TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Check out this recent LawFlash by Morgan Lewis partners Michael Pierides and Simon Lightman discussing the groundbreaking fines the United Kingdom’s Information Commissioner’s Office (ICO) proposed against two global organizations pursuant to the EU General Data Protection Regulation (GDPR). Under the GDPR, which seeks to promote transparent and responsible collection and maintenance of consumers’ personal information, applicable regulatory agencies can impose fines on organizations that do not comply with the strict GDPR standards.

Recently, the ICO issued fines to two companies following data breaches of their respective consumers in 2018. Under previous data protection laws, fines were limited to hundreds of thousands of dollars, but in the new era of the GDPR, the companies are facing fines of $227.5 million and $123.1 million, respectively. The issuance of these massive fines puts global companies on notice that the GDPR should be taken seriously, and that the ICO, in particular, will not hesitate to dispense unprecedented consequences for noncompliance.

Executive Order 13873 was issued on May 15 with the goal of “Securing the Information and Communications Technology and Services Supply Chain.” The order ultimately seeks to manage the national security risk that can exist in information and communications technology (ICT) transactions between those subject to US jurisdiction and those subject to the jurisdictions of foreign adversaries. The order defines “information and communications technology or services” as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display.” A “foreign adversary” is defined in the order as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.”

Internet-connected devices contributing to the Internet of Things (IoT) are projected to exceed 50 billion devices by 2025, according to the Federal Trade Commission’s Bureau of Consumer Protection in its June 2018 comments on the Consumer Product Safety Commission’s notice of public hearing and request for written comments on “The Internet of Things and Consumer Product Hazards.” Such widespread use of and access to these internet-connected devices—which can collect personal data from their users—has spurred legislative movement toward introducing security standards for IoT devices. These initial steps start with the US government’s use of IoT devices through the Senate’s third proposed bill on the subject, S.734. The bill, known as the Internet of Things Cybersecurity Improvement Act of 2019, aims to manage cybersecurity risks regarding secure development, identity management, patching, and configuration management of “covered devices.” Under the proposed bill, a “covered device” is one that can connect to the internet, has data processing capabilities, and “is not a general-purpose computing device.” The covered devices at the focus of this bill refer to devices “owned or controlled by” the federal government.

The European General Data Protection Regulation (GDPR) took effect in May 2018, requiring companies that handle or process EU residents’ personal information to conform to practices that seek to more fully protect consumer sensitive information. Companies that fall under this category, known as data controllers, must secure consumer consent or another legally acceptable method of gathering personal information, notify individuals of the personal information that is collected and how it will be used, and limit the collection and maintenance to necessary information for a limited period of time. The individuals whose personal information is gathered also have a right to access the information, limit its use, and withdraw their consent from data controllers for such use.

Even with the standard independent contractor provision in a Master Services Agreement, when employees of the contractor work at a client's site, there can be a heightened risk for joint employment liability, especially where such employees were hired by the contractor as part of an outsourcing arrangement. The US Department of Labor (DOL) recently issued a Notice of Proposed Rulemaking (NPRM) to update its interpretation of the standard for establishing joint-employer liability under the Fair Labor Standards Act (FLSA). The proposal is “designed to promote certainty for employers and employees, reduce litigation, promote greater uniformity among court decisions, and encourage innovation in the economy” by making clear employers’ and joint employers’ respective obligations to pay the appropriate employee wages and overtime for a workweek.

More than 1,000 Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act) of 2,002 approvals have been granted by the US Department of Homeland Security (DHS) since the act’s inception. Many professional sports teams in the National Football League, Major League Baseball, and National Basketball Association have had their venues certified under the SAFETY Act. For example, New Era Field for the Buffalo Bills became the 14th NFL stadium to receive a SAFETY Act certification in October 2018. However, professional sports leagues do not have a monopoly on large sporting events that garner huge crowds—some universities have football stadiums with capacity for more than 100,000 people.

New York has increased its effort to enforce cybersecurity by creating a new unit designed to combat cybercrime and protect individuals’ sensitive data from attacks.

On May 22, New York appointed former federal prosecutor Justin Herring to lead the state’s newly created Cybersecurity Division at the New York Department of Financial Services (DFS).

Russia has amended its main laws governing the internet to allow the government to restrict access to the internet and to control internet traffic in emergency situations.

Federal Law No. 90-FZ of 1 May 2019 introduced a set of amendments to the Federal Law on Communications and the Federal Law on Information, Information Technologies and on Protection of Information (the Amendments). The Amendments are colloquially referred to as the “sovereign runet law” or the “law on the secured internet.”

The Federal Trade Commission (FTC) is requesting comments on proposed amendments to two rules addressing the privacy and security of customer information under the Gramm-Leach-Bliley Act. The FTC plans to publish the notices in the Federal Register in the near future.

Russia’s Central Bank, the financial markets regulator in Russia, might soon receive the right to block websites. On 24 January, the State Duma, the lower house of the Russian parliament, approved amendments in the first reading to the Federal Law "On Information, Information Technologies and Protection of Information" and the Civil Procedure Code (the Proposed Amendments).

The Proposed Amendments are designed to give the Central Bank the right to block websites violating financial market legislation or used to maintain fraudulent activities.