There has been a recent surge in media coverage of incidents affecting corporate bodies and of calls for directors to be held personally responsible. Reports such as the theft of a laptop from an employee of the Nationwide Building Society and the highly publicised Madoff case have highlighted the need for directors to be very aware of the company procedures that they have in place. Directors are becoming increasingly concerned about their liability, both personally and to the company. As a consequence, in-house counsel may well be asked for legal advice not just from the company’s perspective, but from the directors’ personal viewpoints.
Directors’ nightmares and the role of in-house lawyers
The role of a director is under scrutiny, more so than ever, to ensure they are consistently acting in the best interests of the company, for example, by establishing and monitoring an effective system of internal and external controls and procedures, and ensuring that key functions are delegated to competent employees who can effectively run the business on a day-to-day basis. Directors are under pressure to regularly review what procedures are in place across the business, and in-house lawyers are part of that process. Where required, in-house lawyers may also need to turn to external counsel to assist them in their guidance to directors, where, for example, there is a conflict between the company and the directors’ personal interests.
It is therefore important to ensure that a suitable policy is in place as to when directors need to seek independent legal advice. An example where this may apply is if there appears to be a conflict between the directors of the company and the company itself. In instances such as this, cost may be an issue. The directors should consider whether a budget is made available for situations such as this. While directors’ and officers’ liability insurance may be available, this only applies where a loss has arisen and should be a last option where all other avenues have been exhausted.
This article discusses recent developments in the tax, fraud, data protection, and health and safety arenas. It considers what procedures and controls should not only be in place as a prevention, but also what to do when an incident happens and how to react and respond.
Loss of confidential information
Over the past year there has been a constant stream of reports of confidential information being either lost or stolen. Consequences of such loss of data include financial loss and/or damages for breach of contract, costs of implementing new security measures, adverse publicity, all of which may lead to loss of customer confidence.
The Financial Services Authority (FSA) already has the power to fine a company or the directors themselves for such a breach of security. Norwich Union was recently fined £1.2m by the FSA for a security lapse. The Information Commissioner’s Office (ICO) has historically had much weaker powers to impose financial penalties and, although there are criminal offences under the Data Protection Act (DPA) 1998 for deliberately or recklessly disclosing personal data without the consent of the data subject, the ICO has used them infrequently. Enforcement by the ICO under the DPA 1998 can be by way of an enforcement notice requiring the data controller to comply with the principles of the DPA. As an example, Virgin Media were recently ordered by the ICO to encrypt all portable media devices after losing an unencrypted disc. Criminal prosecutions and fines under the DPA are generally rare.
Criminal Justice and Immigration Act 2008
However, since May 2008, s77 of the Criminal Justice and Immigration Act (CJIA) 2008 has provided for new criminal sanctions for this offence, increasing the maximum penalty for unlawfully obtaining or disclosing personal data (12 months’ imprisonment or a fine up to the statutory maximum, rising to an unlimited fine or two years’ imprisonment). In addition to this, directors can be liable for an offence if it is committed with their consent, connivance or negligence, such as where a director fails to notify the ICO or to keep the notification up to date with information concerning the company’s data processing. The ICO’s new powers under the CJIA 2008 will include the ability to fine the company for failure to comply with any of the eight data protection principles. This power to impose fines has yet to come into force, but the ICO has been pressing for the fines to be significant, along the lines of the powers of the FSA.
Guidance in the event of data loss
The ICO recommends, in the event of data loss, that four steps are implemented:
- containment and recovery (ie ensuring key individuals are responsible for investigating breaches);
- assessing the risk (ie considering the type and sensitivity of data involved);
- notification of the breach (there is currently no legal requirement to inform the ICO of any data losses but if a large number of people are involved or serious consequences are anticipated, informing the ICO would be best practice); and
- evaluating and responding (ie the company should identify how the breach occurred and what steps could have prevented it).
How can the company prevent such breaches?
A data controller within the company remains liable for any data breaches even where a breach is committed by a data processor and not the data controller itself. It is important to take responsibility for any data outsourced to third parties by undertaking careful and full due diligence of that processor. Contractual terms should be carefully considered (including granting indemnities in relation to any fines) by both in-house counsel and, where necessary, reviewed by external advisers, and the rights to monitor and audit data processors should also be understood and appreciated.
Therefore, it is advisable for in-house lawyers to ensure that the group has an implementation plan in place at an early stage for any potential breaches of data protection, to seek external advice where confidential information is to be sent to third parties, and to ensure that security checks are in place at all times.
Reducing the risk of fraudulent activity
Directors are subject to increasing scrutiny by both the press and general public and are at risk of being labelled as the ‘bad guys’. The recent ongoing cases of Satyam and Madoff have highlighted the necessity for internal controls and the significance of awareness on the part of directors or other employees of a fraudulent act. In-house lawyers need to be aware of the preventative controls and damage limitation exercises that may be required.
Concept of fraud: how does it relate to directors and their personal liability?
Criminal fraud is defined and governed by the Fraud Act 2006, and the Companies Act (CA) 2006 includes offences of fraudulent trading specific to companies and directors. Section 993 of CA 2006 sets out penalties that can include up to ten years’ imprisonment and/or an unlimited fine imposed on the directors. Civil liability has consequences that range from rescission of the contract in question to general and exemplary damages. It is not necessary to show that the loss is foreseeable, just that it is caused by deceit. Both companies and their directors can be held liable for such misrepresentations.
The most common types of fraud include:
- purchasing/procurement fraud, eg where a purchasing director favours a supplier in which they have a financial interest in return for backhanders;
- accounting fraud, eg results manipulated to encourage investment or to maintain the appearance of financial security; or
- simple asset misappropriation, eg false expense claims, theft, collusion with customers and suppliers.
Others include bribery and theft of customer lists, business plans, and other confidential commercial information.
How can directors prevent or reduce the possibility of a fraudulent act?
Prevention and early detection can help to deter or highlight fraud at an early stage when steps could be taken to recover the money lost. Most fraudulent activity occurs due to insufficient internal controls, which directors need to be aware of and ensure are corrected as soon as possible. In-house lawyers need to ensure the directors consider and understand internal controls and the implications of not having such procedures in place. Once internal controls have been put in place, directors should not assume everything will be fine. Classic indicators that a fraud is taking place should not be ignored. These include lifestyle changes that are difficult to relate to an employee’s salary, a refusal to take holiday (in case their fraud is discovered) and any failure to comply strictly with the processes put in place to prevent fraud. Directors need to be aware and act immediately on behalf of the company, where any fraudulent activity comes to light.
It is advisable to prepare in advance a contingency plan in the event that a fraudulent act is discovered. In-house lawyers and directors of the company should make decisions as to who leads the investigation, what professional services are required, what reports should be made and what evidence needs to be gathered. Directors are under no precise legal duty to investigate, but they are at risk of their general duties to the shareholders being breached if they fail to take appropriate action. Directors cannot be insured for liability as a result of fraud, dishonesty or criminal acts, so it is worth seeking professional advice at an early stage to ensure that the company has sufficient anti-fraud controls in place, where possible.
Health and safety in the workplace: who is responsible?
Health and safety is often an issue that is overlooked by senior executives, including directors, in any company. It must, however, be carefully considered, especially in the light of the Corporate Manslaughter and Corporate Homicide Act 2007 (the 2007 Act) that came into force in April of the same year.
Under the 2007 Act, an organisation is guilty of an offence if the way in which its activities are managed or organised causes a person’s death and amounts to a gross breach of a duty of care owed to that person, where the way those activities are managed or organised by senior management (ie company directors, the company secretary, senior operational personnel and regional managers) is a substantial element of that breach. It is therefore important for directors, as well as other senior management, to note that the management or operational failure need not be the immediate cause of death; it need only be a cause. Penalties under the 2007 Act are against the organisation and not against individual company officers. These include fines that are anticipated to be significantly higher than those under the Health and Safety at Work Act 1974 (the 1974 Act). Current guidelines suggest 5% of annual average turnover for the three-year period prior to sentencing. Publicity orders, which may include announcements on television, radio and in newspapers, and remedial orders may also be imposed by the court, but only where there is a conviction. Unlike the 2007 Act, the 1974 Act places responsibility on individuals to take care of themselves and others who may be affected by the individual’s acts or omissions. Penalties include fines and, in some cases, imprisonment.
Health and Safety (Offences) Act 2008
The Health and Safety (Offences) Act 2008 (the 2008 Act) came into force in January last year to ensure:
- tougher, more commensurate punishment;
- more effective deterrence; and
- greater efficiency in the dispensation of justice.
In practice, the 2008 Act imposes penalties on both individuals and organisations convicted of health and safety breaches. Penalties for individuals include fines of up to £20,000 for breach of a regulation (previously it was up to a maximum of £5,000) and imprisonment for a period of up to 12 months.
Directors need to be aware of, and have in place, underlying operations and measures to ensure their exposure to breaching health and safety legislation, and the prospect of such fines and penalties being imposed, is minimised. These include health and safety training programmes for all employees, health and safety management systems being implemented, and risk assessments being undertaken. The company should keep logs of accidents, accident frequencies including days of work lost, any trends in such occurrences, and all major accidents should be reported to the Health and Safety Executive immediately. With the 2008 Act now in force it is therefore critical, more so than ever before, to ensure that not only the organisation, but the individuals within the workplace are aware of the health and safety issues.
HMRC’s ‘deliberate’ change in tax rules
HM Revenue & Customs (HMRC) implemented new rules effective from 1 April this year. Their ambition? To ‘support those that comply and come down hard on those that seek an advantage through non-compliance’. The new rules cover their powers to gather information, including requiring entry onto the premises of a business to inspect records and to impose penalties where they find errors and omissions. From 1 April, in addition to personal liability in relation to VAT, directors can now also be held personally liable for penalties in direct tax, ie corporation tax, capital gains tax and income tax. Consequently, directors of any company need to be acutely aware when it comes to any tax-related issues.
The biggest change is that there is now no need for HMRC to prove dishonesty or fraud to establish personal liability. The test has shifted to a deliberate error in a document (which can include an e-mail or telephone call). ‘Deliberate’ is widely interpreted and is considered a lower standard than fraud or dishonesty. Where, for example, directors under-report to HMRC with knowledge, this is clearly deliberate, but what if a director is reckless as to whether a number in a report or return is incorrect? What about if a company engages in aggressive tax-avoidance that fails, or takes a position on its tax that is proved to be unsustainable?
Personal liability on directors is not imposed frequently by HMRC but it does happen and is likely to increase following this change in the rules. Since HMRC no longer has to use the emotive and confrontational language of ‘fraud’ or ‘dishonesty,’ the new regime allows them to impose stiffer penalties where they might have previously shied away from them. Likely areas where personal liability might be fixed include where a company is at risk of becoming insolvent or is insolvent, as discussed above, so directors must take extra care if the company is facing financial difficulties. Also, directors who have benefited personally, perhaps as a director-shareholder, need to be aware that HMRC will scrutinise them more thoroughly.
Penalties
Penalties under the new rules are severe, starting at 70% of the tax at stake and increasing to 100% if steps have been taken to conceal the error. The penalty can be mitigated if the taxpayer co-operates in putting matters right, with extra mitigation if the taxpayer comes forward voluntarily. It is therefore important, more than ever, to ensure tax advice is sought at an early stage and throughout any process, and to follow such professional advice to avoid HMRC imposing severe penalties on both the company and directors who can be held personally liable.
Conclusion
It seems somewhat ironic that as the economic climate gets tougher, the law tightens in several areas. As we have seen, sanctions are being imposed on areas of the law that apply for most businesses, from tax-related issues to loss of confidential information. It is therefore vital to ensure that both the company and the directors know that their internal controls, procedures and practices are consistently kept to the highest possible standard. For in-house lawyers, this is the time to be homing in on internal reviews, checking appropriate procedures are in place and, where this is not the case, advising the company on its best practice and how to, with external advice if necessary, implement new improved changes.
By Michelle Liu, senior solicitor, McGrigors LLP.
E-mail: michelle.liu@mcgrigors.com.