Last week, we discussed three important changes to California’s data breach law that become effective January 1, 2015. Part two of this series looks at the data breach report recently released by the California Attorney General.

California Data Breach Report

In October, the California Attorney General’s data breach report presented key findings on breaches occurring in California and recommendations for lawmakers and affected industries. Notable findings and recommendations from the report are summarized below.

  • Data breaches are on the rise. Among other findings, the report found that the number of data breaches in California increased by 28% from 2012 to 2013, with “intentional unauthorized intrusions into computer systems” showing the biggest increase among breach categories and accounting for 53% of reported incidents.

Data breaches continue to make headlines, ringing alarms for companies at risk and for the regulators who look to control the risks involved. Recent actions by California’s legislature and Attorney General are key developments by state government authorities and are likely signals of similar actions that other states will take. In part one of this two-part series, we discuss California’s newly amended data breach statute. In part two, we will discuss the recently released data breach report by California’s Attorney General.

California’s New Data Breach Law

On September 30, California’s governor signed Assembly Bill No. 1710 into law, which makes three important changes to California’s data breach statute.

Is the Internet of Things the next big thing? From the cloud to Big Data to software robots, it seems there is always a new buzzword for emerging technologies. According to Gartner, the Internet of Things (IoT) is the buzzword of the moment, as it recently reached the peak of the “Hype Cycle.” In the first post of this two-part series, we take a quick look at (1) the meaning of the IoT, (2) what analysts are saying about its future, and (3) some key legal issues related to the IoT.

What is the Internet of Things?

A universally accepted definition of the IoT does not yet exist. Perform a simple web search and you will find many variations on what the IoT encompasses. One particularly helpful definition comes from McKinsey Global Institute, which defines what it calls the “Internet of All Things” as, “Linking machinery, equipment, and other physical assets with networked sensors and actuators to capture data and manage performance, enabling machines to collaborate and even act on new information independently.”

Big Data: It is in the news every day, and industry researchers can't say enough about the potential value of data and predictions for the data analytics market. So it seems like a natural progression that the rights to use aggregated, de-identified data provided or generated in connection with service relationships are in the spotlight. Procurement outsourcers want to leverage the cost and payment data they receive from suppliers on behalf of clients to benchmark what is "market." Human resources service providers want to leverage data regarding employee behavior and acceptability (such as with self-help) to enhance their services and improve the user experience. Information technology service providers want to aggregate performance data, including service-level commitments, to demonstrate and market their best-in-breed systems and processes. So, what do customers need to think about when a vendor requests a provision stating that it can use the customer's data in an aggregated, de-identified form? Set forth below are five key questions for customers to consider.

With its latest iOS release, Apple may have charted a new course for the payment industry. On October 20, the company rolled out its new payment service, Apple Pay, to users of the iPhone 6 and iPhone 6 Plus. Apple Pay uses near-field communication (NFC) and tokenization technology with the iPhone’s built-in fingerprint reader to provide what experts say is a more secure payment method than traditional credit cards.

Companies spend millions of dollars on third-party software products to automate and integrate their operations—from operating systems (OS) for mainframe and distributed systems, to enterprise resource planning (ERP) software, to end user applications. For companies with software and systems shared across business units, implementing corporate changes, such as a divestiture, can be a challenge. Few companies have software strategies—or contractual provisions to support such strategies—that enable them to implement a divestiture without significant diligence, including the following:

  • Identification of business unit dedicated and shared software
  • Review of contract terms that allow for assignment (in whole or in part)
  • Review of contract terms that allow for use as part of post-divestiture transition services
  • Development of a software vendor communication plan and, if necessary, negotiation approach

We spend a significant amount of time working with clients to perform software diligence in contemplation of a divestiture or similar corporate action. Set forth below are a few pointers for lawyers and contract and sourcing professionals to consider when licensing software, managing software portfolios, and engaging in pre- and post-divestiture activities.

Information Services Group (ISG) predicts an increase in outsourcing transaction activity for quarter four of 2014. Despite a slow third quarter, ISG expects the outsourcing industry’s busy fourth quarter to create double-digit growth in global annual contract value compared to 2013. It also forecasts this pickup in deal activity to continue into 2015.

In its analysis of the Americas region, the only region with year-over-year third-quarter growth, ISG noted that higher information technology outsourcing contract counts through the first nine months of 2014 reflect the trend toward more contracts and increased multisourcing. ISG also highlighted significant business process outsourcing growth in the financial services, energy, and manufacturing industries.

Check out the full Global ISG Outsourcing Index here.

Over the last two weeks, we discussed contract provisions designed to address the implementation of preventive security measures, as well as responding to security incidents. Our third and final blog post in this series focuses on contractual provisions that address the allocation of liability for breaches that result in security incidents.

Because of the potential for large-scale damages from a security incident, customers and service providers are generally very focused on the allocation of liability in indemnification and liability provisions. Below we list some key issues to consider when drafting these contract provisions.

Cloud computing solutions offer many advantages over traditional enterprise systems, including cost-saving potential, access to enhanced applications, and consumption flexibility. However, with recent security breaches at major banks and retailers, security concerns regarding the storage of proprietary or sensitive data in the cloud may discourage the adoption of these solutions in enterprise environments.

Last week, we discussed contract provisions that focused on documenting security requirements and monitoring security commitments. These provisions are designed to require the implementation of proactive measures to protect data and systems and to reduce the risk of security incidents. In this Contract Corner post, we switch focus to contract provisions that address a security incident if one occurs. In an earlier post, we outlined practical steps to take in response to an incident, including communications with authorities and cyber insurance matters. Below we list some key issues to consider when drafting contract provisions regarding these response measures.