TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The seventh edition of Data Protection & Privacy, published annually by Getting the Deal Through, provides answers from practitioners around the globe regarding key questions in international privacy and data protection laws and regulations.

Our colleagues Ksenia Andreeva, Anastasia Dergacheva, Anastasia Kiseleva, Vasilisa Strizh, and Brian Zimbler contributed this year’s Russia chapter, providing insight on a wide variety of issues under Federal Law No. 152-FZ on Personal Data dated 27 July 2006, the main law governing the protection of personal data in Russia. This comprehensive chapter is a go-to resource for understanding the legislative framework for data protection and privacy in Russia, including the obligations of data controllers and data processors and the rights of data subjects.

The full edition is available online with additional chapters covering various jurisdictions around the world.

The California Consumer Privacy Act (CCPA) was signed into law this summer, as described in our prior post and this LawFlash. The CCPA creates a variety of new consumer privacy rights and will require many companies to reassess and modify their business processes in the collection and use of personal information. This comprehensive new privacy law, similar in some ways to the EU’s General Data Protection Regulation (GDPR), will therefore require many organizations doing business in California to implement new policies and procedures to be in compliance by the January 1, 2020, deadline.

The landmark CCPA is also a work in progress. To help guide companies and institutions through the challenges presented by the CCPA, Morgan Lewis has set up a CCPA resource center that will be continuously updated with content as new developments arise.

One such development is a recent set of amendments passed by the California Legislature. To help explain the current state of the CCPA, the recent amendments, and issues that remain to be debated and clarified, our colleagues Reece Hirsch, Mark Krotoski, and Carla Oakley will be hosting a webinar on October 16 at 1:00–2:00 pm ET.

We hope you register for this webinar and visit the CCPA resource center to stay up to date on important developments in this new regulatory environment.

London partner Pulina Whitaker recently published a LawFlash that discusses how the United Kingdom’s exit from the European Union will make the UK a “third country”—meaning that unrestricted cross-border transfers of data will no longer automatically be able to take place between the UK and the EU—and considers whether the UK will be “adequate” after Brexit.

The first edition of Blockchain & Cryptocurrency Regulation 2019, published by Global Legal Insights, provides in-depth analysis of the developing arena of the regulation of blockchain and cryptocurrency, and country-by-country analysis of issues including government attitudes and definition, cryptocurrency regulation, sales regulation, taxation, money transmission laws and anti-money laundering requirements, promotion and testing, ownership and licensing requirements, mining, and border restrictions.

Continuing the firm’s thought leadership in this emerging field, Morgan Lewis lawyers Vasilisa Strizh, Anastasia Kiseleva, and Dmitry Dmitriev have written the chapter providing insight on the approach in Russia.

President Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formally known as the “Main Street Cybersecurity Act”), into law on August 14.

The new act amends the National Institute of Standards and Technology Act to require the National Institute of Standards and Technology (NIST), within the next year and in consultation with the heads of other appropriate federal agencies, to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks” and to consider small businesses when it “facilitates and supports the development of voluntary, consensus-based, industry-led guidelines and procedures to cost-effectively reduce cyber risks to critical infrastructure.”

The US Department of Homeland Security (DHS) hosted the first National Security Summit on July 31 in New York City. In attendance were US Vice President Mike Pence, senior members of the DHS and other federal agencies, as well as industry leaders from sectors including telecom, finance, and energy. One of the major announcements to come out of this summit was the formation of the National Risk Management Center, including a new supply chain risk management task force.

The World Bank announced on August 10 that, 70 years after its first bond transaction, it will be issuing the first bond to rely entirely on blockchain technology, in part to help the bank gain experience in the use of blockchain. The World Bank’s innovation lab partnered with the Commonwealth Bank of Australia (CBAUF) and Microsoft on this endeavor, which was almost a year in the making.

Blockchain is a growing list of records, or “blocks,” linked using cryptography and resistant to modification, since it is essentially an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. This means that once data is recorded, the data in a block cannot be altered without altering all later blocks, which requires majority consensus of the network. Just imagine all the people around the world agreeing to verify a single block and all subsequent blocks!

This July, the 2018 Cost of Data Breach Study: A Global Overview was released as an independent study by Ponemon Institute, LLC, sponsored by IBM Security. The study breaks down the rising costs of data breaches and the likelihood of an organization experiencing a future data breach, with information derived through interviews with more than 2,200 professionals from 477 organizations that have experienced a breach in the last 12 months.

The study does not focus on “mega breaches,” which are breaches that exceed 1 million records. However, for the first time this year the annual study offers separate insights into data breaches that resulted in the exposure of more than 1 million compromised records:

  • Mega breaches of 1 million records yield an average total cost of $40 million
  • Mega breaches of 50 million records yield an average total cost of $350 million

Moscow partners Anastasia Dergacheva and Brian L. Zimbler and associate Kseniya Lopatkina recently published a LawFlash on the new rules in Russia for platforms that aggregate information from online stores. Federal Law No. 250-FZ, signed on July 29, 2018, provides additional protection for consumers acquiring goods and services through online platforms. For more information on the effects of this new law, read the LawFlash.

European financial institutions (competent authorities, credit institutions, and investment firms as defined in EU Regulation No. 575/2013, collectively Institutions) have been instructed to comply with the European Banking Authority’s (EBA’s) recommendations when outsourcing to cloud service providers (Recommendations) as of July 1, 2018.

With cloud-based solutions offering new products geared to potentially reduce infrastructure costs and improve services, outsourcing to cloud-based service providers is becoming progressively more popular among Institutions. This trend has prompted the EBA to issue the Recommendations, with the expectation that Institutions will use their best efforts to comply.