TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

As we start 2022, as part of our Spotlight series, we connect with Reece Hirsch, the co-head of Morgan Lewis’s privacy and cybersecurity practice, to discuss the recent policy statement issued by the US Federal Trade Commission regarding the Health Breach Notification Rule and how it applies to health app developers that handle consumers’ sensitive health information. Our Tech & Sourcing @ Morgan Lewis blog also published a summary of the policy statement.

As 2021 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips.
Broad awareness has been made about cyberattacks in the form of phishing that typically use email messages to lure victims into divulging sensitive information or opening a link that allows malware to infiltrate their device. Companies have learned how to combat phishing by training employees to recognize such scam attempts and report them as phishing to protect their organizations. “Vishing” is another tactic used by scammers that, while less familiar, is no less invasive and dangerous.
In our January 2021 blog post The Right to Repair in Massachusetts Rolls Forward, we discussed how Massachusetts voters in November 2021 approved Question One, a ballot initiative amending the commonwealth’s 2012 Right to Repair Law. The amendment provides that motor vehicles sold in Massachusetts, beginning with 2022 models, be required “to equip any such vehicles that use telematics systems—systems that collect and wirelessly transmit mechanical data to a remote server—with a standardized open access data platform. Owners of motor vehicles with telematics systems would get access to mechanical data through a mobile device application.” With authorization of the owner, such telematics data will be available to independent repair facilities and dealerships not otherwise affiliated with the manufacturer of the vehicle, who will “send commands to the vehicle for repair, maintenance, and diagnostic testing.” In turn, a contractual relationship between the manufacturer and the independent repair facility will no longer be required in order for such data to be shared.
According to recent guidance from the US Federal Trade Commission (FTC), providers of health apps and connected devices that collect consumers’ health information must comply with the FTC’s Health Breach Notification Rule, 16 CFR Part 318, and therefore are required to notify consumers and others when their health data is breached.

With high-profile ransomware attacks occurring over the last few months, cybersecurity is back on the agenda in Washington, DC. We invite you to an upcoming webinar during which Morgan Lewis partners Ezra Church, Kristin Hadgis, and Daniel Skees will review recent actions taken by the Biden-Harris administration to address cybersecurity threats to critical infrastructure and to enhance the protection of sensitive data. They will also consider how the administration’s approach could affect future regulatory initiatives.

On June 4, 2021, the European Commission adopted its long-anticipated updated Standard Contractual Clauses (New SCCs) for use by organizations transferring personal data outside of the European Economic Area (EEA) to third countries that do not provide adequate protections in respect of personal data. For more information, read our June 10 LawFlash, New European Standard Contractual Clauses Adopted for International Data Transfers. In this post we look at some of the things that organizations will need to consider when updating their current standard contractual clauses (SCCs).
The United Kingdom’s Department for Digital, Culture, Media & Sport (DCMS) is requesting views on supply chain cybersecurity, which it will look to incorporate into its new National Cyber Security Strategy.
For UK companies choosing between hiring employees or using independent contractors, there are important legal risks that must be taken into consideration. In addition, agile and remote workforces are a hot topic as companies around the world are considering new ways of working following the COVID-19 pandemic. However, in the post-Brexit United Kingdom, the idea that people can work in any place at any time presents tax, data protection, and employment law challenges.
Last week, we posted on the guidance issued by the US Department of Labor (DOL) for plan sponsors, plan fiduciaries, recordkeepers, and plan participants on cybersecurity best practices. Last week’s post focused on the guidance provided for hiring a service provider. In this week’s post, we will highlight some the DOL’s cybersecurity program best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data.