Sorry for interrupting, but there is something we need to tell you...

We have updated our Cookie Policy to reflect changes in the law on cookies used on websites in Europe. This website uses cookies to maximize your experience and help us to understand how we can improve it. To find out more click here.

Cookies are text files containing small amounts of data which are downloaded to your computer, or other device, when you visit a website. Cookies allow us to recognize your computer and improve your experience on our website. Some cookies are also necessary for the technical operation of our website. Please read our Cookie Policy which provides important information about the cookies we use, how we use them and how they can be deleted. Please remember that deleting cookies may affect your experience of our website.

Show less.

Accept and hide this message
Pillsbury Pillsbury Pillsbury

Global Sourcing

White Paper Sets Out UK Government’s Brexit Strategy
Authors: Tim Wright, Samuel J. Pearse
The UK Government has published a White Paper setting out its Principles and Objectives for exiting the EU.
Human Rights and Global Supply Chains
Author: Tim Wright
Fashion retailers need to be vigilant to prevent human rights abuses in their supply chains whilst complying with their legal obligations.
Brexit Back on Track
Author: Tim Wright
Parliament debates Brexit Bill with a view to triggering departure process by end of March.
Brexit and Procurement
Author: Tim Wright
UK’s Industrial Strategy announced—new Government contracting approach will favour UK-based firms after Brexit.
Japan steps into Brexit debate with a message to the UK and the EU
Authors: Anthony P. Raven, Tim Wright
The Japanese government has stepped into the Brexit debate with an unprecedented warning to the EU and the UK, saying that Japanese inbound investment into the UK could be put at risk by Brexit particularly if withdrawal negotiations are carried out behind closed doors over a protracted period.
Cybersecurity and the Role of ERISA Fiduciaries
Authors: Susan P. Serota, Christine L. Richardson, Allen Briskin, Jessica Lutrin
The Employee Retirement Income Security Act of 1974, as amended (ERISA), protects plan participant benefits and account balances by imposing high standards of care on the plan’s fiduciaries. Fiduciaries who do not follow these standards—most notably, the protection of participant personal and plan information—may be personally liable to restore losses to the plan. Recent technological advancements, especially in the area of cybersecurity, however, have only now become the focus of most ERISA fiduciaries. Due to the increasing frequency and sophistication of cyber-related threats to employee benefit plans, their trustees and third-party plan administrators and the potential financial repercussions, compliance with ERISA fiduciary standards will require implementation of a prudent cyber risk management strategy.
Negotiating Cybersecurity Contractual Protections for Retirement Plans
Authors: Jeffrey D. Hutchings, Susan P. Serota, Jessica Lutrin

This alert also was published as a bylined article on Law360 on June 3, 2016.

The ERISA Advisory Council1 recently announced that, as part of its goals for 2016, it will be focusing on cybersecurity issues affecting retirement plans and, in particular, the extent to which such issues relate to third-party administrators and vendors (TPAs) of retirement plans. By shining the spotlight on the role of TPAs in combatting cyber-related threats to retirement plans, this announcement demonstrates that retirement plan sponsors would be well-served to proactively assess the cyber risk profiles of their retirement plans. Specifically, retirement plan sponsors should focus on developing and implementing a comprehensive and effective risk management strategy that includes, among other actions, the implementation and periodic review of contractual protections in arrangements with their plans’ TPAs.
An Overview of Cybersecurity Issues Affecting Retirement Plans
Authors: Brian E. Finch, Jeffrey D. Hutchings, Christine L. Richardson, Susan P. Serota, Jessica Lutrin

This alert also was published as a bylined article in Law360 on March 15, 2016.

Retirement plan sponsors face ever-evolving cyber-related threats to plan assets and participant personal information. To combat such threats, plan sponsors should proactively assess the third-party service providers’ ability to detect, prevent and respond to cyberattacks against the retirement plan. In order to minimize a retirement plan’s overall cyber risk profile, its sponsor(s) must implement a cyber risk management strategy, including focusing on evaluating its third-party service providers’ cybersecurity programs, performing periodic assessments of such programs, and ensuring that the retirement plan has mitigated risks from losses in the event of a cyberattack.
Agreement Reached On New EU Data Protection Laws and Major New Fines
Authors: Rafi Azim-Khan, Steven P. Farmer, Rich Jones
European Union officials finally reached agreement this week on a new European data protection regulation (Regulation) that will essentially tear up existing European laws, introduce a brand new statutory regime and potentially subject companies doing business in Europe (including U.S. businesses) to fines of up to four percent of their annual global revenue.
Cybersecurity and the Aviation Sector: Recent Incidents Highlight Unique Risks
Authors: Mike Pierides, Brian E. Finch, Rafi Azim-Khan, Steven P. Farmer
Given the range of threats and the catastrophic impact an attack could have on an airline, strategizing to reduce the risk of breaches and implementing plans to deal with them once they occur should be prioritized at board level. We consider some recent examples of cyber incidents faced by the industry.
Four Things You Should Know about New York State’s Recent Advisory Opinion on the Taxation of Software as a Service (“SaaS”)
Authors: Richard E. Nielsen, Michael J. Cataldo
On May 15, 2015, the New York State Department of Taxation and Finance released Advisory Opinion TSB-A-15(2)S which concluded that sales of certain cloud computing services are not subject to New York State sales and use tax. The Advisory Opinion is noteworthy because of the Department’s position on the taxability of licensing prewritten software.
European “Cookie Sweep” Initiative – 15 - 19 September 2014 – Is Your Website Ready?
Authors: Rafi Azim-Khan, Steven P. Farmer
The European data protection authorities will be conducting a “cookie sweep” later this month, carrying out random spot checks on websites to assess for compliance with EU “cookie” laws. Businesses should therefore be checking their websites and cookie notices now to ensure they are compliant and fix any issues. Even if you are a non-EU (e.g. US) company it may catch you.
National Cybersecurity Framework Released – Has Your Organization Considered the Implications?
Authors: Catherine D. Meyer, Meighan E. O'Reardon, Deborah S. Thoren-Peden, Amy L. Pierce
On February 12, 2014, the National Institute of Standards and Technology (“NIST”) released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework” or “Framework”) and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (the “Roadmap”). The final version is the result of a year-long development process which included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix criticized as being overly prescriptive and costly to implement in favor of a more general set of recommended privacy practices that should be “considered” by companies.
UK Amends TUPE Regulations
Authors: Tim Wright, Amina Adam
The Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE”) has been in the spotlight as part of the UK Government’s Employment Law Review. TUPE implements the EU Acquired Rights Directive (“ARD”) in the United Kingdom. Where TUPE applies, there is an automatic transfer of the employee’s employment – for the affected employees it is as if their employment contracts had originally been made with the new employer, with their continuity of service and, subject to a few exceptions, other employment rights all preserved.
Market Responses to the Affordable Care Act
As the U.S. moves toward full implementation of the Federal Affordable Care Act (ACA, also known as Obamacare), employers are seeing new challenges and opportunities in the provision of health coverage and other benefits to their employees.
UK Employment Law Reforms 2013
Authors: Tim Wright, Amina Adam
There are a number of important reforms being made to UK employment law this year, largely due to the enactment of the Enterprise and Regulatory Reform Act 2013 (“ERRA”). Many of the reforms under ERRA are being implemented over a period of time from 2013 and beyond, following a period of intensive consultation by the UK Government. Keeping track of all the proposed reforms can be a challenge. This Client Alert summarises the key reforms which have recently come into force and provides a timetable for the implementation of other key proposed reforms so that employers can start planning more effectively to accommodate the changes.
Meeting New OTC Swap Reconciliation Rules May Require Better Technology and Processes
Authors: Mike Pierides, Alistair J. Charleton
Although reconciliation of the key terms has been a best practice for over-the-counter derivative trades for some time (particularly with collateralised trades), the scale of the reconciliation exercise imposed by forthcoming regulations in the EU and U.S. has caused many market participants to undertake a fundamental review of the systems and processes in place. For many, compliance can only be achieved by utilising a third party for provision of an appropriate technology platform or an end-to-end service. With imminent compliance deadlines and the late development of the requirements themselves, functionality has understandably been the focus of any sourcing process. However, from a supply chain and outsourcing perspective, a key challenge remains the manner in which the financial services-specific regulations are applied to this type of third-party arrangement.
New Binding Corporate Rules Now Available for Data Processors
Authors: Steven P. Farmer, Simon J. Lightman, Meighan E. O'Reardon, Simon J. Lightman
In a further push towards “privacy by design,” the Article 29 Working Party, which is made up of representatives from the various EU data protection authorities, has recently approved the use of Binding Corporate Rules (“BCRs”) for international transfers of personal data by data processors effective as of January 1, 2013.
Pillsbury Global Sourcing Brochure
Better Design. Better Decisions. Better Results. Creating value isn’t easy. Creating value through strategic outsourcing is no exception. Whether the scope is regional or global, there is no single deal structure, delivery model or sourcing process that works in every situation. Pillsbury Global Sourcing tailors our approach to fit your business’ unique circumstances and goals.
Summer 2011
Post-Grant Proceedings at the Patent Office After Passage of the America Invents Act
Author: Patrick A. Doody
Pillsbury is monitoring the progress of the proposed America Invents Act (AIA) legislation being considered in the U.S. House of Representatives. Northern Virginia partner Patrick A. Doody recently presented his analysis of the proposed legislation.
January 25, 2017
Human Touch
Source: The Gulf
Author: Mike Pierides
Automation has myriad benefits but there are legal considerations to consider as artificial intelligence replaces humans.
December 20, 2016
The Rise of Automation
Source: The Oath
Author: Mike Pierides
Automation is the use of software programmes to undertake high volume and repetitive tasks, typically performed pursuant to prescribed scripts or rules. It has quickly become popular in the IT and business process outsourcing (BPO) sectors, but what legal considerations apply to automation?
IT insourcing: What do you need to know?
Source: ITProPortal
Authors: Caron Gosling, Mike Pierides
Following decades of businesses outsourcing IT functions and business processes to external suppliers, a recent trend is for some of these functions and processes to be brought back in-house, i.e. insourced. A recent IT sourcing study reports that more than a fifth of the top IT spending organizations in the UK are planning to ‘outsource less and insource more’.
The Legal View: Brexit
Only fools rush in (or out)
Source: Outsource Magazine
Author: Tim Wright
Outsource asked lawyers for their perspectives on the potential impact of Brexit in the outsourcing sector. In the first of several installments, the publication has compiled thoughts from some of the most prominent figures in outsourcing law from the UK, the rest of the EU and beyond. London-based Global Sourcing partner Tim Wright shared the following comments:
Brexit: the legal implications for procurement
Source: Supply Management
Author: Tim Wright
From a UK perspective, the English law regime governing procurement remains, for the time being, unchanged.
Transferring personal data from Europe: What it means for aviation
Source: MRO Network
Author: Steven P. Farmer
Earlier this year, the European Commission and the US Department of Commerce reached an accord on a new transatlantic data transfer protocol which it was hoped could be relied on by EU based exporters of personal data, including those in the aviation sector, to lawfully transfer data to the US.
New EU Data Laws & Cyber Security Breaches - Preparing For Change
Source: Hotel Business
Authors: Rafi Azim-Khan, Steven P. Farmer
As the volume of sensitive data that hotels store ever increases, the use of mobile devices to make and manage bookings continues to grow and cyber villains become ever more sophisticated, it is perhaps of no surprise that we hear about new instances of information theft and data loss in the hotel sector on a frequent basis.
Here’s What You Need to Know About the EU-US Privacy Shield
Source: Tech City News
Authors: Rafi Azim-Khan, Steven P. Farmer
Back in February, the European Commission and the US Department of Commerce reached an accord on a new transatlantic data transfer protocol.
Fit for purpose?
Source: Insurance Age
Author: Tim Wright
In a guest post for Insurance Age, Global Sourcing partner Tim Wright explains how different outsourcing models have their own challenges and advantages.
EU-US Privacy Shield: A viable alternative to Safe Harbour?
Authors: Rafi Azim-Khan, Steven P. Farmer
In a joint guest post, Rafi Azim-Khan, the European head of data privacy, and Steven Farmer, Counsel, for Pillsbury Law set out the reasons why cloud firms and users must tread carefully around Safe Harbour's replacement.
Piercing the bitcoin veil
Businesses should beware the risks of trading with a sanctioned entity
Source: City A.M.
Authors: Steven P. Farmer, Matthew Oresman
In January the EU and the US lifted economic and financial sanctions against Iran in a ground-breaking deal that unfroze billions of pounds of assets and opened up new markets for the first time since 2010.
The potential of RegTech and the FCA’s Call for Input
Author: Tim Wright

This article was originally published in E-Finance & Payments Law & Policy Journal on November 12, 2015.

RegTech is a financial services buzzword that essentially refers to the adoption of innovative technological solutions that are designed to enable more efficient and effective compliance with regulation. For example, RegTech solutions include activity monitoring and transaction reporting tools. Given that RegTech has the potential to be a growth area for the UK’s economy, the Financial Conduct Authority (‘FCA’) is among those now looking at it; the regulator published on 23 November a Call for Input asking how it can support RegTech’s adoption and development. Tim Wright, Partner at Pillsbury Winthrop Shaw Pittman LLP, discusses RegTech, the FCA’s Call for Input and the key questions asked.
Cybersecurity in the supply chain
Source: Outsource Magazine
Author: Tim Wright
EU data protection regulations: your responsibilities in the supply chain
Source: ITProPortal
Author: Tim Wright
New EU data protection regulations: what are the obligations for the outsourcing industry?
Source: Outsource Magazine
Author: Tim Wright
Five tips: Dealing with new EU data protection regulations
Source: Supply Management
Author: Tim Wright
Safety first when it comes to risk management
Source: Supply Management
Author: Tim Wright
Managing legal risk in the global supply chain
Source: Global Banking & Finance Review
Authors: Matthew Oresman, Tim Wright
How to prepare for the new payment card security requirements
Source: Information_Age
Author: Tim Wright
Banking Technology: Finding the Balance Between Cost-Effectiveness and Manageability
Source: Pillsbury's SourcingSpeak blog
Authors: Mike Pierides, Rich Jones
As the range of technology employed by the UK’s leading banks widens, the balance between cost-effectiveness and manageability of solutions becomes increasingly difficult to strike. Mike Pierides (Partner) and Rich Jones (Associate) from law firm Pillsbury examine some of the challenges banks face in sourcing the technology they need to stay competitive.
The Good, The Bad and The Downright Ugly of the Internet of Things
From Hacked Fridges and Baby Monitors to Cyber Security as a Crime, Big Brother and Big Data, the Internet of Things (IoT) Certainly Gets Its Fair Share of the Headlines
Source: Information Age
Author: Tim Wright

This article was originally published in Information Age on April 13, 2015.

Regulators around the world are increasingly concerned to ensure that security and privacy issues are taken seriously by device manufacturers.
March 2015
The Gathering Storm
Source: Data Centre News
Authors: Rafi Azim-Khan, Steven P. Farmer
Recent months have seen very major data protection law changes that affect not just UK or EU companies, but any companies which are deemed to be caught by ‘processing’ EU data. With data centres on the hook following these changes, Rafi Azim-Khan and Steven Farmer at Pillsbury Winthrop Shaw Pittman give an insight on what to expect.
Retailers Need to Tackle 'Inevitable' Cyber Threats
Author: Tim Wright
A recent study by IBM showed that although the number of attacks on retailers was down by 50 per cent in 2014, criminals still stole more than 61 million customer records.
Drones in UK Skies: An Increasingly Crowded Regulatory Airspace
Source: Computer Weekly
Author: Tim Wright
With drones or unmanned aerial vehicles (UAVs) becoming commonplace in the UK in both commercial and non-commercial applications, the law has been required to evolve and play catch-up.
February 2015
The U.K. Government’s Draft Codes to Clarify New Legislation on Communications Data Retention and Investigatory Powers
Source: Bloomberg BNA's World Data Protection Report
Authors: Rafi Azim-Khan, Steven P. Farmer

The U.K. government recently consulted on a proposed update of the Acquisition and Disclosure of Communications Data Code of Practice and a draft of a new Retention of Communications Data Code of Practice.

The consultation, which ran from December 9, 2014, to January 20, 2015, has now closed.
Spring 2015
‘Outsourcing Models’ for the Pharma and Biotech Industry
Source: European Pharmaceutical Contractor
Author: Tim Wright
Adopting the right model for any outsourcing is a key consideration. Typically, more time and effort needs to be invested in this key preparatory stage whereas, in practice, organisations, having made the decision to outsource, often rush headlong into engaging with potential suppliers and running the procurement phase. Ill thought out and overly complicated structures will cause the customer, in particular, problems in managing the deal over the term, often exacerbated by the original deal team moving on to new roles.
Privacy Compliance in Apps— an Important Agenda Item in 2015
Authors: Rafi Azim-Khan, Steven P. Farmer
A 2014 survey of over 1,200 of the top mobile apps in 19 countries by the Global Privacy Enforcement Network (“GPEN”) found that 85% of the apps reviewed were non-compliant, failing to provide even the most basic privacy information to users.
Supply Chain Professionals Need to Take Action on Modern Slavery
Author: Tim Wright

This article was originally published on SupplyManagement on November 24, 2014.

With reports of an increase in the number of reported victims of labour exploitation, the Home Office recently announced changes to the Modern Slavery Bill whereby large companies will be required to disclosure annually the steps taken to ensure their supply chains are “slavery free.”
How Insurance Outsourcing is Changing
Source: Global Reinsurance
Authors: Mike Pierides, Rich Jones

This article was originally published on Global Reinsurance on November 4, 2014.

The benefits of IT outsourcing are well-established, with efficiency savings and flexibility in meeting demand being key drivers of an insurer’s decision to outsource in the first place.

However, as insurers renew and update their sourcing arrangements, they need to view their key outsourcing relationships as being an integral part of their overall business strategy.
October 2014
Offshoring Health Information: Issues and Lingering Concerns
Source: American Health Lawyers Association’s Journal of Health & Life Sciences Law

Source: American Health Lawyers Association’s Journal of Health & Life Sciences Law
Authors: Allen Briskin, Gerry Hinkley, Joseph E. Kendall, Lisa C. Earl
Mobile Banking and Payments—The FCA's Thematic Review Explained
Source: Electronic Payments International
Authors: Mike Pierides, Rich Jones

This article was originally published in Electronic Payments International on October 13, 2014.

The UK’s Financial Conduct Authority issued in September a thematic review into mobile banking and payments. The report had a broad remit and covered issues ranging from consumer rights to technology and security issues. One of the five high level findings focused on how firms retain oversight and control of third parties and outsourced functions. Mike Pierides, partner, and Rich Jones, associate, within Pillsbury Winthrop Shaw Pittman’s Global Sourcing group, explain the interaction between banks and third parties, and the related risks, in the context of mobile banking.
The tweet spot
Source: Credit Today
Author: Tim Wright

This article was originally published on Credit Today on September 11, 2014.

The advent of social media has seen many financial institutions, including banks, credit card companies and payday lenders, look towards websites such as Twitter and Facebook to raise their profiles.
FCA Issues Considerations on the Procurement of Off-the-Shelf Technology Solutions
Source: Banking Technology
Authors: Mike Pierides, Simon J. Lightman

This article was originally published in Banking Technology on September 8, 2014.

The Financial Conduct Authority has recently issued a series of “considerations” for firms that are thinking about using third-party technology banking solutions. The considerations do not seek to tell firms how to structure their IT procurements but rather provide a useful framework for firms to demonstrate that their IT services are effective, resilient and secure in line with the FCA’s required outcomes. Mike Pierides, Partner, and Simon Lightman, Counsel, within Pillsbury Winthrop Shaw Pittman’s Global Sourcing group report.
Views on Right to be Forgotten, Big Data and Global Sourcing
This article was originally published in Bloomberg BNA’s Privacy Law Watch on August 22, 2014.
Source: Privacy Law Watch
Author: Brooke L. Daniels
In a landmark ruling, the European Court of Justice—the European Union’s top court—held that data subjects in the EU have the right to compel Google Inc. and other Internet search engines to remove search results linking to websites containing personal information about them.
The EU Article 29 Working Party's Guidance on the "Legitimate Interest" Ground for Processing Personal Data
This article was originally published in World Data Protection Report on June 7, 2014.
Author: Steven P. Farmer
August 2014
The U.K.’s New Data Retention and Investigatory Powers Act 2014: Affecting Communication Services Providers Based in the U.K. and Beyond
Source: Bloomberg BNA
Authors: Rafi Azim-Khan, Steven P. Farmer
The U.K. Data Retention and Investigatory Powers Act 2014 (the ‘‘DRIP Act’’) received Royal Assent on July 17, 2014, and came into force with immediate effect.
OECD Calls for Higher Focus on Outsourcing, IT and Supplier Risk
Source: Outsource Magazine
Author: Tim Wright
This article was originally published in Outsource Magazine on July 29, 2014.
March 2014
From a Sea of Data to Actionable Insights: Big Data and What it Means for Lawyers
Source: Intellectual Property & Technology Law Journal
Authors: John L. Barton, Michael Murphy
This article was originally published in 26 Intellectual Property & Technology Law Journal No. 3, March 2014, at 8.
Remain Vigilant: Managing Cybersecurity Risks in Third-Party Outsourcing Relationships
Source: Corporate Compliance Insights
Authors: Meighan E. O'Reardon, Aaron M. Oser
This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insights.
February 2014
Personal Data Transfers from the European Economic Area: Binding Corporate Rules Emerge as Increasingly Attractive Option
Source: World Data Protection Report (Bloomberg BNA)
Authors: Rafi Azim-Khan, Steven P. Farmer
This article was originally published in the February 2014, Volume 14, Number 3 issue of Bloomberg BNA's World Data Protection Report.
Repeal of Third Party Harassment Provisions in the Equality Act 2010
Authors: Tim Wright, Amina Adam
This article was originally published in on February 13, 2014.
A Contract Made in Two Places at Once?
Authors: Tim Wright, Tania Williams
This article was originally published in on February 2, 2014.
December 2013
Big Data and Cloud Solutions: Implications for Sourcing
Source: Practical Law
Authors: John L. Barton, Michael Murphy
This article was originally published in Practical Law Company's "Outsourcing Multi-Jurisdictional Guide 2013/14."
November 2013
U.K. Court of Appeal’s Award of Compensation for Distress to an Individual Following a Breach of the Data Protection Act: Opening the Floodgates for Claims by Individuals?
Source: World Data Protection Report
Authors: Steven P. Farmer
This article was published in World Data Protection Report, November 2013, published by Bloomberg BNA (
June 2013
Mobile Privacy Practices: Recent California Developments Indicate What's to Come
Source: Computer Law Review International
Authors: James Chang, Meighan E. O'Reardon, James G. Gatto
This article was originally published in the June 2013 issue of Computer Law Review International (CRi).
July 2013
Reconciliation + Regulation = Complication
Source: Risk Magazine
Authors: Mike Pierides, Alistair J. Charleton
An updated version of this article was published in the July 2013 issue of Risk.
April 2013
Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0
Source: World Data Protection Report
Authors: Rafi Azim-Khan, Steven P. Farmer
What exactly is the ‘"best" solution for an international business needing to handle and transfer personal data across borders?
October 2012
A "Perfect Storm" of Data Law Changes; Are You Ready for a 2% of Global Turnover Fine?
Authors: Rafi Azim-Khan
Recent months and the EU January announcement have seen very major data protection law changes that affect not just UK or EU companies but any companies (particularly US) which are deemed to be caught by “processing” EU data.
July 2012
The Financial Services Authority
Source: E-Finance & Payments Law & Policy
Author: Tim Wright
As part of the wider Retail Distribution Review, the Financial Services Authority recently launched a consultation which follows its August 2011 Policy Statement outlining its proposed ban on commission payments by product providers to platform providers and cash rebates to consumers. Tim Wright, a Partner at Pillsbury Winthrop Shaw Pittman LLP, reviews the new rules proposed by the FSA.
Pillsbury Pillsbury Pillsbury