TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Washington may be the next state to enact its own data privacy law after a bill was introduced into the Washington State Senate earlier this month. Known as the Washington Privacy Act, the bill’s sponsor, Sen. Reuven Carlyle, stated at a press conference that lawmakers had reached “95 percent agreement in principle on the core elements of the bill.” If enacted, the act would add to the complex regulatory framework governing data privacy, including the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020.

The act would apply to legal entities conducting business or producing products targeted to Washington State residents and that (1) control or process personal data of more than 100,000 consumers or (2) derive 50% of gross revenue from the sale of personal data and process or control the personal data of more than 25,000 consumers.

In a recent Wall Street Journal article, cybersecurity journalist Catherine Stupp drew attention to the massive surge in internet-connected devices expected to be in use by the end of 2020. This increase in the Internet of Things, which refers to internet-connected devices ranging from televisions and automobiles to fitness tools and medical devices, presents several challenges to the world of cybersecurity.

The article not only urges manufacturers of internet-connected devices to apply cybersecurity techniques to increase security, but also asks large companies buying devices to incentivize good security practices by only purchasing devices with proper safeguards. The California Consumer Privacy Act, which took effect January 1, 2020, takes a step in the right direction by no longer allowing manufacturers to sell internet-connected devices with weak default passwords. Stay tuned for future developments as cybersecurity races to keep pace with the growth of connected devices.

Open Banking is an initiative mandated by the UK’s Competition and Markets Authority (CMA) in 2017. It is intended to facilitate better competition in the banking sector by mandating protocols that facilitate the secure sharing of customer-related data of the nine largest banks in the United Kingdom (CMA9) with third-party providers (TPPs).

Open Banking is developed and delivered in the United Kingdom by the Open Banking Implementation Entity (OBIE). The OBIE was established by the CMA and is funded by the CMA9. The CMA’s UK Retail Banking Market Investigation Order 2017 (Order), which applies only to the CMA9, requires the CMA9 to provide their customers with the ability to access and share their account data on an ongoing basis with TPPs through the use of specified application programming interfaces (APIs). This complements the reforms under the EU’s Second Payment Services Directive (as transposed in the United Kingdom primarily by the Payment Services Regulations 2017), which requires all payment account providers to permit open access to payment accounts for authorized TPPs, but which does not specify the means of access or prescribe the scope of access in any detail.

Please join us for a dynamic webinar on hot issues impacting the structuring and negotiation of ecommerce contracts in 2020. Donald G. Shelkey and Eric Pennesi of our Technology, Outsourcing and Commercial Transactions practice will present and lead discussions on topics including:

  • Privacy and Security
  • Deals We Expect to See: An Integration Infection!
  • 2020 Market Positions

The webinar will take place on Wednesday, December 11, 2019, from 12:00–1:00 pm (Eastern Time).

For years, there has been a persistent trend toward outsourcing retirement plan recordkeeping and other administrative responsibilities. Although historically more prevalent for defined contribution plans, this outsourcing trend has been accelerating for defined benefit plans thanks, in part, to the prevalence of frozen plans (i.e., no more benefit accruals) and the potential for administrative cost savings. But service providers will be quick to remind plan fiduciaries that lightening the administrative load does not include transferring fiduciary duties. When selecting and monitoring a service provider, one key issue facing retirement plan fiduciaries is their duty with respect to the privacy and security of plan participant data.

As we previously discussed, managing and administering retirement plans also means managing and protecting an extensive trove of personal data. Although there is no overarching privacy law governing retirement plans, fiduciaries must adhere to the “prudent expert” standard of care in fulfilling their duties, and, in the current environment, it can be expected that courts will be sympathetic to assertions that the privacy and security of plan participant data are within the scope of those duties. Given that fiduciaries are personally liable for their fiduciary breaches, and considering that the cost of a data breach can run into the millions of dollars, the sensible course of action for retirement plan fiduciaries is to be continuously diligent and attentive regarding data privacy and security. This extends to diligence and care in the structuring of the outsourcing agreement.

The Clearing House (the oldest banking association and payments company in the United States) recently released a model agreement as a voluntary starting point to facilitate data sharing between financial institutions and fintech companies.

The model agreement is intended to provide a standardized foundation that speeds up data access agreement negotiations; as the Clearing House notes, “[L]egal agreements between banks and fintechs have sometimes taken 12 months or more to be developed and finalized and have become a significant bottleneck to API adoption.” Additionally, the model agreement is designed to reflect the Consumer Financial Protection Bureau’s consumer protection principles on data sharing and aggregation, providing confidence to the contracting parties that the terms address key regulatory issues.

The German Federal Office for Information Security (BSI) has determined the suitability of an industry-specific security standard (B3S) with which hospitals can align their IT security measures. The B3S standard was developed by the German Hospital Association (DKG).

The importance of cybersecurity in the autonomous vehicle setting is well known, but nuance and complexity will be on our LiDAR (a pulsed laser that measures ranges) where the rubber meets the road.

The Challenging, Shifting Landscape

Cybersecurity is one of the key issues of the digital age, typically in the context of security and privacy of confidential or personal data. Cybersecurity is particularly challenging and important for technologies such as self-driving cars, where the real world and the digital, connected world meet and where cyber breaches could result in danger to life and property.

Autonomous vehicles are still in their infancy. Significant uncertainty surrounds this rapidly evolving ecosystem. Standards and regulations are still in a state of flux, and the “rules of the game” are still unclear: how, and for how long, will human drivers/operators continue to be involved (along with their proclivity for risky, unpredictable and gullible behavior)? At this relatively immature stage, market participants are developing their own divergent solutions that will eventually need to integrate seamlessly, increasing the potential for cyber vulnerabilities. However, the opportunity (for both innovators and society at large) is clear, as smart, interconnected vehicles and systems promise remarkable improvements in efficiency and safety. The race is on.

The EU Commission issued its report on the third annual review of the functioning of the EU-US Privacy Shield (Privacy Shield) on October 23. The annual review and corresponding report are required of the Commission by its July 2016 adequacy decision, in which it found that the Privacy Shield ensures an adequate level of protection for personal data transferred from the European Union (EU) to the United States. The goal of the review is to evaluate and publicly report on all aspects of the functioning of the Privacy Shield Framework.

Morgan Lewis partners Ksenia Andreeva, Anastasia Dergacheva, Vasilisa Strizh, and Brian Zimbler and associate Anastasia Kiseleva contributed the chapter on Russia for the recently released Data Protection & Privacy 2020, the eighth edition of the Lexology Getting the Deal Through publication.

Lexology Getting The Deal Through provides international expert analysis in key areas of law, practice, and regulation for corporate counsel, cross-border legal practitioners, and company directors and officers. The publication addresses many of the most important data protection and data privacy laws in force or in preparation throughout the globe, discussing the same key data protection and privacy questions for each featured jurisdiction, with analysis from leading practitioners in that jurisdiction.