TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The National Institute of Standards and Technology (NIST) recently circulated a draft white paper discussing recommended security practices to be adopted throughout the various phases of software development. The white paper provides three overarching reasons for integrating secure development practices throughout the software development lifecycle (SDLC) regardless of the development model (e.g., waterfall, agile), namely, “to reduce the number of vulnerabilities in released software, to mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and to address the root causes of vulnerabilities to prevent future recurrences.”

The white paper discusses the following four secure software development practices, and breaks down each topic by (1) practices, (2) tasks, (3) implementation examples, and (4) references.

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into New York law by Governor Andrew Cuomo on July 25, after passing the New York State Assembly on June 17. The SHIELD Act takes effect on March 21, 2020, and will modernize New York’s current laws governing data breach notification and data security requirements with the intention of providing greater protection for consumer's private information, while holding companies accountable for providing such protections.

Read our previous post on the SHIELD Act for more information.

The European General Data Protection Regulation (GDPR) took effect in May 2018, requiring companies that handle or process EU residents’ personal information to conform to practices that seek to more fully protect consumer sensitive information. Companies that fall under this category, known as data controllers, must secure consumer consent or another legally acceptable method of gathering personal information, notify individuals of the personal information that is collected and how it will be used, and limit the collection and maintenance to necessary information for a limited period of time. The individuals whose personal information is gathered also have a right to access the information, limit its use, and withdraw their consent from data controllers for such use.

Morgan Lewis partner Peter Watt-Morse (Pittsburgh) and associate Eric Pennesi (Pittsburgh) will be participating in the Pennsylvania Bar Institute’s 2019 Cyberlaw Update, which will address trending topics, including blockchain and cryptocurrency and security and privacy concerns related to social media, in addition to GDPR.

Topics to be discussed include:

  • Social Media Ethics – Its Use and Impact on the Practice of Law
  • IP in the Age of Cloud Computing and Artificial Intelligence
  • Responding to Data Breaches – Legal Update and Practical Counsel

The event will be hosted at the PBI Professional Development Center (Heinz 57 Center, 339 Sixth Avenue, 7th Floor, Pittsburgh PA, 15222) on Tuesday, April 30 from 9:00 am to 4:00 pm.

Register for Event

As we previously discussed, nobody is safe from cybersecurity threats, and as our colleagues last reported, the US Securities and Exchange Commission (SEC) has heightened its cybersecurity scrutiny, issuing an investigative report on cyber fraud against publicly traded companies and signaling it will pursue both bad actors as well as companies failing to implement controls to detect and prevent hacking. A victim of a data breach itself, the SEC is now demonstrating how it intends to pursue bad actors.

On January 15, the SEC filed a civil suit in US District Court in the District of New Jersey related to its own hacking against individuals and business entities in Ukraine, Hong Kong, California, Belize, Russia, and Korea. The SEC alleges in the suit that the defendants hacked into the agency’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system through a variety of means—including phishing emails and malware—and stole information (namely, publicly-traded companies’ earnings information). The suit further alleges the defendants then traded securities based on the stolen information before it became public. The SEC argues all defendants were necessary participants in the “fraudulent scheme” as some defendants were required to “obtain, through deception, material nonpublic information from the SEC’s EDGAR system” and others were required to “monetize the material nonpublic information by making profitable trades.” The SEC requests the district court to permanently enjoin the defendants from engaging in unlawful conduct[1], order the return of all profits and/or gains realized from the trading, and impose civil penalties[2] on the defendants.

As 2018 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner.

In Part 1 of this series, we looked at the prevalence of standalone data processing addendums (DPAs) as a means to comply with rules on engaging third-party outsourcers under the EU General Data Protection Regulation (GDPR). In particular, we focused on the risks associated with “one size fits all” precedence clauses. In this Part 2, we take a detailed look at some of the commercial issues arising from DPAs, the GDPR’s mandated contract requirements.

What’s the Issue?

Article 28 of the GDPR includes a set of mandated data processing clauses that are broader in scope than the contract requirements under previous EU data protection laws. In addition, despite the GDPR having been in force for more than six months now, it is still uncertain how regulators will interpret and enforce Article 28.

As a result, parties to outsourcing agreements can find themselves in protracted discussions around which party bears the cost of implementing Article 28. Below are some key areas of focus in the context of outsourcing agreements.

The Pittsburgh session of the annual Cyberlaw Update for the Pennsylvania Bar Institute (PBI) will take place on Tuesday, July 17. Moderated by Morgan Lewis partner Peter Watt-Morse, the update enters its 21st year and this year’s seminar will focus on current hot-button issues including blockchain and cryptocurrency and security and privacy concerns related to social media, IOT, GDPR, and the Dark Web.

Speakers at the all-day event include Mr. Watt-Morse and of counsel Emily Lowe, who will be speaking on privacy and security concerns regarding social media from both a policy and regulatory standpoint in the wake of the disclosures related to Cambridge Analytics; and associate Ben Klaber who will be reviewing such concerns as they apply to the burgeoning market of Internet of Things (IoT) devices.

Two members of our Technology, Outsourcing, and Commercial Transactions practice group, Morgan Lewis partner Barbara Melby and associate Katherine O’Keefe, recently published an article in The Legal Intelligencer that analyzes best practices with respect to diligence, internal controls, and management of providers in the mitigation of security risks in cloud-based offerings. The article, titled, “Mitigating Security Risks in Cloud Offerings Through Diligence, Oversight,” discusses how companies, in even the most risk-averse industries, have begun to routinely adopt cloud-based solutions and how these companies are mitigating the inherent risks associated with cloud services.