TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

One of the major changes introduced by the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which was signed into New York law last year, is scheduled to take effect this week.

The SHIELD Act modernized New York’s laws by (1) expanding the data elements that may trigger data breach notification to include certain biometric information, user names or email addresses, and account, credit card, or debit card numbers, if circumstances would permit account access without a security code or other information; (2) broadening the definition of a breach to include unauthorized “access” (in addition to unauthorized “acquisition”); and (3) creating a new reasonable security requirement for companies to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of” the private information of New York residents. The first two changes took effect on October 23, 2019, while the third will take effect on March 21, 2020.

Please join us in our Philadelphia office for our annual Technology, Outsourcing & Commercial Contracts Networking Roundtable. The roundtable will feature an in-depth discussion of hot topics relating to the increased connectivity of our businesses, including privacy concerns, data rights, cloud solutions, and contracting for the use of connected devices. Stay connected with us at the networking reception following the discussions.

We hope you’ll join us in Philadelphia on Thursday, April 16, 2020, from 3:30–5:30 pm ET.

Register now >>

Please join us for an in-depth discussion of subcontracting provisions and their effect on commercial transactions with technology, outsourcing, and commercial transactions of counsel Emily Lowe. Topics will include:

  • Flow-down obligations
  • Royalties and compensation
  • Termination

We hope you’ll join us on Wednesday, March 11, 2020, from 12:00–1:00 pm ET.

Register now >>

Please join us on February 26 for the next installment of the Morgan Lewis M&A Academy, where technology, outsourcing, and commercial transactions partners Mike Pierides and Anastasia Dergacheva, and intellectual property partner Ksenia Andreeva will discuss the intricacies of drafting data protection provisions in outsourcing and other services transactions.

Please join us on February 25 for the next installment of the Morgan Lewis M&A Academy, where technology, outsourcing, and commercial transactions partners Vito Petretti and David G. Glazer will discuss key considerations in structuring and negotiating transition services agreements in the context of M&A transactions.

Morgan Lewis has recently issued several LawFlashes on the 2019 Novel Coronavirus (COVID-19) outbreak, providing a number of resources for businesses across the globe dealing with various compliance challenges and unanswered questions. In this rapidly changing situation, for example, employers must carefully balance concerns related to employee and public safety with protecting employees from unnecessary medical inquiries, harassment, and discrimination.

To help guide companies through this multifaceted public health crisis, Morgan Lewis has launched Responding to the 2019 Novel Coronavirus to keep on top of developments as they unfold.

Please join us on February 18 for the next installment of the Morgan Lewis M&A Academy, where technology, outsourcing, and commercial transactions partner Doneld G. Shelkey, litigation partner Ezra D. Church, and labor and employment partner Lee Harding will discuss key privacy and security issues in both corporate and commercial contexts. Topics will include:

  • Regulated industries
  • Impact on cross-border deals
  • Security issues in M&A deals
  • Privacy issues in M&A deals

The Morgan Lewis M&A Academy, a 24-part series of tailored webinars led by a diverse team of firm lawyers, provides a comprehensive M&A overview and is ideal for learning about the latest M&A issues and developments. It is geared not only toward M&A professionals but also toward specialists with particular areas of focus (e.g., benefits, intellectual property, tax), whether they deal with M&A issues regularly or occasionally.

We hope you’ll join us on Tuesday, February 18, 2020, from 12:30–1:30 pm ET.

Register now >>

The US Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) published a report on January 27 outlining various industry practices and approaches to managing and combating cybersecurity risks and maintaining operation resiliency. The OCIE observed these practices through conducting thousands of examinations, and hopes that organizations can use the report to enhance their own cybersecurity preparedness and operational resiliency.

For years, there has been a persistent trend toward outsourcing retirement plan recordkeeping and other administrative responsibilities. Although historically more prevalent for defined contribution plans, this outsourcing trend has been accelerating for defined benefit plans thanks, in part, to the prevalence of frozen plans (i.e., no more benefit accruals) and the potential for administrative cost savings. But service providers will be quick to remind plan fiduciaries that lightening the administrative load does not include transferring fiduciary duties. When selecting and monitoring a service provider, one key issue facing retirement plan fiduciaries is their duty with respect to the privacy and security of plan participant data.

As we previously discussed, managing and administering retirement plans also mean managing and protecting an extensive trove of personal data. Although there is no overarching privacy law governing retirement plans, fiduciaries must adhere to the “prudent expert” standard of care in fulfilling their duties, and, in the current environment, it can be expected that courts will be sympathetic to assertions that privacy and security of plan participant data are within the scope of those duties. Given that fiduciaries are personally liable for their fiduciary breaches and considering the cost of a data breach can be in the millions of dollars, the sensible course of action for retirement plan fiduciaries is to be continuously diligent and attentive regarding data privacy and security. This extends to diligence and care in the structuring of the outsourcing agreement.

The Clearing House (the oldest banking association and payments company in the United States) recently released a model agreement as a voluntary starting point to facilitate data sharing between financial institutions and fintech companies.

The model agreement is intended to provide a standardized foundation that speeds up data access agreement negotiations; as the Clearing House notes, “[L]egal agreements between banks and fintechs have sometimes taken 12 months or more to be developed and finalized and have become a significant bottleneck to API adoption.” Additionally, the model agreement is designed to reflect the Consumer Financial Protection Bureau’s consumer protection principles on data sharing and aggregation, providing confidence to the contracting parties that the terms address key regulatory issues.