Tech, Cyber & Privacy

In General Counsel Memorandum 23-02, National Labor Relations Board General Counsel Jennifer Abruzzo announced a new and unprecedented prosecutorial initiative aimed at employers that utilize technology to monitor and manage employees in the workplace.

The US Department of Commerce’s Bureau of Industry and Security (BIS) released an interim final rule (IFR) on October 7, 2022, imposing additional export controls on certain advanced computing and semiconductor manufacturing items destined for the People’s Republic of China (China), with the goal of limiting China’s access to key US technologies.

Effective management of intellectual property is crucial in the contracting stages of technology projects. Various types of intellectual property can be subject to protection in an agreement and may receive different types of treatment. For example, copyright protection, patent protection, and know-how (trade secrets) are all subject to different rules when it comes to contracting.

The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business (B2B) personal information have not been extended, further complicating the privacy regulatory landscape for businesses in California. California employers must prepare to provide an array of new privacy rights to employees as of January 1, 2023, which is the effective date of the California Privacy Rights Act (CPRA) amending the CCPA.

The New York City Department of Consumer and Worker Protection recently published proposed rules providing guidance on the artificial intelligence law enacted in December 2021 that prohibits employers from using automated employment selection tools unless specific bias audit and notice requirements are met.

The Singapore Court of Appeal held in a recent decision that while emotional distress constitutes “loss or damage” for which the right of private action can be brought under Section 48O(1) of the Personal Data Protection Act 2012 of Singapore, a loss of control of personal data would not constitute “loss or damage.”

As of August 11, 2022, approval is now required by the UK Financial Conduct Authority (FCA) before acquiring direct or indirect control of an FCA-registered cryptoasset business. Failure to attain such approval is a criminal offense. This is due to the UK Money Laundering Regulations (MLRs) having been updated to apply the change in control regime under Part 12 of the Financial Services and Markets Act 2000 (FSMA), as modified by Schedule 6B of the updated MLRs, to FCA-registered cryptoasset exchange providers and custodian wallet providers.

Comprising tiers of specialized intellectual property (IP) courts within its court system, China bifurcated judicial and administrative proceedings for those seeking to protect and enforce against a patent infringement. The judicial route is more commonly used first which would see a case pass through the Intermediate People’s Courts, High People’s Courts, and ultimately, the Supreme People’s Court.

A group of state treasurers and state attorneys general (AG) have raised concerns that certain environmental, social, and governance (ESG) features of certain fund disclosures and other marketing collateral could create liability under state Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) and Anti-Boycott, Divestment, and Sanctions (Anti-BDS) laws. This is an issue that could impact government retirement plans and/or asset managers to public and private retirement plans.

The Department for Digital, Culture, Media & Sports (DCMS) confirmed on August 30, 2022, that it will push forward with tough new regulations and a code of practice to bolster the security and resilience of the United Kingdom’s electronic communications networks and services against current and future cyberthreats.

“Metaverse” is generally used to describe any virtual world where users can interact using digital avatars. There are seven layers to any metaverse: infrastructure, human interface, decentralization, spatial computing, creator economy, discovery, and experience (such as games, social interactions, esports, theater, and shopping). Users create an avatar and can then enter existing metaverses through a virtual reality headset or from a computer, tablet, or phone.

On July 18, 2022, the UK government published high-level proposals for its approach to regulating uses of artificial intelligence (AI), as part of its National AI Strategy and, more broadly, its UK Digital Strategy. The government is seeking public views on the approach, which is contained in a policy paper; a more detailed White Paper will be published in late 2022.

The US Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization raises important questions about data privacy. Fears that sensitive personal data could be used to identify and prosecute abortion ban violations were among the first questions raised by women, reproductive healthcare providers, employers, and a number of data aggregators. But organizations can take steps now to maximize compliance with data privacy laws and principles, and later to minimize the risk of disclosing this sensitive data post-Dobbs.

In cases involving digital assets, especially those with anonymous, unlocatable, or international parties, service of process can pose an existential challenge. Recent decisions arising out of cryptocurrency-related litigation in the United States and United Kingdom indicate that courts are increasingly embracing a flexible approach to service of process, which could alter the legal landscape in cases related and unrelated to digital assets.

For global healthcare companies that process personal information in Japan and/or import personal information from Japan, there are new requirements that must be considered in preparing data transfer or processing agreements, as well as internal and external privacy policies.

Key amendments to the Singapore Personal Data Protection Act take into account technological advances, new business models, and global developments in data protection legislation, and will have an effect on healthcare providers. Financial penalties for breaches will increase as of October 1, 2022.

The Cyberspace Administration of China (CAC) announced on July 21 that it fined China’s ride-hailing giant Didi 8.026 billion yuan ($1.2 billion) for illegally collecting customer information since 2015 and handling data in a way that endangered national security.

With a solid uptick in requests for assistance with outsourcing, cloud, and as-a-service contracts, 2022 has been busy from the get-go. ISG Index confirmed this trend across the market in its recent Q2 ISG Index Report presentation on July 13, highlighting as one of its three key takeaways that “contracting activity remains strong, with ADM, engineering and industry BPO leading the way.”

The world of personal mobility is changing. As countries seek to reduce carbon emissions and cut down on vehicular congestion in their cities, escooters, autonomous delivery robots, and drones (collectively, “micromobility”) have grown in popularity as new clean-energy personal mobility devices. According to the Pew Center, more than 30% of the world’s population lives in cities that are inhabited by more than one million people. Seeking to capitalize on this clean-energy movement in large urban markets, micromobility startups have raised more than $5.7 billion in funding in the last seven years, led by investment in autonomous delivery robots. Market analysts who have followed these trends project that the micromobility sector will be valuated at $300 billion to $500 billion by 2030. In the Automotive and Mobility Industry Group at Morgan Lewis, our lawyers are tracking these industry metrics as well as the current and future regulatory landscape for micromobility devices.

The Cyberspace Administration of China released for public consultation its long-awaited template for the cross-border data transfer agreement on June 30, 2022, under the draft Provisions on the Prescribed Agreement on Cross-border Data Transfer. The consultation period ends July 29, 2022.

As the challenges to and requirements governing data protection continue to evolve, data privacy remains a hot topic on the minds of security and compliance professionals around the world. If the last few years provide any indication, new developments in data privacy will likely keep pace.

As we all try to keep up with the Metaverse and as the healthcare system wilts under a data deluge, the convergence of realities in a shared online space is not merely a chance for practitioners and patients to find each other and interact in new ways, it’s also a rare opportunity to help a new paradigm sprout. The answers to detangling some sticky wickets of Health 2.0, like ensuring efficient, secure communications and exchanges between participants, may share a common thread: clear out (not just debug) the cobwebs and flip the crypt.

As part of our Spotlight series, Dion Bregman (who wears many hats at Morgan Lewis, such as deputy leader of the firm’s intellectual property practice, leader of the firm’s Patent Trial and Appeal Board (PTAB) team, managing partner of the firm's Silicon Valley office, and co-leader of the firm’s technology industry team) shares some of his meta thoughts. As a follow up to Dion’s recent participation in a panel discussion, An Introduction to the Metaverse, Dion provides insight into some important developments, issues, and opportunities, as we all continue to focus on Keeping Up with the Metaverse. 

On June 7, 2022, Senators Cynthia Lummis (R-WY) and Kirsten Gillibrand (D-NY) introduced the Responsible Financial Innovation Act (RFIA), a bipartisan effort to develop and provide greater regulatory clarity to the eclectic digital asset industry. Since releasing the text of the bill, Senators Lummis and Gillibrand launched a strong public lobbying campaign, discussing the bill at fundraisers, joint conference panel appearances, and other events as an opportunity for bipartisan cooperation and reassertion of US leadership in the distributed ledger technology fintech and investment space. The RFIA would create a more coherent and consistent regulatory framework for the digital asset industry, and encourage responsible financial innovation, flexibility, transparency, and robust consumer protection.

In October 2021, it was announced that Facebook would formally change its name to Meta as part of an ambitious new initiative called the “metaverse”—a convergence of physical, augmented, and virtual reality in a shared online space. Shortly after this announcement, we wrote a blog post, A Brief Overview of the Metaverse and the Legal Challenges It Will Present. Since then, metaverse trends have experienced phenomenal growth, with the emergence of new immersive virtual reality and collaborative spaces for human interactions, transactions, and data exchanges on decentralized networks.

On May 6, 2022, the UK government outlined its plans to boost competition and drive economic growth and innovation in a major regulatory reform aimed at big tech. The news comes in the wake of fears that a handful of tech giants disproportionately dominate the market, subjecting smaller businesses to predatory prices and ultimately harming consumers through higher prices as well as limited options and control over their online experiences.

During the estate planning process, it is important to ensure that your fiduciaries (the personal representatives of the estate, trustees, and agents named in the durable power of attorney) have the information necessary to access your assets and manage them in the event of your incapacity or death. While most assets are easily identifiable, one exception is digital assets, which can include cryptocurrency and nonfungible tokens (NFTs), as well as email, social media accounts, and financial applications such as PayPal and Venmo.

Our tracker covers the recent developments that companies need to know, including the 2022 Utah Consumer Privacy Act, amendments to the Virginia Consumer Data Protection Act, proposed federal legislation, and bills under consideration in more than two dozen states, as well as noteworthy local laws regulating the use of artificial intelligence and biometrics.

When two parties come together to discuss a new idea or potential collaboration, the parties are usually operating under the protection of a non-disclosure agreement (NDA). If the parties decide to work together, they will most likely enter into a services agreement outlining their respective rights and obligations, including intellectual property (IP) ownership and commercialization rights. Occasionally, parties operating solely under an NDA may start collaborating in a way that’s not fully covered by the NDA prior to entering into a services agreement because they’re just not at that stage of the relationship yet. Regardless of whether the parties are ready to enter into such an agreement, if there is any potential for IP to be created in connection with such a collaboration (even if it’s fairly informal), the agreement between the parties needs to address the rights of each party with respect to any such IP.

Perhaps signaling the increasing likelihood of a permanent telehealth solution for the Medicare program, the Office of Inspector General for the US Department of Health and Human Services (OIG) has established a “Featured Topics” resource page on its website dedicated to telehealth and OIG’s work in evaluating telehealth policies. This telehealth resource page serves as a compendium for all the reports OIG has completed or plans to undertake related to telehealth and virtual care technologies, including several audits and evaluations currently on OIG's 2022 work plan. In addition, the resource page provides a helpful overview of the manner in which telehealth fits into the larger Medicare regulatory framework.

Blockbuster Biologics Review, produced by our intellectual property lawyers, covers developments in inter partes review (IPR) and patent litigation challenges to blockbuster biologics.

China’s legal framework around data protection and security is governed broadly by three key pieces of legislation: the Cybersecurity Law, which came into effect in 2017, and the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), both of which came into effect in 2021. Navigating the laws that operate in this space can be complex and there is significant overlap. For example, the Cybersecurity Law covers both hardware equipment and online tools, including internet technologies, and essentially anything that can impact cybersecurity. The DSL is concerned with data that is online, but also other data that is offline in paper or hard copy or any other form. It is also broadly defined to cover data processing activities like collection and storage. The PIPL is principally focused on personal data that could also be in any form, whether physical or not.

On March 11, 2022, the UK Financial Conduct Authority (FCA), the Bank of England, and the Office of Financial Sanctions Implementation (OFSI) released a joint statement reiterating that all UK financial services firms, including the cryptoasset sector, are expected to ensure compliance with economic sanctions.

In this article for ZD Akutell, Axel Spies addressed the Utah Consumer Privacy Act (UCPA) which became the fourth comprehensive US state privacy law with some provisions that depart from comprehensive privacy laws in California, Colorado, and Virginia.

The NRC held a public meeting on March 4 to discuss the issuance for public comment of draft regulatory guide (DG) DG-5061, Revision 1, Cyber Security Programs for Nuclear Power Reactors. DG-5061, Revision 1 would revise Regulatory Guide (RG) 5.71, which provides NRC licensees with guidance on meeting the cybersecurity requirements described in Section 73.54 of Title 10 of the Code of Federal Regulations, “Protection of digital computer and communication systems and networks.”

The Patent Trial and Appeal Board found in a recent inter partes review—DraftKings Inc. v. Interactive Games LLC—that DraftKings’ proposed combination of prior art would have been obvious when Interactive Games’ mobile gambling patent was filed, and was therefore unpatentable. The outcome of this case demonstrates the ineffectuality of arguing that there is no motivation to modify the primary reference because it works as is, as well as the importance of understanding whether an invention feature is truly necessary and whether removal of such would render the invention inoperable for its intended purpose.

The conflict in Ukraine has raised significant cybersecurity concerns for businesses in the United States and across the world, resulting in an increased focus on using cyberinsurance to mitigate any resulting losses. The conflict has also caused insurers to turn their attention to a rarely invoked exclusion in insurance policies: the war exclusion. Certain insurers have recently taken steps toward altering the language of such exclusions. As a result, evaluating the applicability of insurance coverage, including the specific language of any war exclusions contained the policy, is an important first step for businesses as they seek to protect themselves from cyberthreats.

The US Supreme Court held that the Copyright Act’s safe harbor provision for unintentional mistakes made in copyright registrations applies equally to mistakes of law and fact.

The European Union’s 25 February wave of sanctions build on, and significantly expand, its existing sanctions on Russia, imposing wide-ranging restrictions on the Russian economy—including in respect of Russia’s access to financial and capital markets—and the oil refining, aviation, and space sectors. More sanctions from the European Union are expected in the coming days, along with announcements on the disconnection of certain Russian banks from the SWIFT system.

The US Securities and Exchange Commission recently proposed a comprehensive framework of cybersecurity-related rules and amendments for investment advisers and investment companies. Although advisers and funds may have already implemented many of the requirements, some, such as incident reporting, are likely to prove burdensome and make the landscape surrounding cybersecurity risk management and compliance even more complex.

In this edition of our Spotlight series, we welcome David Plotinsky to discuss key issues that technology lawyers and professionals should keep in mind regarding tech transactions, foreign investment, and review by the Committee on Foreign Investment in the United States (CFIUS).

The Infrastructure Investment and Jobs Act (IIJA) is slated to provide unprecedented levels of federal spending toward physical infrastructure, allocating $1.2 trillion not only for funding roads, bridges, and rails, but also for funding projects like high-speed internet, electric grid modernization, and an electric vehicle (EV) charging station network.

The new Civil Cyber-Fraud Initiative of the US Department of Justice’s use of the punitive False Claims Act (FCA) and its whistleblower provisions has some important legal and risk management considerations for the health industry. Because enforcement will initially occur largely through civil investigations applying the FCA in the broadest possible way, healthcare organizations should undertake a priority assessment of their cybersecurity status to ensure that their practices can withstand hacks, whistleblowers, and government scrutiny.

The US Patent and Trademark Office is implementing a pilot program to allow participating applicants to defer responding to subject matter eligibility rejections until the earlier of a final disposition of the application, or a withdrawal or obviation of all other outstanding rejections.

Investment in UK technology companies continues apace, with 2021 marking another record year. The UK government announced in December 2021 that the UK tech sector achieved its “best year ever” in 2021 through investments totaling £29.4 billion, with record IPO capital raising and 37% of all funding coming from the United States. The United Kingdom is creating on average almost one $1 billion “unicorn” technology business a week, primarily fintechs followed by healthtech and enterprise software businesses.

The highly anticipated UK Supreme Court decision in Lloyd v. Google has brought into focus (1) the operation of the United Kingdom’s collective redress regime brought under the civil procedure rules, particularly the limitations of the “opt-out” regime, and (2) claims pursued as a result of data protection breaches. This LawFlash considers the significance of Lloyd v. Google in the overall context of the developments taking place in the collective action regime, and the impact of this judgment on future actions related to the misuse of data.

The Accounting and Corporate Regulatory Authority (ACRA) of Singapore is running a public consultation exercise from 17 December 2021 to 28 January 2022 to seek feedback from the public on proposed amendments to the Companies Act, Accountants Act, ACRA Act, Business Names Registration Act, Limited Liability Partnerships Act, Limited Partnerships Act, and Variable Capital Companies Act 2018 (collectively, the ACRA-administered legislation) relating to data, digitalization, and corporate transparency.

This past year has seen widespread excitement about non-fungible tokens (NFTs), with a plethora of players ranging from newspaper agencies to celebrities releasing their own NFTs. NFTs can take the form of songs, tweets, GIFs, virtual land, or images. Headlines report handsome profits from the sale of NFTs reaching millions of dollars, while naysayers view the craze over NFTs’ price as a bubble waiting to burst. This LawFlash discusses the legal issues surrounding NFTs in Singapore.

With the exponential growth of cyber threats, cloud computing and remote working, contract provisions regarding data security requirements have also expanded in size and frequency. It has become common practice to prepare schedules to detail (and limit) security requirements. Customers and vendors both have a vested interest in clearly identifying expectations and obligations for such requirements. In this week’s Contract Corner, we explore considerations when it comes to drafting security schedules.

The three federal banking agencies (i.e., the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency—collectively, the Agencies) published a final rule (the Rule) on November 23, 2021, requiring “banking organizations” to notify their primary federal regulator within 36 hours in the event of certain types of computer-security incidents. The Rule separately requires “bank service providers” to notify banking organization customers as soon as possible in the event of any incident that has or is reasonably likely to materially affect those customers for four or more hours.

Companies are transforming legacy systems, implementing automation and artificial intelligence tools, embedding digital capabilities into their products, shifting to cloud solutions and leveraging technology to better connect to their customers, personnel, and third parties, all at an unprecedented pace. The focus on businesses to get to market faster, reach a broader audience and provide real-time interaction has in turn put pressure on legal and sourcing documents to keep up. The complexity and volume of the numbers of projects (and contracts) can be daunting — especially for companies that have not yet elevated the importance of the technology law function within their organizations.

The Federal Trade Commission recently finalized a long-discussed update to its cybersecurity Safeguards Rule that includes more specific criteria for what financial institutions must implement as part of their information security programs. Among other key changes, many companies are likely to be impacted by an expansion of the rule’s scope to include “finders,” which may allow such businesses (including fintech firms) to avoid the current regulatory burden and confusion of state law requirements.

The United States has a long history of reviewing cross-border investment (FDI) to assess the national security implications of these types of transactions. With more than 20,000 to 40,000 FDIs a year, most transactions, however, occur outside the purview of US government review.

US President Joe Biden’s Working Group on Financial Markets (PWG), along with the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC), released a report on the risks and legislative recommendations for stablecoins, recommending that issuers be limited to insured depository institutions.

Following an initial announcement in early 2021, the UK government has recently launched its first National Artificial Intelligence (AI) Strategy. This new strategy indicates that the United Kingdom may be planning on diverging from the legislative approach taken by the EU Commission in its “AI package.”

As law firms begin planning for office returns, partners Tess Blair and Tara Lawler and associate William Childress wrote an article for The Legal Intelligencer focusing on the basics of the preservation and collection of records, the central principle of proportionality, and the importance of cooperation during discovery.

The US Court of Appeals for the Federal Circuit’s recent decision on an appeal from the Patent Trial and Appeal Board to limit prior art for design patent applications to only analogous fields may make it easier for applicants to obtain design patents and more difficult for challengers to invalidate them.

On September 2, 2021, the US District Court for the Eastern District of Virginia granted the United States Patent and Trademark Office’s (USPTO’s) motion for summary judgement, finding that an artificial intelligence (AI) system cannot be named as an inventor on a patent.

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” This advisory continues prior advisory comments strongly discouraging companies from making ransomware payments and suggests proactive steps for mitigating ransomware risks, including actions that OFAC would consider to be “mitigating factors” in any related enforcement action.

Hinting that the US Department of Labor (DOL) is currently working on guidance related to cryptocurrency, the Acting Assistant Secretary for the DOL’s Employee Benefits Security Administration recently commented that the DOL finds the prospect of cryptocurrency investments in 401(k) plan lineups “troubling.” This may be a sign of DOL focus on the increasing frequency of ERISA plan investments in cryptocurrency vehicles, including funds with cryptocurrency exposures.

Various Chinese regulators announced a blanket ban on all cryptocurrency transactions and mining, the latest in a concerted effort to address illicit activities conducted using digital assets. The announcement on September 24, 2021, authored by a group of agencies including the China Securities Regulatory Commission and the People’s Bank of China, among others, represents the government’s most direct and sweeping action against cryptocurrencies to date. “Virtual currency derivative transactions are all illegal financial activities and are strictly prohibited,” the People’s Bank of China said on its website.

As the availability and variety of digital health tools continue to increase, evidence is also being presented that those tools are having a meaningful impact on health outcomes. A recent report, Digital Health Trends 2021: Innovation, Evidence, Regulation, and Adoption, offered by the IQVIA Institute for Human Data Science, looks at the proliferation of digital health tools, recent innovations in the market, and contributions and barriers to their adoption.

Through legislation, Connecticut has incentivized businesses to conform to one or more industry recognized cybersecurity frameworks. As we recently discussed, cybersecurity incidents and risks are taking centerstage. Under Connecticut’s recently enacted Public Act No. 21-119, An Act Incentivizing the Adoption of Cybersecurity Standards for Business (the Act), as further described below, a business that implements a qualifying cybersecurity program is shielded from punitive damages in connection with any data breach-related tort claim that is brought in, or under the laws of, Connecticut.

The Centers for Medicare and Medicaid Services (CMS) recently released a table copy of its calendar year 2022 Medicare physician fee schedule proposed rule. The proposed rule is chock full of policy updates concerning telehealth, remote physiologic monitoring (RPM), and new remote therapeutic monitoring codes. Coming on the heels of the significant telehealth waivers put in place during the COVID-19 public health emergency (PHE), CMS proposes to continue the steady expansion of virtual care options with this rule.

The Federal Communications Commission on June 17, 2021, unanimously approved relaxed rules regarding the importation and marketing of a broad range of radiofrequency devices, such as computer equipment, smartphones, wireless audio equipment, Wi-Fi routers, Internet of Things devices, and more.

China’s new Data Security Law includes more expansive and restrictive requirements on data localization, mandatory security level certification, and severe penalties on unauthorized foreign transfer of data.

The Basel Committee on Banking Supervision (Basel Committee), a committee of global central bankers and regulators, issued a Consultative Document on June 10 on the prudential treatment of cryptoasset exposures for international banks (the Proposal). The Basel Committee has asked for comments by September 10, 2021.

Importers of EU data will need to analyze each data transfer for compliance with the new Standard Contractual Clauses; solely relying on data subjects’ consents may not be sufficient.

We repeatedly warned over the past few months (here, here, and here), that officials at the highest levels of the DOL were signaling that the DOL would begin an audit initiative focusing on retirement plan cybersecurity practices. Despite plan fiduciaries having had just a handful of weeks to digest the DOL’s only actionable guidance on cybersecurity and privacy matters, the wait is over. We can confirm that the DOL has begun issuing information and document requests under this new initiative, and the requests are probing and indicate serious inquiry by the DOL.

Following the Schrems II decision last year, there have been many questions about the status of international data transfers between the European Union and United States. The European Commission (the Commission) has now adopted a new set of Standard Contractual Clauses (SCCs) for international data transfers (the New SCCs), effective 27 June 2021. The New SCCs take into account some of the requirements under Schrems II and confirm how to carry out an assessment of a third country’s legal framework.

In response to arguments made by the US government in an appeal pending before the US Supreme Court, members of Congress requested an investigation into the adequacy of due process afforded to Patent Trial and Appeal Board litigants, in particular the amount of supervision and arbitrary control exercised by the director of the US Patent and Trademark Office over PTAB decisionmaking.

As is clear from recent news reports, cybersecurity hacks and breaches have been trending upward for some time, and there has been a noticeable uptick over the last several months—including in the energy industry. As a result, President Joseph Biden has committed his administration, in large part through the American Jobs Plan and his executive order of May 12, to strengthen cybersecurity across the nation.

The European Securities and Markets Authority (ESMA) on May 10 published final guidelines on outsourcing to cloud service providers (ESMA Guidelines) to help firms and competent authorities identify, address, and monitor the risks and challenges arising from cloud outsourcing arrangements. Subject to a few clarifications, the ESMA Guidelines are broadly consistent with the draft guidelines.

The US Department of Labor (DOL) issued three long-awaited pieces of subregulatory guidance on April 14, addressing the cybersecurity practices of retirement plan sponsors, service providers, and plan participants, respectively. The guidance provides an important window into the DOL’s expectations of what ERISA’s prudence standards require with respect to cybersecurity matters.

As noted in our recent blog post, the US Department of Labor (DOL) has repeatedly signaled that it would be turning its focus toward the intersection of cybersecurity practices and ERISA’s fiduciary duties. On April 14, 2021, the DOL stopped signaling and started acting, issuing three pieces of subregulatory guidance addressing the cybersecurity practices of retirement plan sponsors, their service providers, and plan participants respectively.

When negotiating a digital health collaboration agreement between a tech company and a life sciences company, whether for the development of artificial intelligence or other software, the provision of data hosting and analysis services, or a more complex collaboration, the parties should consider the following.

We recently noted that the UK Financial Conduct Authority (FCA) published the outcome of a review into the factors that determine failure or success when implementing technology change in the financial services sector and discussed the importance of this review for firms seeking to improve the operational resiliency of their technology change management process.

Having recently announced the launch of the new UK Cyber Security Council, the UK government has followed up by announcing its plans to publish a new National Artificial Intelligence Strategy (the AI Strategy) later this year.

As part of its five-year, £1.9 billion ($2.65 million) national cybersecurity strategy, the UK government on February 9 announced the launch of the UK Cyber Security Council (Council), a new independent body to support career opportunities and set professional standards for the UK’s cybersecurity sector. The Council will be formally launched on March 31, 2021.

Artificial intelligence magnifies the ability to analyze personal information in ways that may intrude on privacy interests. In fact many of the most interesting data sets for AI are those with a great deal of personal information.

The European Data Protection Board (EDPB) has finally released its much anticipated guidance following the Schrems II decision in July 2020, which invalidated the "Privacy Shield" system that allowed the transfer of personal data to the United States. EDPB also released draft new Standard Contractual Clauses (SCCs) that allow for data transfers from processors who are exporters as well as new SCCs for controllers who are exporters.

Partner Mark Krotoski was quoted in a Law360 article about lingering questions around the formation of federal rules called for under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 requiring critical infrastructure entities to report cyber incidents.

After participating in ILTACON 2022, partner Scott Milner shared his thoughts on the conference with eDiscovery Today.

German industry and trade associations are actively lobbying for amendments to the European Commission’s proposed Artificial Intelligence Act (AIA) but three challenges remain that threaten the success of the first attempt to regulate artificial intelligence (AI) by a uniform law from cradle to grave.

FRANKFURT, July 14, 2022: Morgan Lewis is representing global digital infrastructure investment firm DigitalBridge Group Inc. on the antitrust and foreign direct investment aspects of its acquisition of a 51% ownership stake in GD Towers.

Partner Tomoko Fuminaga spoke to <em>Asia Business Law Journal</em> about Japan&rsquo;s Act on the Protection of Personal Information (APPI). &ldquo;Abstract descriptions of the purpose of using personal information would not be sufficient under the amended APPI, and business operators must carefully describe the purpose of use of personal information,&rdquo; Tomoko said.

Partner Reece Hirsch was quoted in a Law360 article on the California Privacy Protection Agency’s first draft of regulations for the California Privacy Rights Act (CPRA).

Chief knowledge management and practice services officer Colleen Nihill participated in a roundtable on the growing uses of artificial intelligence (AI), which was covered in a Fortune article.

In this article for ZD Aktuell, Dr. Axel Spies addressed the Connecticut Data Privacy Act signed into law by the governor which joins other states which have implemented similarly comprehensive data privacy legislation.

The growth of the non-fungible token (NFT) market has caused law firms to adjust focus—building up their talent pools and services for this increasingly important space.

Partner Pulina Whitaker spoke with Global Data Review about the UK government’s plan to introduce its new Data Reform Bill.

A recent PYMNTS.com article looks at China’s tech regulatory landscape, noting that the “decision by the Chinese authorities brings back the debate about how far it is necessary to go in regulating Big Tech companies to get more competition in the market and the unintended consequences of having additional rules.”

In an article commemorating World IP Day, partner Rachelle Dubow discusses the importance of the 2022 theme, “IP and Youth: Innovating for a Better Future,” noting that it helps shine a light on the possibilities for working in the IP area.

Earlier this month, the US Food and Drug Administration issued its latest draft guidance on medical device cybersecurity, essentially replacing its 2018 version amid rising cyber-related threats.

Partner Reece Hirsch discussed the recent passage of the Utah Consumer Privacy Act (UCPA) in an article published by Infosecurity Magazine.

In an interview with Legaltech News, partner Scott Milner spoke about his work as co-leader of Morgan Lewis’s eData practice, discussing what it means to be an innovation firm and the challenges facing the legal tech industry.

Partner Nick Bolter and associate Martin Whittle authored an article for World Trademark Review discussing the decision from the High Court of England and Wales in Easygroup Ltd v. Beauty Perfectionists Ltd.

The conflict in Ukraine has raised significant cybersecurity concerns for businesses in the United States and across the world, resulting in an increased focus on using cyberinsurance to mitigate any resulting losses. The conflict has also caused insurers to turn their attention to a rarely invoked exclusion in insurance policies: the war exclusion. Certain insurers have recently taken steps toward altering the language of such exclusions. As a result, evaluating the applicability of insurance coverage, including the specific language of any war exclusions contained the policy, is an important first step for businesses as they seek to protect themselves from cyberthreats.

In an article on the proposed Health Data Use and Privacy Commission Act, HealthLeaders Media cites a recent blog post from partner Reece Hirsch and associate Sydney Swanson.

Partners Tess Blair and Scott Milner were recognized as 2022 AI Visionaries by Relativity ODA LLC.

A Payments Dive article reports on the approaching March 1 deadline for major “buy now, pay later” (BNPL) firms to provide their responses to the Consumer Financial Protection Bureau (CFPB).

Due to the pandemic-fueled shift toward online and mobile app shopping, the “buy now, pay later” (BNPL) market has experienced sharp growth. In an article for Bloomberg Law, lawyers Eamonn Moran and Robin Nunn discuss the current regulatory landscape on point-of-sale BNPL financing.

Partner Ksenia Andreeva and trainee associate Dmitry Simbirtsev wrote an article for DataGuidance looking at the status of biometric data and its governance under Russian laws pertaining to personal data.

Associate Jake Harper spoke with Xtelligent Healthcare Media about key pieces of telehealth legislation moving through Congress in 2022 and the factors that could potentially stop their passage, as well as the additional regulations needed to advance telehealth usage.

Partner Giovanna Cinelli spoke with Global Investigations Review about the ongoing delays within the US Office of Foreign Assets Control (OFAC), and how lawyers often have little insight to their cause.

Partner Pulina Whitaker spoke to Legaltech News about her outlook for privacy law in the upcoming year.

With no sign of ransomware attacks slowing down in 2022, partner Kristin Hadgis told Bloomberg Law that a preplanned response can mitigate the related legal, reputational, and regulatory risks that businesses could face.

According to a recent report from the Department of Health and Human Services, since the start of the pandemic sweeping policy changes made by the Centers for Medicare and Medicaid Services have led to a surge in virtual doctor visits.

Partner Steven Frank joined NVIDIA’s The AI Podcast to discuss working with his wife, Andrea Frank, a professional curator of art images, to authenticate artistic masterpieces with the help of artificial intelligence (AI). He told the podcast that convolutional neural networks (CNNs), a deep learning algorithm, can be used “to recognize and classify many different things,” including paintings.

The fact that the financial services sector has been and continues to be transformed by technology is incontestable.

Security Management cited a LawFlash written by Morgan Lewis partners Todd Liao, Lesli Ligorner, Reece Hirsch, Gregory Parks, and Pulina Whitaker, along with associate Yuting Zhu, regarding China’s new Personal Information Protection Law (PIPL).

Morgan Lewis partner Vasilisa Strizh and associate Anastasia Kiseleva co-authored the Russia chapter of The Legal 500’s 2021 edition of its Blockchain Country Comparative Guide, a country-specific Q&A that provides readers an overview of blockchain laws and regulations applicable in Russia.

Partner David Sirignano spoke with Pensions & Investments about the complexities of navigating the current cryptocurrency regulatory landscape. “Whenever we get on the phone with a client that’s got some product idea, we have team members that have experience in commodities markets, tax people, persons familiar with money transfers and securities lawyers,” said David, explaining that “these products do touch on all of these areas and it’s sometimes hard to steer the client in the right direction.”

Partner Liz Goldberg and associate Emily Rickard authored an article for International Employment Lawyer discussing the Department of Labor’s (DOL’s) potential focus on cryptocurrency, and the increasing frequency of Employment Retirement Income Security Act (ERISA) plan investments in cryptocurrency vehicles. “As cryptocurrency makes possible inroads into ERISA plans, the DOL is taking notice and expressing concern,” they write.

Partner Reece Hirsch joined the Berkeley Center for Law and Technology’s (BCLT’s) Expert Series podcast to discuss the Data Protection Act of 2021.

Partners Lesli Ligorner and Todd Liao spoke with SHRM about the Personal Information Protection Law, which will go into effect in China beginning November 2021.

Partner Pulina Whitaker authored an article for Intellectual Property Magazine discussing the European Commission’s June 28, 2021 approval of two decisions granting the United Kingdom the status of having “adequate” data protection laws so that transfers of personal data from the European Union are not restricted.

Partner Reece Hirsch spoke with Law360 about some of the hot topics in cybersecurity and privacy law in 2021.

Partner Ksenia Andreeva, associate Anastasia Kiseleva, and trainee associate Alena Neskoromyuk authored a Q&A for Thomson Reuters Data Privacy Advisor providing a summary of key data localization requirements in Russia. It identifies applicable laws, sector-specific requirements, exceptions, and cross-border data transfer requirements.

Morgan Lewis partner Elizabeth Goldberg was quoted in a Law360 article regarding the new policies emerging in the employment benefits area.

After California and Virginia, the state of Colorado has now also reformed its data protection law: On June 8th, 2021, the legislature of this state passed the Colorado Privacy Act (CPA).

Partner Pulina Whitaker authored an article for The Legal Diary regarding the UK government’s plan to develop a National Health Service (NHS) database of all general practitioner records from the last decade. Pulina highlights the potential data privacy challenges.

Partner Elizabeth Goldberg was quoted by Bloomberg Law in an article about the US Department of Labor’s (DOL’s) release of its cybersecurity guidance for retirement plans. According to the article, Elizabeth said that the guidance reveals how seriously the DOL’s Employee Benefits Security Administration is taking the threat of cybersecurity and that all service providers, whether or not they are fiduciaries, should take note of potential enforcement actions.

Partners Matthew Hawes and Elizabeth Goldberg provided their insights to PlanSponsor regarding the US Department of Labor’s (DOL’s) release of its first cybersecurity guide for ERISA plans. Under the new guidelines, the DOL indicates that protecting participant information is a fiduciary issue and that plans have a responsibility to address them.

The e-Discovery and Information Governance Law Review, published by Law Business Research, make up an essential information tool for practitioners, in-house counsel, governments and corporate officers. Both a desktop reference tool and an online resource, The Law Reviews series handpicks key and developing areas of law and provides detailed insight from those who have on-the-ground experience.

A recent decision of the Queen's Bench Division of the England and Wales High Court (U. v. 15.1.2021-[2021] EWHC 56 (QB) - Soriano v Forensic News) is arguably the first final judgment on the territorial scope of the GDPR.

At the end of December 2020, the use of the EU standard contractual clauses if the recipient of the data transmission had to adhere to the GDPR was controversially discussed in the Beck blog.