TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Morgan Lewis partner Barbara Melby, the leader of our technology, outsourcing, and commercial transactions practice, has been invited to present at an upcoming Practising Law Institute (PLI) event, Outsourcing 2018: ITO, BPO and Cloud, in New York City. Barbara’s one-hour presentation will take place Friday, November 2, at 11:15 am. She will discuss intellectual property issues in outsourcing, including the following topics:

  • Recognizing and avoiding common IP pitfalls
  • Copyright, patent, and trade secret issues from vendors’ and customers’ perspectives
  • IP representations, warranties, and indemnities in outsourcing transactions
  • Open-source considerations
  • IP issues in cloud deals

The presentation is part of a two-day PLI outsourcing event November 1–2 at the PLI New York Center, 1177 Avenue of the Americas (2nd floor), New York. You can also access the event via webcast and various groupcast locations.

To register, visit the Outsourcing 2018: ITO, BPO, and Cloud event page.

Drafting and negotiating the data protection provisions in services agreements can be one of the trickier and more time-consuming aspects of the contracting process. One of our prior Contract Corner series from 2014 discussed the importance of documenting security requirements and monitoring security commitments, addressing security incidents, and key issues to consider when drafting liability provisions. In this Contract Corner, we revisit some of these issues based on the latest contracting trends that we are seeing for services agreements and dive into additional considerations when addressing key data safeguard provisions.

Assess and Define the Data

At the outset of the contracting process, it is important for the deal team and the key stakeholders to evaluate and properly define the types of data that the service provider will access or process as part of the services. A sound understanding of the scope of data involved in a services transaction helps establish expectations up front and will drive a contract that contains the right level of security requirements and an appropriate allocation of liability for security breaches. The contract should then reflect the output of this internal assessment through carefully crafted defined terms that will flow throughout the data safeguard provisions.

The seventh edition of Data Protection & Privacy, published annually by Getting the Deal Through, provides answers from practitioners around the globe regarding key questions in international privacy and data protection laws and regulations.

Our colleagues Ksenia Andreeva, Anastasia Dergacheva, Anastasia Kiseleva, Vasilisa Strizh, and Brian Zimbler contributed this year’s Russia chapter, providing insight on a wide variety of issues under Federal Law No. 152-FZ on Personal Data dated 27 July 2006, the main law governing the protection of personal data in Russia. This comprehensive chapter is a go-to resource for understanding the legislative framework for data protection and privacy in Russia, including the obligations of data controllers and data processors and the rights of data subjects.

The full edition is available online with additional chapters covering various jurisdictions around the world.

This week we welcome new partners to our outsourcing and commercial transactions practice, Mike Pierides and Simon Lightman. The arrival of Mike and Simon, along with associate Sarah Bryan, adds further strength to our outsourcing and commercial transactions team and brings our capabilities to the firm’s London office. Mike and Simon will lead the expansion of our practice in Europe, the Middle East, and Asia, where both have extensive experience representing a wide range of clients on major outsourcing and complex commercial transactions.

The California Consumer Privacy Act (CCPA) was signed into law this summer, as described in our prior post and this LawFlash. The CCPA creates a variety of new consumer privacy rights and will require many companies to reassess and modify their business processes in the collection and use of personal information. This comprehensive new privacy law, similar in some ways to the EU’s General Data Protection Regulation (GDPR), will therefore require many organizations doing business in California to implement new policies and procedures to be in compliance by the January 1, 2020, deadline.

The landmark CCPA is also a work in progress. To help guide companies and institutions through the challenges presented by the CCPA, Morgan Lewis has set up a CCPA resource center that will be continuously updated with content as new developments arise.

One such development is a recent set of amendments passed by the California Legislature. To help explain the current state of the CCPA, the recent amendments, and issues that remain to be debated and clarified, our colleagues Reece Hirsch, Mark Krotoski, and Carla Oakley will be hosting a webinar on October 16 at 1:00–2:00 pm ET.

We hope you register for this webinar and visit the CCPA resource center to stay up to date on important developments in this new regulatory environment.

London partner Pulina Whitaker recently published a LawFlash discussing how the United Kingdom’s exit from the European Union will make the UK a “third country”—meaning that unrestricted cross-border transfers of data will no longer automatically be able to take place between the UK and the EU—and considers whether the UK will be “adequate” after Brexit.

The first edition of Blockchain & Cryptocurrency Regulation 2019, published by Global Legal Insights, provides in-depth analysis of the developing arena of the regulation of blockchain and cryptocurrency, and country-by-country analysis of issues including government attitudes and definition, cryptocurrency regulation, sales regulation, taxation, money transmission laws and anti-money laundering requirements, promotion and testing, ownership and licensing requirements, mining, and border restrictions.

Continuing the firm’s thought leadership in this emerging field, Morgan Lewis lawyers Vasilisa Strizh, Anastasia Kiseleva, and Dmitry Dmitriev have written the chapter providing insight on the approach in Russia.

Nearly every form of service agreement contains a provision restricting the ability of one or both parties to subcontract their obligations. A typical provision (with a standard quick and dirty markup) might look like this:

“Vendor shall not subcontract any of its obligations under this Agreement without the express prior written consent of Customer, which such consent shall not be unreasonably withheld. The subcontractors set forth on Schedule X are hereby approved by Customer.

These limitations are often included as a standard part of the legal boilerplate without much thought, but can present significant problems, especially given the broad use and incorporation of third-party technologies and services.

It seems that there are many forces at play that are almost designed to create or exacerbate change anxiety. Professionals in industries whose business models depend on stoking our change anxiety bombard us with article after article on social media. Industry conferences that consistently display whichever adoption curve you’re supposed to be on at the moment—hinting that you’re seriously behind where you should be, with the looming possibility that you’re about to go out of business because of it. Yesterday it was the cloud, today it’s RPA and AI (or IA depending upon whom you ask), and tomorrow it will be something else.

But even with all of this change coming at us, perhaps most troubling is that feeling that if you just stop for a minute to think and reflect, you may be labeled as entrenched, unwilling to adapt, a dinosaur, or something worse.

The transformational programs that we work on tend to reveal many of the stresses that permeate our clients’ professional lives. In deal work, one of the first places you see this is when a request for proposal (RFP) is being drafted that is supposed to reflect a progressive vision.

President Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formally known as the “Min Street Cybersecurity Act”) into law on August 14.

The new act amends the National Institute of Standards and Technology Act requiring it within the next year, in consultation with the heads of other appropriate federal agencies, to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks” and to require the National Institute of Standards and Technology (NIST) to consider small businesses when it “facilitates and supports the development of voluntary, consensus-based, industry-led guidelines and procedures to cost-effectively reduce cyber risks to critical infrastructure.”