TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The Office of the Comptroller of Currency (OCC), an independent bureau of the US Department of the Treasury that regulates and supervises all national banks and federal savings associations, last week held its Responsible Innovation Forum. The forum is the latest in the OCC’s continuing efforts to address the changing landscape of the financial services industry, particularly with respect to financial technology (FinTech), such as mobile payment services and marketplace lending platforms.

Earlier this year, the OCC released the white paper Supporting Responsible Innovation in the Federal Banking System: An OCC Perspective, which summarized the OCC’s research and presented its view on the principles by which it evaluates innovation in the financial sector. The white paper was followed by a comment period (which concluded May 31) during which industry stakeholders could provide feedback on issues, including FinTech innovation and the OCC’s approach to dealing with innovation in the industry.

Jennifer Lonoff Schiff from CIO.com recently posted advice for small businesses looking to outsource. In her article, “6 outsourcing tips for small business,” Schiff acknowledges the benefits of outsourcing—even for small business—and notes that while “not every small or midsized business can afford to outsource functions . . . it pays to do your homework and due diligence before giving over part of your business to a third party.” 

The Ponemon Institute, which conducts independent research and offers strategic consulting on privacy, data protection, and information security policy, recently released its 2016 Cost of Data Breach Study: Global Analysis (2016 Study) identifying global trends in costs associated with data breaches and the implications for organizations. Ponemon conducts the study annually with the goal of quantifying the economic impact of data breaches and observing cost trends over time. According to Ponemon, “a better understanding of the cost, the root causes and factors that influence the cost will assist organizations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack.”

The 2016 Study—which included 383 companies in 12 countries—found that, in comparison to the results of the 2015 study, the average total cost of a data breach increased from $3.79 million to $4 million, and the average total cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 to $158. Further, Ponemon’s analysis of the results places the likelihood of an organization having at least one material data breach (at least 10,000 lost or stolen records) within the next 24 months at 26%.

In last month’s Cyber-Awareness Monthly Update, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) asked “Is Your Business Associate Prepared for a Security Incident?

The OCR, which is tasked with, among other things, ensuring equal access to certain health and human services and protecting the privacy and security of health information, noted growing concerns by covered entities under the Health Insurance Portability and Accountability Act (HIPAA) regarding security breaches of their business associates. In particular, the OCR explained that “[d]espite the requirements of HIPAA, not only do a large percentage of covered entities believe they will not be notified of security breaches or cyberattacks by their business associates, they also think it is difficult to manage security incidents involving business associates and impossible to determine if data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach.”

Mark Rosekind, chief of the National Highway Traffic Safety Administration (NHTSA), recently announced that the NHTSA will release documents to serve as a framework for national regulations concerning automated and autonomous vehicles. The documents, which are scheduled for release in July, will allow states to institute additional rules or regulations regarding self-driving vehicles.

In another appearance last week, Mr. Rosekind further explained that the NHTSA has been working on a model state policy for automated vehicles to help states develop policies consistent with other states’ and federal policies and in turn promote “a uniform nationwide framework to help enable innovation.” Mr. Rosekind also noted that the NHTSA is mindful that any regulations in this industry must evolve with the industry rather than remain static for long periods of time.

Although this model policy framework will be a resource available to states, as Mr. Rosekind put it, “What the states actually implement is their call.” With these remarks, he clarified that the NHTSA has no current intention to promote binding federal regulations as a means of achieving a consistent approach to self-driving vehicle restrictions nationwide. This is undoubtedly a disappointment to the many companies in the industry that have pushed for federal regulations to promote uniformity and avoid the substantial efforts necessary to sift through the potentially conflicting state rules.

The Hamburg Data Protection Agency (DPA) recently fined three companies for not having appropriate replacements for the Safe Harbor in place after the expiration of the permitted grace period. While the amounts of these fines are not particularly concerning, the precedent and potential for future, more burdensome fines is significant.

As we discussed in a previous post, in the landmark case Maximillian Schrems v. Data Protection Commissioner, the European Court of Justice (ECJ) ruled that the Safe Harbor program (which had dictated the conditions of the transfer of personal data from the European Union to the United States since 2000) is invalid. The European DPAs granted companies a transitory period to migrate from the Safe Harbor to other legal tools for their international data transfers, in particular by implementing Binding Corporate Rules (BCRs) or the Model Contractual Clauses. This transitory period expired in February. Since that time, some proactive DPAs, including the Hamburg DPA in Germany, have launched their own inquiries to ensure that the companies under their jurisdiction are in compliance.

When we last discussed the application of Title III of the Americans with Disabilities Act (ADA) to websites (see our April 2015 post), the US Department of Justice (DOJ) appeared primed to propose the Web Content Accessibility Guidelines (WCAG) 2.0, Level AA as the standard required for public accommodations in the private/non-government sector. Then, in late 2015, DOJ announced that it would not finalize regulations to explain what constitutes accessible website content for public accommodations in the private/non-government sector under Title III until fiscal year 2018 at the earliest. Recent DOJ developments now bring into question this 2018 target.

As explained in our December 2015 LawFlash, “DOJ Delays ADA Regulations for the Accessibility of Private Websites to 2018,” the rationale for pushing back the Title III regulations was DOJ’s desire to move forward with its rulemaking for the corresponding website accessibility guidelines for government agencies and contractors under Title II of the ADA. DOJ explained that the Title II rulemaking would “facilitate the creation of an important infrastructure for web accessibility that will be very important” for the Title III web accessibility rulemaking. At the time, the Title II guidelines were expected to be finalized in the summer of 2016.

The use and acceptance of electronic signatures are becoming more commonplace around the globe. One estimate has the number of transactions using electronic signatures growing from 210 million in 2014 to 700 million in 2017. In our practice, we are seeing more companies implement electronic signature solutions in their commercial contracting practices and procedures.

Given this increased usage of electronic signatures, we think it’s a good time to remind our readers that a new legal framework for electronic signatures is set to take effect in the European Union on July 1.

In their upcoming webinar, “Landmark Trade Secret Law Establishes New Rights and Remedies,” Silicon Valley partner Mark Krotoski, San Francisco partner Christopher Banks, and Philadelphia partner John Gorman will discuss the new Defend Trade Secrets Act of 2016 (DTSA). Signed into law on May 11, the DTSA represents the most significant trade secret reform in decades.

Contract drafting is one of those subjects that just doesn’t get the attention it deserves. Many clients seem to view drafting as a dark art learned in the basements of law schools. Worse than that, even many lawyers view it the same way.

We have all had to plod through long, boring contracts with page-long sentences that contain ideas separated by what feels like millions of commas. No wonder many people think the best contracts are the ones that stay in a drawer.

But the contracts in complex sourcing deals should play an operational role and not just be relegated to a forgotten drawer. Many times, when we get involved in disputes, we find that a major contributor to that dispute was that each party ignored the contract they worked so hard to create and just behaved the way they did in their respective prior deals. What a shame.