TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Morgan Lewis partner Peter Watt-Morse (Pittsburgh) and associate Eric Pennesi (Pittsburgh) will be participating in the Pennsylvania Bar Institute’s 2019 Cyberlaw Update, which will address trending topics, including blockchain and cryptocurrency and security and privacy concerns related to social media, in addition to GDPR.

Topics to be discussed include:

  • Social Media Ethics – Its Use and Impact on the Practice of Law
  • IP in the Age of Cloud Computing and Artificial Intelligence
  • Responding to Data Breaches – Legal Update and Practical Counsel

The event will be hosted at the PBI Professional Development Center (Heinz 57 Center, 339 Sixth Avenue, 7th Floor, Pittsburgh, PA 15222) on Tuesday, April 30, from 9:00 am to 4:00 pm.


As we previously discussed, nobody is safe from cybersecurity threats, and as our colleagues last reported, the US Securities and Exchange Commission (SEC) has heightened its cybersecurity scrutiny, issuing an investigative report on cyber fraud against publicly traded companies and signaling that it will pursue both bad actors and companies that fail to implement controls to detect and prevent hacking. Itself the victim of a data breach, the SEC is now demonstrating how it intends to pursue bad actors.

On January 15, the SEC filed a civil suit in US District Court for the District of New Jersey, related to the hacking of its own systems, against individuals and business entities in Ukraine, Hong Kong, California, Belize, Russia, and Korea. The SEC alleges in the suit that the defendants hacked into the agency’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system through a variety of means—including phishing emails and malware—and stole information (namely, publicly traded companies’ earnings information). The suit further alleges that the defendants then traded securities based on the stolen information before it became public. The SEC argues that all defendants were necessary participants in the “fraudulent scheme,” as some defendants were required to “obtain, through deception, material nonpublic information from the SEC’s EDGAR system” and others were required to “monetize the material nonpublic information by making profitable trades.” The SEC requests that the district court permanently enjoin the defendants from engaging in unlawful conduct[1], order the return of all profits and/or gains realized from the trading, and impose civil penalties[2] on the defendants.

As 2018 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner.

In Part 1 of this series, we looked at the prevalence of standalone data processing addendums (DPAs) as a means to comply with rules on engaging third-party outsourcers under the EU General Data Protection Regulation (GDPR). In particular, we focused on the risks associated with “one size fits all” precedence clauses. In this Part 2, we take a detailed look at some of the commercial issues arising from DPAs, the GDPR’s mandated contract requirements.

What’s the Issue?

Article 28 of the GDPR includes a set of mandated data processing clauses that are broader in scope than the contract requirements under previous EU data protection laws. In addition, despite the GDPR having been in force for more than six months now, it is still uncertain how regulators will interpret and enforce Article 28.

As a result, parties to outsourcing agreements can find themselves in protracted discussions around which party bears the cost of implementing Article 28. Below are some key areas of focus in the context of outsourcing agreements.

The Pittsburgh session of the annual Cyberlaw Update for the Pennsylvania Bar Institute (PBI) will take place on Tuesday, July 17. Moderated by Morgan Lewis partner Peter Watt-Morse, the update enters its 21st year, and this year’s seminar will focus on current hot-button issues including blockchain and cryptocurrency, and security and privacy concerns related to social media, IoT, GDPR, and the Dark Web.

Speakers at the all-day event include Mr. Watt-Morse and of counsel Emily Lowe, who will be speaking on privacy and security concerns regarding social media from both a policy and a regulatory standpoint in the wake of the disclosures related to Cambridge Analytica, and associate Ben Klaber, who will be reviewing such concerns as they apply to the burgeoning market of Internet of Things (IoT) devices.

Two members of our Technology, Outsourcing, and Commercial Transactions practice group, Morgan Lewis partner Barbara Melby and associate Katherine O’Keefe, recently published an article in The Legal Intelligencer that analyzes best practices for diligence, internal controls, and management of providers in mitigating security risks in cloud-based offerings. The article, titled “Mitigating Security Risks in Cloud Offerings Through Diligence, Oversight,” discusses how companies in even the most risk-averse industries have begun to routinely adopt cloud-based solutions and how these companies are mitigating the inherent risks associated with cloud services.

Senators Edward Markey and Richard Blumenthal introduced a new privacy rights bill on April 10 titled “Customer Online Notification for Stopping Edge-provider Network Transgressions” (CONSENT Act). The CONSENT Act’s obligations would apply to entities known as edge providers, which provide services through a software program (including a mobile application) or over the internet (1) that require their customers to subscribe to or maintain an account to obtain services; (2) that require a customer to purchase services; (3) through which a customer performs searches; or (4) through which a customer provides sensitive customer proprietary information.

The CONSENT Act would require the Federal Trade Commission (FTC) to promulgate regulations to protect the privacy of customers of edge providers within one year of passage of the CONSENT Act that would take effect within 180 days of such promulgation. Specifically, the CONSENT Act stipulates that such FTC regulations must

When it comes to cybersecurity and data breaches, smaller businesses do not necessarily make less likely targets. According to a recent report on the state of cybersecurity in small and medium-sized businesses by the Ponemon Institute, 61% of small and medium-sized businesses experienced a cyberattack in 2017, a 6% increase from 2016. Similarly, the report said 54% of small and medium-sized businesses experienced data breaches (up from 50% in 2016). In a recent article in Entrepreneur, CEO of Simple SEO Group Brendan Egan discusses some of the biggest cybersecurity threats facing small businesses today.

The Risk of Leaks in the Internet of Things

As we have previously discussed on this blog (see here and here), the security of internet of things (IoT) devices has been a growing concern for both government and industry, due in part to a number of high-profile attempted cyberattacks using IoT devices. The connected nature of IoT devices and the real-time data collection that make IoT a powerful tool for organizations also create multiple potential backdoors into the organization. To prevent IoT devices from being targeted by hackers, it is important to observe security best practices such as changing default passwords and, for manufacturers, providing unique default usernames and passwords that are difficult to crack. As we have previously discussed, the US Department of Homeland Security, among other organizations, has issued guidance to help stakeholders account for security in the development, manufacturing, implementation, and use of IoT devices.

Galvanized by a confluence of charged factors—like privacy, cybersecurity, children, and the Internet of Things (IoT)—and sparked by recent assertions of Children’s Online Privacy Protection Act (COPPA) regulatory power, the US Federal Trade Commission (FTC) entered into a pioneering settlement with electronic toy manufacturer VTech regarding a breach of children’s personal information. The FTC’s message to companies is crystal clear: when it comes to kids’ data, transparency and security are elemental.

Scarce Insulation from COPPA

The COPPA Rule explains what operators of websites and online services must do to protect children’s privacy and safety online, and the FTC serves as the enforcer. As we previously discussed, the FTC released updated guidance in response to concerns about the security of data collected and used by internet-connected products geared toward children. The FTC noted that COPPA defines “website or online service” broadly and specifically listed connected toys and IoT devices within the COPPA Rule’s purview. Although the FTC released a policy that permits collecting a recording of a child’s voice without parental consent in certain situations, such circumstances are narrowly limited to the sole and limited purpose of replacing written words—say, an instruction—and the recording must be immediately destroyed.

Our privacy and cybersecurity colleagues at Morgan Lewis have offered their insights into the shared responsibility of the government and the private sector in adopting effective information security practices and the need for a tailored, flexible approach to cybersecurity regulation. In their Bloomberg Law Privacy and Security Law Report entry, The Government’s Role in Promoting and Leading Effective Cybersecurity, Morgan Lewis partner Mark Krotoski and associate Martin Hirschprung highlight several recent cyberattacks, discuss cooperation efforts between the government and private sectors, provide an overview of the current US regulatory landscape, and identify their recommendations for key factors the government should consider to streamline and reduce the burden of cybersecurity regulations while still promoting effective cybersecurity.