TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The Q2 2019 issue of Morgan Lewis’s Life Sciences International Review was recently released. The review includes updates relevant to the life sciences industry from across the world, including the United States, Europe, and Asia. The topics range from intellectual property and data privacy to international trade and labor and employment. We found it to be an excellent read for anyone interested in keeping up with current trends in the life sciences sector.

Two of the topics that we found to be of particular interest were about data privacy in the European Union and foreign investments in the United States biotechnology industry. The review looks at the opinion adopted by the European Data Protection Board (EDPB) regarding the interplay between the General Data Protection Regulation and the forthcoming Clinical Trials Regulation. The review also discusses the increased activity by the Committee on Foreign Investment in the United States (CFIUS) in scrutinizing life sciences transactions, which has led to several transactions being blocked or mitigated.

The Life Sciences International Review is a quarterly newsletter published by Morgan Lewis lawyers with important updates and insights for the life sciences sector. Be sure to look for the next publication coming in the fall!

The National Institute of Standards and Technology (NIST) recently circulated a draft white paper discussing recommended security practices to be adopted throughout the various phases of software development. The white paper provides three overarching reasons for integrating secure development practices throughout the software development lifecycle (SDLC) regardless of the development model (e.g., waterfall, agile), namely, “to reduce the number of vulnerabilities in released software, to mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and to address the root causes of vulnerabilities to prevent future recurrences.”

The white paper discusses the following four secure software development practices, and breaks down each topic by (1) practices, (2) tasks, (3) implementation examples, and (4) references.

We found interesting a recent Forbes article by Cody McLain that discussed the top trends to watch in the business process outsourcing (BPO) industry. The article highlighted the following four trends for 2019.

1. Increase in Process Automation

As artificial intelligence (AI) expands to nearly every aspect of our lives, the BPO industry is also impacted and must adapt to the AI revolution. The article estimates that nearly 40% of American jobs could be lost to automation by the 2030s. While BPO companies often thrive in completing manual tasks outsourced by their clients, if AI software were able to do those same services at a fraction of the cost, then BPO companies would lose as their clients choose the more cost-effective solution. The article suggests that BPO companies should adapt to the use of AI and switch their services to work alongside AI (such as managing and maintaining AI) to stay competitive.

The due diligence review of existing third-party contracts is a critical component of any outsourcing deal. For the company that is outsourcing part of its business functions to a third party, reviewing existing third-party contracts for certain key terms is an important part of the outsourcing process. Organization, attention to detail, and diligence are keys to a successful third-party contract review process.

The terms that need to be reviewed will be based on the scope of the outsourcing agreement, e.g., will contracts be assigned, terminated, or made available for the outsourcing provider to use. Once the deal constructs are established, Excel can be a useful tool to guide the review of the third-party contracts, by allowing the reviewer to insert the applicable language from each contract into the appropriate row or column. The Excel chart will become a reference guide for the key provisions and provide an overview and comparison between the third-party contracts.

Check out this recent LawFlash by Morgan Lewis partners Michael Pierides and Simon Lightman discussing the groundbreaking fines the United Kingdom’s Information Commissioner’s Office (ICO) proposed against two global organizations pursuant to the EU General Data Protection Regulation (GDPR). Under the GDPR, which seeks to promote transparent and responsible collection and maintenance of consumers’ personal information, applicable regulatory agencies can impose fines on organizations that do not comply with the strict GDPR standards.

Recently, the ICO issued fines to two companies following data breaches of their respective consumers in 2018. Under previous data protection laws, fines were limited to hundreds of thousands of dollars, but in the new era of the GDPR, the companies are facing fines of $227.5 million and $123.1 million, respectively. The issuance of these massive fines puts global companies on notice that the GDPR should be taken seriously, and that the ICO, in particular, will not hesitate to dispense unprecedented consequences for noncompliance.

The Federal Trade Commission (FTC) is seeking comments on the effectiveness of the amendments it made to the Children’s Online Privacy Protection Rule (COPPA Rule) in 2013, to determine whether additional changes are needed due to changes in technology since the last update.

Businesses with an online presence have long been aware of the requirements necessary to comply with the COPPA Rule, which requires online service providers to follow certain requirements in connection with the collection of information from children under 13 years old, including notice and verifiable consent. Although the FTC updated the rule in 2013, further changes to COPPA requirements and potential penalties should be expected, and online providers will need to implement such changes into their privacy policies and operational structures to ensure continued compliance.

The Stop Hacks and Improve Electronic Data Security (SHIELD) Act was signed into New York law by Governor Andrew Cuomo on July 25, after passing the New York State Assembly on June 17. The SHIELD Act takes effect on March 21, 2020, and will modernize New York’s current laws governing data breach notification and data security requirements with the intention of providing greater protection for consumer's private information, while holding companies accountable for providing such protections.

Read our previous post on the SHIELD Act for more information.

As lawmakers, policymakers, tech companies, and other data collectors try to determine how much access and control of consumer data is appropriate or acceptable, and how much notice and choice consumers should have, consumers will ultimately be the arbiter of such access and use.  

A recent New York Times article discusses the efforts of lawmakers to require internet companies to be more transparent with consumers regarding the data collected and the specific value associated with such data. The article goes on to say there is a growing sentiment that the imbalance of power between internet companies and consumers vis-à-vis the value of the data collected, and that consumers should know and benefit from the true value of the data they provide by utilizing the services.

Open source programs are becoming a best practice in the technology, telecom/media, and financial services industries. Companies are establishing open source best practices to streamline and organize the way their employees use open source, focusing on long-term business plans. Since open source, a collaborative development process, varies so greatly from traditional software practices (i.e., proprietary and closed), companies are creating their own open source programs and policies to manage how it is used and how it can work best for the company’s long-term goals. Naturally, large technology companies are leading the way in establishing open source best practices, but open source is becoming commonplace for both tech and non-tech companies.

Open source programs are typically created by a company’s software engineering or development department for informal use and then eventually grow to a “formal” program with a collection of policies and guidelines. These policies may include open source contributions, a list of acceptable licenses, and the use of OS code.

When an inventor of technology who is also a university employee wants to commercialize university-developed technology, it is customary for the university and the inventor to “spin out” the technology via a license agreement to a newly created company (a licensee company) that sets forth the terms of the license, including any necessary milestones for advancing the technology, restrictions on the use of the technology, and the royalties and other financial terms applicable to the licensing and commercialization of the technology.