TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

As companies continue to improve the cyber defenses of their computer systems operating key enterprise and national infrastructure, one area that presents unique challenges is the supply chain. A single asset may depend on multiple vendors around the world, some of whom may only produce a single component or piece of software, but any of which can introduce critical vulnerabilities. Please join us for a one-hour webinar to discuss best practices in supply chain cybersecurity to mitigate these risks.

Morgan Lewis partner Peter Watt-Morse (Pittsburgh) and associate Eric Pennesi (Pittsburgh) will be participating in the Pennsylvania Bar Institute’s 2019 Cyberlaw Update, which will address trending topics, including blockchain and cryptocurrency and security and privacy concerns related to social media, in addition to GDPR.

Topics to be discussed include:

  • Social Media Ethics – Its Use and Impact on the Practice of Law
  • IP in the Age of Cloud Computing and Artificial Intelligence
  • Responding to Data Breaches – Legal Update and Practical Counsel

The event will be hosted at the PBI Professional Development Center (Heinz 57 Center, 339 Sixth Avenue, 7th Floor, Pittsburgh PA, 15222) on Tuesday, April 30 from 9:00 am to 4:00 pm.

The Federal Trade Commission (FTC) is requesting comments on proposed amendments to two rules addressing the privacy and security of customer information under the Gramm-Leach-Bliley Act. The FTC plans to publish the notices in the Federal Register in the near future.

Russia’s Central Bank, the financial markets regulator in Russia, might soon receive the right to block websites. On 24 January, the State Duma, the lower house of the Russian parliament, approved amendments in the first reading to the Federal Law "On Information, Information Technologies and Protection of Information" and the Civil Procedure Code (the Proposed Amendments).

The Proposed Amendments are designed to give the Central Bank the right to block websites violating financial market legislation or used to maintain fraudulent activities.

As we previously discussed, nobody is safe from cybersecurity threats, and as our colleagues last reported, the US Securities and Exchange Commission (SEC) has heightened its cybersecurity scrutiny, issuing an investigative report on cyber fraud against publicly traded companies and signaling it will pursue both bad actors as well as companies failing to implement controls to detect and prevent hacking. A victim of a data breach itself, the SEC is now demonstrating how it intends to pursue bad actors.

On January 15, the SEC filed a civil suit in US District Court in the District of New Jersey, related to the hacking of its own systems, against individuals and business entities in Ukraine, Hong Kong, California, Belize, Russia, and Korea. The SEC alleges in the suit that the defendants hacked into the agency’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system through a variety of means—including phishing emails and malware—and stole information (namely, publicly-traded companies’ earnings information). The suit further alleges the defendants then traded securities based on the stolen information before it became public. The SEC argues all defendants were necessary participants in the “fraudulent scheme” as some defendants were required to “obtain, through deception, material nonpublic information from the SEC’s EDGAR system” and others were required to “monetize the material nonpublic information by making profitable trades.” The SEC asks the district court to permanently enjoin the defendants from engaging in unlawful conduct[1], order the return of all profits and/or gains realized from the trading, and impose civil penalties[2] on the defendants.

Every January, electronics manufacturers descend upon Las Vegas for the annual Consumer Electronics Show (CES) to showcase their latest and greatest forays in devices. Not surprisingly, there was no shortage of shiny fresh connected devices with new and evolving applications in everything from workouts and personal care to the more usual suspects of television and virtual assistants. With Internet of Things (IoT) becoming more ubiquitous, it was only a matter of time before legislation followed. On September 28, 2018, California enacted the United States’ first IoT law, set to go into effect January 1, 2020, just in time for next year’s CES.

As 2018 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner.

In Part 1 of this series, we provided an overview of data (or knowledge) commons and some key issues to consider, but how does one actually create and manage a data commons? To find your feet in this budding field, build on the theoretical foundation; address the specific context (including perceived objectives and constraints); deal with the thorny issues (including control and change); establish a core set of principles and rules; and, perhaps most importantly, plan for and enable change.

You may have heard of the “tragedy of the commons,” where a resource is depleted through collective action, but knowledge is different from other resources—knowledge can be duplicated, aggregated, integrated, analyzed, stored, shared, and disseminated in countless ways. Given that knowledge is a critical resource for seemingly intractable problems, the opportunity of the commons (or the tragedy of the lack of commons) is worth thoughtful consideration.

Imagine that you or a loved one is suffering from a terminal or debilitating disease and that data and knowledge are out there, waiting to be combined and harnessed for a cure or a transformational treatment. Imagine that self-interest (including attribution), legal restrictions (including intellectual property protections), inertia, complexity and difficulty of collective action, and other weighty forces are between you and that breakthrough discovery. Though not a new concept, commons have been garnering attention lately as an alternative framework for catalyzing groundbreaking research and development, particularly when relevant data and knowledge are scattered and particularly in the life sciences community. But before we all throw away our patents and data-dump our trade secrets, there are some thorny aspects to governing a data (or knowledge) commons. For example:

  • A commons is essentially its own society. Anyone who has been part of a homeowners’ association knows that collective governance is almost always muddy. Aligning incentives, objectives, and values can be challenging.
  • Founders may have trouble relinquishing control or enabling change. Participants may become confused or upset if rules or priorities change.
  • Commons are not as well understood and tested. They must coexist with, and within, other systems that may be more rigid and rules-based. Participants may be logistically, intellectually, and otherwise tied to traditional methods and may prefer semi-exclusive zones rather than open collaboration.
  • It may be difficult to measure the effectiveness or value of commons.
  • Policing activities (e.g., authentications or restrictions) may be burdensome. And once the cat is out of the bag, it’s difficult to undo uses or disclosures.
  • Commons managers may not be willing to take on certain responsibilities or liabilities that would make participants more comfortable.
  • Different types of information and tools have different levels of sensitivity and protection. Certain information, like personal data, is highly regulated.

Scholars have taken theoretical frameworks built for natural resources and adapted them to the data commons setting. Key findings include that data commons must be designed to evolve and that communities with high levels of shared trust and values are most likely to succeed. Whereas governance through exclusivity (e.g., patents) is useful when trust levels are low, a resource sharing governance model (e.g., commons) can be effective when trust levels are high.

If you’d like to know more:

  • We will be hosting a webinar with one of the aforementioned scholars—Professor Michael J. Madison, faculty director at PittLaw—on Tuesday, December 18, 2018, from 12:00 pm to 1:00 pm ET. Register and join us for the discussion.
  • In a subsequent post, we will provide some tips and considerations with respect to drafting policies, standard terms, data contribution agreements, and other governing documents for data commons.

Knowledge sharing has long been an important element of academic research. And now collective sharing and governance of data assets throughout the scientific community, including for-profit participants, is gaining momentum. During their webinar, Out in the Open: The Knowledge Commons Framework, Emily Lowe, Ben Klaber, and Professor Michael J. Madison, faculty director at PittLaw, will discuss issues related to knowledge commons. Topics will include the following:

  • A fundamental overview of knowledge commons, including the framework’s strengths and weaknesses
  • Standard requirements regarding data contribution, access, use, sharing, protection, and attribution
  • How to decide if a knowledge commons framework is right for your business, and if so, how to implement it successfully