Not that long ago, companies were concerned about the ramifications of putting all their data in a cloud, including how they would get that data out, so only certain discrete aspects of systems and storage infrastructure were being moved to the cloud. Fast forward a few years and, for cost and other reasons, the current trend is for companies to make wholesale replacements of services and move those services to the cloud. With more software and services being offered in the cloud, it’s important to understand the responsibilities of each party and the risk allocation between them.

Shared Responsibility

Cloud services agreements generally employ a “shared responsibility model,” which is an allocation of responsibilities between the cloud provider and the customer. Issues arise when either cloud services agreements are used for multiple business units and services without a clear understanding of the responsibilities of the customer with respect to the data they’re moving to the cloud, or the customer does not understand that it has its own distinct responsibilities with respect to its data.

Among the many ways in which artificial intelligence (AI) technologies are enhancing business functions, the inefficiencies and labor-intensive organizational aspects of the contracting process present many fertile opportunities for improvement through the application of AI. A recent article in the Harvard Business Review discusses the contracting challenges current AI technology can help to alleviate and the contracting process changes required to adapt to AI contracting tools, as well as understanding the limits of AI.

Dealing with Contract Volume Using AI

As the article notes, one of the most significant contracting challenges facing organizations is managing a high volume of agreements. Even with a centralized database for contract documents, organizations often have no efficient way to extract data from those contracts or see, for example, how a warranty clause is worded across a number of different customer agreements. AI software tools can extract that data from contract documents and clarify and organize content, which can help organizations contract more efficiently and manage existing contracts more effectively.

Tracking and Enforcing Contracting Language Standards

Another significant challenge in the contracting process, especially for high-volume customer or vendor contracts based on standard templates, is ensuring conformity to template language and efficiently tracking deviations from form language. For instance, if an organization is seeking to impose uniform contract terms around the use of company trademarks and trade names, AI software tools can help track that language across divisions and could be configured to recognize keywords that indicate the trademark usage language is needed in a contract.

In the upcoming GSVLabs Fidelity Accelerator program event, Morgan Lewis partner Don Shelkey of our Boston office will participate in a mentorship event for financial technology startups focused on intellectual property issues. The GSVLabs event is part of a broader program focused on mentoring financial technology startups on a broad range of business and legal issues.

The event will be held on February 14, 2018, in Boston.

Earlier this week, the US Federal Trade Commission (FTC) settled a complaint against the operator of an online talent search company, asserting that the talent search company’s collection and disclosure of children’s personal information violated the Children’s Online Privacy Protection Act (COPPA) by failing to obtain parental consent, failing to provide adequate notices, and failing to implement the appropriate restrictions in compliance with COPPA. Under the terms of the settlement, the company agreed to pay $235,000.

The FTC’s complaint asserted that the company collected the information of more than 100,000 children under age 13, but failed to disclose to parents or the public how that data was collected, used, or disclosed. Though the website privacy policy stated that the company would not knowingly collect personal information from children under 13, according to the FTC’s complaint, the company imposed no restrictions on users who indicated they were under the age of 13 and did not take steps to verify whether legal guardians were creating the children’s accounts. According to the complaint, much of the information collected was available on publicly visible user profiles.

When it comes to cybersecurity and data breaches, smaller businesses do not necessarily make less likely targets. According to a recent report on the state of cybersecurity in small and medium-sized businesses by the Ponemon Institute, 61% of small and medium-sized businesses experienced a cyberattack in 2017, a 6% increase from 2016. Similarly, the report said 54% of small and medium-sized businesses experienced data breaches (up from 50% in 2016). In a recent article in Entrepreneur, CEO of Simple SEO Group Brendan Egan discusses some of the biggest cybersecurity threats facing small businesses today.

The Risk of Leaks in the Internet of Things

As we have previously discussed on this blog (see here and here), the security of internet of things (IoT) devices has been a growing concern for both government and industry, due in part to a number of high-profile attempted cyberattacks using IoT devices. The connected nature of IoT devices and real-time data collection that makes IoT a powerful tool for organizations also creates multiple potential backdoors into the organization. To prevent IoT devices from being targeted by hackers, it is important to observe security best practices such as changing default passwords and, for manufacturers, providing unique default usernames and passwords that are difficult to crack. As we have previously discussed, among other organizations, the US Department of Homeland Security has issued guidance to help stakeholders account for security in the development, manufacturing, implementation, and use of IoT devices.

Join us on February 21 for a dynamic and gripping discussion on intelligent automation (IA) and its impact on businesses and the workforce. Barbara Melby, a partner in our technology, outsourcing, and commercial transactions group, and Victoria Phelan, a managing director of shared services and outsourcing at KPMG, will address such IA topics as

  • how IA is changing traditional business models,
  • the impact on labor and talent in the workforce, and
  • the impact on the services and outsourcing contract.

Just register, and we’ll do the rest!

Join us for a discussion on the five leading trends that will impact outsourcing deals in 2018. Morgan Lewis partners Barbara Melby and Ed Hansen and senior attorney Ada Finkel will address robotics and automation, data privacy and security, big data, customer experience, and business transformation. Specific issues will include

  • how to derive benefits from automation technologies,
  • crafting provisions to prevent and allocate responsibility for a data breach,
  • structuring data rights for business strategies of today and the future,
  • new strategies for refocusing on internal and external customers, and
  • leveraging the contract process to drive new technologies and business process redesign.

Register for the event and begin 2018 in style!

Galvanized by a confluence of charged factors—like privacy, cybersecurity, children, and the Internet of Things (IoT)—and sparked by recent assertions of Children’s Online Privacy Protection Act (COPPA) regulatory power, the US Federal Trade Commission (FTC) entered into a pioneering settlement with electronic toy manufacturer VTech regarding a breach of children’s personal information. The FTC’s message to companies is crystal clear: when it comes to kids’ data, transparency and security are elemental.

Scarce Insulation from COPPA

The COPPA Rule explains what operators of websites and online services must do to protect children’s privacy and safety online, and the FTC serves as the enforcer. As we previously discussed, the FTC released updated guidance in response to concerns about the security of data collected and used by internet-connected products geared toward children. The FTC noted that COPPA defines “website or online service” broadly and specifically listed connected toys and IoT devices within the COPPA Rule’s purview. Although the FTC released a policy that permits collecting a recording of a child’s voice without parental consent in certain situations, such circumstances are narrowly limited to the sole and limited purpose of replacing written words—say, an instruction—and the recording must be immediately destroyed.

The Illinois Biometric Information Privacy Act (IBIPA) has been grabbing headlines of late as class action lawsuits under IBIPA’s private right of action are piling up, but an Illinois state appeals court recently held that a plaintiff “must allege some actual harm,” potentially stemming the flood of litigation.


Noting that biometric identifiers are biologically unique and permanent (unlike, for example, passwords) and thus irreparably problematic if compromised, IBIPA regulates the collection, retention, disclosure, and destruction of biometric identifiers and biometric information.

Under the statute, “biometric identifiers” are retina or iris scans, fingerprints, voiceprints, and hand or face geometry scans. Some exceptions, such as writing samples, written signatures, and physical descriptions, are specifically listed. The second category of regulated data, “biometric information,” broadly includes any information “based on an individual’s biometric identifier used to identify an individual.” Companies, therefore, can’t evade the purview of the law by converting a biometric identifier into a new identifier—say, a unique number.

RPA & Cognitive Congress Dallas (RPA Congress) is bringing together service delivery and automation professionals on January 17–18 for a frank and pragmatic discussion about robotic process automation (RPA), the benefits and opportunities of this technology, and the real-world challenges of implementation. This discussion will address the organizational transformation necessary to fully maximize returns, including quantifying, unlocking, scaling, and supercharging RPA.

Ed Hansen, a partner in our technology, outsourcing, and commercial transactions group, will be running the three-part “The Power of Collaboration” series at the RPA Congress. This trio of audience-driven, live-content creation sessions integrated into the main two-day agenda is designed to ensure attendees leave with their RPA, artificial intelligence, and robotics questions answered. The Power of Collaboration series will include submissions of questions and issues, collective prioritization and discussion, team solution development, and panel Q&A. Ed will foster a competitive atmosphere and focus on the toughest questions first.