Tech & Sourcing @ Morgan Lewis

TECHNOLOGY TRANSACTIONS, OUTSOURCING, AND COMMERCIAL CONTRACTS NEWS FOR LAWYERS AND SOURCING PROFESSIONALS
There is broad awareness of phishing, a form of cyberattack that typically uses email messages to lure victims into divulging sensitive information or opening a link that allows malware to infiltrate their device. Companies have learned to combat phishing by training employees to recognize such scam attempts and report them as phishing to protect their organizations. “Vishing” is another tactic used by scammers that, while less familiar, is no less invasive and dangerous.
In our January 2021 blog post The Right to Repair in Massachusetts Rolls Forward, we discussed how Massachusetts voters in November 2021 approved Question One, a ballot initiative amending the commonwealth’s 2012 Right to Repair Law. The amendment provides that motor vehicles sold in Massachusetts, beginning with 2022 models, be required “to equip any such vehicles that use telematics systems—systems that collect and wirelessly transmit mechanical data to a remote server—with a standardized open access data platform. Owners of motor vehicles with telematics systems would get access to mechanical data through a mobile device application.” With authorization of the owner, such telematics data will be available to independent repair facilities and dealerships not otherwise affiliated with the manufacturer of the vehicle, who will “send commands to the vehicle for repair, maintenance, and diagnostic testing.” In turn, a contractual relationship between the manufacturer and the independent repair facility will no longer be required in order for such data to be shared.
According to recent guidance from the US Federal Trade Commission (FTC), providers of health apps and connected devices that collect consumers’ health information must comply with the FTC’s Health Breach Notification Rule, 16 CFR Part 318, and therefore are required to notify consumers and others when their health data is breached.

As a reminder, China’s new Data Security Law (DSL), which entails more expansive and restrictive requirements on data localization, mandatory security level certification, and severe penalties for unauthorized foreign transfer of data, will come into effect on September 1, 2021. The DSL will potentially affect all business operators in China, including multinational corporations. Our privacy and cybersecurity team recently published a more detailed analysis of the DSL. If you have any specific questions, don’t hesitate to reach out to your Morgan Lewis contact for assistance.


On June 4, 2021, the European Commission adopted its long-anticipated updated Standard Contractual Clauses (New SCCs) for use by organizations transferring personal data outside of the European Economic Area (EEA) to third countries that do not provide adequate protections in respect of personal data. For more information, read our June 10 LawFlash, New European Standard Contractual Clauses Adopted for International Data Transfers. In this post we look at some of the things that organizations will need to consider when updating their current standard contractual clauses (SCCs).
There are often misconceptions in connection with negotiating intellectual property (IP) development agreements with developers located in Russia. This post details five common misconceptions and provides tips for complying with applicable laws in connection with such agreements.
The European Securities and Markets Authority (ESMA) on May 10 published final guidelines on outsourcing to cloud service providers (ESMA Guidelines) to help firms and competent authorities identify, address, and monitor the risks and challenges arising from cloud outsourcing arrangements. Subject to a few clarifications, the ESMA Guidelines are broadly consistent with the draft guidelines.
On March 29, the UK Prudential Regulation Authority (PRA) published a policy statement (PS7/21) and a supervisory statement (SS2/21) clarifying and modernizing regulatory expectations of outsourcing and third-party risk management. The expectations in PS7/21 and SS2/21 are relevant to banks, PRA-designated investment firms, insurers, and branches of overseas banks and insurers, and apply not just to “outsourcing” but also to non-outsourcing material or high-risk service arrangements. The expectations apply at a legal entity level rather than at a group level (save for expectations on intragroup arrangements).
The United Kingdom’s Digital Regulation Cooperation Forum (DRCF) on March 10 announced in its 2021–2022 workplan that the UK Financial Conduct Authority (FCA) will join as a full member from April 1, 2021.
If you have been involved with SaaS agreements or agreements that are for, or are enabled by, cloud services, you have seen or even drafted provisions relating to the right to use data processed on or generated through the use of the cloud platform.