TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The January 1, 2020, deadline to comply with the California Consumer Privacy Act (CCPA) is fast approaching. Signed into law in the summer of 2018, the CCPA creates a variety of new consumer privacy rights and will require many companies to implement policies and procedures to manage and comply with new consumer-facing responsibilities. Catch up on the details of the CCPA in our previous post, this LawFlash, and the Morgan Lewis CCPA resource center.

An IAPP article by Annie Bai and Peter McLaughlin recently caught our attention, as it discusses the business risks of complying with the “verifiable consumer request” requirement under the CCPA. Under the CCPA, a California consumer may (1) request that a covered business provide access to the consumer’s personal information or (2) request that his or her personal information be deleted. Upon receiving such a request, the covered business must verify the identity of the requesting individual and respond. However, there is not much clarity in the CCPA regarding how a covered business must verify an individual’s identity.

When we represent customers in outsourcing and managed services transactions, we spend a significant amount of time drafting the exhibits for transition, which is typically a major project in and of itself. In order to help clients think about the major components of transition, we often provide the following checklist of common workstreams to facilitate our discussion.

  1. Governance – Governance is an overarching workstream that spans all phases of transition. A key component is the formation of a transition management office that is responsible for managing the overall transition (including performance and risk management) and coordinating with the company’s governance organization.
  2. Planning – Detailed design and implementation planning is critical to ensuring timelines are integrated and met, with all dependencies considered. Plans typically include the responsibilities of each party, anticipated completion dates, and acceptance criteria.

In a recent Law360 article, Morgan Lewis lawyers Gregory Parks, Kristin Hadgis, and Terese Schireson discussed the recently passed bill in Nevada – Nevada Senate Bill 220 (SB 220) – that will require defined “operators” of websites or online services that are used for commercial purposes and collect personal data of Nevada consumers to comply with a consumer’s request not to sell personal information. SB 220 will be the first law of this scope in the United States that provides consumers with opt-out rights with respect to the sale of their data.

With SB 220 going into effect on October 1 of this year, now is the time for operators to implement measures to enable compliance with SB 220. The article offers helpful tips for compliance, including suggesting that affected operators establish designated addresses where consumers can submit requests.

Ed Hansen, Val Gross, and Morgan Richman will run a highly interactive two-part program, “How to Make Complex Contracts and Negotiations Work: Tips and Practices You Can Use Today,” at the Eastern Regional SIGnature Event. The program will guide attendees through complex contracting and collaborative negotiating, providing actionable strategies that can be used in real-world scenarios right away.

In the first session, the team will define and deconstruct "complex" contracts. Attendees will learn techniques to simplify contracts and will learn how to transform a "bad" contract into a user-friendly document that constituents will want to use. The second session will focus on hardcore collaborative negotiating techniques. Using a scenario-based approach, participants will learn the hard skills necessary for building a collaborative negotiating environment, including how to avoid barriers to collaboration, how to achieve alignment, and how to address FUD—fear, uncertainty, and doubt.

As a follow-up to our recent post on third-party contract due diligence in outsourcing deals, this post focuses on how customers in outsourcing deals handle the disposition of legacy third-party contracts—one of the thorniest and most work-intensive work streams—once diligence has concluded.

The Q2 2019 issue of Morgan Lewis’s Life Sciences International Review was recently released. The review includes updates relevant to the life sciences industry from across the world, including the United States, Europe, and Asia. The topics range from intellectual property and data privacy to international trade and labor and employment. We found it to be an excellent read for anyone interested in keeping up with current trends in the life sciences sector.

Two of the topics that we found to be of particular interest were about data privacy in the European Union and foreign investments in the United States biotechnology industry. The review looks at the opinion adopted by the European Data Protection Board (EDPB) regarding the interplay between the General Data Protection Regulation and the forthcoming Clinical Trials Regulation. The review also discusses the increased activity by the Committee on Foreign Investment in the United States (CFIUS) in scrutinizing life sciences transactions, which has led to several transactions being blocked or mitigated.

The Life Sciences International Review is a quarterly newsletter published by Morgan Lewis lawyers with important updates and insights for the life sciences sector. Be sure to look for the next publication coming in the fall!

The National Institute of Standards and Technology (NIST) recently circulated a draft white paper discussing recommended security practices to be adopted throughout the various phases of software development. The white paper provides three overarching reasons for integrating secure development practices throughout the software development lifecycle (SDLC) regardless of the development model (e.g., waterfall, agile), namely, “to reduce the number of vulnerabilities in released software, to mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and to address the root causes of vulnerabilities to prevent future recurrences.”

The white paper discusses the following four secure software development practices, and breaks down each topic by (1) practices, (2) tasks, (3) implementation examples, and (4) references.

We found a recent Forbes article by Cody McLain interesting; it discussed the top trends to watch in the business process outsourcing (BPO) industry. The article highlighted the following four trends for 2019.

1. Increase in Process Automation

As artificial intelligence (AI) expands to nearly every aspect of our lives, the BPO industry is also impacted and must adapt to the AI revolution. The article estimates that nearly 40% of American jobs could be lost to automation by the 2030s. While BPO companies often thrive in completing manual tasks outsourced by their clients, if AI software were able to perform those same services at a fraction of the cost, then BPO companies would lose out as their clients choose the more cost-effective solution. The article suggests that BPO companies should adapt to the use of AI and switch their services to work alongside AI (such as managing and maintaining AI) to stay competitive.

The due diligence review of existing third-party contracts is a critical component of any outsourcing deal. For the company that is outsourcing part of its business functions to a third party, reviewing existing third-party contracts for certain key terms is an important part of the outsourcing process. Organization, attention to detail, and diligence are keys to a successful third-party contract review process.

The terms that need to be reviewed will be based on the scope of the outsourcing agreement, e.g., whether contracts will be assigned, terminated, or made available for the outsourcing provider to use. Once the deal constructs are established, Excel can be a useful tool to guide the review of the third-party contracts, by allowing the reviewer to insert the applicable language from each contract into the appropriate row or column. The Excel chart will become a reference guide for the key provisions and provide an overview and comparison between the third-party contracts.

Check out this recent LawFlash by Morgan Lewis partners Michael Pierides and Simon Lightman discussing the groundbreaking fines the United Kingdom’s Information Commissioner’s Office (ICO) proposed against two global organizations pursuant to the EU General Data Protection Regulation (GDPR). Under the GDPR, which seeks to promote transparent and responsible collection and maintenance of consumers’ personal information, applicable regulatory agencies can impose fines on organizations that do not comply with the strict GDPR standards.

Recently, the ICO issued fines to two companies following data breaches affecting their respective consumers in 2018. Under previous data protection laws, fines were limited to hundreds of thousands of dollars, but in the new era of the GDPR, the companies are facing fines of $227.5 million and $123.1 million, respectively. The issuance of these massive fines puts global companies on notice that the GDPR should be taken seriously, and that the ICO, in particular, will not hesitate to dispense unprecedented consequences for noncompliance.