TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Check out this recent LawFlash by Morgan Lewis partners Michael Pierides and Simon Lightman discussing the groundbreaking fines the United Kingdom’s Information Commissioner’s Office (ICO) proposed against two global organizations pursuant to the EU General Data Protection Regulation (GDPR). Under the GDPR, which seeks to promote transparent and responsible collection and maintenance of consumers’ personal information, applicable regulatory agencies can impose fines on organizations that do not comply with the strict GDPR standards.

Recently, the ICO issued fines to two companies following data breaches of their respective consumers in 2018. Under previous data protection laws, fines were limited to hundreds of thousands of dollars, but in the new era of the GDPR, the companies are facing fines of $227.5 million and $123.1 million, respectively. The issuance of these massive fines puts global companies on notice that the GDPR should be taken seriously, and that the ICO, in particular, will not hesitate to dispense unprecedented consequences for noncompliance.

The Federal Trade Commission (FTC) is seeking comments on the effectiveness of the amendments it made to the Children’s Online Privacy Protection Rule (COPPA Rule) in 2013, to determine whether additional changes are needed due to changes in technology since the last update.

Businesses with an online presence have long been aware of the requirements necessary to comply with the COPPA Rule, which requires online service providers to follow certain requirements in connection with the collection of information from children under 13 years old, including notice and verifiable consent. Although the FTC updated the rule in 2013, further changes to COPPA requirements and potential penalties should be expected, and online providers will need to implement such changes into their privacy policies and operational structures to ensure continued compliance.

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into New York law by Governor Andrew Cuomo on July 25, after passing the New York State Assembly on June 17. The SHIELD Act takes effect on March 21, 2020, and will modernize New York’s current laws governing data breach notification and data security requirements with the intention of providing greater protection for consumer's private information, while holding companies accountable for providing such protections.

Read our previous post on the SHIELD Act for more information.

As lawmakers, policymakers, tech companies, and other data collectors try to determine how much access and control of consumer data is appropriate or acceptable, and how much notice and choice consumers should have, consumers will ultimately be the arbiter of such access and use.  

A recent New York Times article discusses the efforts of lawmakers to require internet companies to be more transparent with consumers regarding the data collected and the specific value associated with such data. The article goes on to say there is a growing sentiment that the imbalance of power between internet companies and consumers vis-à-vis the value of the data collected, and that consumers should know and benefit from the true value of the data they provide by utilizing the services.

Open source programs are becoming a best practice in the technology, telecom/media, and financial services industries. Companies are establishing open source best practices to streamline and organize the way their employees use open source, focusing on long-term business plans. Since open source, a collaborative development process, varies so greatly from traditional software practices (i.e., proprietary and closed), companies are creating their own open source programs and policies to manage how it is used and how it can work best for the company’s long-term goals. Naturally, large technology companies are leading the way in establishing open source best practices, but open source is becoming commonplace for both tech and non-tech companies.

Open source programs are typically created by a company’s software engineering or development department for informal use and then eventually grow to a “formal” program with a collection of policies and guidelines. These policies may include open source contributions, a list of acceptable licenses, and the use of OS code.

When an inventor of technology who is also a university employee wants to commercialize university-developed technology, it is customary for the university and the inventor to “spin out” the technology via a license agreement to a newly created company (a licensee company) that sets forth the terms of the license, including any necessary milestones for advancing the technology, restrictions on the use of the technology, and the royalties and other financial terms applicable to the licensing and commercialization of the technology.

Executive Order 13873 was issued on May 15 with the goal of “Securing the Information and Communications Technology and Services Supply Chain.” The order ultimately seeks to manage the national security risk that can exist in information and communications technology (ICT) transactions between those subject to US jurisdiction and those subject to the jurisdictions of foreign adversaries. The order defines “information and communications technology or services” as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display.” A “foreign adversary” is defined in the order as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.”

In this Contract Corner, we are highlighting considerations for drafting sublicense provisions in the context of an Intellectual Property License.

  • Definition of Sublicense. A sublicense in the context of an IP license is any agreement where the licensee grants a third party rights to any of the licensed IP. This provision is often overly broad, but can be tailored to include standard exceptions (e.g., ordinary course agreements with End Users, distributors, etc.) in order to avoid an overly broad definition and to make sure that the royalty calculations are clear. It is also important to clarify the definition of End User in the sublicensing context, and to note that the sublicensee (or one of its affiliates) could be an End User if it uses the licensed IP for its own internal purposes.

Internet-connected devices contributing to the Internet of Things (IoT) are projected to exceed 50 billion devices by 2025, according to the Federal Trade Commission’s Bureau of Consumer Protection in its June 2018 comments on the Consumer Product Safety Commission’s notice of public hearing and request for written comments on “The Internet of Things and Consumer Product Hazards.” Such widespread use of and access to these internet-connected devices—which can collect personal data from their users—has spurred legislative movement toward introducing security standards for IoT devices. These initial steps start with the US government’s use of IoT devices through the Senate’s third proposed bill on the subject, S.734. The bill, known as the Internet of Things Cybersecurity Improvement Act of 2019, aims to manage cybersecurity risks regarding secure development, identity management, patching, and configuration management of “covered devices.” Under the proposed bill, a “covered device” is one that can connect to the internet, has data processing capabilities, and “is not a general-purpose computing device.” The covered devices at the focus of this bill refer to devices “owned or controlled by” the federal government.

The European General Data Protection Regulation (GDPR) took effect in May 2018, requiring companies that handle or process EU residents’ personal information to conform to practices that seek to more fully protect consumer sensitive information. Companies that fall under this category, known as data controllers, must secure consumer consent or another legally acceptable method of gathering personal information, notify individuals of the personal information that is collected and how it will be used, and limit the collection and maintenance to necessary information for a limited period of time. The individuals whose personal information is gathered also have a right to access the information, limit its use, and withdraw their consent from data controllers for such use.