David Lock QC of No 5 Chambers writes about lessons that can be learned from a recent Judicial Review case on IT security and the LSC tendering process:
The facts in R (M & Co) v Legal Services Commission.
This case concerned a sole practitioner in Birmingham, Ms M who tendered to renew a small Family contract with 25 NMS in the current contracting round. She completed the PQQ successfully and then completed the ITT using the LSC’s BravoSolution computer system. However, the day after the ITT was submitted, someone accessed her account on the BravoSolution computer system and changed the submission to indicate that she did not have an office in the relevant procurement area.
Ms M has had an office for 20 years and still has an office. However that answer meant that her tender was non compliant and it was subsequently rejected by the LSC.
Ms M commenced Judicial Review proceedings to challenge the refusal by the LSC to reconsider their decision on the grounds that it was at affected by third party fraud. During the proceedings the technical computer information was provided by the LSC from the BravoSolution computer system. Expert computer evidence commissioned by Ms M (not by the LSC) confirmed that the changes in question to the ITT were made by somebody accessing the BravoSolution account from a home computer system to which a former employee had access. At this point it remains unclear whether the changes to the ITT were made by the former employee or somebody else using that ISP address
David Lock QC and Louise Corfield of No5 Chambers (email@example.com) were counsel for Ms M in the case
However it was clearly established that, whoever made the changes, it was not Ms M or anybody who had her authority to access the BravoSolution computer system.
There were also issues in the case about the ease with which the password could be changed using the “Forgotten Password” box which then sends an email with a new password to the email address provided by the Applicant Organisation (which in turn raises issues about the data security of the given email address).
Despite those facts being established, the LSC continued to defend the case which came before Mr Justice Bean on Friday 15 March 2013. At trial the Judge gave a strong preliminary indication on the merits and, faced with that indication, the LSC consented to an order to quash the decision to refuse Ms M a contract and agreed to reconsider the decision on the basis of the information provided in the genuine ITT. There was also provision for part of Ms M’s costs to be paid by the LSC
The outcome of the case.
This case was therefore a rare example of a successful Judicial Review against the LSC on a tendering issue, although it is perhaps unfortunate that no written judgement was provided indicating how the courts would deal with a case where a decision of a public body appears perfectly valid on its face but, unknown to the public body, has been affected by third party fraud.
The lessons emerging from the case.
There are a number of issues which emerged from the case which may be of interest to legal aid practitioners.
1. The LSC see the BravoSolution username as being personal to an individual and not to the Applicant Organisation.
There is provision within the BravoSolution etendering computer system for individuals to be registered and provided with their own username and password in addition to the login details and password for the Applicant Organisation.
The statistics provided in the case suggest that less than 20% of tenderers register any Applicant Users in addition to the Applicant Organisation. However, whilst this is not entirely clear from Information for Applicants document, the LSC
interpret the User Agreement to provide that the initial username and password are not an username and password for the Applicant Organisation but are individual to the named person who is registered on the system. The LSC interpret the
terms of the User Agreement to provide that this username and password are personal to that individual.
2. Disclosure of the username and password is a breach of the user Agreement.
The LSC’s case in M suggested that disclosure of the username and password by the original registrant to anyone constitutes a breach of the User Agreement. Any breach of the User Agreement results in automatic disqualification.
It follows that every secretary, assistant or other individual at the firm needs to be registered as part of any LSC tender process and needs to be provided with their own username and password in order to login to the BravoSolution computer system.
If a secretary is provided with a partner’s username and password in order to complete part of the ITT, this may be considered by the LSC to be a breach of the User Agreement and thus may lead to automatic disqualification of the tenderer. The fact that 82% of applicants only register one username and password (or mistaken assumption that this refers to the Applicant Organisation rather than an individual within the Applicant Organisation) suggests that this might be widely misunderstood.
The message from this case is therefore that an individual who registers on the BravoSolution computer system must not disclose their registration details to anyone else within the Applicant Organisation and that every single individual who has anything to do with a tendering process needs to be separately registered on the BravoSolution computer system in order to avoid a breach of the User Agreement.
3. Removing the registration of an Applicant User.
Another issue which emerged from the case was that whenever a person who is registered on the BravoSolution computer system leaves the Applicant Organisation or becomes in anyway a person who the firm cannot rely upon (because for example there are suspended on disciplinary grounds), an application must be made to BravoSolution to have their username and password removed so that they cannot access the computer system. If the tenderer does not do this and there is any malicious use of the BravoSolution computer system by that individual, the Applicant Organisation will be bound by the changed tender.
4. How is responsibility allocated for fraudaulent use of the BravoSolution computer system within the User Agreement?
The fourth issue from the case concerns paragraph 5.7 of the terms of the User Agreement. This provides:
“The Applicant shall be responsible for any unauthorised, false or fraudulent response to any invitation to participate in a procurement that is submitted using one of its Applicant Users’ ID and password”
The LSC has confirmed that this “standard term” which was not discussed with any legal aid practitioners before it was inserted into the User Agreement. Its effect is that the tenderer is deemed to be responsible in law for any fraud on the BravoSolution computer system committed by a third party, whether the tenderer is at fault in passing on a username and password or not. The wording would also appear to place “responsibility” for such a fraud on the tenderer even if the fraud was committed by an employee of BravoSolution or the LSC. The width of this term may be something that the LAPG wishes to take up on behalf of legal aid practitioners with the LSC.
There were interesting arguments in the M case as to whether this clause fell within the scope of the Unfair Contract Terms Act 1977 and/or whether it was enforceable at law following cases such as Thornton v Shoe Lane Parking  2QB 163 but no decision was given as to whether this term was enforceable (and the concession by the LSC in the M case cannot be taken as an admission that the term is not enforceable in other cases)
The outcome for Ms M
The LSC have yet formally to confirm that Ms M has been granted a contract because the most that the court can do is to quash the decision and direct the LSC to make a new decision.
However the issues raised in this case emphasise the need for legal aid practitioners to be vigilant on IT security issues when completing tenders.