Date Use Rules in Different Business Scenarios: It's All Contextual
Download as PPTX, PDF0 likes173 views
The document discusses various business scenarios related to data use and legal risks, including digital redlining and ransomware. It emphasizes the importance of collaboration between technology and legal professionals to address issues such as data ownership, privacy compliance, and the implications of big data. Additionally, it highlights the challenges posed by emerging technologies like the Internet of Things and the ongoing conflicts between data retention policies and litigation risks.
Date Use Rules in Different Business Scenarios: It's All Contextual
- 1. LA / NY / SF / DC / arentfox.com Data Use Rules in Different Business Scenarios: It’s All Contextual
- 2. Presentation Overview Corporate businesses plans lead to . . . . . . implementation of data collection and data use plans, leads to . . . . . . legal risks, calling for . . . . . . advance IT planning, and . . . litigation planning, which requires . . . – Understanding the different mindsets of Chief Technology Officer and Chief Data Officers – Collaboration between litigators and technology transaction lawyers – Understanding outsourcing and RFP process 2
- 3. Business Scenarios to be Covered 1. Digital Redlining 2. Big Box Retail Health Clinics 3. PHI on Web-Hosted Databases 4. FCC vs. FTC 5. Terrorist Activity 6. Data Breaches and Attorneys General 3
- 4. Business Scenarios (continued) 7. Ransomware 8. Supply Chains and Class Actions 9. Internet of Things and Privacy 10. Data Retention vs. Big Data 4
- 5. Data is the Asset “Big Data” is real and data analytics is improved Business uses – Better internal operations – Development of new product and services – New role for outsourcing: revenue generating vs. cost savings – Data as asset for external monetization Frenemies and data sharing Collision of privacy approaches: industrial companies vs. free-wheeling Internet companies 5
- 6. Data IP and Licenses Vexing question: who owns the data? Scope of IP protection for data Solution often = data sharing > data ownership 6
- 7. 1. Digital Redlining Hypothetical: bank wants to offer different credit cards to different applicants based on applicant qualifications Bank buys data from external data sources Repurposing of data for use different from original collection (banking vs. advertising) Problem of “bad algorithms” Litigation risk: proceedings for “redlining” 7
- 8. Digital Redlining (continued) Litigation – Prepare defenses for regulatory actions and for litigation Transactional aspects – Verify that audience and audience member attributes fit intended use – Verify third party has right to convey to banks for intended use supported by upstream data collection rights – Heavy negotiations over reps and indemnities and – Carve-outs are the yellow flags 8
- 9. Learning from Litigators Tech Transactional lawyers need to learn from litigators – Draft provisions for summary judgment – Draft for arbitrators because of prevalence in tech disputes Litigators need to be aware that SOWs, SLAs are often source of disputes and are often “inherited” from draftsman who is not a lawyer – Complicates litigation and arbitration 9
- 10. Transactional Roles for Litigators Most IT projects start with an RFP Advisable for litigator to participate in designing RFP to identify litigation risks and asks for relevant information Best if RPF maps to MSA and SOWs Collaborate with tech transactional lawyers Drafting the right arbitration clause – discovery, arbitrator qualifications and selection process, etc.) 10
- 11. 2. Big Box Health Clinics Hypo: big box retailer sets up captive hearing clinic in order to sell hearing aids Hearing doctors need transfer of health care data from hospital, but only need subset of electronic health records Problem if transfer has to be all of nothing Does HIPAA and patient’s consent form allow transfer without second consent? 11
- 12. Health Clinic (continued) Problem for retailer: difficult for hospital to identify and transfer only hearing-related medical information Patient/customer upset of prior irrelevant surgeries are disclosed Illustrates that all privacy is contextual 12
- 13. Enabling Contextual Privacy Disclosures Practical problem is that takes too long for the hospital to manually separate the relevant data Companies such as Microsoft suggest solution is to use software agents (a form of AI) But: risk of bad algorithms in AI and potential difficulty of “mining” data lake of patient electronic medical records Transaction/IT risks: need good IT integrator to deal with hospital records and outsourcing AI provider Transactions must be HIPAA compliant 13
- 14. 3. Putting PHI on Web-Hosted Databases Patient data is part of medical information posted to web-hosted databases for research or other use by third parties Does this violate consent obtained from patient – Review consent forms HIPAA implications for third party use Re-use by ongoing chain of medical research endeavors 14
- 15. 4. More Contextual Privacy: FCC vs. FTC Opt- out/Opt-in Rules D.C. Circuit upheld FCC’s reclassification of broadband Internet access services as a Title II telecommunications service in 2014 Open Internet Order Forthcoming order will govern how broadband providers collect, use, protect and share subscriber PII 15
- 16. FCC (continued) Privacy framework under consideration requires affirmative opt-in in order for broadband providers to share data with third parties This contrasts with FTC’s largely opt-out, case- by-case approach to privacy protection This will impact clients relying on data from broadband providers Clients must address that contextual privacy in context of opt-in for some and opt-out for other purposes 16
- 17. 5. Terrorist Activity Hypo: client operate digital platform Terms of use give strong privacy rights Client notices suspected terrorist activity Client wants to tell Department of Homeland Security and law enforcement Chief Privacy Officer says disclosure will violate privacy terms Solution: obtain subpoena Practical note: is a terrorist going to sue for violation of privacy terms of use? 17
- 18. Terrorism (continued) Practical note: is an alleged terrorist actually going to sue for violation of privacy terms of use? But what if the client suspicion while in good faith turns out to be wrong? – Will the “terrorist” have a cause of action notwithstanding the subpoena? 18
- 19. 6. Outsourcing, Data Breaches and AGs Many data breaches are caused by outsource vendors using technology with insufficient cybersecurity – Problems in switch from transition to steady-state operations – Problems in updates – Problems in integrating technology from a client’s multiple vendors 19
- 20. AGs (continued) Risk is that large database breach will lead to investigations and actions by state attorneys general Client may argue that it was the “victim” of the expert technology company it hired But repeated breaches undercut this argument 20
- 21. AGs (continued) Litigator’s role: – Acquire understanding of outsourcing to argue that client acted in good faith but was victim of its own expert – Explain technology to AG staff that may not understand the technology fine points to that bolster client’s position – Understand the political dimension of negotiating with the AC – Retaining the right tech and cyber experts 21
- 22. Clients and Cybersecurity Experts Which comes first, the lawyer or the forensics firm? Advising clients (and cyber firms) of the advantage of communications under attorney- client privilege Risk is that client’s IT department gets ahead of the GC’s office Litigators benefit from understanding how IT departments operate when problems arise, and how their communication with incumbent vendors can create difficulties 22
- 23. 7. Ransomware Ransomware is not a classic database breach Data locked up -- not disclosed State database breach acts not triggered and statutory notices not required Issue: insurance carrier data lawyers “on retainer” are database breach lawyers and may not be qualified for ransomware 23
- 24. Ransomware (continued) Client may need to fight to get insurance carrier to pay for non-panel lawyer If pay ransom, hope is that criminal is an honest criminal Evidence that ransomware is business is existence of websites on how to pay ransom Will be your introduction to bitcoins 24
- 25. Ransomware (continued) Who will you work with? – Cyber forensics firm – Internal IT department – IT outsource provider Transactional planning – Set up IT outsourcing to operate an backup system even if primary system is locked up – Often data not software is at risk – Role of cloud computing Footer Text 25
- 26. 8. Supply Chain and Class Actions Bad data is used in design of mass market products or process New-class products can contain bad data Result: defects in mass market products Risk: class action lawsuits Cybersecurity vs. class actions Footer Text 26
- 27. Supply Chains and Class Actions (continued) Data-related litigation planning for class actions – Class certification (State vs. Federal requirements) – Sufficiency of injury – Plan for affirmative defenses – Pre-review of insurance coverage – Consider effect on stock price – PR planning 27
- 28. 9. IoT and Privacy Does the use of the Internet of Things create risk of violation of privacy terms? Risk: cyber weakness in IoT technology Risk: data will be secure but use will exceed scope of consent Source of risks: – Vendors of small connected devices often do not bake security 28
- 29. IoT (continued) Source of risks: – Vendors of small connected devices often do not bake security into the devices – Security is not upgraded – If automated system-wide security is not technologically possible or not included, then manual upgrade process is the alternative and inherently problem laden – Networked devices can be hacked – Even if devices are secure, data can be exposed during transmission – Business benefits of IoT can inadvertently result in failure to adhere to privacy terms and use can exceed the consent obtained 29
- 30. IoT (continued) FTC guidance – In the Matter of The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things Docket No. 160331306-6306-01 – Mobile App Developers: Start with Security 30
- 31. 10. Big Data vs. Document Retention Conflict between: – GC’s goal of tailoring document (i.e., data) retention periods to minimizing litigation risk – Marketing and business teams’ goal of retaining customer and other data for long periods in order to conduct analytics of relevant data to generate revenue Issue becomes: revenue vs. litigation risk Related issue: protecting forensic analysis 31
- 32. Question and Answer William A. Tanenbaum Co-Head, Technology Transactions, Arent Fox LLP William.Tanenbaum@arentfox.com 32
- 33. William A. Tanenbaum, Arent Fox LLP William A. Tanenbaum was named as one of the Top Five IT lawyers in the country by Who’s Who Legal in 2016, and was previously named as “Lawyer of the Year” in IT in New York by US News & World Report/Best Lawyers. Chambers named Bill as one of only five lawyers in Band One in Outsourcing & Technology in New York, in Band Two nationally, and as a Leading Outsourcing Lawyer in its global edition. Legal500 found that he is a “Leading Authority” on Technology & Outsourcing. He was selection for inclusion in the inaugural edition of Who’s Who Legal: Thought Leaders 2017. Bill is a Past President of the International Technology Law Association. He is currently a Vice President of the Society for Information Management (SIM) (New York Chapter), and industry CIO organization, and the only lawyer on the Board of Directors. Clients endorse Bill as “a brilliant lawyer. I cannot imagine working with anyone else;” “brings extremely high integrity, a deep intellect, fearlessness and a practical, real-world mindset to every problem;” “efficient, solution-driven and makes excellent judgment calls” (Chambers); "one of the best IP lawyers I have worked with" and "knows exactly how to get a deal done” (Clean Tech and Who's Who Legal). 33