Choose Site
TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

As companies adjusted to the “new normal” of coronavirus (COVID-19) restrictions, spending on cloud services has seen a boom. Spending by companies on cloud services exploded in the second quarter to a record $34.6 billion, up approximately 11% from the first quarter of 2020 and 30% from the same period last year, according to research firm Canalys, as reported by the Wall Street Journal.

With the world in various states of lockdown, your organization’s online presence is more important than ever…even more so with official enforcement of CCPA beginning last month. It may be a good time to spend an afternoon reviewing and updating the legal boilerplate on your organization’s website. Here is what we recommend for a basic three-part review to get you started:

  • Privacy Policy. Many clients updated their policy earlier this year to reflect changes required by CCPA. If you fall into this category, then ensuring that the proper version of your privacy policy is reflected on your website, typically in the footer, is a good idea. You would be surprised to know how many clients update their policy, but then fail to actually post the correct version publicly. If you did not recently review your privacy policy, it may be a good time to do so. In addition to seeking advice on changes recommended in light of CCPA, it is also good hygiene to pull the policy and give it a fresh read. Has your organization’s collection practices changed? Has your organization began using or disclosing data differently than it has in the past? A privacy policy only protects your organization to the extent that it is accurate and complete, so periodically spending an hour or so to ensure its accuracy is typically time well spent.

Adding corporate flexibility to IT-related commercial contracts can make seemingly unrelated mergers and acquisitions (M&A) transactions a bit less complex. Although many contracting parties already consider assignment rights and restrictions in relation to certain successor scenarios, the divestiture scenario—where contractual rights are not simply transferred in whole—deserves a closer look.

The UK Financial Conduct Authority (FCA) announced on July 8 that the guidelines issued by the European Insurance and Occupational Pension Authority (EIOPA) on outsourcing to cloud service providers are not applicable to regulated activities (in this instance, insurance and reinsurance undertakings) within the UK jurisdiction.

In its statement, the FCA noted that this is due to the fact that the EIOPA guidelines will enter into force on January 1, 2021, which is after the end of the EU withdrawal transition period.

The Business Software Alliance (BSA) recently endorsed principles for building trust in the Internet of Things (IoT), highlighting the need for a risk-based approach that (1) accounts for the various components, capabilities, users, environments, life cycles, and complexities of the IoT ecosystem, and (2) engages the corresponding stakeholders. Given the near boundless opportunities—and risks—deriving from its connectivity, a connected device should not be designed and managed in isolation.

The following key themes emerged throughout the BSA policy principles:

The European Securities and Markets Authority (ESMA) published its draft guidelines on outsourcing to cloud service providers on June 3. Steven Maijoor, the chair of ESMA, indicated that the purpose of the guidelines is to “help firms understand and mitigate the risks that they are exposed to when outsourcing to cloud service providers.”

Although many companies are already revisiting contractual provisions relating to nonperformance, like force majeure clauses, as the coronavirus (COVID-19) pandemic continues to wreak havoc on public health and the economy, other proactive (but less publicized) contractual measures can facilitate early discovery and mitigation of potential nonperformance.

In a prior series of posts, we discussed issues relating to intellectual property indemnification, including some exceptions, remedies, and allocation of liability. Given that these provisions often involve taxing negotiations and that many technologies have become intertwined, below we explore some nuanced—and frequently sticky—issues regarding third-party products and how they can be resolved.

In the wake of the reinvigorated call for equality and greater diversity and inclusion, many companies—largely through their procurement organizations—are taking the opportunity to revisit their diversity supplier programs, including assessing impact and reevaluating best practices for pursuing supplier diversity and tracking the impact of these programs.

Most major companies include a supplier diversity program or mission statement as part of their procurement guidelines, often highlighting such programs on their external supplier portals. Some companies flow these guidelines down to their vendors in large procurement/services contracts, requiring compliance by such vendors with respect to their subcontractors.

In April, we shared a LawFlash Outsourcing and Managed Services Agreements During COVID-19: Our Perspective. With the continued and unprecedented impact of the coronavirus (COVID-19) pandemic on business operations, we thought it would be timely to provide a brief update on five top-of-mind issues that we are addressing with outsourcing and managed services clients.

Remote Working

  • Many outsourcing and managed services agreements include strict requirements on the location of personnel, including the location of certain personnel onsite at a customer site and/or the location of offshore personnel at secure delivery centers with no permitted remote working. These physical location restrictions often are coupled with requirements with respect to the type of technology that can be used when connecting to or accessing the customer’s systems or interacting with end users (such as hardened desktops only, no personal devices), security requirements and detailed connectivity and bandwidth requirements (particularly if there are end user facing activities such as call centers).