On October 11, 2017, the House of Representatives passed bill H.R. 2105, the NIST Small Business Cybersecurity Act (NIST Act), which would require the US Department of Commerce’s National Institute of Standards and Technology (NIST) to provide cybersecurity guidance to US small businesses. The NIST Act was passed shortly after the very similar Senate bill S. 770, the MAIN STREET Cybersecurity Act of 2017, which passed on September 28.


The NIST Act would require NIST to issue voluntary guidelines, within the year following enactment, specifically tailored to the cybersecurity needs of small businesses. As drafted, the guidelines must

  • be generally applicable and usable by a wide range of small business concerns;
  • vary depending on the size and nature of the implementing business concern and the sensitivity of data collected and stored;
  • include elements to promote awareness of basic controls, a workplace cybersecurity culture, and third-party relationships in order to help mitigate common cybersecurity risks;
  • include case studies;
  • be technology neutral; and
  • to the extent possible, be based on international standards and consistent with the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. §§ 3701 et seq.).

Upcoming Webinar

October 17, 2017

On October 25, A. Benjamin Klaber, a lawyer in our technology, outsourcing, and commercial transactions group, will be co-presenting a CLE-webinar, “Drafting Website and Mobile App Terms of Use, Privacy Policy, and IP Protections.” The webinar will offer guidance on drafting and enforcing terms of use, privacy policies, and IP protection language for websites and mobile apps to effectively mitigate business risk.

The webinar will take place from 1:00–2:30 pm EDT. 

Additional information regarding the webinar, registration, and CLE credits can be found here.

The US House of Representatives passed the “Safely Ensuring Lives Future Deployment and Research In Vehicle Evolution Act,” or the “SELF DRIVE Act,” on September 6. As stated in the act, the purpose of the law is to “memorialize the Federal role in ensuring the safety of highly automated vehicles as it relates to design, construction, and performance, by encouraging the testing and deployment of such vehicles.”

The act preempts any state laws that impose lower or inconsistent requirements regarding the design, construction, or performance of highly automated vehicles, automated driving systems, or components of automated driving systems. However, states will still be able to set regulations on registration, safety inspections, licensing, and insurance.

On Wednesday, October 11, Edward J. Hansen, a partner in our technology, outsourcing, and commercial transactions group, will be presenting a case study titled “Is Your BPO Robo-Ready?” at The Conference Board’s Robotic Process Automation (RPA) for Shared Services Seminar. The case study will explore the intersection of outsourcing and robotic process automation (RPA) and include topics such as how RPA impacts sourcing and affects the outsourcing business model, as well as how contingencies in existing deals may introduce the benefits of RPA.

The daylong seminar will begin at 8:00am at The Conference Board Conference Center, 845 Third Avenue, New York, and will conclude at 4:45pm.

Ed’s presentation will be at 2:10–3:10pm.

Additional information on the seminar and registration can be found here.

On Thursday, October 12, as part of the 3 Rivers Venture Fair, Peter Watt-Morse, a partner in our technology, outsourcing, and commercial transactions group, will be moderating the expert panel Cybersecurity: Update on the Latest Risks and Opportunities. In addition to Peter, expert panelists will include David Brumley (CEO/co-founder of ForAllSecure and professor in ECE and CS at Carnegie Mellon University), Norman Sadeh (CEO, Wombat Security Technologies, and professor of computer science at Carnegie Mellon University), and Roberta Anderson (director of Cohen & Grigsby, P.C.).

The panel will take place from 9:45 am to 10:30 am.

The 3 Rivers Venture Fair is a two-day event that kicks off at 8 am Wednesday, October 11, at Heinz Field in Pittsburgh. The event concludes at 2:30 pm on Thursday, October 12.

Additional information regarding the 3 Rivers Venture Fair and registration can be found here.

On June 5, 2017, the Supreme Court of the United States granted certiorari in Carpenter v. United States, a case in which the court will assess and decide the extent of the Fourth Amendment’s protection against a warrantless search and seizure of cell-site-location information (CSLI), which includes the GPS coordinates of each cell tower and the dates and times any cell phone connects to it.


In Carpenter, the FBI obtained CSLI from wireless carriers linked to suspect Timothy Carpenter’s cell phone in an attempt to place him at the sites of several robberies. However, the CSLI obtained was not only for those dates and times of the known robberies, but also included months of records detailing every location from which Carpenter made a call—and all of this was obtained without a warrant.

Carpenter, who is represented by the American Civil Liberties Union (ACLU), argues that his Fourth Amendment rights were violated when the FBI obtained the CSLI without a warrant. However, the FBI relied on the “third-party doctrine,” a legal theory used by law enforcement to access personal data without having to demonstrate probable cause. This would allow access to certain information collected by private businesses for providing services to customers without constituting a “search.”

Morgan Lewis partner Rahul Kapoor and associate Parikhit Sarma will serve as panelists at the Indian Corporate Counsel Association’s International Summit. Rahul will chair the panel titled “Standard Setting Organizations and Standard Essential Patents,” while Parikhit will speak on “Managing Risks In M&A – Perspective From India and Overseas.”

October 5, 2017
9:00–9:30 am | Registration
5:15–6:00 pm | Standard Setting Organizations and Standard Essential Patents

October 6, 2017
11:00–12:00 am | Managing Risks In M&A – Perspective From India and Overseas

The Leela Palace
Africa Avenue, Chanakyapuri, Diplomatic Enclave
New Delhi, Delhi 110023, India

In the wake of several major data breaches over the last several months, new data security and data breach notification bills have been introduced in the US Congress, and others may also be in progress.

Two key bills currently introduced are:

  • Bill S. 1815, the Data Broker Accountability and Transparency Act of 2017 (DBAT Act), which would set new accountability and transparency requirements for data brokers selling consumers’ sensitive information; and
  • Bill H.R. 3806, the Personal Data Notification and Protection Act of 2017 (PDNP Act), which would provide for a single national data breach notification standard.

On August 31, the White House released a report developed by the American Technology Council (ATC), Office of Management and Budget, Department of Homeland Security, Department of Commerce, and General Services Administration addressing the objectives of and a plan for the modernization of federal information technology (IT).

Historically, modernization has been a problem due to factors such as resource prioritization, the inability to procure services quickly, and technical issues. The report splits these issues into two groups—the modernization and consolidation of networks and the use of shared services to enable future network architectures.

Network Modernization and Consolidation

In the report, the ATC calls for government agencies to maximize the secure use of cloud computing, modernize government-hosted applications, and securely maintain legacy systems. In addition, the report calls for the consolidation and improvement of the acquisition of network services.

Earlier this month, the United Kingdom’s Information Commissioner’s Office (ICO) released an initial draft guide of contracting requirements and liabilities for data controllers and data processors doing business together under the General Data Protection Regulation (GDPR).

According to the ICO guide, any time a party that determines the purposes and means of the processing of personal data (Controller) uses a party that processes personal data on behalf of a Controller (Processor), a written contract between the parties is required. If a Processor uses a sub-Processor, the Processor shall be deemed a Controller and will be subject to the same requirements and liabilities as a Controller.