TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Cybersecurity continues to be an issue at the forefront of many of our contract negotiations. Though not typically included in the “data security” section of an agreement, the level and scope of cyberinsurance coverage often plays an important factor in the discussions between customer and vendor.

On this topic, Morgan Lewis partners Mark Krotoski and Jeffrey Raskin will present an upcoming webinar as part of our firm’s Cyber Insurance Webinar Series to discuss ongoing developments in the cyberinsurance space, with a focus on the critical factors your company can consider as part of its overall cybersecurity protection strategy. The one-hour webinar, Cyber Insurance: Is Your Company Covered?, will take place on Tuesday, September 17, at 2:00 pm ET.

The January 1, 2020, deadline to comply with the California Consumer Privacy Act (CCPA) is fast approaching. Signed into law in the summer of 2018, the CCPA creates a variety of new consumer privacy rights and will require many companies to implement policies and procedures to manage and comply with new consumer-facing responsibilities. Catch up on the details of the CCPA in our previous post, this LawFlash, and the Morgan Lewis CCPA resource center.

An IAPP article by Annie Bai and Peter McLaughlin recently caught our attention, as it discusses the business risks of complying with the “verifiable consumer request” requirement under the CCPA. Under the CCPA, a California consumer may (1) request that a covered business provide access to the consumer’s personal information or (2) request that his or her personal information be deleted. Upon receiving such a request, the covered business must verify the identity of the requesting individual and respond. However, there is not much clarity in the CCPA regarding how a covered business must verify an individual’s identity.

In a recent Law360 article, Morgan Lewis lawyers Gregory Parks, Kristin Hadgis, and Terese Schireson discussed the recently passed bill in Nevada – Nevada Senate Bill 220 (SB 220) – that will require defined “operators” of websites or online services that are used for commercial purposes and collect personal data of Nevada consumers to comply with a consumer’s request not to sell personal information. SB 220 will be the first law of this scope in the United States that provides consumers with opt-out rights with respect to the sale of their data.

With SB 220 going into effect on October 1 of this year, it is time now for operators to implement measures to enable compliance with SB 220. The article offers helpful tips for compliance, including suggesting that affected operators establish designated addresses where consumers can submit requests.

As a follow-up to our recent post on third-party contract due diligence in outsourcing deals, this post focuses on how customers in outsourcing deals handle the disposition of legacy third-party contracts—one of the thorniest and most work-intensive work streams—once diligence has concluded.

The National Institute of Standards and Technology (NIST) recently circulated a draft white paper discussing recommended security practices to be adopted throughout the various phases of software development. The white paper provides three overarching reasons for integrating secure development practices throughout the software development lifecycle (SDLC) regardless of the development model (e.g., waterfall, agile), namely, “to reduce the number of vulnerabilities in released software, to mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and to address the root causes of vulnerabilities to prevent future recurrences.”

The white paper discusses the following four secure software development practices, and breaks down each topic by (1) practices, (2) tasks, (3) implementation examples, and (4) references.

Check out this recent LawFlash by Morgan Lewis partners Michael Pierides and Simon Lightman discussing the groundbreaking fines the United Kingdom’s Information Commissioner’s Office (ICO) proposed against two global organizations pursuant to the EU General Data Protection Regulation (GDPR). Under the GDPR, which seeks to promote transparent and responsible collection and maintenance of consumers’ personal information, applicable regulatory agencies can impose fines on organizations that do not comply with the strict GDPR standards.

Recently, the ICO issued fines to two companies following data breaches of their respective consumers in 2018. Under previous data protection laws, fines were limited to hundreds of thousands of dollars, but in the new era of the GDPR, the companies are facing fines of $227.5 million and $123.1 million, respectively. The issuance of these massive fines puts global companies on notice that the GDPR should be taken seriously, and that the ICO, in particular, will not hesitate to dispense unprecedented consequences for noncompliance.

The Federal Trade Commission (FTC) is seeking comments on the effectiveness of the amendments it made to the Children’s Online Privacy Protection Rule (COPPA Rule) in 2013, to determine whether additional changes are needed due to changes in technology since the last update.

Businesses with an online presence have long been aware of the requirements necessary to comply with the COPPA Rule, which requires online service providers to follow certain requirements in connection with the collection of information from children under 13 years old, including notice and verifiable consent. Although the FTC updated the rule in 2013, further changes to COPPA requirements and potential penalties should be expected, and online providers will need to implement such changes into their privacy policies and operational structures to ensure continued compliance.

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into New York law by Governor Andrew Cuomo on July 25, after passing the New York State Assembly on June 17. The SHIELD Act takes effect on March 21, 2020, and will modernize New York’s current laws governing data breach notification and data security requirements with the intention of providing greater protection for consumer's private information, while holding companies accountable for providing such protections.

Read our previous post on the SHIELD Act for more information.

As lawmakers, policymakers, tech companies, and other data collectors try to determine how much access and control of consumer data is appropriate or acceptable, and how much notice and choice consumers should have, consumers will ultimately be the arbiter of such access and use.  

A recent New York Times article discusses the efforts of lawmakers to require internet companies to be more transparent with consumers regarding the data collected and the specific value associated with such data. The article goes on to say there is a growing sentiment that the imbalance of power between internet companies and consumers vis-à-vis the value of the data collected, and that consumers should know and benefit from the true value of the data they provide by utilizing the services.

Open source programs are becoming a best practice in the technology, telecom/media, and financial services industries. Companies are establishing open source best practices to streamline and organize the way their employees use open source, focusing on long-term business plans. Since open source, a collaborative development process, varies so greatly from traditional software practices (i.e., proprietary and closed), companies are creating their own open source programs and policies to manage how it is used and how it can work best for the company’s long-term goals. Naturally, large technology companies are leading the way in establishing open source best practices, but open source is becoming commonplace for both tech and non-tech companies.

Open source programs are typically created by a company’s software engineering or development department for informal use and then eventually grow to a “formal” program with a collection of policies and guidelines. These policies may include open source contributions, a list of acceptable licenses, and the use of OS code.