Sourcing Speak

UK telecoms regulator issues call for input on Internet of Things

Posted July 30, 2014

Ofcom has published a call for input, entitled “Promoting investment and innovation in the Internet of Things“, regarding issues that might affect the development of the emerging Internet of Things (IoT) sector in the United Kingdom. Ofcom is the UK’s independent regulator and competition authority for the UK communications industry. It regulates the TV and radio sectors, fixed line telecoms, mobile devices, postal services, plus the airwaves over which wireless devices operate. It operates under a number of Acts of Parliament, in particular the Communications Act 2003.

IoT (which is also referred to as Cloud of Things or CoT) describes the interconnection of multiple machine to machine (M2M) applications and covers a variety of protocols, domains and applications (see J. Höller, V. Tsiatsis, C. Mulligan, S. Kamouskos, S. Avesand, D. Boyle: From Machine-to-Machine to the Internet of Things: Introduction to a New Age of Intelligence. Elsevier, 2014). These technologies and methodologies underpin smart applications and embedded devices that enable the exchange of data across multiple industry sectors, such as heart monitoring implants, factory automation sensors, industrial robotics applications, automotive sensors and biochip transponders. A 2013 report by Gartner suggested that by 2020 there will be nearly 26 billion connected IoT devices.

EU adopts new regulation on cross-border electronic identification and e-signatures

Posted July 25, 2014

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

The General Affairs Council, on 23 July 2013, adopted a regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the Internal Market. Until the new regulation, the E-Signatures Directive (1999/93/EC) provided the only EU rules relating to e-signatures and said nothing about trust services. The E-Signatures Directive is to be repealed with effect from July 2016 when, with some exceptions, the new regulation will start to apply.

The new regulation sets out rules for cross-border electronic trust services (electronic identification schemes) within the EU (the new rules will only cover cross-border aspects of electronic identification; issuing means of electronic identification remains a national prerogative. The general position at English law remains unchanged – sophisticated electronic signatures are not necessary for the formation of a binding contract) and creates a legal framework for:

electronic signatures,
seals and time stamps,
electronic documents,
electronic registered delivery services, and
certificate services for website authentication.

OECD calls for increased focus on Outsourcing, IT and Supplier Risk

Posted July 3, 2014

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

At a recent conference, the Twelfth Annual Corporate Accountability Conference, 12 June 2014, Cercle National Des Armées, Paris, Pierre Poret, Counsellor, Directorate for Financial and Enterprise Affairs at the The Organisation for Economic Co-operation and Development, told the audience, referring to the OECD’s Risk Management and Corporate Governance report, that “too often, in the enterprise, there was little or no board-level responsibility, with the burden (and oversight responsibility) [for risk management] effectively stopping at the level of the line manager“. According to Monsieur Poret, the OECD’s findings showed that companies’ boards often played only a very limited role in risk management and that risk management standards were often set at too high a level, with outsourcing and supplier-related risk a key but much overlooked risk.

FCA Chief announces Project Innovate: Helping Firms Meet the Technological and Regulatory Challenge

Posted June 18, 2014

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

The head of the UK’s Financial Conduct Authority, Chief Executive Martin Wheatley,

used a speech at Bloomberg, London given on 3 June 2014 to promote the FCA’s Project Innovate (the drafted text of Martin Wheatley’s speech can be read at http://www.fca.org.uk/news/making-innovation-work). The FCA is the regulatory body that,

following reforms introduced by the Financial Services Act 2012, succeeded the Financial Services Authority. It has supervisory powers over the conduct of over 50,000 financial services firms in the UK, and authority to regulate the prudential standards of those firms not covered by the Prudential Regulation Authority. The PRA regulates deposit takers, insurers and significant investment firms.

The UDAAP Trap: How Financial Institutions can Avoid Penalties when Using Third Party Services

Posted June 9, 2014

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

In Part 1, we noted that financial institutions could find themselves potentially liable for committing an alleged Unfair, Deceptive, or Abusive Act or Practice (UDAAP) as a result of the actions of certain types of external service providers, particularly those that interface directly with customers. In this Part 2, we will discuss how financial institutions can mitigate the risk of UDAAP enforcement actions through their contracting strategies with their service providers.

A New Wrinkle of Risk

In some ways, the CFPB’s UDAAP authority resembles other regulatory regimes in that it places compliance obligations on both the issuer of the product as well as the third-party service provider that helps effectuate a transaction involving such a product. For example, export control laws place Office of Foreign Assets Control compliance obligations on both parties to a transaction. Data protection laws apply both to the controller as well as the processor of data. HIPAA protections for health information apply to the covered entity and its business associates.

The Internet of Things–Avoid Getting Eaten by the Wolf in Sheep’s Clothing

Posted May 23, 2014

By Joshua B. Konvisser

Joshua B. Konvisser

With the number of (internet) connected devices rapidly surpassing the number of internet people (actually, all people whether or not connected), we take this opportunity to explore some of the legal complexity brought about by all of this connectivity.

First, some background:

Cisco Internet Business Solutions Group predicts 25 Billion devices will be connected by 2015, and 50 Billion by 2020;

Database Marketing Outsourcing

Posted May 13, 2014

By Jeffrey D. Hutchings

Jeffrey D. Hutchings

Database marketing outsourcing is a strategic transaction for retailers. This type of outsourcing can facilitate the integration of diverse marketing channels e.g., web, social media, catalog and in-store sales) and enable more targeted and effective marketing to consumers.

Database marketing encompasses a potentially broad array of services, including:

Implementation and hosting of a CRM database marketing solution;

Enterprise Infrastructure Management Is Not a Part-Time Job

Posted May 6, 2014

By Joseph E. Nash and Roger C. Roy Jr.

Joseph E. Nash

Roger C. Roy Jr.

We recently completed a major renegotiation of a very large, longstanding infrastructure outsourcing contract. As is typical with renegotiations, there were areas of the contract that required changes and areas the client wanted to leave alone. In this case, scope (and the presumed current solution) was to be left alone as the focus of concern was thought to be on other areas of the relationship. However, the need to update a seemingly simple exhibit – the Key Supplier Personnel list – told the client they had reason to be a lot more concerned about the supplier’s current solution.

Like most IT outsourcing contracts, this one had the typical provisions around Key Supplier Personnel (KSP) (e.g., full-time,

employees of the supplier, rules about replacing the KSP, commitments to tenure on the account, etc.). When asked to update the KSP exhibit, the supplier came back with three names – the Account Executive, Deputy Account Executive and the Business Manager (yep, the person in charge of billing the client). That was it. Not a single person with technical knowledge of the client’s critical systems or technologies. Nobody involved with actually running the client’s IT environment on a day-to-day basis.

How Significant is the Wyndham Case to the US Cybersecurity Legal Landscape?

Posted April 15, 2014

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

The security community has been abuzz this week with the US. District Court of New Jersey’s April 7 ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al. (see http://www.adlawaccess.com/wp-content/uploads/sites/137/2014/04/Opinion.pdf). Wyndham had asserted in a motion to dismiss that the Federal Trade Commission (“FTC”) did not have the authority to pursue enforcement actions against the hotelier related to data security. The District Court denied the motion and held that the FTC may in fact pursue claims related to data security under Section 5(a) of the FTC Act’s prohibition on unfair or deceptive acts or practices affecting commerce (see 15 U.S.C. 45(a)). While the significance of the holding is being debated in the legal community, this week’s decision highlights the Federal Government’s increasing emphasis on requiring certain baseline cybersecurity practices by the private sector.

The background facts of the case are fairly straightforward. The FTC brought suit against Wyndham Worldwide, Corp. in the wake of three separate security breaches that occurred between 2008 and 2011 and resulted in the theft of guests’ personal information (e.g., payment card account numbers, expiration dates, and security codes). The FTC alleges that after the initial two security incidents, Wyndham failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access and resulted in consumer injury. Specifically, the FTC alleges that there were several problems with the Wyndham’s information security practices including wrongly configured software, weak passwords, and insecure computer servers.

So what does the Court’s holding mean for the private sector? Since, up until this case, the FTC’s data security actions have been settled out of court, this case marks the first time that the courts have ruled on the merits of the FTC’s authority related to data security actions. Fundamentally, the decision affirms that the FTC has the power to pursue enforcement actions for unreasonable cybersecurity practices under existing laws. The Court, however, cautioned that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” It is also important to note that the Court’s decision did not include a verdict on Wyndham’s liability in the matter (interested parties should continue to watch as the matter continues).

Why Indemnities Matter

Posted April 4, 2014

By Pillsbury's Global Sourcing Team

Pillsbury's Global Sourcing Team

Most business clients would rather be in the dentist’s chair than sit through negotiation of the indemnity and liability provisions of their agreement. Admit it: your eyes glaze over, time appears to visibly slow down, and you wonder at how the lawyers can find this stuff interesting enough to argue about.

As dull as they appear to be, there are some significant issues that can arise from the indemnity clause. One issue that I see more often than not is that suppliers try to put a financial limit on their indemnification obligations.

Sometimes the supplier will agree to remove the limitation, but not always. What are the consequences of having a limitation on an indemnification obligation,

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: