collect and incorporate the stakeholder positions. This group will meet every 2 to 3 months in the run-up to the WRC and will provide an opportunity for interested parties to join and inform the UK’s strategic direction. Ofcom received around 100 responses, which enabled it to refine the main elements of the UK position, grouped around the agenda themes below.

Spectrum for mobile broadband

One of the most important tasks for the WRC is to identify additional spectrum bands to support the ever-increasing volumes of mobile data traffic. In doing so, the WRC will have to balance the competing needs of mobile broadband services and applications against other services and technologies, including satellite services and digital terrestrial television. Ofcom’s current position is that:

  1. it will support the identification of spectrum in the 1427 – 1452 MHz, 1452 – 1492 MHz, and 1492 – 1518 MHz bands for mobile broadband services;
  2. it will oppose proposals that would allow mobile broadband usage of spectrum currently allocated to Digital Terrestrial Television in the 470 – 694 MHz band;
  3. consistent with existing EU decisions, Ofcom will support mobile broadband use of spectrum in the lower part of the C-band, from 3.4 – 3.8 GHz. However, Ofcom recognises that there is little support at EU level for similar use of the upper portion of the C-band from 3.8 to 4.2 GHz. Satellite stakeholders have lobbied hard against sharing C-band spectrum with terrestrial broadband services, arguing it could lead to excessive interference. The satellite industry has also argued that C-band spectrum is vital in tropical and sub-tropical regions where other frequencies are adversely affected by “rain fade” and where essential services are delivered by C-band satellite networks.


Other WRC agenda items

Some of the other issues to be considered at the next WRC include:

  1.  Unmanned aircraft: Ofcom’s current view is that the UK will not support the use of fixed satellite service spectrum for the command and control of unmanned aircraft systems such as drones. Unmanned aircraft have a wide range of uses, including search and rescue, disaster assessment, observation and monitoring of landscapes, as well as military uses. Given the level of international interest in this topic, Ofcom has raised this to a high priority issue.
  2.  Abolishing the leap second: A “leap second” is an additional second that is intermittently added to Co-ordinated Universal Time (UTC) so that an “earth day” stays in sync with the precise atomic clocks on which UTC is based. The adjustment is needed because the earth does not rotate at a consistent speed. This adjustment to UTC occurs on an irregular basis and cannot be planned far in advance, which can cause problems for systems and applications that depend on precise time clocks. There are contentious suggestions to abolish the leap second and instead adopt a continuous reference time-scale. All responses to the consultation indicated a preference to maintain UTC as it is currently defined, so the UK will oppose the changes. This is expected to be a very difficult issue at the WRC.
  3.  Agenda items for future WRCs: The UK has made a specific proposal to include the consideration of spectrum for mobile broadband in frequency bands above 6 GHz. Ofcom has issued a “Call for Inputs”, inviting views on bands that could be investigated for 5G mobile broadband use. Depending on the outcome of this exercise, Ofcom may provide a further update on this issue later this year.


Ultimately, the position reached by agreement between Ofcom and the Government on the WRC agenda will be signed off by the government’s Spectrum Strategy Committee just before the start of the WRC. Although it is clear that good progress has been made in refining the UK’s position following the consultation process, there will inevitably be further revisions to come.


From not-spot to hot-spot?

Posted on February 4th, 2015

Ofcom announced on Tuesday of this week that it has varied the licence terms of the UK’s four mobile network operators (“MNOs”) (EE, O2, Three and Vodafone), requiring them to ensure that basic voice coverage extends to 90% of the UK’s geographic land mass by no later than 31 December 2017. This follows the Government reaching a binding agreement with the MNOs in December of last year to improve the coverage they offer to consumers by eliminating ‘not-spots’ and investing £5bn collectively to improve their voice and data services.

Under the new terms, MNOs are required to ensure that signal strength in any given area of the UK is greater than or equal to the minimum threshold for at least one technology and band combination. By way of example, the minimum signal threshold for the GSM 900 MHz network is 93 dBm. There are four technology and band combinations at present, and it will be sufficient for an MNO to meet one of the signal thresholds to achieve compliance. An MNO can request that new technologies and bands be added to the list and Ofcom will seek to agree such requests and measure compliance accordingly.

MNOs are required to provide Ofcom with written confirmation on or before 31 December 2017 that they have complied with the requirements and the information on which the confirmation is based. Ofcom may also request any underlying data and materials that it considers necessary to check the MNO’s assessment. For the purposes of assessment, UK landmass includes islands that are inhabited; however, those islands that are geographically part of the UK but are uninhabited are excluded.

Should an MNO fail to achieve compliance in the given time frame, Ofcom can utilise its enforcement powers and issue a compliance notice.

In addition to the above, Ofcom is currently working with the UK government on a £150 million project to enable the erection of phone masts in mobile hot spots.

The move to improve coverage for consumers is a result of the Ofcom report of August 2014 which revealed that for mobile customers in rural areas, only 67% were happy with the coverage they received compared with 78% of those in urban areas.




US and UK Regulators position themselves to meet the needs of the IoT market

Posted on January 30th, 2015

The Internet of Things (“IoT”) is set to enable large numbers of previously unconnected devices to communicate and share data with one another.

In an earlier posting I examined the potential future regulatory landscape for the IoT market and introduced the 2014 consultation on the Internet of Things by Ofcom (the UK’s communications regulator). This stakeholder consultation was issued in order to examine the emerging debate around this increasing interconnectivity between multiple devices and to guide Ofcom’s regulatory priorities. Since the consultation was issued, the potential privacy issues associated with the IoT continue to attract the most attention but, as yet, no IoT issues have led to any specific laws or legal change.

In two separate developments in January 2015, the UK and US Internet of Things markets were exposed to more advanced thinking and guidance around the legal challenges of the IoT.

UK IoT developments

Ofcom published its Report: “Promoting investment and innovation in the Internet of Things: Summary of responses and next steps” (27 January 2015) which responded to the views gathered during the consultation which closed in the autumn of 2014. In this report Ofcom has identified several priority areas to focus on in order to support the growth of the IoT. These “next step” Ofcom priorities are summarised across four core areas:

Spectrum availability: where Ofcom concludes that “existing initiatives will help to meet much of the short to medium term spectrum demand for IoT services. These initiatives include making spectrum available in the 870/915MHz bands and liberalising licence conditions for existing mobile bands. We also note that some IoT devices could make use of the spectrum at 2.4 and 5GHz, which is used by a range of services and technologies including Wi-Fi.” Ofcom goes on to recognise that, as the IoT grows and the sector develops, there may be a renewed need to release more spectrum in the longer term.

Network security and resilience: where Ofcom holds the view that “as IoT services become an increasingly important part of our daily lives, there will be growing demands both in terms of the resilience of the networks used to transmit IoT data and the approaches used to securely store and process the data collected by IoT devices”. Working with other sector regulators where appropriate, Ofcom plans to continue existing security and resilience investigations and to extend its thinking to the world of the IoT.

Network addressing: where Ofcom, previously fearing numbering scarcity, now recognises that “telephone numbers are unlikely to be required for most IoT services. Instead IoT services will likely either use bespoke addressing systems or the IPv6 standard. Given this we intend to continue to monitor the progress being made by internet service providers (ISPs) in migrating to IPv6 connectivity and the demand for telephone numbers to verify this conclusion”; and

Privacy: in the particularly hot privacy arena there is nothing especially new within Ofcom’s preliminary conclusions. Ofcom concludes that “a common framework that allows consumers easily and transparently to authorise the conditions under which data collected by their devices is used and shared by others will be critical to future development of the IoT sector.” In a world where the UK’s Data Protection Act already applies, it was inevitable that Ofcom (without a direct regulatory remit over privacy) would offer little further insight in this regard.

It’s not surprising to read from the Report that commentary within the responses highlighted data protection and privacy as potentially the “greatest single barrier to the development of the IoT”. The findings from its consultation do foresee potential inhibitors to IoT adoption resulting from these privacy challenges, and Ofcom acknowledges that the activities and guidance of the UK Information Commissioner (ICO) and other regulators will be pertinent to achieving clarity. Ofcom will be co-ordinating further cooperation and discussion with such bodies both nationally and internationally.

A measured approach to an emerging sector

Ofcom appears to be striking the right balance here for the UK. Ofcom suggests that future work with ICO and others could include examining some of the following privacy issues:

  1. assessing the extent to which existing data protection regulations fully encompass the IoT;
  2. considering a set of principles for the sharing of data within the IoT looking to principles of minimisation and restricting the overall time any data is stored for;
  3. forming a better understanding of consumer attitudes to sharing data and considering techniques to provide consumers “with the necessary information to enable them to make an informed decision on whether to share their data”; and
  4. in the longer term, exploring the merit of a consumer education campaign exposing the potential benefits of the IoT to consumers.

The perceived need for more clarity around privacy and the IoT

International progress around self-regulation, standards and operational best practice will inevitably be slow. On the international stage, Ofcom suggests it will work with existing research groups (such as the ones hosted by BEREC amongst other EU regulators).

We of course already have insight from Working Party 29 in its September 2014 Opinion on the Internet of Things. The Fieldfisher privacy team expounded the Working Party’s regulatory mind-set in another of our Blogs. The Working Party has warned that the IoT can reveal ‘intimate details’; ‘sensor data is high in quantity, quality and sensitivity’ and the inferences that can be drawn from this data are ‘much bigger and sensitive’, especially when the IoT is seen alongside other technological trends such as cloud computing and big data analytics.

As with previous WP29 Opinions (think cloud, for example), the regulators in that Opinion have taken a very broad-brush approach and have set the bar so high that there is a risk their guidance will be impossible to meet in practice and, therefore, may be largely ignored. This is in contrast to the more pragmatic FTC musings explained further below: although both follow a similar approach to protecting privacy, the EU approach is far more alarmist and potentially restrictive.

Hopefully, as practical and innovative assessments are made of technologies within the IoT, new pragmatic solutions to some of these privacy challenges will emerge. These might include the development of standard “labels” for transparency notifications to consumers, industry protocols for data sharing coupled with associated controls, and possibly more recognition from the regulators that swamping consumers with more choices and information can sometimes amount to no choice at all (as citizens start to ignore a myriad of options and simply proceed with their connected lives, ignoring the interference of another pop-up or check-box). Certainly, with increasing device volumes and data uses in the IoT, consumers will continue to value their privacy. But if this myriad of devices is without effective security, they will soon learn that both privacy and security issues count.

And in other news... US developments

Just as the UK’s regulators are turning their attention to the IoT, the Federal Trade Commission (FTC) also published a new Report on the IoT in January 2015. Like Ofcom’s foray into the world of the IoT, the FTC’s steps in “Privacy & Security in a Connected World” are also exploratory. To a degree, there is now more pragmatic and realistic guidance around best practices in making IoT services available in the US than we have today in Europe.

In this report the FTC recommends “a series of concrete steps that businesses can take to enhance and protect consumers’ privacy and security, as Americans start to reap the benefits from a growing world of Internet-connected devices.” As with Ofcom, it recognises that best practice steps need to emerge to ensure the potential of the IoT can be realised. This reads as an active invitation to those playing in the IoT to self-regulate and act as good data citizens. With the surge in active enforcement by the FTC during 2014, this is something worthy of attention for those engaged in the consumer-facing world of the IoT.

As the Federal Trade Commission works for consumers to prevent fraudulent, deceptive and unfair business practices and to provide information to help spot, stop and avoid them, the FTC’s approach focusses more on the risks that will arise from a lack of transparency and excessive data collection than on the practical challenges the US IoT industry may encounter as the IoT and its devices create an increasing demand on infrastructure and spectrum.

The report focuses on three core topics: (1) Security, (2) Data Minimisation and (3) Notice and Choice. Of particular note, the FTC report makes a number of recommendations for anyone building solutions or deploying devices in the IoT space, namely to:

  1. “build security into devices at the outset, rather than as an afterthought in the design process;
  2. train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  3. ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  4. when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  5. consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  6. monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.”

With echoes of privacy by design and data minimisation, as well as recommendations to limit the collection and retention of information, suggestions to impose security obligations on outside contractors and recommendations to consider notice and choice, it could transpire that the IoT space will be one where we’ll be seeing fewer differences in the application of US and EU best practice?!

In addition to its report, the FTC also released a new publication designed to provide practical advice about how to build security into products connected to the Internet of Things. This publication, “Careful Connections: Building Security in the Internet of Things”, encourages “a risk-based approach” and suggests businesses active in the IoT “take advantage of best practices developed by security experts, such as using strong encryption and proper authentication”.

Where next?

Both reports indicate a consolidation in regulatory thinking around the much-hyped world of IoT. Neither report proposes concrete laws for the IoT and, if they are to come, such laws are some time off. The FTC even goes as far as saying “IoT-specific legislation at this stage would be premature”. However, it does actively “urge further self-regulatory efforts on IoT, along with enactment of data security and broad-based privacy legislation”. Obama’s new data privacy proposals are obviously seen as a complementary step toward US consumer protection? What is clear is that there are now emerging good practices and a deeper understanding at the regulators of the IoT, its potential and its risks.

On both sides of the Atlantic, the US and UK regulators are operating a “wait and see” policy. In the absence of legislation for other potentially privacy-sensitive emerging technologies, we’ve seen self-regulatory programs within particular sectors or practices emerge to help guide and standardise practice around norms. This can offer protection while at the same time introducing an element of certainty around which business is able to innovate.

Mark Webber – Partner, Palo Alto California



Contracts refresher: excluding liability for loss of profits

Posted on January 28th, 2015 by

When a technology contract goes wrong, customers will often suffer not just from a loss of systems but also from disruption to their business. Disruption may lose them vital revenues and even give rise to claims from customers. It would seem intuitive that contracts should be clear cut and allow customers to claim for loss of profit. But the position is far from clear. As a result, customers and suppliers must carefully craft their contracts if they are to effectively include or exclude claims for loss of profits.

The key issue is that English law only allows losses to be claimable if they are not unlikely or reasonably foreseeable as a result of the breach at the time the contract was entered into. Exceptionally, claims may be allowed where at the time the contract was concluded the parties had special knowledge of a certain kind of loss (e.g. that one of the customer’s contracts depended on delivery by the supplier). These principles were established in Hadley v Baxendale (1854) 9 Ex Ch 341 and Heron II [1969] 1 AC 350, and reiterated over the years.

These types of loss are often referred to in shorthand as “direct” loss, to describe the “not unlikely” or foreseeable kind, and “indirect” loss, to cover other losses which are only claimable if special knowledge is evident. The distinction can quickly become unhelpful if the longhand definitions are forgotten, as plainly a kind of loss like damage to property, on different sets of facts, could be direct or indirect under the Hadley v Baxendale test. This leads to a lot of confusion as people try to pigeonhole, say, loss of profits as necessarily being in one category or another. In reality, lawyers need to look to the case law for guidance on whether loss of profits has been determined to be claimable in circumstances similar to the ones they face, and then draft the best they can to reinforce or avoid the consequences.

The courts have therefore long recognised that loss of profits arising from a breach of contract can be a direct loss or an indirect loss, depending on the circumstances, including the nature of the contract and the nature of the breach. It is essential then that the exclusion and limitation provisions make clear whether any references to “loss of profits” are to all loss of profits (both direct and indirect), or only one or the other. Two High Court cases last year – Fujitsu v IBM, [2014] EWHC 752 (TCC) and Polypearl Limited v E.on Energy Solutions Limited [2014] EWHC 3045 (QB) – illustrate well the approach taken by the courts when interpreting exclusions of “loss of profits” in the context of direct and indirect loss and the pitfalls where the contract is unclear. Before commenting on these cases, it is helpful to delve further into the approach the courts take when interpreting exclusions clauses designed to avoid liability for loss of profits (should losses be claimable under the Hadley v Baxendale rule).

Interpreting exclusion and limitation clauses: the courts’ approach

Liability provisions in a contract typically exclude or cap a party’s liability for certain types of losses. It is important for all parties that these provisions are drafted clearly and unambiguously. A clearly drafted clause is less likely to be disputed, and if it ever fell to the courts to interpret the clause, there is less risk that the court might interpret it in a way that was not anticipated, leaving a party exposed to unexpected risks and liabilities. Good exclusion clauses do not leave it to the case law to decide what will be direct or indirect loss. They spell out the division of risk between the parties, and expressly exclude some types of loss (or cover other types through express warranties and indemnities).

In the past, the courts strained their interpretation of exclusion/limitation clauses to reach a fair or just outcome. Now, though, the courts will generally uphold and give effect to the literal meaning of a clause that has been negotiated between experienced business parties, provided the clause is clear, unambiguous and not open to more than one meaning, and not drafted so widely that a party’s obligations are effectively robbed of contractual force (i.e. so that obligations are just statements of intent).

The general approach taken by the courts when interpreting an exclusion/limitation clause is the same as for any other part of the contract, namely:

  1. Ascertain what a reasonable person would have understood the parties to mean. The “reasonable person” is assumed to have all the background knowledge which would reasonably have been available to the parties in the situation in which they were at the time of the contract;[1]
  2. If that approach results in two possible interpretations, then the court will generally take the interpretation that is most consistent with business common sense;[2]
  3. Where the parties have used unambiguous language, the court will apply it;[3]
  4. There is a presumption that a party does not intend to abandon any remedies arising by operation of law. Clear express words must be used in order to rebut this presumption;[4]
  5. The court will strain against interpreting an exclusion clause in a way that renders a party’s obligation under the contract no more than a statement of intent. The court will not reach that conclusion unless no other conclusion is possible.[5]


Loss of profit: direct and indirect loss

It is good practice, when drafting an exclusion or limitation clause, to set out clearly the types of loss that the parties intend will be recoverable (subject to any agreed cap) and those that will be excluded. This gives the parties more certainty than relying on a clause that refers in broad terms to “direct” and “indirect” losses.

Care is needed when drafting to make clear whether references to “loss of profits” are to both the direct and indirect kind, or only one or the other. Two High Court cases last year illustrate well the approach taken by the courts when interpreting exclusions of “loss of profits” and the pitfalls where the contract is unclear.

Fujitsu v IBM

In Fujitsu v IBM, the court had to decide whether an exclusion clause in a sub-contract between IBM and Fujitsu effectively excluded IBM’s liability for all loss of profits (i.e. direct and indirect), or for only “indirect” loss of profits. IBM was the principal contractor under a contract for the provision of IT and business process change services and Fujitsu was its subcontractor. Fujitsu alleged that IBM had breached the subcontract by failing to allocate to Fujitsu the performance of services that, under the terms of the sub-contract, should have been performed by Fujitsu. As a preliminary issue, the High Court had to consider the exclusion clause in the sub-contract, which read:

“20.7 Neither Party shall be liable to the other under this Sub-Contract for loss of profits, revenue, business, goodwill, indirect or consequential loss or damage…”

Were the types of loss listed in the clause (loss of profits, revenue etc.) intended to be examples of indirect or consequential loss? The court ruled that the clause excluded liability for all loss of profit, not just the “indirect” kind. If the intention was to exclude indirect loss of profit only, the court said that it would have expected the parties to make this clear. The references to “loss of revenue, business or goodwill” were not necessarily indicative of indirect loss. As it stood, the clause did not make “loss of profit” a sub-set of “indirect or consequential loss”. There was nothing in the context or surrounding clauses that pointed to a different interpretation than to simply apply the words of the clause.

Polypearl Limited v E.on Energy Solutions Limited

The same issue arose in a more recent case – Polypearl Limited v E.on Energy Solutions Limited. Polypearl claimed that E.On Energy Solutions was in breach of a minimum spend commitment under an agreement for the sale/purchase of cavity wall insulation products. Polypearl claimed loss of profits of £2.1m on the shortfall and, as a preliminary issue, the court had to consider whether the following clause excluded liability for all loss of profit or for indirect loss of profit only:

“(10.1) Neither party will be liable to the other for any indirect or consequential loss, (both of which include, without limitation, pure economic loss, loss of profit, loss of business, depletion of goodwill and like loss) howsoever caused (including as a result of negligence) under this Agreement, except in so far as it relates to personal injury or death caused by negligence.”

Polypearl argued that its lost profits on the shortfall were a direct loss, and the judge agreed. The judge noted that the words in parenthesis made the meaning of the clause ambiguous. Did these words mean that Clause 10.1 applied only to indirect or consequential loss of profit? The court ruled that the clause excluded liability for indirect/consequential loss of profits, and not direct loss of profits:

  1. The most likely (and often the only) damage that Polypearl would suffer from E.on’s failure to meet the minimum spend commitment would be a loss of profits. It was unlikely that a business person would wish to exclude this direct loss;
  2. It was more in accordance with business common sense to interpret the words in parenthesis as an explanation of the phrase “indirect or consequential loss” rather than an attempt to place all loss of profits in the “indirect” category;
  3. The clause did not clearly indicate that the parties intended to abandon a claim for direct loss of profits. The clause did not go far enough to rebut the presumption that the parties to a contract do not intend to abandon any remedies for a breach of contract arising by operation of law.


Drafting tip

It seems from these cases (and others)[6] that ambiguity around whether a particular type of loss is excluded or not commonly arises where references to specific types of loss (e.g. loss of profit, revenue, goodwill etc.) are bundled in with a reference to “indirect” loss. If the intention is to exclude liability for a certain type of loss in all cases, whether the loss is direct or indirect, then one way of avoiding this ambiguity is to separate out the exclusion of liability for indirect loss and the exclusion of liability for that specific type of loss.



[1] Rainy Sky v Kookmin [2011] UKSC 50, at 14

[2] Rainy Sky v Kookmin [2011] UKSC 50, at 21

[3] Rainy Sky v Kookmin [2011] UKSC 50, at 23

[4] Modern Engineering (Bristol) Ltd v Gilbert-Ash (Northern) Ltd [1974] AC 689 at 717

[5] Astrazeneca v Albermarle [2011] EWHC 1574, at 313

[6] See for example Proton Energy Group SA v Orlen Lietuva [2013] EWHC 2872 (Comm)


Leading the way in Digital Services – The UK hosts the first D5 summit

Posted on January 27th, 2015 by

The UK hosted the first summit of the ‘D5’ group of countries in December. The D5 Charter claims that the group, whose founding members are Estonia, Israel, New Zealand, South Korea, and the UK, comprises the most digitally advanced governments in the world.

The D5 group has been created to encourage collaboration between the founding members in the field of digital services. The D5 members have committed to working towards nine key principles of digital development.

One of the key principles of the D5 group is to make more and more of the systems, tradecraft, manuals and standards created by the D5 members ‘open source’ and shared between the members. The D5 group recognises that adhering to the group’s Charter will encourage innovation and growth in the digital economies of the D5 members and potentially lead to cost savings.

In his opening speech, Minister for the Cabinet Office Francis Maude spoke about transforming public services and delivering them in a more cost effective way by taking more services online. In particular he cited the Government Digital Service’s work in replacing over 1700 government websites with ‘GOV.UK’ as an example of the importance of digital services which has saved the government £60 million.

The UK government has already taken steps to show its commitment to the D5 Charter. The code for GOV.UK is open source and the government has pledged to share it with the government of New Zealand.

The D5 members have committed themselves to opening up markets to competition, in particular to small and medium sized enterprises. The D5’s commitment will be welcome news for start-ups in particular, who may already be benefiting from the UK Government’s ‘Small business: GREAT ambition’ initiative to help small businesses grow.