TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

As we previously discussed, nobody is safe from cybersecurity threats, and as our colleagues last reported, the US Securities and Exchange Commission (SEC) has heightened its cybersecurity scrutiny, issuing an investigative report on cyber fraud against publicly traded companies and signaling it will pursue both bad actors and companies that fail to implement controls to detect and prevent hacking. A victim of a data breach itself, the SEC is now demonstrating how it intends to pursue bad actors.

On January 15, the SEC filed a civil suit in the US District Court for the District of New Jersey, related to the hacking of its own systems, against individuals and business entities in Ukraine, Hong Kong, California, Belize, Russia, and Korea. The SEC alleges in the suit that the defendants hacked into the agency’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system through a variety of means—including phishing emails and malware—and stole information (namely, publicly traded companies’ earnings information). The suit further alleges the defendants then traded securities based on the stolen information before it became public. The SEC argues all defendants were necessary participants in the “fraudulent scheme” as some defendants were required to “obtain, through deception, material nonpublic information from the SEC’s EDGAR system” and others were required to “monetize the material nonpublic information by making profitable trades.” The SEC asks the district court to permanently enjoin the defendants from engaging in unlawful conduct[1], order the return of all profits and/or gains realized from the trading, and impose civil penalties[2] on the defendants.

The Hatch-Goodlatte Music Modernization Act was signed into law on October 11, 2018. The act has been termed a music industry peace treaty of sorts, as it is designed to address years of issues and compromise between music streaming technology companies, such as Spotify, and artists and record labels. The act had unanimously passed the US House of Representatives and Senate earlier in 2018.

In today’s connected world, companies rely heavily on their websites and mobile applications to reach consumers. There have been a number of lawsuits filed alleging companies’ websites and mobile applications are inaccessible to the visually impaired in violation of the Americans with Disabilities Act of 1990 (ADA).[1] As we last discussed, a federal court found Winn-Dixie had violated Title III of the ADA.

Every January, electronics manufacturers descend upon Las Vegas for the annual Consumer Electronics Show (CES) to showcase their latest and greatest forays in devices. Not surprisingly, there was no shortage of shiny fresh connected devices with new and evolving applications in everything from workouts and personal care to the more usual suspects of television and virtual assistants. With the Internet of Things (IoT) becoming more ubiquitous, it was only a matter of time before legislation followed. On September 28, 2018, California enacted the United States’ first IoT law, set to go into effect January 1, 2020, just in time for next year’s CES.

Morgan Lewis will co-host an interactive master workshop on negotiations and contracting geared toward business leaders, sourcing professionals, and in-house counsel who work together on complex transactions such as digital transformations and vendor outsourcing. Edward J. Hansen, Vito Petretti, Donald G. Shelkey and Valerie A. Gross of our Technology, Outsourcing and Commercial Transactions practice will present and lead discussions on topics including:

Towards the end of 2018 we ran a series of Contract Corner blog posts on the GDPR and Data Processing Addendums. December brought detailed guidance from the UK Information Commissioner’s Office (ICO) on contracts and GDPR compliance (the New Guidance), which replaces draft guidance previously issued as part of a consultation by the ICO in 2017 (the Draft Guidance).

The process of “going digital” has drastically affected the outsourcing market in recent years. During their webinar, Outsourcing Across the Globe—Going Digital, Ed Hansen, Simon Lightman, Barbara Melby, and Mike Pierides will discuss how to prepare for the future of outsourcing and leading trends that will impact outsourcing transactions globally in 2019. Topics will include the following:

  • Privacy considerations for Europe, China, and beyond
  • The increasing impact of automation
  • Using the contract to mitigate risk

The webinar will be held on Wednesday, January 23, 2019, from 12:00 pm to 1:00 pm ET (5:00 to 6:00 pm GMT).

On behalf of the technology, outsourcing, and commercial transactions team at Morgan Lewis, we’d like to wish you and your loved ones a wonderful new year.

What would you like to hear about in 2019? Let us know by emailing your idea to techandsourcing@morganlewis.com.

As 2018 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner.

In Part 1 of this series, we looked at the prevalence of standalone data processing addendums (DPAs) as a means to comply with rules on engaging third-party outsourcers under the EU General Data Protection Regulation (GDPR). In particular, we focused on the risks associated with “one size fits all” precedence clauses. In this Part 2, we take a detailed look at some of the commercial issues arising from DPAs, the GDPR’s mandated contract requirements.

What’s the Issue?

Article 28 of the GDPR includes a set of mandated data processing clauses that are broader in scope than the contract requirements under previous EU data protection laws. In addition, despite the GDPR having been in force for more than six months now, it is still uncertain how regulators will interpret and enforce Article 28.

As a result, parties to outsourcing agreements can find themselves in protracted discussions around which party bears the cost of implementing Article 28. Below are some key areas of focus in the context of outsourcing agreements.