In light of recent significant ransomware cyberattacks such as the one that originated in Ukraine and quickly spread to affect hundreds of thousands of computers in more than 150 countries, we wanted to provide a few pointers on shoring up your company’s contractual language to mitigate (or at least shift) the risks involved with these types of attacks.

On August 1, 2017, Delaware’s historic blockchain law became effective. The Delaware General Corporation Law (DGCL) has always required corporations to keep records of their stock and stockholders. Before this new law was adopted, there was nothing specifically stopping a Delaware corporation from using blockchain technology to keep track of its stockholders, but there was also a great deal of regulatory uncertainty. With these new changes to the DGCL, companies incorporated in Delaware are now expressly allowed to keep track of their stockholders and outstanding stock by using blockchain (also known as distributed ledger) technology.

The US Patent Act[1] gives patent holders the right to prevent others from making, using, offering for sale, or selling the invention in the United States or importing the invention into the United States.[2] The premise behind granting these rights in new inventions is to encourage inventors to disclose new technology to the public by offering the inventors a limited monopoly on the use of such technology.

The doctrine of patent exhaustion limits the ability of a patent holder to control the future sale and use of individual items that contain or use the patented technology. When a patent holder sells or authorizes the sale of an individual item, the patent holder can no longer control that item by asserting its rights under the US Patent Act. That is, the patent holder cannot claim that the subsequent sale of that item infringes the patent holder’s patent rights. The patent rights are said to be “exhausted.”

In addition to the recent FTC Guidance on COPPA, discussed in a previous post, the FBI has released a Public Service Announcement about the dangers of internet-connected toys and other kids’ devices. Our privacy group has put together a comprehensive LawFlash on both the FTC Guidance and the FBI’s Announcement. Read the LawFlash for more detail and reminders for compliance.

On August 30, Morgan Lewis and the Sourcing Industry Group (SIG) will host a full-day Executive Immersion Program in Boston. This popular program provides advanced presentations, workshops, and case studies geared toward executive decision-makers. Speakers include Morgan Lewis partners and industry thought leaders Ed Hansen and Doneld Shelkey.

The Executive Immersion Program will include an interactive master contracting workshop geared toward sourcing professionals and in-house counsel. Participants in the contracting workshop will be given examples from experienced professionals that lead information technology–enabled transformations and manage outsourcing deals.

In April, US President Donald Trump signed a bill rejecting Obama-era regulations on the consent needed for a broadband internet access service (BIAS) provider to use and disclose a consumer’s sensitive information—including geolocation data. In the wake of such regulations being blocked, some state legislatures introduced geolocation privacy bills to address the use and disclosure of consumers’ geolocation information. The Illinois House and Senate recently passed one of those efforts to regulate such use of geolocation information.

The latest update to the Statement on Standards for Attestation Engagements (SSAE)—a set of standards applying to compliance reporting, issued by the Auditing Standards Board (ASB)—came into effect recently. If your contract requires certain reports from service providers, you may need to update your contractual language to reflect ASB's changes under this recent update (SSAE 18).

Frequently, contracts with service providers for certain services require the service provider to retain an accounting firm to perform specific audits and to deliver the results of such audits or a report thereof. Based on the SSAE 18, the audit language related to such audits may need to be updated. For example, if your audit language requires service organization control (SOC) 1 reports conducted under the SSAE 16 standards, this language is now out of date. As of May 1, 2017, SOC 1 reports will be issued under SSAE 18, which redrafts all of the prior SSAE versions, with a few exceptions. Going forward, an "SSAE 16/SOC 1 report" should be referred to as an "SOC 1 report" in your contracts, removing the reference to SSAE 16.

While many experts are not characterizing the changes in SSAE 18 as major developments, it is still important to discuss these changes with the relevant professionals and to determine whether your contracts' audit language needs to be updated.

A liquidated damages clause can be a useful tool in a contract to reduce uncertainty and the time and resources spent on potential disputes. Liquidated damages clauses specify the amount of damages to be paid by the breaching party in the event of certain types of breaches as defined in the contract by the parties. The amount of liquidated damages represents the contracting parties’ best guess as to the amount of anticipated or actual damages that would be incurred by the non-breaching party in the event of a specified breach of the contract by the other party.

There are steps you can take in determining the liquidated damages amount and drafting your contract to make sure courts uphold the liquidated damages provision. Of course, while this post discusses liquidated damages clauses generally, you should also research how the jurisdiction applicable to your contract treats liquidated damages.

In May 2017, Senator Mark Warner of Virginia sent a letter to the Federal Trade Commission (FTC) raising concerns about the security of data collected, transmitted, and/or stored by internet-connected products geared toward children. FTC acting Chairman Maureen Ohlhausen sent a response letter discussing Senator Warner’s concerns and the FTC’s enforcement of the Children’s Online Privacy Protection Act (COPPA), and the FTC released updated guidance on COPPA compliance in late June 2017.

In June 2017, companies, government entities, and law firms faced a global ransomware attack from a type of malware where attackers lock certain data or components of a system and demand payment in exchange for returned access to such data or systems. Lawyers and law firms are targets of attacks like this and other forms of data breaches at high rates. In the wake of this latest global ransomware attack, let us recall certain ethical obligations related to technology that apply to lawyers.