TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

London partner Pulina Whitaker recently published a LawFlash discussing how the United Kingdom’s exit from the European Union will make the UK a “third country”—meaning that unrestricted cross-border transfers of data will no longer automatically be able to take place between the UK and the EU—and considers whether the UK will be “adequate” after Brexit.

The first edition of Blockchain & Cryptocurrency Regulation 2019, published by Global Legal Insights, provides in-depth analysis of the developing arena of the regulation of blockchain and cryptocurrency, and country-by-country analysis of issues including government attitudes and definition, cryptocurrency regulation, sales regulation, taxation, money transmission laws and anti-money laundering requirements, promotion and testing, ownership and licensing requirements, mining, and border restrictions.

Continuing the firm’s thought leadership in this emerging field, Morgan Lewis lawyers Vasilisa Strizh, Anastasia Kiseleva, and Dmitry Dmitriev have written the chapter providing insight on the approach in Russia.

President Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formally known as the “Min Street Cybersecurity Act”) into law on August 14.

The new act amends the National Institute of Standards and Technology Act requiring it within the next year, in consultation with the heads of other appropriate federal agencies, to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks” and to require the National Institute of Standards and Technology (NIST) to consider small businesses when it “facilitates and supports the development of voluntary, consensus-based, industry-led guidelines and procedures to cost-effectively reduce cyber risks to critical infrastructure.”

The US Department of Homeland Security (DHS) hosted the first National Security Summit on July 31 in New York City. In attendance were US Vice President Mike Pence, senior members of the DHS and other federal agencies, as well as industry leaders from sectors including telecom, finance, and energy. One of the major announcements to come out of this summit was the formation of the National Risk Management Center, including a new supply chain risk management task force.

The World Bank announced on August 10 that 70 years after its first bond transaction, it will be issuing the first bond to use entirely blockchain technology, in part to help the bank gain experience in the use of blockchain. The World Bank’s innovation lab partnered with the Commonwealth Bank of Australia (CBAUF) and Microsoft on this endeavor almost a year in the making.

Blockchain is a growing list of records, or “blocks” linked using cryptography and resistant to modification since it is essentially an open, distributed ledger that can record transactions between two parties efficiently and verifiable in a permanent way. This means that once data is recorded, the data in a block cannot be altered without altering all later blocks, which requires majority consensus of the network. Just imagine all the people around the world agreeing to verify a single block and all subsequent blocks!

This July, the 2018 Cost of Data Breach Study: A Global Overview was released as an independent study by Ponemon Institute, LLC, sponsored by IBM Security. The study breaks down the rising costs of data breaches and the likelihood of an organization experiencing a future data breach, with information derived through interviews with more than 2,200 professionals from 477 organizations that have experienced a breach in the last 12 months.

The study does not focus on “mega breaches,” which are breaches that exceed 1 million records. However, for the first time this year the annual study offers separate insights into data breaches that resulted in the exposure of more than 1 million compromised records:

  • Mega breaches of 1 million records yield an average total cost of $40 million
  • Mega breaches of 50 million records yield an average total cost of $350 million

Moscow partners Anastasia Dergacheva and Brian L. Zimbler and associate Kseniya Lopatkina recently published a LawFlash on the new rules in Russia for platforms that aggregate information from online stores. Federal Law No. 250-FZ, signed on July 29, 2018, provides additional protection for consumers acquiring goods and services through online platforms. For more information on the effects of this new law, read the LawFlash.

Cybersecurity remains at the top of the list of risk concerns when organizations outsource IT and other functions leveraging cloud-based solutions. While there are no guaranteed methods to fully eradicate cybersecurity risks, companies should consider taking the following steps to mitigate the risk.

#1 – Diligence!

As a first step, it is helpful to define the minimal security controls that you will require your outsourcer to implement and adhere to, and then compare your organization’s own security requirements to the outsourcer’s solution. You can begin by forming a cross-functional due diligence team with stakeholders such as IT security, internal audit, compliance, and business owners to conduct robust and meaningful reviews of an outsourcer’s security solution and evaluate essential factors, including the following:

  • Types of data
  • How data is flowing and transferred
  • Location of data
  • How your organization’s privacy policies align with the outsourcer’s
  • Encryption requirements and access control processes
  • How remote access is handled
  • Whether the outsourcer follows industry best practices and regularly monitors and audits its controls
  • How the outsourcer uses subcontractors
  • Applicable laws and regulations

With the incorporation of multiple security products defending against increasingly complex attacks, cybersecurity teams can be overwhelmed with a deluge of threat alerts that make it challenging to adequately handle with the traditional processes. Shortages in IT security staffing and continued reliance on multiple technologies and processes have created inefficient and time-consuming systems. Fortunately, solutions to improve security operations exist by implementing Security Orchestration, Automation, and Response (SOAR) technologies.

Gartner, Inc., (Gartner) a leading research and advisory company, has published a report titled “Innovation Insight for Security Orchestration, Automation and Response” which has recognized the convergence of three previously separate technology sectors: (1) security orchestration and organization; (2) incident management and response; and (3) threat intelligence.

Senators Edward Markey and Richard Blumenthal introduced a new privacy rights bill on April 10 titled “Customer Online Notification for Stopping Edge-provider Network Transgressions” (CONSENT Act). The CONSENT Act’s obligations would apply to entities known as edge providers who provide services through a software program (including a mobile application) or over the internet (1) that require its customers to subscribe to or maintain an account to obtain services; (2) that require a customer to purchase services; (3) through which a customer performs searches; or (4) through which a customer provides sensitive customer proprietary information.

The CONSENT Act would require the Federal Trade Commission (FTC) to promulgate regulations to protect the privacy of customers of edge providers within one year of passage of the CONSENT Act that would take effect within 180 days of such promulgation. Specifically, the CONSENT Act stipulates that such FTC regulations must