Choose Site
TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Companies developing digital therapeutics, clinical decision support apps, and other digital health technologies for use in the coronavirus (COVID-19) pandemic should be mindful of FDA’s quickly evolving policies and guidance affecting such technologies. In our recent LawFlash, FDA Regulation of COVID-19 Apps, Digital Therapeutics, and other Digital Health Technologies, we examine recent FDA developments and their implications for companies in the digital health space.

For example, FDA has issued several new guidance documents describing policies of enforcement discretion to help promote the development and availability of digital health technologies for COVID-19. FDA also has issued multiple Emergency Use Authorizations for new COVID-19-related digital health products, and has issued guidance intended to clarify when clinical decision support software is subject to FDA oversight. It is critical for companies seeking to develop digital health technologies for pandemic-related uses to determine whether and how their products may be regulated by FDA.

The Business Software Alliance (BSA) recently endorsed principles for building trust in the Internet of Things (IoT), highlighting the need for a risk-based approach that (1) accounts for the various components, capabilities, users, environments, life cycles, and complexities of the IoT ecosystem, and (2) engages the corresponding stakeholders. Given the near boundless opportunities—and risks—deriving from its connectivity, a connected device should not be designed and managed in isolation.

The following key themes emerged throughout the BSA policy principles:

In a recent Wall Street Journal article, cybersecurity journalist Catherine Stupp drew attention to the massive surge in internet-connected devices expected to be in use by the end of 2020. This increase in the Internet of Things, which refers to internet-connected devices ranging from televisions and automobiles to fitness tools and medical devices, presents several challenges to the world of cybersecurity.

The article not only urges manufacturers of internet-connected devices to apply cybersecurity techniques to increase security, but also asks large companies buying devices to incentivize good security practices by only purchasing devices with proper safeguards. The California Consumer Privacy Act, which took effect January 1, 2020, takes a step in the right direction by no longer allowing manufacturers to sell internet-connected devices with weak default passwords. Stay tuned for future developments as cybersecurity races to keep pace with the growth of connected devices.

Russia has amended its main laws governing the internet to allow the government to restrict access to the internet and to control internet traffic in emergency situations.

Federal Law No. 90-FZ of 1 May 2019 introduced a set of amendments to the Federal Law on Communications and the Federal Law on Information, Information Technologies and on Protection of Information (the Amendments). The Amendments are colloquially referred to as the “sovereign runet law” or the “law on the secured internet.”

Every January, electronics manufacturers descend upon Las Vegas for the annual Consumer Electronics Show (CES) to showcase their latest and greatest forays in devices. Not surprisingly, there was no shortage of shiny fresh connected devices with new and evolving applications in everything from workouts and personal care to the more usual suspects of television and virtual assistants. With Internet of Things (IoT) becoming more ubiquitous, it was only a matter of time before legislation followed. On September 28, 2018, California enacted the United States’ first IoT law, set to go into effect January 1, 2020, just in time for next year’s CES.

As 2018 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner.

The Pittsburgh session of the annual Cyberlaw Update for the Pennsylvania Bar Institute (PBI) will take place on Tuesday, July 17. Moderated by Morgan Lewis partner Peter Watt-Morse, the update enters its 21st year and this year’s seminar will focus on current hot-button issues including blockchain and cryptocurrency and security and privacy concerns related to social media, IOT, GDPR, and the Dark Web.

Speakers at the all-day event include Mr. Watt-Morse and of counsel Emily Lowe, who will be speaking on privacy and security concerns regarding social media from both a policy and regulatory standpoint in the wake of the disclosures related to Cambridge Analytics; and associate Ben Klaber who will be reviewing such concerns as they apply to the burgeoning market of Internet of Things (IoT) devices.

Just when we finally figured out how to contract for “cloud” services and SaaS, here comes blockchain—the next disruptor for IT, businesses and, yes, us lawyers.

So what is blockchain? This is one of the best definitions that we have found from the Wall Street Journal, CIO Explainer: What Is Blockchain?

A blockchain is a data structure that makes it possible to create a digital ledger of transactions and share it among a distributed network of computers. It uses cryptography to allow each participant on the network to manipulate the ledger in a secure way without the need for a central authority. Once a block of data is recorded on the blockchain ledger, it’s extremely difficult to change or remove. When someone wants to add to it, participants in the network—all of which have copies of the existing blockchain—run algorithms to evaluate and verify the proposed transaction. If a majority of nodes agree that the transaction looks valid…then the new transaction will be approved and a new block added to the chain.

The UK government recently released a policy paper outlining proposed requirements for makers of Internet of Things (IoT) devices to take certain actions to better protect IoT devices from growing cybersecurity threats. Secure by Design: Improving the cyber security of consumer Internet of Things Report was released by the UK’s Department for Digital, Culture, Media & Sport and contains a draft Code of Practice for manufacturers of consumer IoT devices and services.

Galvanized by a confluence of charged factors—like privacy, cybersecurity, children, and the Internet of Things (IoT)—and sparked by recent assertions of Children’s Online Privacy Protection Act (COPPA) regulatory power, the US Federal Trade Commission (FTC) entered into a pioneering settlement with electronic toy manufacturer VTech regarding a breach of children’s personal information. The FTC’s message to companies is crystal clear: when it comes to kids’ data, transparency and security are elemental.

Scarce Insulation from COPPA

The COPPA Rule explains what operators of websites and online services must do to protect children’s privacy and safety online, and the FTC serves as the enforcer. As we previously discussed, the FTC released updated guidance in response to concerns about the security of data collected and used by internet-connected products geared toward children. The FTC noted that COPPA defines “website or online service” broadly and specifically listed connected toys and IoT devices within the COPPA Rule’s purview. Although the FTC released a policy that permits collecting a recording of a child’s voice without parental consent in certain situations, such circumstances are narrowly limited to the sole and limited purpose of replacing written words—say, an instruction—and the recording must be immediately destroyed.