WASHINGTON, DC - APRIL 10: Facebook co-founder, Chairman and CEO Mark Zuckerberg testifies before a combined Senate Judiciary and Commerce committee hearing in the Hart Senate Office Building on Capitol Hill April 10, 2018 in Washington, DC. Zuckerberg, 33, was called to testify after it was reported that 87 million Facebook users had their personal information harvested by Cambridge Analytica, a British political consulting firm linked to the Trump campaign. Photo by Zach Gibson/Getty Images)
Facebook chief executive Mark Zuckerberg testifying to a US Senate committee on Cambridge Analytica last year © Getty
Experimental feature

Listen to this article

00:00
00:00
Experimental feature

The introduction of huge fines for allowing cyber hacks; a beefed-up rule book for European markets; and the spectre of a bad Brexit: European companies faced a host of threats last year.

While uncomfortable for businesses at the receiving end, those challenges have spelt new opportunities for law firms that are helping their clients navigate them.

“The world in Europe changed last year and it was all to do with GDPR,” says Patrick Van Eecke, partner and global co-chair of data protection, privacy and security at law firm DLA Piper.

To some, the letters GDPR (General Data Protection Regulation) might conjure up needy emails from retailers and news websites beseeching customers “not to leave”. But for companies operating across the EU, the new data protection rules, designed to prevent the abuse of personal data, have resulted in big new obligations and potentially devastating fines for breaches.

“Before that, companies could shuffle breaches into the background and hope no one would find out about them,” says Mr Van Eecke.

Today companies have just 72 hours to notify their relevant data regulator — in the UK, the Information Commissioner — and risk punitive fines of up to 4 per cent of their annual revenues or €20m, whichever is the higher, for infringing certain rules. In the UK, for example, the previous maximum fine was £500,000, as levied on Facebook in 2018 for failing to protect users’ personal information in the Cambridge Analytica data scandal.

Yet, despite the possibility of fines, there are no clear guidelines on how to define the severity of a breach, and it is not straightforward to work out whether customers should be informed. “Companies are struggling with the definitions of ‘high impact’ and ‘high risk’ in the context of a data breach because it has not been defined by legislation,” says Mr Van Eecke.

Some law firms have devised systems to help companies understand their responsibilities. After work by DLA Piper lawyers across Europe, the firm launched its Notify software, which uses an algorithm based on the requirements, definitions and exemptions surrounding data breaches and the necessary response. It replaces a process of human interpretation with a streamlined questionnaire that spits out a reporting template too.

Last year British Airways was the first company to be fined under GDPR by the UK regulator, after cyber hackers stole personal data of half a million of the airline’s customers, resulting in a £183m fine.

Lawyers have legal privilege, giving them an advantage over the Big Four accountancy and consultancy firms, which have been encroaching on law firms’ turf, particularly in areas of employment law and intellectual property.

“Law is the only profession to offer privilege on all information shared in a cyber incident,” says Mr Van Eecke. “When the situation can change on an hour-by-hour basis you don’t want to have any documents created by consultants which do not fall under privilege, as the company could be in extreme danger,” he argues.

1.5m

Paragraphs of legal text in Mifid II that emerged over seven years

Another seismic regulatory shift has hit companies in Europe over the past year. In January 2018, European market rules were overhauled in ambitious reforms known as Mifid II. The aim was to afford greater protection to investors and improve transparency of trading and investing across asset classes, from derivatives to bonds and fixed income.

But the legislation — seven years in the making and running to some 1.5m paragraphs of text — had a big impact on companies operating in financial markets, which sought stringent advice from lawyers and consultancies.

One change affected financial companies relying on trading venues, which have mushroomed across Europe. After Mifid II came in, the venues amended their rules.

“The rule books can range from 50 pages to over 200,” says April Brousseau, head of innovation and new business at law firm Simmons & Simmons. The firm has devised Trading Venue Reviewer, a tool that allows clients to compare and contrast the rules on each venue on a single platform.

Regulatory changes such as Mifid II, GDPR and uncertainty thrown up by Brexit have led to new mandates for the Big Four accounting and consultancy firms. The Big Four, it was predicted in 2017, could earn as much as $30bn a year from legal services, according to ALM Intelligence, a consulting and legal analyst.

In July, one of the Big Four, Deloitte, hired Andrew Lilley, former managing partner at law firm Travers Smith, to lead its employment practice, having secured an alternative business licence in June 2018. The move intensified an increasingly fierce turf war.

Magic circle law firm Allen & Overy has set up its own consulting business, A & O Consulting, and says it is filling a gap highlighted by clients, including big banks. “Law firms have tended to give structural advice and consultancy firms have come in to do the implementation. But as a bank you have to deal with two different parties and there’s a risk of a lack of co-ordination or the ball getting dropped between the two,” says Tom Lodder, managing director of A & O Consulting. “The incumbents probably aren’t happy with the increased competition. We have interaction with the Big Four and we are learning from them and, in some cases, stealing talent too.”

The tables below rank law firms for the FT Innovative Lawyers Europe awards.

New Products and Services
RankLaw firmDescriptionOriginalityLeadershipImpactTotal
STANDOUTKennedysDeveloped a suite of products for claims management, helping clients to save time, money and use lawyers less. PuniWraps, an artificial intelligence tool for Bermuda-based clients to manage high-volume, low-level punitive damage claims, reduces processing time by 40 per cent and saves an average $500 per claim. The Subro tool takes out the complexity for clients to recover damages owed by third parties, removing the need for external lawyers. A third tool, Riverstone, enables clients to manage high-volume construction claims at speed and scale.98825
STANDOUTSimmons & SimmonsDeveloped the Trading Venue Reviewer to provide clients with summaries of the rule books and associated risks of more than 140 trading venues in Europe. The tool is subscription based and customisable, helping clients ensure compliance and operational efficiency to avoid fines and sanctions. The firm estimates it would take four times longer to manage risks and requirements for the venues without TVR.88824
HIGHLY COMMENDEDDentonsEstablished a new service for central European clients that advises on opportunities for EU funding, grants and tax incentives to further company research and development of new technology. The offering combines legal, tax, consulting, financial, scientific and technological expertise. The group is advising 15 clients on €250m worth of grants and funded projects to develop new intellectual property and process improvements.78823
HIGHLY COMMENDEDDLA PiperDeveloped Notify, an algorithmic tool to help clients assess both the severity of a data breach and whether they are required to report it to authorities within the set 72-hour window. Lawyers and technologists across the firm’s European offices collaborated with the European Union Agency for Cybersecurity, using official reporting standards to develop the algorithm, removing personal bias in decision making.88723
HIGHLY COMMENDEDEcijaPartnering with Prodigioso Volcán, a Spanish public relations agency, the firm produces plain-language contracts for financial sector clients, combining clear language with visual communication. Financial institutions in Spain had been under scrutiny for using unclear and potentially misleading language in customer contracts, requiring a reworking of much of their documentation. Clients include local council projects such as the redesign of traffic fines.88723
HIGHLY COMMENDEDMishcon de ReyaTwo new services, MDR Brand and MDR Cyber have expanded the firm’s offering into consulting and other professional services. MDR Brand packages services such as brand licensing, commercial partnerships, intellectual property and legal advisory for clients. MDR Cyber combines legal advice with reputational management, cyber security and digital investigations. Software developed in-house supports the offering, helping the team to capture data faster and with less risk for clients.88723
HIGHLY COMMENDEDNorton Rose FulbrightDeveloped N-Accelerate, a process for the automation of complex transaction documents, making production 10 times faster than traditional document automation tools, with an error rate of zero. The process has enabled lawyers without coding experience to automate Loan Market Association documents and templates for other transactions. The time taken to draft LMAs has shrunk from 10 hours to 20 minutes.78823
COMMENDEDAllen & OveryLaunched A & O Consulting to provide strategic advice and operational support to clients on complex regulatory matters. Consultants combine traditional legal services with advisory on governance, corporate purpose and culture, operational risk and regulatory policy.78722
COMMENDEDDeloitte Legal (Spain)Following the introduction of tax obligations in Spain requiring companies to provide real-time invoice data to tax authorities, the firm developed My Tax Analytics to automate the process and leverage the potential of the new datasets. The system can detect invoicing discrepancies, automatically populate tax forms and improve budgeting and resource planning.78722
COMMENDEDMills & ReeveAccording to the UK’s Solicitors Regulation Authority, 75 per cent of all reported cybercrimes in 2016 were “Friday afternoon frauds”, when large sums are handled at the completion of property conveyancing transactions, worth a total of £85m. The firm has set up a service with insurance client Pen Underwriting to streamline responses to notification of a fraud, reducing reaction time and recouping more 50 per cent of its 2018 losses, amounting to £2.5m.77822
COMMENDEDShoosmithsDevelopment Constraints is a new service for property developers to reduce the burden of costly and unnecessary insurance premiums on greenfield projects. A team of lawyers analysed surveyor reports to assess whether the legal risks associated with high-rise construction, such as the impact on a neighbour’s right to natural light, were properly appraised. The firm found that reports frequently assessed this risk to be too high, which led to unnecessarily expensive insurance cover. Commended: Wayne Nash.88622
COMMENDEDCMSExpanded the equIP programme to international markets. Now 73 start-ups from more than 20 countries are involved in the incubation programme. CMS lawyers who worked for the start-ups at a discounted rate do not suffer remuneratively. Lawyers have worked on four exits and 60 fundraisings since the programme’s inception in 2015. Commended: Anthony Waller.68721
COMMENDEDGoodwinCreated the En Bloc security agreement to simplify the process for banks to secure syndicated loans in Germany. The package includes all rights and protections necessary, reduces documentation by 75 per cent and cuts errors and duplicative work. A matrix of providers and security options provides banks with a complete overview of a credit security package on one page.77721
COMMENDEDAllen & OveryDeveloped marginMAPP, an online tool freely available to all clients to assist them with identifying whether new arrangements are needed to comply with initial margin rules. The tool was built on Neota Logic’s automation software, using decision-tree logic, cutting time and costs associated with complying with the new initial margin rules.67720
COMMENDEDHerbert Smith FreehillsDeveloped software to determine automatically what personal information data breaches contain, and whether there are notification requirements. Documents with the most sensitive data are prioritised and the software works with the ediscovery software Relativity to enhance efficiencies. Estimated cost savings on medium-sized breaches are $200,000. Commended: Andrew Moir.77620
COMMENDEDSelepey, Volkovetsky & PartnersSpecialising in the distressed assets market in Ukraine, the firm combines legal and broader business advice to improve compliance with consulting services to assist business development for clients. The firm takes options in revitalised assets rather than a fee based on hourly billing, and has revitalised several large supermarket chains.67720
COMMENDEDToffoletto De Luca Tamajo e SociImplemented a structured process to commoditise legal services, developing several products that lawyers can pitch as part of their service to clients. Teams of lawyers and trainees worked together to develop and market the new tools, which cover long-distance employee monitoring, flexible working policies, data privacy, employee benefit plans and whistleblowing.67720

Get alerts on Legal services when a new story is published

Copyright The Financial Times Limited 2019. All rights reserved.
Reuse this content (opens in new window)

Follow the topics in this article