Tech lawyers are finding themselves in a regulatory environment that’s becoming more difficult to navigate by the day, with compliance stakes higher than ever, and the latest survey results bear this out. As part of Bloomberg Law’s 2021 Technology Transactions Survey, we asked attorneys who draft, negotiate, or advise on technology-related contracts or legal matters about the work they do, the concerns they have, and challenges they face. Their responses identify the ever-transforming kaleidoscope of state, federal, and international privacy and cybersecurity laws and regulations as a top source of unease.
Complexity and Cross-Jurisdictional Expertise
We asked survey respondents which areas they consider to be challenges that they face in their work on technology matters. The most popular responses, each selected by 63% of respondents, were “data & privacy legal & regulatory concerns” and “the need for technical understanding of complex subject matter.” The third most popular response, selected by 45% of respondents, was “the need for cross-jurisdictional (including international) expertise.”
We also asked survey respondents which potentially forthcoming legal or regulatory changes they are most concerned about in the context of their work on technology matters. “State privacy legislation” was the top answer, with 63% of respondents selecting that category.
The State, Federal, and Global Privacy Kaleidoscope
2023 is shaping up to be a big year for new state privacy laws, with the Virginia Consumer Data Protection Act, Colorado Privacy Act, and key provisions of the California Privacy Rights Act all taking effect then. While each statute comes with its own unique standards and exceptions, the process of preparing for one law could help tech lawyers and their multi-jurisdictional clients become better equipped to comply with the other two. For instance, data mapping, the process of identifying an organization’s data sources and analyzing how each data type is used and shared, is one strategy commonly implemented in preparation for new privacy requirements. The end result of such an organization-wide project can help inform a business’s decisions when updating vendor contract clauses and revising privacy policies prior to a new law (or, in this case, multiple laws) taking effect.
The survey results suggest that tech lawyers expect broad change. Although the U.S. has yet to pass any national consumer privacy legislation that applies across industries, the fact that 53% of survey respondents chose “federal privacy legislation” as a major area of legal and regulatory concern underscores their awareness that such a law could come into fruition.
While it does not fall under the category of legislation, the Federal Trade Commission recently made procedural changes to its complicated rulemaking process that should make it slightly less time-consuming for the agency to promulgate rules on consumer data privacy practices. The changes came shortly before the release of President Biden’s July 9 Executive Order on Promoting Competition in the American Economy, which encourages the FTC to exercise its rulemaking authority in the realm of “unfair data collection and surveillance practices,” among other areas.
“International privacy legislation” drew as much concern from survey respondents as federal privacy law developments—a result that, more than likely, is tied to the current state of confusion over the EU’s General Data Protection Regulation. A recent ruling from the Court of Justice of the European Union (CJEU) has made it possible for regulatory authorities in EU countries other than the one a company is based in to take over investigations in certain GDPR compliance-related matters, opening the door to heightened privacy enforcement. Experts have opined that GDPR enforcement already suffers from infighting and delays caused by conflicting interpretations and case backlogs, particularly when alleged violations affect more than just one EU member state.
But most of the internationally focused anxiety seems to stem from what has been described as a “data transfer mess” following the CJEU’s July 2020 invalidation of the EU-U.S. Privacy Shield, a widely relied-upon data transfer framework, without leaving any comparable legal solution in its place. In the absence of an agreed-upon transatlantic data sharing mechanism, U.S. companies subject to the GDPR will need to amend vendor contracts to incorporate EU-approved standard contractual clauses (SCCs), conduct transaction-specific risk assessments, and actively monitor and record their compliance efforts. In short, tech lawyers who advise on GDPR compliance will be keeping busy for a long time to come.
Managing Cyber-Risk Before the Next Big Hack
Although forthcoming changes in privacy laws clearly dominate the list of tech lawyers’ greatest concerns, to paraphrase a former NSA general counsel, you can’t have privacy without cybersecurity.
Amid U.S. supply chains and critical infrastructure providers experiencing one large-scale cyberattack after another over the last several months, a majority (57%) of survey respondents named potential changes to “cybersecurity-related regulations” as a top source of apprehension. While it is unfortunate that it took a series of massive ransomware strikes and other devastating hacks to raise awareness of existing technical vulnerabilities, attorneys representing major corporations, small businesses, and even municipalities now seem laser-focused on their clients’ data security practices.
One trend that has been gaining momentum since the early days of pandemic-induced remote work is the practice of moving systems and data from on-premises servers to the cloud. Although the cost of cloud migration can be significant, businesses that can afford it are able to rely on the cybersecurity expertise of cloud infrastructure software providers, many of which also deliver data backup solutions in the event that a ransomware attack or other catastrophic event cuts off access to information stored on a primary server. In-house attorneys have also been working more closely with their organization’s IT counterparts, as scrutiny of indemnification, incident response, insurance, and other data-related provisions in vendor contracts is an increasingly crucial component of maintaining strong cybersecurity policies and procedures.
This surge of interest in information security may not only help minimize the fallout from the next big cyberattack, but it could also help put attorneys and their clients in a better position to comply with future cybersecurity laws and regulations. Recent developments in this area have generally been tied to specific industries, such as the National Institute of Standards and Technology’s recently published software security guidance for government contractors and the Security and Exchange Commission’s reported consideration of updated cyber-risk disclosure rules for public companies. However, calls for national security incident reporting legislation have been getting louder as companies struggle to navigate the existing labyrinth of state- and industry-based notice requirements. The issue of whether a national breach notification standard would help make compliance less complicated for tech lawyers now sits in the hands of Congress.
Tech Challenges Mirrored in M&A Deals
All of these hurdles, risks, and concerns are now taking center stage in M&A. Mergers and acquisitions—which, technically speaking, comprise everything from a mega-merger to a minority stake investment—are both the path for inorganic growth chosen by many large technology companies and the mode of receiving investments for growth companies. And at the moment, both M&A overall and tech sector M&A are booming. In fact, 44% of respondents to our survey reported that they work on technology-related mergers and acquisitions deals.
For deal parties in this exciting market, these areas of concern boil down to the critical matter of making sure they’re not buying, or bringing in, unexamined risks. And, of course, the diligence process involves ensuring that the data, which is itself often a key transaction asset, is transferred in compliance with all applicable laws and regulations. So in a sense, all of the privacy and cybersecurity issues normally faced by a single company or entity are not only mirrored in an M&A deal, but are also amplified by the number of parties, the complexity of the transaction structure, and the jurisdictional reach of the parties. These factors can impact the rationale for the deal and its valuation. As a consequence, M&A lawyers, the experts they hire, and the in-house lawyers they support, must all stay on top of the latest data privacy and cybersecurity developments so that they are able to design a smart due diligence process, properly detect and assess risks, and account for them in well-drafted deal agreements.
Our survey results clearly demonstrate that the same challenges and worries are impacting tech lawyers working in a wide range of practice areas. While a majority of respondents handle commercial contracts (68%), technology or technology transactions (63%), or work in corporate law (58%), a significant amount reported working on issues ranging from M&A (35%) and e-commerce (29%) to labor and employment (26%) and real estate (22%). This diversity of subject matter shows just how important privacy and cybersecurity—and their corresponding pain points—have become to attorneys, no matter what type of law they may practice.
Bloomberg Law subscribers can find guidance on software license and cloud computing agreements, data security compliance clauses, and other technology transaction matters on our Practical Guidance: Information Technology resource page.
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content or click here to view the web version of this article.