TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Cybersecurity continues to be an issue at the forefront of many of our contract negotiations. Though not typically included in the “data security” section of an agreement, the level and scope of cyberinsurance coverage often plays an important factor in the discussions between customer and vendor.

On this topic, Morgan Lewis partners Mark Krotoski and Jeffrey Raskin will present an upcoming webinar as part of our firm’s Cyber Insurance Webinar Series to discuss ongoing developments in the cyberinsurance space, with a focus on the critical factors your company can consider as part of its overall cybersecurity protection strategy. The one-hour webinar, Cyber Insurance: Is Your Company Covered?, will take place on Tuesday, September 17, at 2:00 pm ET.

The January 1, 2020, deadline to comply with the California Consumer Privacy Act (CCPA) is fast approaching. Signed into law in the summer of 2018, the CCPA creates a variety of new consumer privacy rights and will require many companies to implement policies and procedures to manage and comply with new consumer-facing responsibilities. Catch up on the details of the CCPA in our previous post, this LawFlash, and the Morgan Lewis CCPA resource center.

An IAPP article by Annie Bai and Peter McLaughlin recently caught our attention, as it discusses the business risks of complying with the “verifiable consumer request” requirement under the CCPA. Under the CCPA, a California consumer may (1) request that a covered business provide access to the consumer’s personal information or (2) request that his or her personal information be deleted. Upon receiving such a request, the covered business must verify the identity of the requesting individual and respond. However, there is not much clarity in the CCPA regarding how a covered business must verify an individual’s identity.

The National Institute of Standards and Technology (NIST) recently circulated a draft white paper discussing recommended security practices to be adopted throughout the various phases of software development. The white paper provides three overarching reasons for integrating secure development practices throughout the software development lifecycle (SDLC) regardless of the development model (e.g., waterfall, agile), namely, “to reduce the number of vulnerabilities in released software, to mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and to address the root causes of vulnerabilities to prevent future recurrences.”

The white paper discusses the following four secure software development practices, and breaks down each topic by (1) practices, (2) tasks, (3) implementation examples, and (4) references.

Executive Order 13873 was issued on May 15 with the goal of “Securing the Information and Communications Technology and Services Supply Chain.” The order ultimately seeks to manage the national security risk that can exist in information and communications technology (ICT) transactions between those subject to US jurisdiction and those subject to the jurisdictions of foreign adversaries. The order defines “information and communications technology or services” as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display.” A “foreign adversary” is defined in the order as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.”

Internet-connected devices contributing to the Internet of Things (IoT) are projected to exceed 50 billion devices by 2025, according to the Federal Trade Commission’s Bureau of Consumer Protection in its June 2018 comments on the Consumer Product Safety Commission’s notice of public hearing and request for written comments on “The Internet of Things and Consumer Product Hazards.” Such widespread use of and access to these internet-connected devices—which can collect personal data from their users—has spurred legislative movement toward introducing security standards for IoT devices. These initial steps start with the US government’s use of IoT devices through the Senate’s third proposed bill on the subject, S.734. The bill, known as the Internet of Things Cybersecurity Improvement Act of 2019, aims to manage cybersecurity risks regarding secure development, identity management, patching, and configuration management of “covered devices.” Under the proposed bill, a “covered device” is one that can connect to the internet, has data processing capabilities, and “is not a general-purpose computing device.” The covered devices at the focus of this bill refer to devices “owned or controlled by” the federal government.

More than 1,000 Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act) of 2,002 approvals have been granted by the US Department of Homeland Security (DHS) since the act’s inception. Many professional sports teams in the National Football League, Major League Baseball, and National Basketball Association have had their venues certified under the SAFETY Act. For example, New Era Field for the Buffalo Bills became the 14th NFL stadium to receive a SAFETY Act certification in October 2018. However, professional sports leagues do not have a monopoly on large sporting events that garner huge crowds—some universities have football stadiums with capacity for more than 100,000 people.

New York has increased its effort to enforce cybersecurity by creating a new unit designed to combat cybercrime and protect individuals’ sensitive data from attacks.

On May 22, New York appointed former federal prosecutor Justin Herring to lead the state’s newly created Cybersecurity Division at the New York Department of Financial Services (DFS).

As companies continue to improve the cyber defenses of their computer systems operating key enterprise and national infrastructure, one area that presents unique challenges is the supply chain. A single asset may depend on multiple vendors around the world, some of whom may only produce a single component or piece of software, but any of which can introduce critical vulnerabilities. Please join us for a one-hour webinar to discuss best practices in supply chain cybersecurity to mitigate these risks.

Morgan Lewis partner Peter Watt-Morse (Pittsburgh) and associate Eric Pennesi (Pittsburgh) will be participating in the Pennsylvania Bar Institute’s 2019 Cyberlaw Update, which will address trending topics, including blockchain and cryptocurrency and security and privacy concerns related to social media, in addition to GDPR.

Topics to be discussed include:

  • Social Media Ethics – Its Use and Impact on the Practice of Law
  • IP in the Age of Cloud Computing and Artificial Intelligence
  • Responding to Data Breaches – Legal Update and Practical Counsel

The event will be hosted at the PBI Professional Development Center (Heinz 57 Center, 339 Sixth Avenue, 7th Floor, Pittsburgh PA, 15222) on Tuesday, April 30 from 9:00 am to 4:00 pm.

Register for Event