TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

U.S. Treasury Secretary Jack Lew is urging Congress to pass legislation to bolster the country’s cyber defenses. The proposed bill—the Cybersecurity Information Sharing Act of 2014 (CISA)—may unleash a brute-force attack in the cyber war, but opposition based on privacy and civil liberties concerns could stop the bill dead in its tracks.

In a recent decision, the U.S. District Court for the District of Columbia held that the plaintiffs in a data theft case lacked standing when the only injury was an “increased likelihood” of becoming an identity theft victim.

In rendering its decision in In Re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, the district court relied on the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA, where the Court held a “mere loss of data” or “increased risk of identity theft” in a data breach case does not constitute an injury that confers standing. Instead, individuals whose data has been stolen must show that injury has actually occurred or is certainly impending.

The facts of the SAIC case are pleasantly low tech. Data back-up tapes were stolen from a car. The tapes were never found. The tapes contained personal information for more than 4.7 million members of military families. In the hands of a tech-savvy cyber criminal, such information could be a jackpot, but, in the hands of a common street criminal, maybe not. The district court in SAIC stated: “At this point, we do not know who [the thief] was, how much [the thief] knows about computers, or what [the thief] has done with the tapes. The tapes could be uploaded onto [the thief’s] computer and fully deciphered, or they could be lying in a landfill somewhere in Texas.”

The court in SAIC provided a simple summary: “In sum, increased risk of harm alone does not constitute an injury in fact [sufficient for standing]. Nor do measures taken to prevent a future, speculative harm.”

Accordingly, in order to have standing to pursue a data breach case, a plaintiff would have to demonstrate much more than an increased likelihood of harm. Rather, a plaintiff would have to show an actual injury that was directly caused by the breach. Even then, of course, that would only establish standing, and a plaintiff would have to prove the other elements of his or her case.

“When I’m gone, what will happen to my social media profiles?” The increasing use of digital accounts has resulted in a search for answers to this and similar questions, with the goal of reaching an appropriate balance of probate considerations and privacy and cybersecurity laws. The Uniform Law Commission (ULC) weighed in with its proposed solution to the issue of access to a deceased or incapacitated person’s “digital assets”—e.g., email accounts, social media profiles, digital photos and videos, and other electronic records—with its recent approval of the Uniform Fiduciary Access to Digital Assets Act (UFADAA), which is a model law that must be adopted by a state to become effective.

Computer Weekly reported last week that Ben Barry of Coeus Consulting blogged that "There are some services which might be too important to outsource—service integration and management (SIAM) is one example.” Although we agree SIAM is important, the challenges and opportunities relating to service integration lead only to the following conclusion—SIAM is also too important to ignore.

Cloud services are all the rage, and the race is on to adopt this new technology, but what if we just sit back and gaze? What is the hard data telling us? Skyhigh Networks recently released its latest quarterly Cloud Adoption & Risk Report, which offers the following insight based on enterprise customer usage data:

Investment outsourcing is on the rise. Although it traditionally involved engaging an investment advisor to exercise discretion over an investment portfolio, it has, more recently, expanded to include institutional investors’ outsourcing of varying degrees of operational functions, including account-level monitoring and reporting, participant communication, custody, and middle-office and back-office services. The results of a recent survey of investment outsourcing firms published by Pension & Investments (P&I) highlighted that respondents’ outsourcing programs grew 25% from 2013 to an aggregate amount of $1.329 trillion worldwide in 2014. Those are big numbers.

A severability clause is one of those boilerplate sections that are typically hidden among the miscellaneous clauses at the end of a contract. Although usually these provisions do not get a lot of attention during negotiations, it may be time to dust off your template language and give your severability clause a good read. A recent finding by the U.S. Court of Federal Claims in DMS Imaging Inc. v. United States highlighted the significance of severability clauses. The court upheld a risk of loss provision in a lease agreement notwithstanding the fact that the indemnification provision in the same agreement may not have been enforceable.

The European Commission (the Commission) recently issued a press release recognizing the potential of data collection and exploitation (or "big data") and urging governments to embrace the positive aspects of big data.

The Commission summarized four main problems that have been identified in public consultations on big data:

  • Lack of cross-border coordination
  • Insufficient infrastructure and funding opportunities
  • A shortage of data experts and related skills
  • A fragmented and overly complex legal environment

Canada's Anti-Spam Legislation (CASL), which sets forth guidelines for and places certain restrictions on sending "commercial electronic messages" (CEMs) to Canadian residents, is now in effect. Under CASL, sending a CEM to a Canadian resident’s email address requires consent from the resident, the sender’s identification information, and an unsubscribe mechanism. The summary below is derived from the CASL compliance-related information compiled by the Canadian Radio-television Telecommunications Commission (CRTC):

California Governor Jerry Brown recently signed into law AB 129, a bill intended to ensure that the use of various forms of alternative currency does not violate California law. Section 107 of the California Corporations Code, which previously prohibited an individual or corporation from issuing or putting into circulation “anything but the lawful money of the United States,” was repealed under AB 129 to clarify that the code does not prohibit the issuance and use of alternative currency.