Tech & Sourcing @ Morgan Lewis

Many organizations have longstanding sustainability initiatives for reducing waste through efforts such as recycling or reductions in printing. However, organizations are now also looking to their use of technology to help improve the sustainability of their operations.

As 2021 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips.

With the exponential growth of cyber threats, cloud computing and remote working, contract provisions regarding data security requirements have also expanded in size and frequency. It has become common practice to prepare schedules to detail (and limit) security requirements. Customers and vendors both have a vested interest in clearly identifying expectations and obligations for such requirements. In this week’s Contract Corner, we explore considerations when it comes to drafting security schedules.

Companies are transforming legacy systems, implementing automation and artificial intelligence tools, embedding digital capabilities into their products, shifting to cloud solutions and leveraging technology to better connect to their customers, personnel, and third parties, all at an unprecedented pace. The focus on businesses to get to market faster, reach a broader audience and provide real-time interaction has in turn put pressure on legal and sourcing documents to keep up. The complexity and volume of the numbers of projects (and contracts) can be daunting — especially for companies that have not yet elevated the importance of the technology law function within their organizations.

During the last year, we have seen a significant shift to “as a service” models and cloud solutions, as well as heightened attention on outsourcing as a strategic business tool to enable scalability, improved service, and accelerated access to in-demand technology and resources. This increased reliance on vendor performance to enable business operations has underscored the importance of implementing a solid service level methodology in order to: establish performance metrics that align with the customer’s expectations and business requirements; measure, monitor, and report performance against the metrics; set out the remedies for service level defaults, including service level credits and termination rights; and agree to events that may excuse performance resulting in missed service levels.

Over the last year, companies implemented new digital technology solutions at record levels, looking to implement emerging technologies, improve the user digital experience, leverage cloud solutions to store the massive amounts of data being generated, and test the waters on how to transact using digital assets. And we don’t see things slowing down.

We recently highlighted the Morgan Lewis financial services team’s overview of proposed guidance released by the three federal banking agencies with respect to third-party relationships within the fintech industry. The federal banking agencies, though, are not alone when it comes to guidance on third-party vendors.

As further guidance and regulations are proposed and begin to take shape with respect to relationships between banking organizations and third parties, including those in the fintech industry, our multidisciplinary teams here at Morgan Lewis are tracking each development. In July, shortly after the three federal banking agencies (the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency) released their proposed risk management guidance regarding third-party relationships, our banking and financial services team provided a general overview highlighting the key takeaways from the proposal. If you have any specific questions, please reach out to your Morgan Lewis team for assistance.

Through legislation, Connecticut has incentivized businesses to conform to one or more industry recognized cybersecurity frameworks. As we recently discussed, cybersecurity incidents and risks are taking centerstage. Under Connecticut’s recently enacted Public Act No. 21-119, An Act Incentivizing the Adoption of Cybersecurity Standards for Business (the Act), as further described below, a business that implements a qualifying cybersecurity program is shielded from punitive damages in connection with any data breach-related tort claim that is brought in, or under the laws of, Connecticut.

With the recent onslaught of ransomware attacks, it’s time to revisit force majeure clauses (again). Earlier in the pandemic, we reviewed how COVID-19 could impact force majeure provisions. Since then, there has been a flurry of analyzing, renegotiating, and testing contractual language, as parties work through, or anticipate, pandemic-related difficulties. While contracting parties focus on striking a balance of when, and to what extent, a party’s performance will be excused due to pandemic-related circumstances, a different threat could follow a similar trajectory.