TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The National Institute of Standards and Technology (NIST), the government agency charged with promoting U.S. innovation and industrial competitiveness by advancing technology, recently published a list of 65 forensic challenges associated with cloud-based environments. These challenges range from standard business practices to technological architecture and include the following:

Gone are the days when parental consent meant a signed permission slip—in the realm of data collection from children through the Web, parental consent takes on a whole new look. The Children’s Online Privacy Protection Act (COPPA)—which restricts the collection, use, and disclosure of certain personal information from children under the age of 13 by operators of commercial websites or online services (including mobile applications)—generally requires that the operator obtain a parent’s “verifiable parental consent” prior to collecting such information. Recent updates to the Federal Trade Commission’s (FTC’s) guidance on COPPA added some clarity to the scope of this necessary parental consent.

In a recent decision, the U.S. District Court for the District of Columbia held that the plaintiffs in a data theft case lacked standing when the only injury was an “increased likelihood” of becoming an identity theft victim.

In rendering its decision in In Re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, the district court relied on the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA, where the Court held a “mere loss of data” or “increased risk of identity theft” in a data breach case does not constitute an injury that confers standing. Instead, individuals whose data has been stolen must show that injury has actually occurred or is certainly impending.

The facts of the SAIC case are pleasantly low tech. Data back-up tapes were stolen from a car. The tapes were never found. The tapes contained personal information for more than 4.7 million members of military families. In the hands of a tech-savvy cyber criminal, such information could be a jackpot, but, in the hands of a common street criminal, maybe not. The district court in SAIC stated: “At this point, we do not know who [the thief] was, how much [the thief] knows about computers, or what [the thief] has done with the tapes. The tapes could be uploaded onto [the thief’s] computer and fully deciphered, or they could be lying in a landfill somewhere in Texas.”

The court in SAIC provided a simple summary: “In sum, increased risk of harm alone does not constitute an injury in fact [sufficient for standing]. Nor do measures taken to prevent a future, speculative harm.”

Accordingly, in order to have standing to pursue a data breach case, a plaintiff would have to demonstrate much more than an increased likelihood of harm. Rather, a plaintiff would have to show an actual injury that was directly caused by the breach. Even then, of course, that would only establish standing, and a plaintiff would have to prove the other elements of his or her case.

Computer Weekly reported last week that Ben Barry of Coeus Consulting blogged that “There are some services which might be too important to outsource—service integration and management (SIAM) is one example.” Although we agree SIAM is important, the challenges and opportunities relating to service integration lead only to the following conclusion—SIAM is also too important to ignore.

Cloud services are all the rage, and the race is on to adopt this new technology, but what if we just sit back and gaze? What is the hard data telling us? Skyhigh Networks recently released its latest quarterly Cloud Adoption & Risk Report, which offers the following insight based on enterprise customer usage data:

Canada's Anti-Spam Legislation (CASL), which sets forth guidelines for and places certain restrictions on sending "commercial electronic messages" (CEMs) to Canadian residents, is now in effect. Under CASL, sending a CEM to a Canadian resident’s email address requires consent from the resident, the sender’s identification information, and an unsubscribe mechanism. The summary below is derived from the CASL compliance-related information compiled by the Canadian Radio-television Telecommunications Commission (CRTC):

California Governor Jerry Brown recently signed into law AB 129, a bill intended to ensure that the use of various forms of alternative currency does not violate California law. Section 107 of the California Corporations Code, which previously prohibited an individual or corporation from issuing or putting into circulation “anything but the lawful money of the United States,” was repealed under AB 129 to clarify that the code does not prohibit the issuance and use of alternative currency.

As part of Morgan Lewis's Technology May-rathon webinar series, Antitrust partners Will Tom, Clay Everett, and Jonathan Rich will discuss lessons from Bazaarvoice/PowerReviews, Integrated Device Technologies/PLX Technology, and other challenges to high-tech mergers brought by the Department of Justice and Federal Trade Commission in recent years.

This webinar will be held today, Thursday, May 15, from 1 to 2 p.m.

As the European Union (EU) and Asia-Pacific Economic Cooperation (APEC) issue new rules on data protection, companies need to ensure their policies comply with the applicable regulations in this ever-changing landscape. The increasing requirements placed on companies bring to mind a famous quote: “With great power comes great responsibility.” Yes, Spider-Man’s Uncle Ben said that, but the quote has particular applicability to the circumstances faced by multinational companies that have now been equipped with technology to transmit and access data across the world in the blink of an eye. Various data protection requirements have accompanied this “great power” of data transfer, particularly with respect to the transfer of personal data.

Australian businesses and agencies should take note of amendments to Australia’s Privacy Act, which regulates how organizations collect, handle, and disclose personal information within Australia. The new amendments, which took effect on March 12, are described below.

Who is covered under the amended act?

The Privacy Act applies to any private sector business that has a turnover of greater than AUD3 million (USD2.7 million) or that handles personal information for a benefit, service, or advantage or any entity that handles health or other sensitive information.