Q: What do Sourcing@MorganLewis and the Federal Trade Commission (FTC) have in common?
A: We’ve both been talking about the Internet of Things (IoT).

The FTC recently detailed potential industrywide risks with respect to the IoT and the FTC’s recommended approaches to address these risks in its staff report, Internet of Things: Privacy & Security in a Connected World. As our loyal readers may recall, we at Sourcing also recently spent some time discussing the IoT (see our previous IoT entries for a brief introduction to the IoT and a discussion of vehicle-to-vehicle communications). Today we will review the contents of the FTC report to provide summary takeaways for those involved in this developing industry.

What Risks Are Presented by IoT Use?

Much of the FTC report summarizes the positions of participants from a November 2013 FTC-hosted workshop on the IoT, including academics, consumer advocates, and representatives from government and industry. The scope of the workshop and the report was limited to IoT devices sold to or used by consumers and did not extend to business-to-business or other commercial machine-to-machine communications. The FTC describes various security and privacy risks concerning the IoT through these workshop summaries in the report.

For companies with numerous affiliates, and for a wide variety of third parties that provide services on behalf of companies and their affiliates in the ordinary course of business, crafting a sufficient license grant in software agreements is an often-overlooked concern. In many software licenses, licensors grant the contracting entity the right to use software, but the license may be silent on affiliate and/or third-party use or expressly prohibit third parties from using the software. If affiliates or third-party providers need to use the software for the licensee’s benefit, the licensee could potentially be in breach of the agreement.

What then do software customers need to consider when crafting a comprehensive license grant?

  1. Corporate structure. It is important to recognize that a company’s contracting entity may not be the same entity as those that employ software end users for many reasons, including potential tax and liability implications. Thus, companies should consider whether the software license grant should include usage rights for affiliates and potentially certain unaffiliated entities (e.g., joint ventures and strategic alliance partners). Licensees should review affiliate definitions because they come in several varieties, including definitions tied to "control" of the entity and definitions tied to ownership percentage thresholds. Additionally, licensees should consider including users in the event of an acquisition or divestiture (with the right to potentially split license rights in the event of a divestiture) and should review the license grant and related definitions to determine if they are broad enough to cover the actual and potential usage.
  2. Third parties (including staff augmentation, contractors, and consultants). In today’s marketplace, many companies rely on third parties to provide operational and technology services. Individuals who provide these services may be located on-site and use third-party systems or a potential licensee’s systems or may access the software remotely. The license grant should include access and usage rights for third parties that provide services to or on behalf of the licensee. If such third parties provide services that require remote access or installation of equipment not owned by the licensee, the license should be reviewed to determine if there are any restrictions on such usage.

CIO magazine has named its top 10 outsourcing trends for 2015. Speaking with consultants, lawyers, and service providers, CIO predicts a big year ahead for the multibillion-dollar industry as both standardization and flexibility become big drivers in the marketplace over the next 12 months. This year may also witness a new era of faster sourcing decisions and the end of an old standby: the request for proposal (RFP) process.

Among the key trends, pricing and market response remain the biggest drivers. Sourcing experts predict a shift in the cost of outsourcing as companies on both sides of deals embrace outcome-based pricing as a hedge against expensive, upfront investment costs. Analysts also expect to see businesses opting for multisource cloud-based solutions rather than the tower-based outsourcing model that has been dominant in the industry for years. Such a decentralized approach should drive down costs while decreasing the risk inherent in sole-supplier outsourcing arrangements.

Finally, as customers look to make quick decisions on whether to use new and rapidly evolving technologies, outsourcing providers expect to see fewer RFPs. Instead of the time-consuming RFP process, procurement teams will face pressure to integrate outsourced solutions on a faster timeline than the RFP typically allows, and business discussions with providers about the integration of outsourcing proposals and solutions are likely to proceed in parallel with legal negotiations.

Check out the full top 10 here.

As the number of apps available from foreign-based companies to consumers in the United States continues to grow, the Federal Trade Commission (FTC) has issued a pointed warning to application developers whose product offerings target children in the United States. In a letter sent last month to BabyBus, a China-based mobile app developer, the FTC warned the company that its apps were not in compliance with the Children’s Online Privacy Protection Act (COPPA). Although not the first time that the FTC has advised foreign companies of their COPPA obligations, this is the first time since the FTC revised its COPPA rules in mid-2013 that the agency has publicly warned a foreign-based company of noncompliance.

Stating that BabyBus advertises in various app stores as “a leader in early childhood education software,” with approximately 60 apps using cartoon characters that teach children letters, numbers, shapes, and music, the FTC noted that the apps “appear to collect precise geolocation information that is transmitted to third parties” without the appropriate consent. Under COPPA, websites and online services involved in commerce in the United States and directed at children under 13 must provide notice of such practices and obtain verifiable parental consent before collecting, using, or disclosing any personal information—including GPS-based locations—from children. As the FTC reminded BabyBus, foreign-based companies that make commercial apps available to consumers in the United States are subject to these COPPA requirements.

New Jersey Governor Chris Christie signed into law last week a bill that requires health insurance and care providers that do business in the state to encrypt patient information and healthcare data. The new law arose from the discovery of a series of data breaches involving approximately 1 million New Jersey patients’ healthcare information.

The measure goes into effect on August 1 and will apply to health insurance carriers, including health service corporations, hospital service corporations, and health maintenance organizations authorized to issue New Jersey health benefit plans. It bars such health insurance carriers from collecting a patient’s name linked with his or her Social Security number, driver’s license or other state identification number, address, and other identifiable health information unless this data is encrypted or otherwise unusable by an unauthorized third party. Furthermore, the law requires security measures to extend beyond a simple password and mandates that health insurance carriers implement safeguards that render the data unreadable, undecipherable, or otherwise unusable by someone who can bypass the password protection. The law applies to all end-user computers, such as desktops and laptops, and all data and information transmitted via public networks.

Following a New York federal judge’s ruling last year that a warrant issued under the Electronic Communications Privacy Act (ECPA) could reach private content stored in data centers outside of the United States, Microsoft has asked the U.S. Court of Appeals for the Second Circuit to limit the warrant request and reach of the ECPA only to data stored domestically. The outcome of the appeal, which may ultimately head to the U.S. Supreme Court, could have lasting implications for the cloud-computing industry.

The case originated with a request from the government to retrieve records from an account on Microsoft’s Web-based email system. Microsoft turned over address book information and other records stored in U.S. data centers but refused to retrieve email stored offshore in Ireland. Microsoft requested that the government comply with the processes set forth in the U.S.-Ireland Mutual Legal Assistance Treaty (MLAT), but a magistrate judge determined that the ECPA “does not implicate principles of extraterritoriality.” The judge further found that the MLAT process would be too “burdensome and uncertain” for Congress to have intended that the government use it. The magistrate ordered Microsoft to turn over all requested data, even data stored overseas.

If you are a fan of writing product or service reviews for sites such as Yelp, then California law just made it a lot easier for you to do so. The state recently passed a new law that makes it unlawful to include nondisparagement clauses in consumer contracts. Nondisparagement clauses generally restrict individuals from making statements or taking any other action that negatively affects an organization, including its reputation, products, services, management, or employees.

The new law, codified at California Civil Code section 1670.8, which took effect January 1, specifically provides that “a contract or proposed contract for the sale or lease of consumer goods or services may not include a provision waiving the consumer’s right to make any statement regarding the seller or lessor or its employees or agents, or concerning the goods or services.” It is also “unlawful to threaten or to seek to enforce a provision made unlawful under this section, or to otherwise penalize a consumer for making any statement protected under this section.”

As business adoption continues to grow, cloud computing and cloud-based systems have again been selected as major technology trends for 2015. Gartner’s recent industry overview focused on how mobile adoption and the need to maintain services and applications across multiple systems will drive more businesses toward cloud-based products. Meanwhile, as analysts continue to predict a $200 billion market for public cloud computing within the next five years, business leaders have begun to embrace cloud services for reasons that extend well beyond promised information technology (IT) cost savings.

In its annual cloud survey of business executives, consultants at KPMG examined why organizations move to the cloud, and even as nearly half cited cost effectiveness, the need to meet the demands of a mobile workplace comes in as a close second. Of IT decision makers surveyed, 42% say that mobile considerations drive the cloud conversion—a jump of nearly 30 points since 2012. The two biggest factors behind mobile adoption are increased productivity and employee satisfaction. These go hand-in-hand as employees are able to use their mobile devices to access their work systems and be productive while on the go.

As international agreements, particularly those in the technology sector, continue to become more common, how can you increase your chances of a predictable interpretation should “breach of contract” become an Olympic contest for your organization?

A natural inclination is to push for U.S. law in your international agreements and call it a day if you can come to terms. New York is widely regarded as an international forum for international agreements, for example. But there are a few aspects to international law that you should consider when deciding how dispute resolution should be negotiated in your agreements:

  • Not all foreign jurisdictions play nice with judgments issued by U.S. courts. For example, China will not enforce a U.S. court judgment. Accordingly, savvy Chinese companies are quick to jump on proposals to take, for example, New York law and choice of forum provisions because a judgment in any dispute would not be enforceable, and the U.S. entity would have to bring a new action on the merits in Chinese courts to seek enforcement. Not ideal.

Websites are facing lawsuits alleging that the information collected and transmitted about viewers of their video content violates the Video Privacy Protection Act (VPPA), a 1988 law originally aimed at prohibiting video rental companies from disclosing the video tape rental records of consumers. In recent years, federal courts have held that the law applies to all video, regardless of technical format. Even more recently, plaintiffs are using the law to apply to website operators that host streaming video.

The Video Privacy Protection Act

The VPPA prohibits a video tape service provider from knowingly disclosing, to any person, personally identifiable information concerning any consumer of the provider without the consumer’s informed, written consent. The VPPA provides for a private right of action, including statutory damages of not less than $2,500 per consumer plus attorneys’ fees. Ouch.