TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Join Morgan Lewis at our Philadelphia office on April 11 for a discussion on hot topics impacting services contracts in the digital economy. Morgan Lewis labor and employment partner Sarah Bouchard, litigation partner Greg Parks, together with technology, outsourcing, and commercial contracts partners Barbara Melby and Michael Pillion, and associates Christopher Archer and Katherine O’Keefe will speak at the event.

Topics will include:

  • Ethical considerations for lawyers working in a digital world
  • Common issues to consider when using vendor cloud agreements
  • Industry updates
  • Contracting for automation solutions

A networking reception will follow the discussions. We hope you can join us!

Register here.

Morgan Lewis partner Peter Watt-Morse (Pittsburgh) and associate Eric Pennesi (Pittsburgh) will be participating in the Pennsylvania Bar Institute’s 2019 Cyberlaw Update, which will address trending topics, including blockchain and cryptocurrency and security and privacy concerns related to social media, in addition to GDPR.

Topics to be discussed include:

  • Social Media Ethics – Its Use and Impact on the Practice of Law
  • IP in the Age of Cloud Computing and Artificial Intelligence
  • Responding to Data Breaches – Legal Update and Practical Counsel

The event will be hosted at the PBI Professional Development Center (Heinz 57 Center, 339 Sixth Avenue, 7th Floor, Pittsburgh PA, 15222) on Tuesday, April 30 from 9:00 am to 4:00 pm.

Register for Event

Towards the end of 2018 we ran a series of Contract Corner blog posts on the GDPR and Data Processing Addendums. (See here and here.) December brought detailed guidance from the UK Information Commission’s Office (ICO) on contracts and GDPR compliance (the New Guidance), which replaces draft guidance previously issued as part of a consultation by the ICO in 2017 (the Draft Guidance).

As 2018 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner.

In Part 1 of this series, we looked at the prevalence of standalone data processing addendums (DPAs) as a means to comply with rules on engaging third-party outsourcers under the EU General Data Protection Regulation (GDPR). In particular, we focused on the risks associated with “one size fits all” precedence clauses. In this Part 2, we take a detailed look at some of the commercial issues arising from DPAs, the GDPR’s mandated contract requirements.

What’s the Issue?

Article 28 of the GDPR includes a set of mandated data processing clauses that are broader in scope than the contract requirements under previous EU data protection laws. In addition, despite the GDPR having been in force for more than six months now, it is still uncertain how regulators will interpret and enforce Article 28.

As a result, parties to outsourcing agreements can find themselves in protracted discussions around which party bears the cost of implementing Article 28. Below are some key areas of focus in the context of outsourcing agreements.

Morgan Lewis partner Barbara Melby, the leader of our technology, outsourcing, and commercial transactions practice, has been invited to present at an upcoming Practising Law Institute (PLI) event, Outsourcing 2018: ITO, BPO and Cloud, in New York City. Barbara’s one-hour presentation will take place Friday, November 2, at 11:15 am. She will discuss intellectual property issues in outsourcing, including the following topics:

  • Recognizing and avoiding common IP pitfalls
  • Copyright, patent, and trade secret issues from vendors’ and customers’ perspectives
  • IP representations, warranties, and indemnities in outsourcing transactions
  • Open-source considerations
  • IP issues in cloud deals

The presentation is part of a two-day PLI outsourcing event November 1–2 at the PLI New York Center, 1177 Avenue of the Americas (2nd floor), New York. You can also access the event via webcast and various groupcast locations.

To register, visit the Outsourcing 2018: ITO, BPO, and Cloud event page.

European financial institutions (competent authorities, credit institutions, and investment firms as defined in EU Regulation No. 575/2013, collectively Institutions) have been instructed to comply with the European Banking Authority’s (EBA’s) recommendations when outsourcing to cloud service providers (Recommendations) as of July 1, 2018.

With cloud-based solutions offering new products geared to potentially reduce infrastructure costs and improve services, outsourcing to cloud-based services providers is becoming progressively more popular by Institutions. This trend has prompted the EBA to issue the Recommendations, with the expectation that Institutions will use their best efforts to comply.

When in-house lawyers start thinking about how to support a business client that is looking to implement a new or replacement enterprise resource platform (or more commonly known as an ERP system), we often suggest that they first discuss these 10 framework issues to get a sense of the scale, complexity, and timing of the potential transaction. While the below list certainly does not cover all of the issues that will need to be considered, it is intended to help in-house lawyers understand the objectives, parameters, and potential risk areas of a transaction.

Cybersecurity remains at the top of the list of risk concerns when organizations outsource IT and other functions leveraging cloud-based solutions. While there are no guaranteed methods to fully eradicate cybersecurity risks, companies should consider taking the following steps to mitigate the risk.

#1 – Diligence!

As a first step, it is helpful to define the minimal security controls that you will require your outsourcer to implement and adhere to, and then compare your organization’s own security requirements to the outsourcer’s solution. You can begin by forming a cross-functional due diligence team with stakeholders such as IT security, internal audit, compliance, and business owners to conduct robust and meaningful reviews of an outsourcer’s security solution and evaluate essential factors, including the following:

  • Types of data
  • How data is flowing and transferred
  • Location of data
  • How your organization’s privacy policies align with the outsourcer’s
  • Encryption requirements and access control processes
  • How remote access is handled
  • Whether the outsourcer follows industry best practices and regularly monitors and audits its controls
  • How the outsourcer uses subcontractors
  • Applicable laws and regulations

Two members of our Technology, Outsourcing, and Commercial Transactions practice group, Morgan Lewis partner Barbara Melby and associate Katherine O’Keefe, recently published an article in The Legal Intelligencer that analyzes best practices with respect to diligence, internal controls, and management of providers in the mitigation of security risks in cloud-based offerings. The article, titled, “Mitigating Security Risks in Cloud Offerings Through Diligence, Oversight,” discusses how companies, in even the most risk-averse industries, have begun to routinely adopt cloud-based solutions and how these companies are mitigating the inherent risks associated with cloud services.