TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The German Federal Office for Information Security (BSI) has determined the suitability of an industry-specific security standard (B3S) with which hospitals can align their IT security measures. The B3S standard was developed by the German Hospital Association (DKG).

The importance of cybersecurity in the autonomous vehicle setting is well known, but nuance and complexity will be on our LiDAR (a pulsed laser that measures ranges) where the rubber meets the road.

The Challenging, Shifting Landscape

Cybersecurity is one of the key issues of the digital age, typically in the context of security and privacy of confidential or personal data. Cybersecurity is particularly challenging and important for technologies such as self-driving cars, where the real world and the digital, connected world meet and where cyber breaches could result in danger to life and property.

Autonomous vehicles are still in their infancy. Significant uncertainty surrounds this rapidly evolving ecosystem. Standards and regulations are still in a state of flux, and the “rules of the game” are still unclear: how, and how long, will human drivers/operators continue to be involved (along with their proclivity for risky, unpredictable and gullible behavior)? At this relative stage of immaturity, market participants are developing their own divergent solutions that will eventually need to seamlessly integrate, increasing the potential for cyber vulnerabilities. However, the opportunity (for both innovators and society at large) is clear, as smart, interconnected vehicles and systems promise remarkable improvements in efficiency and safety. The race is on.

The EU Commission issued its report on the third annual review of the functioning of the EU-US Privacy Shield (Privacy Shield) on October 23. The annual review and corresponding report is required of the Commission by the its July 2016 adequacy decision in which it found that the Privacy Shield ensures an adequate level of protection for personal data that has been transferred from the European Union (EU) to the United States. The goal of the review is to evaluate and publicly report on all aspects of the functioning of the Privacy Shield Framework.

Morgan Lewis partners Ksenia Andreeva, Anastasia Dergacheva, Vasilisa Strizh, and Brian Zimbler and associate Anastasia Kiseleva contributed the chapter on Russia for the recently released Data Protection & Privacy 2020, the eighth edition of the Lexology Getting the Deal Through publication.

Lexology Getting The Deal Through provides international expert analysis in key areas of law, practice, and regulation for corporate counsel, cross-border legal practitioners, and company directors and officers. The publication addresses many of the most important data protection and data privacy laws in force or in preparation throughout the globe, with a discussion of the same key data protection and privacy questions with analysis from leading practitioners in each of the featured jurisdictions.

As our loyal Tech & Sourcing readers know, we have been doing our best to keep you informed about the requirements of the California Consumer Privacy Act (CCPA) and what you can do to prepare as its January 1, 2020, effective date draws near. Continuing that vein, we invite you to an upcoming webinar wherein Morgan Lewis partners Reese Hirsch, Mark Krotoski, and Carla Oakley and associate Kristin Hadgis will provide an overview of the latest amendments to the CCPA, the state of the law and related regulations, and practical perspectives on CCPA compliance.

The Morgan Lewis team will discuss the following topics:

  • The new one-year exemption for employee data*
  • The new one-year exemption for B2B communications*
  • Other new amendments, including those related to the use of toll-free numbers and verifiable consumer requests*
  • Failed amendments and other issues to watch
  • Status of California attorney general regulations and a possible new ballot initiative
  • Other state laws influenced by the CCPA
  • Preparing for the January 1 effective date and 2020 enforcement date

We hope you will join us for the one-hour webinar on Tuesday, October 22 at 1:00 pm ET.

Register for the webinar now >

For a primer in advance of the webinar, catch up on our previous posts on the CCPA and recently proposed amendments, and check out the Morgan Lewis CCPA Resource Center for more.

*Indicates an amendment to the CCPA that has passed the California Legislature but, as of this writing, has not yet been signed into law by Governor Gavin Newsom.

The California legislature passed five bills on September 13 to amend and clarify the scope of the California Consumer Privacy Act (CCPA). If the amendments are signed by the California governor by the October 13 deadline, they will become part of the CCPA, set to take effect on January 1, 2020. A LawFlash by Morgan Lewis partner Reese Hirsch and associates Kristin Hadgis, Lauren Groebe, and Terese Schireson discusses the key proposals in each amendment, such as:

A recent LawFlash by Morgan Lewis partners Ksenia Andreeva and Vasilisa Strizh and associate Anna Pirogova discusses a draft law proposed in Russia that would introduce heavy fines for violations of Russia’s data protection law and a variety of internet activity laws.

The primary federal data privacy law in Russia, On Personal Data, dated July 28, 2006 (the Personal Data Law), applies to “personal data operators,” which are entities that organize and carry out the processing of personal data and determine the purpose of individuals’ personal data processing. The proposed draft law, On Amending the Code of Administrative Offences of the Russian Federation, relates to the “localization requirement” of the Personal Data Law, which creates on obligation for personal data operators to collect, store, and otherwise process personal data of Russian citizens using databases and servers located in Russia.

Cybersecurity continues to be an issue at the forefront of many of our contract negotiations. Though not typically included in the “data security” section of an agreement, the level and scope of cyberinsurance coverage often plays an important factor in the discussions between customer and vendor.

On this topic, Morgan Lewis partners Mark Krotoski and Jeffrey Raskin will present an upcoming webinar as part of our firm’s Cyber Insurance Webinar Series to discuss ongoing developments in the cyberinsurance space, with a focus on the critical factors your company can consider as part of its overall cybersecurity protection strategy. The one-hour webinar, Cyber Insurance: Is Your Company Covered?, will take place on Tuesday, September 17, at 2:00 pm ET.

The January 1, 2020, deadline to comply with the California Consumer Privacy Act (CCPA) is fast approaching. Signed into law in the summer of 2018, the CCPA creates a variety of new consumer privacy rights and will require many companies to implement policies and procedures to manage and comply with new consumer-facing responsibilities. Catch up on the details of the CCPA in our previous post, this LawFlash, and the Morgan Lewis CCPA resource center.

An IAPP article by Annie Bai and Peter McLaughlin recently caught our attention, as it discusses the business risks of complying with the “verifiable consumer request” requirement under the CCPA. Under the CCPA, a California consumer may (1) request that a covered business provide access to the consumer’s personal information or (2) request that his or her personal information be deleted. Upon receiving such a request, the covered business must verify the identity of the requesting individual and respond. However, there is not much clarity in the CCPA regarding how a covered business must verify an individual’s identity.

The National Institute of Standards and Technology (NIST) recently circulated a draft white paper discussing recommended security practices to be adopted throughout the various phases of software development. The white paper provides three overarching reasons for integrating secure development practices throughout the software development lifecycle (SDLC) regardless of the development model (e.g., waterfall, agile), namely, “to reduce the number of vulnerabilities in released software, to mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and to address the root causes of vulnerabilities to prevent future recurrences.”

The white paper discusses the following four secure software development practices, and breaks down each topic by (1) practices, (2) tasks, (3) implementation examples, and (4) references.