TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Risk is an interesting topic that can (and does) take volumes to address. Still, it’s helpful to step back and take stock of how you deal with risk in complex sourcing deals.

One way to break down how you look at risk is in terms of allocation versus mitigation. Contracts tend to focus heavily on risk allocation. The limitations of liabilities clause, for example, feels like risk mitigation, but what those limits really do is determine who is going to bear the risk that already exists.

Clearly understanding risk and allocating it appropriately is extremely important and not to be taken lightly. Still, it’s a mistake to give short shrift to thinking about how to mitigate that risk in the first place. This raises the question: what can be done to get that risk level down a bit?

Morgan Lewis and the Sourcing Industry Group (SIG) are co-hosting an Executive Immersion Program that will feature intensive workshops for sourcing leaders. Speakers include Morgan Lewis partners and industry thought leaders Ed Hansen and Vito Petretti, as well as leading industry consultants from Alsbridge.

Topics will include:

If You Build It (Right), They Will Come: A Master Workshop on Contracting
This contracting workshop is specially designed for practitioner sourcing leaders and in-house counsel who engage in the review, creation, and/or execution of contracted services and terms. This session is designed to enhance master competencies in contracting and negotiating. Delivered in a highly interactive format (beginning with time for networking and concluding with a set of workshops designed to drive home the material), this workshop will include direct examples and experiences from some of the most experienced and innovative practitioners in the industry with extensive backgrounds in IT-enabled transformation, as well as customer and vendor outsourcing deal management. This workshop is back by popular demand and usually fills up fast.

Buying Technology in a Time of Disruption
At a time when technology is driving a business revolution, it’s no longer sufficient to have one mode of sourcing. Traditional sourcing is focused on cost reduction, quality, standardization, compliance, and risk containment, but there are times when sourcing must instead focus on disruption, transformation, capability enablement, differentiation, and speed, while never losing sight of the basics. Strategic IT sourcing now requires adaptive multi-modal approaches to maximize value to the business. In this session, Alsbridge will outline best practices to maximize business value across hardware, software, cloud, network, outsourcing, and integrated solutions sourcing.

Register for the Executive Immersion Program.

The Defend Trade Secrets Act of 2016 (DTSA), signed into law on May 11 by US President Barack Obama, is a new law that establishes federal rights and remedies for trade secret owners. Summarized by our colleagues in a recent LawFlash, the DTSA represents the most significant trade secret reform in decades.

Among the DTSA’s key features are whistleblower protections that could require immediate changes to form agreements and policies governing the use of trade secrets and other confidential information.

Have you ever noticed how many professional biographies mention complexity? It seems like everyone is handling “complex” litigation or “complex” commercial transactions or helping clients drive home “complex” projects.

In the sourcing world, most of us think of ourselves as handling “complex” sourcing. A fair question to ask then is, what does “complex” mean in this context? And, does it matter?

The short answer to whether the term “complex” matters in sourcing is that it should, and it is worth taking a few minutes to think about.

The University of Tennessee has adopted a model for sourcing that puts projects on a continuum from simple to complex. Adopting that model for our purposes, it is helpful to think of “noncomplex” as something that can be completely described in a contract and is supplier agnostic. The go-to product for illustrating this is the unassuming number 2 pencil. As long as you can describe the pencil completely (lead hardness and consistency, color, length, diameter, and size, etc.), it doesn’t matter where you get the pencil. All that really matters is the cost. Once you sign your supply contract, as a buyer, you can just sit back and check the boxes of pencils when they arrive to make sure they comply with their specifications.

On April 28, the Payment Card Industry (PCI) Security Standards Council (Council) announced the release of PCI Data Security Standard (PCI DSS) version 3.2 to replace version 3.1, which expires on October 31, 2016. The announcement states that “[c]ompanies that accept, process or receive payments should adopt [version 3.2] as soon as possible to prevent, detect and respond to cyberattacks that can lead to breaches.”

The Council pointed out that because PCI DSS is recognized as a “mature standard” by the payment industry, “the primary changes in version 3.2 are clarifications on requirements that help organizations confirm that critical data security controls remain in place throughout the year, and that they are effectively tested as part of the ongoing security monitoring process.”

One such change is to expand the use of multi-factor authentication to include all administrators who access cardholder data. This builds on the existing requirement of multi-factor authentication for all personnel with remote access to cardholder data.

Version 3.2 also includes a number of new requirements for organizations to follow, most of which apply only to service providers. To allow companies time to implement the new requirements, they will serve as best practices until January 31, 2018, after which they will become requirements.

Highlights of the new requirements include the following:

  • New requirement 3.5.1 — Service providers must maintain a documented description of cryptographic architecture (e.g., algorithms, protocols, and keys).
  • New requirement 6.4.6 — Organizations must ensure that security controls are implemented and documentation updated for all new or changed systems and networks. In other words, validation of security controls must be incorporated into change management processes.
  • New requirements 10.8 and 10.8.1 — Service providers must establish processes to timely detect, report, and respond to failures of critical security control systems (e.g., firewalls, anti-virus, and physical/logical access controls).
  • New requirement 11.3.4.1 — Service providers must perform penetration testing on segmentation controls (if used) every six months (formerly an annual requirement) and after any change to segmentation controls.
  • New requirement 12.4.1 — Executive management must establish responsibilities for the protection of cardholder data and implement a PCI DSS compliance program.
  • New requirements 12.11 and 12.11.1 — Service providers must perform reviews on at least a quarterly basis to confirm that personnel are following security policies and procedures, and maintain documentation of such quarterly review process.

A common concept in outsourcing called “watermelon” service levels refers to service levels that a vendor is meeting but a customer is unhappy with (green on the outside, but red on the inside, like a watermelon). In other words, the vendor is complying with the contract, but that is not enough to satisfy the customer. This is not limited to customers. Often, vendors aren’t happy either.

This condition, in which the parties are in compliance with the contract but are unhappy with their deal, can permeate the relationship and have grave consequences. These include destroying the morale of both parties’ employees, tanking a perfectly good change-management program, and making it difficult for the customer or the provider to realize the deal’s benefit.

Watermelon service levels occur for many reasons, but one common one is failing to understand and take into account the difference between deal financials and deal economics. Deal financials are about money, plain and simple—which is very important, but incomplete. Deal economics, on the other hand, are about motivating behavior and allocating scarce resources (in this case, time-constrained personnel on both sides). So, although having good financials may be a powerful motivator, it is only part of the picture.

Last week, Morgan Lewis kicked off the sixth annual Technology May-rathon, a series of over 20 programs focusing on critical trends, developments, and issues in the technology industry.

This year’s programming includes a variety of webinars and panel discussions that highlight key topics such as privacy and data security, telehealth, the new EU General Data Protection Regulation, encryption, digital health products, telecom transactions, employment law issues, copyright infringement, and e-commerce. There are two webinars scheduled for this week, and the series continues with programs throughout the month of May.

Be sure to check out the complete schedule of events where you can register for the programs that interest you.

On April 27, the US Senate Commerce Committee approved the Developing Innovation and Growing the Internet of Things Act (DIGIT Act) with the intent to help the United States capitalize on potential economic opportunities and benefits that growing the Internet of Things (IoT) can offer.

The DIGIT Act would require the US Secretary of Commerce (Secretary) to convene a working group comprising governmental stakeholders and discretionary nongovernmental representatives to provide recommendations to the US Congress on how to appropriately plan for and encourage the proliferation of the IoT in the United States. The working group would, among other things, assess the legal and regulatory landscape that could inhibit the IoT and consider policies and programs that encourage coordination among federal agencies that have jurisdiction over the IoT.

In making its recommendations, the working group would also be required to consult with nongovernmental stakeholders, including information and communications technology business leaders, as well as experts in industrial sectors such as agriculture and healthcare. The DIGIT Act would also establish a steering committee appointed by the Secretary to advise the working group.

On April 27, the US House of Representatives (House) voted 419-0 to approve the Email Privacy Act (Act). Background information on the Act can be found in our April 19 Sourcing @ Morgan Lewis post.

It remains unclear whether or when the US Senate may address or act on the Act; however, the unanimous House vote may add some pressure on the Senate to move towards approval. We will continue to provide updates as they occur.

On April 13, the US House Committee on the Judiciary (the Committee) voted 28-0 to approve the Email Privacy Act (Act), which would, among other things, require federal authorities to obtain a warrant from a judge to access all emails or other digital communications. 

The Act would amend the Electronic Communications Privacy Act of 1986 (1986 Act), which prohibits providers of remote computing services or electronic communication services from knowingly divulging to government entities the contents of any communication that is in electronic storage or otherwise maintained by a provider, subject to certain exceptions. Under the 1986 Act, as currently in effect, law enforcement and civil agencies may request such communications so long as they are more than 180 days old (and considered abandoned property) with only a subpoena. Unlike warrants, subpoenas can be issued without proof of probable cause. The Act would now require government authorities to obtain a warrant before requiring providers to disclose the content of such communication, regardless of how long the communication has been held in electronic storage.