TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The California legislature passed five bills on September 13 to amend and clarify the scope of the California Consumer Privacy Act (CCPA). If the amendments are signed by the California governor by the October 13 deadline, they will become part of the CCPA, set to take effect on January 1, 2020. A LawFlash by Morgan Lewis partner Reese Hirsch and associates Kristin Hadgis, Lauren Groebe, and Terese Schireson discusses the key proposals in each amendment, such as:

Partner Barbara Melby, the leader of our technology, outsourcing, and commercial transactions practice, will be presenting “Intellectual Property Issues in Outsourcing” at Practising Law Institute’s (PLI’s) upcoming Outsourcing 2019: Innovation and Disruption program in New York. Barbara’s one-hour presentation will take place on Thursday, October 31 at 1:15 pm ET. She will discuss intellectual property (IP) issues in outsourcing, including the following topics:

  • Recognizing and avoiding common IP pitfalls
  • Copyright, patent, and trade secret issues from vendors’ and customers’ perspectives
  • IP representations, warranties, and indemnities in outsourcing transactions
  • Open source considerations
  • IP issues in cloud deals

A recent LawFlash by Morgan Lewis partners Ksenia Andreeva and Vasilisa Strizh and associate Anna Pirogova discusses a draft law proposed in Russia that would introduce heavy fines for violations of Russia’s data protection law and a variety of internet activity laws.

The primary federal data privacy law in Russia, On Personal Data, dated July 28, 2006 (the Personal Data Law), applies to “personal data operators,” which are entities that organize and carry out the processing of personal data and determine the purpose of individuals’ personal data processing. The proposed draft law, On Amending the Code of Administrative Offences of the Russian Federation, relates to the “localization requirement” of the Personal Data Law, which creates on obligation for personal data operators to collect, store, and otherwise process personal data of Russian citizens using databases and servers located in Russia.

Cybersecurity continues to be an issue at the forefront of many of our contract negotiations. Though not typically included in the “data security” section of an agreement, the level and scope of cyberinsurance coverage often plays an important factor in the discussions between customer and vendor.

On this topic, Morgan Lewis partners Mark Krotoski and Jeffrey Raskin will present an upcoming webinar as part of our firm’s Cyber Insurance Webinar Series to discuss ongoing developments in the cyberinsurance space, with a focus on the critical factors your company can consider as part of its overall cybersecurity protection strategy. The one-hour webinar, Cyber Insurance: Is Your Company Covered?, will take place on Tuesday, September 17, at 2:00 pm ET.

The January 1, 2020, deadline to comply with the California Consumer Privacy Act (CCPA) is fast approaching. Signed into law in the summer of 2018, the CCPA creates a variety of new consumer privacy rights and will require many companies to implement policies and procedures to manage and comply with new consumer-facing responsibilities. Catch up on the details of the CCPA in our previous post, this LawFlash, and the Morgan Lewis CCPA resource center.

An IAPP article by Annie Bai and Peter McLaughlin recently caught our attention, as it discusses the business risks of complying with the “verifiable consumer request” requirement under the CCPA. Under the CCPA, a California consumer may (1) request that a covered business provide access to the consumer’s personal information or (2) request that his or her personal information be deleted. Upon receiving such a request, the covered business must verify the identity of the requesting individual and respond. However, there is not much clarity in the CCPA regarding how a covered business must verify an individual’s identity.

In a recent Law360 article, Morgan Lewis lawyers Gregory Parks, Kristin Hadgis, and Terese Schireson discussed the recently passed bill in Nevada – Nevada Senate Bill 220 (SB 220) – that will require defined “operators” of websites or online services that are used for commercial purposes and collect personal data of Nevada consumers to comply with a consumer’s request not to sell personal information. SB 220 will be the first law of this scope in the United States that provides consumers with opt-out rights with respect to the sale of their data.

With SB 220 going into effect on October 1 of this year, it is time now for operators to implement measures to enable compliance with SB 220. The article offers helpful tips for compliance, including suggesting that affected operators establish designated addresses where consumers can submit requests.

As a follow-up to our recent post on third-party contract due diligence in outsourcing deals, this post focuses on how customers in outsourcing deals handle the disposition of legacy third-party contracts—one of the thorniest and most work-intensive work streams—once diligence has concluded.

The National Institute of Standards and Technology (NIST) recently circulated a draft white paper discussing recommended security practices to be adopted throughout the various phases of software development. The white paper provides three overarching reasons for integrating secure development practices throughout the software development lifecycle (SDLC) regardless of the development model (e.g., waterfall, agile), namely, “to reduce the number of vulnerabilities in released software, to mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and to address the root causes of vulnerabilities to prevent future recurrences.”

The white paper discusses the following four secure software development practices, and breaks down each topic by (1) practices, (2) tasks, (3) implementation examples, and (4) references.

Check out this recent LawFlash by Morgan Lewis partners Michael Pierides and Simon Lightman discussing the groundbreaking fines the United Kingdom’s Information Commissioner’s Office (ICO) proposed against two global organizations pursuant to the EU General Data Protection Regulation (GDPR). Under the GDPR, which seeks to promote transparent and responsible collection and maintenance of consumers’ personal information, applicable regulatory agencies can impose fines on organizations that do not comply with the strict GDPR standards.

Recently, the ICO issued fines to two companies following data breaches of their respective consumers in 2018. Under previous data protection laws, fines were limited to hundreds of thousands of dollars, but in the new era of the GDPR, the companies are facing fines of $227.5 million and $123.1 million, respectively. The issuance of these massive fines puts global companies on notice that the GDPR should be taken seriously, and that the ICO, in particular, will not hesitate to dispense unprecedented consequences for noncompliance.

The Federal Trade Commission (FTC) is seeking comments on the effectiveness of the amendments it made to the Children’s Online Privacy Protection Rule (COPPA Rule) in 2013, to determine whether additional changes are needed due to changes in technology since the last update.

Businesses with an online presence have long been aware of the requirements necessary to comply with the COPPA Rule, which requires online service providers to follow certain requirements in connection with the collection of information from children under 13 years old, including notice and verifiable consent. Although the FTC updated the rule in 2013, further changes to COPPA requirements and potential penalties should be expected, and online providers will need to implement such changes into their privacy policies and operational structures to ensure continued compliance.