Legal Risk Mitigation Strategies and Some Current Business Litigation Risks (Technology Related) Tracy Edmundson

Business Risk Management – Generally Much of what business attorneys (and other professional service providers such as accountants, consultants, insurance brokers, etc.) do is assist businesses with identifying and mitigating risk, otherwise known as risk management. All of a company’s advisors should be coordinated in assisting the company with risk management. Business advisors should take a multi-disciplinary approach to risk management – often think of risk management solely in the context of financial impact (reserves, insurance, etc.), but is really a part of fundamental business strategy. August 23, 2018 GDPR Overview

May Break Risks Down By Business Process Product Realization Process (Engineering and R&D) Demand Creation Process (Sales and Marketing) Supply Chain Process (Vendors and AP) Production Process (Manufacturing) Order Fulfillment Process (Shipping/Fulfillment) AR Process (Receipt of Payment/Collections) Other Key Business Processes (Specific To Business) August 23, 2018 GDPR Overview

Risk Management Process Identify the Risk Analyze the Risk Evaluate (or Rank) the Risk Treat the Risk – (minimize, mitigate, deal with residual risk) Monitor and review the Risk (i.e., wash, rinse and repeat) August 23, 2018 GDPR Overview

Treat the Risk – Legal Risk Mitigation A Business Attorney’s Toolbox Contains Multiple Risk Mitigation Strategies: Corporate Organizational and Governance Structure Risk Management in Corporate Policies and Procedures Risk Allocation in Contracts Proper Role of Insurance or Hedging Legal, Regulatory, and Standards Compliance August 23, 2018 GDPR Overview

Technology Risks Are Common Technology Risks Are Among The Most Pervasive Faced By Companies Data and Systems Security Data Privacy Compliance Product and Service Delivery (meet customer requirements and expectations) Other legal, regulatory, and compliance (product and software validations, regulatory agency compliance, cross-border compliance issues) Obsolescence August 23, 2018 GDPR Overview

Risk Mitigation Strategies – Risk Allocation Risk Allocation – as between two parties, who is responsible for assuming a particular risk and what are the consequences for failure to do so; Typically allocated in a contract of some sort; Common contractual areas: Scope of Work, Description of Services, Specifications, etc. (what the parties are doing for each other) Representations and Warranties Indemnities Insurance requirements Limitations on liability, remedies, warranties, etc. Areas you might not think of – choice of law, venue and jurisdiction; (anti-) assignment provisions, confidentiality, etc. August 23, 2018 GDPR Overview

Insurance Most businesses have typical coverages – General Liability, Property/Casualty, Automobile, Worker’s Comp., D&O, Employment Risk, etc. Technology/Cyber-Liability risk coverages should be considered standard for any business. Technology-Related E&O/Products/Completed Operations – addresses risk of businesses that deliver technology related goods or services (or for which technology is embedded in their goods and services). Cyber-Liability – addresses risks related to mishandling of customer or employee data. August 23, 2018 GDPR Overview

Legal, Regulatory, and Standards Compliance Data Privacy and Security – HIPAA, SOX, State Data Privacy Regulations, FCC/FTC. Products and Services – do your products or services comply with any third-party standards, requirement of any state or federal (or international) law, or any applicable state or federal (or international) regulations. Some regulatory issues beyond privacy – many standards and regulations address details of how products and services are designed, validated, tested, monitored, and specifications of the products or services. Examples – FDA, EPA, EU, IEEE, ANSI, ISO. Compliance must be built into key business processes. August 23, 2018 GDPR Overview

Some Areas of Current Technology Risk Management Headaches BYOD – Bring your own devices; Software and Device Management – maintenance, updates and patches. Data Privacy. EDI/Vendor Management. IoT – Internet of Things. PCI-DSS Compliance (credit card processing). ADA Compliance. Trade and Tariff Risks. Export Control Licenses. August 23, 2018 GDPR Overview

ADA Compliance Is currently a “hotbed” of potential class-action litigation; Claims currently are along the lines of any business website, electronic presences, application, or software may be a “place of public accommodation” and must be accessible; Many businesses have never considered ADA Accessibility with respect to their electronic presence; No regulatory recognized standard – de facto standard is the World Wide Web Consortium’s (W3C) Web Content Accessibility Guidelines 2.0 (WCAG 2.0) at Level A and Level AA. Basically, provides for all content to be visually and audibly accessible for people with accessibility issues. August 23, 2018 GDPR Overview

IoT Internet of Things devices are becoming ubiquitous; Uses are outpacing capability to secure, monitor, track and manage the devices; Many businesses incorporate IoT devices into their goods and services without considering the underlying security, origin, reliability, etc. of the devices; Unintended consequences abound ; Will be a major area of litigation in the coming years. August 23, 2018 GDPR Overview

Trade and Tariff Trade Wars and Tariffs create potential unmanaged financial and regulatory risks. Many businesses did not factor in increased tariffs in costing/pricing methodology. Agreements can allocate risk between purchaser and supplier. Increased Customs enforcement and review of tariff codes – delayed shipments. August 23, 2018 GDPR Overview

Export Controls Have more changes in sanctions and restrictions; Definition of controlled technology is changing; Iran; Huawei; Likely more Chinese issues going forward. August 23, 2018 GDPR Overview

Questions? Thank You! August 23, 2018 GDPR Overview