TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The White House recently released draft legislation of the Consumer Privacy Bill of Rights Act of 2015 (the Act). The Act is based on seven key principles that extend beyond merely data use and security. Below we provide a brief summary of some notable aspects of the Act.

  • Scope. The Act would apply to “covered entities,” which are, with a few exceptions, persons that collect, create, process, retain, use, or disclose personal data in or affecting interstate commerce. This far-reaching scope is amplified by the fact that “personal data” is defined broadly to include information that is not generally available and is linked or linkable to an individual (e.g., unique identifiers).
  • Context. The context—the circumstances that surround a covered entity’s processing of personal data—plays an important role throughout the Act. For example, if personal data processing is not reasonable in light of the context, the covered entity, with some exceptions, would need to mitigate any identified privacy risks, including providing “heightened transparency and individual control,” which is only vaguely described.
  • Privacy Risk. Many provisions of the Act are based on privacy risk—the potential for personal data to cause emotional distress or physical, financial, or other harm—rather than a privacy rights approach. For example, covered entities would need to provide individuals with reasonable means to control the processing of their personal data “in proportion to the privacy risk.”
  • Privacy Practice Changes. The Act specifically addresses material changes to privacy practices and would require a covered entity to (i) provide clear and conspicuous descriptions of the changes in advance and (ii) provide individual controls designed to mitigate potential privacy risks related to previously collected personal data, which may include seeking express affirmative individual consent.
  • Business Records Exception. Processing personal data for the purposes of “customary business records”—data typically collected in the ordinary course of business that is retained for generally accepted purposes for that business—is a notable exception to some of the Act’s requirements.
  • Codes of Conduct. The Federal Trade Commission (FTC) would be involved with the approval of industry codes of conduct, which would be deemed compliant with the Act’s requirements and could lead to more predictability and flexibility in the Act’s implementation.
  • Enforcement. The FTC would have the ability to issue civil penalties. The FTC could not, however, seek civil penalties based on a covered entity’s conduct during the first 18 months of its existence or processing of personal data. The Act expressly excludes any private right of action.
  • Preemption. The Act would preempt state and local laws to the limited extent that such laws impose personal data processing obligations. The Act specifically excludes preemption of general consumer protection laws.

Because privacy advocates and the FTC have criticized the Act for being heavy on exceptions and light on consumer protections and enforcement, and because the business community has raised concerns regarding the Act’s lack of clarity and the risk of hampering innovation, it appears that there is a long road ahead for the Act, which may never make it through Congress.

Proponents of net neutrality, including U.S. President Barack Obama, scored a victory last week when the Federal Communications Commission (FCC) voted to adopt new rules expected to reclassify broadband Internet access as a telecommunication service. This will enable the FCC to regulate Internet service under Title II of the Communications Act.

Although the full text of the order has not yet been released, FCC Chairman Tom Wheeler previously released a fact sheet that outlines the key details, which we have summarized in our LawFlash on the topic.

Earlier this week, members of the California State Legislature announced a proposal that sets forth measures to further the state's proactive stance on privacy and consumer protection. The proposed set of bills, which consists of previously submitted proposals and bills yet to be drafted, arises from efforts of the recently formed Committee on Privacy and Consumer Protection and addresses a variety of issues that range from consumer goods to law enforcement techniques.

While describing these measures, California State Senator Ted Gaines, one of the legislators tasked with announcing the package, cautioned that “[t]he potential for data collection and the abuse is staggering. Our privacy is under assault.” High-level descriptions of some of the notable proposals from the cybersecurity and privacy field include the following:

Superintendent of Financial Services for the New York State Department of Financial Services (DFS) Benjamin Lawsky recently commented about his cybersecurity concerns for the agency:

"I am deeply worried that we are soon going to see a major cyber attack aimed at the financial system that is going to make all of us to shudder. Cyber hacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy. Indeed, we are concerned that within the next decade (or perhaps sooner), we will experience an Armageddon‐type cyber event that causes a significant disruption in the financial system for a period of time—what some have termed a 'cyber 9/11.'"

Node4, a provider of cloud and data center services, reports positive news in the realm of IT outsourcing for small- and medium-sized enterprises (SMEs) in the United Kingdom (UK). Just how positive? Well, according to the Node4 2015 IT Infrastructure Report titled Responding to the IT Infrastructure Challenge, the quantity of UK SMEs surveyed for the report that fully outsource their IT infrastructure increased to 6% in 2015, a 600% increase from the 1% of UK SMEs surveyed for the 2014 report.

The growth represented by the survey respondents, together with a lack of change in the number of UK SMEs surveyed that outsource at least part of their IT infrastructure, indicates that even these small- and mid-sized businesses recognize the benefits offered by a fully outsourced solution. In addition to this growth, Node4 reports an overall positive outlook for the IT outsourcing industry for UK SMEs and explains its view of the pragmatic approach that UK SMEs are adopting as follows: “[w]hereas previously they may have shied away from giving up ‘control’ of their IT infrastructure, now cloud services and outsourcing are seen as a shortcut to achieving the streamlined IT provision that their business needs.”

The Personal Data Notification & Protection Act (the Act), one of many security- and privacy-related legislative measures proposed by U.S. President Barack Obama last month, is intended to provide uniformity in the measures required of companies in the event of a security breach related to sensitive personally identifiable information. In addition to delineating the required procedures in the event of a breach, the proposed Act also aims to provide consistent standards for what constitutes a “security breach” and “sensitive personally identifiable information” at the federal level to supersede the numerous iterations of these concepts scattered throughout applicable state laws.

The definition of “security breach” provided under the proposed Act includes any “compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in” unauthorized acquisition of or access to (including access for an unauthorized purpose or in excess of an authorized purpose) sensitive personally identifiable information. This definition also explicitly excludes authorized activities of federal or state law enforcement agencies or federal intelligence agencies. The proposed Act also provides a broad definition of “sensitive personally identifiable information” that includes data such as Social Security, driver’s license, or passport numbers; unique biometric data (e.g., fingerprints or retina images); and unique account identifiers, even when such data is not associated with an individual’s name. In addition, the proposed Act allows the Federal Trade Commission (FTC) to promulgate rules that modify the definition of sensitive personally identifiable information to achieve the proposed Act’s purpose.

In an analysis of certain issues that intersect cybersecurity and investment management, a recent Pension & Investments (P&I) article detailed the processes by which third-party service providers of retirement plans are being evaluated for their cybersecurity procedures. Among other professionals who provided input for the article, Morgan Lewis partners Marla Kreindler and Michael Pillion contributed valuable insight concerning the issue.

P&I observes that cybersecurity requirements are becoming increasingly important considerations for defined benefit and defined contribution plans in their selection of and contractual relationship with third-party investment service providers, a trend that is consistent with that being observed across myriad industries (and for good reason!). As noted in the article, managing cybersecurity risk with respect to third-party service providers involves multiple ongoing processes, including performing thorough due diligence of providers prior to their engagement; addressing specific security risks, processes, procedures, and liabilities as early as the request for proposal (RFP) stage and continuing throughout negotiations with a provider; and periodic monitoring of cybersecurity compliance for the duration of the relationship. As Ms. Kreindler explains in the article, "[u]ltimately (data security) is still the plan sponsor's responsibility. They can't just contract out responsibility for data breaches to third parties . . . . It's not just about the contract. It's who is the plan sponsor choosing as a service provider."

For good observations on outsourcing developments and expectations for the biopharmaceutical industry, check out the recently released results of the 2014–2015 Pharmaceutical and Biotechnology Survey from the appropriately named Nice Insight.

The survey results show that the average number of services outsourced per company and total outsourcing expenditures in the biopharma industry continued to increase in 2014. A primary driver of the increased spending was found to be a decreased emphasis on affordability as a factor when companies select a provider. Nice Insight interprets these results as consistent with a new pattern in biopharma outsourcing: rather than focusing on the bottom line, companies are aiming to obtain scientific expertise not possessed in-house in more of a true partnership model of outsourcing.

Q: What do Sourcing@MorganLewis and the Federal Trade Commission (FTC) have in common?
A: We’ve both been talking about the Internet of Things (IoT).

The FTC recently detailed potential industrywide risks with respect to the IoT and the FTC’s recommended approaches to address these risks in its staff report, Internet of Things: Privacy & Security in a Connected World. As our loyal readers may recall, we at Sourcing also recently spent some time discussing the IoT (see our previous IoT entries for a brief introduction to the IoT and a discussion of vehicle-to-vehicle communications). Today we will review the contents of the FTC report to provide summary takeaways for those involved in this developing industry.

What Risks Are Presented by IoT Use?

Much of the FTC report summarizes the positions of participants from a November 2013 FTC-hosted workshop on the IoT, including academics, consumer advocates, and representatives from government and industry. The scope of the workshop and the report was limited to IoT devices sold to or used by consumers and did not extend to business-to-business or other commercial machine-to-machine communications. The FTC describes various security and privacy risks concerning the IoT through these workshop summaries in the report.

For companies with numerous affiliates, and for a wide variety of third parties that provide services on behalf of companies and their affiliates in the ordinary course of business, crafting a sufficient license grant in software agreements is an often-overlooked concern. In many software licenses, licensors grant the contracting entity the right to use software, but the license may be silent on affiliate and/or third-party use or expressly prohibit third parties from using the software. If affiliates or third-party providers need to use the software for the licensee’s benefit, the licensee could potentially be in breach of the agreement.

What then do software customers need to consider when crafting a comprehensive license grant?

  1. Corporate structure. It is important to recognize that a company’s contracting entity may not be the same entity as those that employ software end users for many reasons, including potential tax and liability implications. Thus, companies should consider whether the software license grant should include usage rights for affiliates and potentially certain unaffiliated entities (e.g., joint ventures and strategic alliance partners). Licensees should review affiliate definitions because they come in several varieties, including definitions tied to "control" of the entity and definitions tied to ownership percentage thresholds. Additionally, licensees should consider including users in the event of an acquisition or divestiture (with the right to potentially split license rights in the event of a divestiture) and should review the license grant and related definitions to determine if they are broad enough to cover the actual and potential usage.
  2. Third parties (including staff augmentation, contractors, and consultants). In today’s marketplace, many companies rely on third parties to provide operational and technology services. Individuals who provide these services may be located on-site and use third-party systems or a potential licensee’s systems or may access the software remotely. The license grant should include access and usage rights for third parties that provide services to or on behalf of the licensee. If such third parties provide services that require remote access or installation of equipment not owned by the licensee, the license should be reviewed to determine if there are any restrictions on such usage.