data use rules in different business scenarios: it's all contextual

LA / NY / SF / DC / arentfox.com
Data Use Rules in Different Business Scenarios: It’s All Contextual
William A. Tanenbaum
Co-Head, Technology Transactions

Upload: william-tanenbaum

Post on 17-Feb-2017


Category:

Law





Presentation Overview

Corporate business plans lead to . . .
. . . implementation of data collection and data use plans, which leads to . . .
. . . legal risks, calling for . . .
. . . advance IT planning, and . . .
. . . litigation planning, which requires . . .
– Understanding the different mindsets of Chief Technology Officers and Chief Data Officers
– Collaboration between litigators and technology transaction lawyers
– Understanding outsourcing and RFP process


Business Scenarios to be Covered

1. Digital Redlining
2. Big Box Retail Health Clinics
3. PHI on Web-Hosted Databases
4. FCC vs. FTC
5. Terrorist Activity
6. Data Breaches and Attorneys General


Business Scenarios (continued)

7. Ransomware
8. Supply Chains and Class Actions
9. Internet of Things and Privacy
10. Data Retention vs. Big Data


Data is the Asset

“Big Data” is real and data analytics is improved
Business uses
– Better internal operations
– Development of new products and services
– New role for outsourcing: revenue generating vs. cost savings
– Data as asset for external monetization
Frenemies and data sharing
Collision of privacy approaches: industrial companies vs. free-wheeling Internet companies


Data IP and Licenses

Vexing question: who owns the data?
Scope of IP protection for data
Solution often = data sharing > data ownership


1. Digital Redlining

Hypothetical: bank wants to offer different credit cards to different applicants based on applicant qualifications
Bank buys data from external data sources
Repurposing of data for use different from original collection (banking vs. advertising)
Problem of “bad algorithms”
Litigation risk: proceedings for “redlining”


Digital Redlining (continued)

Litigation
– Prepare defenses for regulatory actions and for litigation
Transactional aspects
– Verify that audience and audience member attributes fit intended use
– Verify third party has right to convey to banks for intended use supported by upstream data collection rights
– Heavy negotiations over reps and indemnities and
– Carve-outs are the yellow flags


Learning from Litigators

Tech Transactional lawyers need to learn from litigators
– Draft provisions for summary judgment
– Draft for arbitrators because of prevalence in tech disputes
Litigators need to be aware that SOWs, SLAs are often source of disputes and are often “inherited” from draftsman who is not a lawyer
– Complicates litigation and arbitration


Transactional Roles for Litigators

Most IT projects start with an RFP
Advisable for litigator to participate in designing RFP to identify litigation risks and ask for relevant information
Best if RFP maps to MSA and SOWs
Collaborate with tech transactional lawyers
Drafting the right arbitration clause
– (discovery, arbitrator qualifications and selection process, etc.)


2. Big Box Health Clinics

Hypo: big box retailer sets up captive hearing clinic in order to sell hearing aids
Hearing doctors need transfer of health care data from hospital, but only need subset of electronic health records
Problem if transfer has to be all or nothing
Do HIPAA and patient’s consent form allow transfer without second consent?


Health Clinic (continued)

Problem for retailer: difficult for hospital to identify and transfer only hearing-related medical information
Patient/customer upset if prior irrelevant surgeries are disclosed
Illustrates that all privacy is contextual


Enabling Contextual Privacy Disclosures

Practical problem is that it takes too long for the hospital to manually separate the relevant data
Companies such as Microsoft suggest solution is to use software agents (a form of AI)
But: risk of bad algorithms in AI and potential difficulty of “mining” data lake of patient electronic medical records
Transaction/IT risks: need good IT integrator to deal with hospital records and outsourcing AI provider
Transactions must be HIPAA compliant


3. Putting PHI on Web-Hosted Databases

Patient data is part of medical information posted to web-hosted databases for research or other use by third parties
Does this violate consent obtained from patient?
– Review consent forms
HIPAA implications for third party use
Re-use by ongoing chain of medical research endeavors


4. More Contextual Privacy: FCC vs. FTC Opt-out/Opt-in Rules

D.C. Circuit upheld FCC’s reclassification of broadband Internet access services as a Title II telecommunications service in 2014 Open Internet Order
Forthcoming order will govern how broadband providers collect, use, protect and share subscriber PII


FCC (continued)

Privacy framework under consideration requires affirmative opt-in in order for broadband providers to share data with third parties
This contrasts with FTC’s largely opt-out, case-by-case approach to privacy protection
This will impact clients relying on data from broadband providers
Clients must address contextual privacy in the context of opt-in for some purposes and opt-out for others


5. Terrorist Activity

Hypo: client operates a digital platform
Terms of use give strong privacy rights
Client notices suspected terrorist activity
Client wants to tell Department of Homeland Security and law enforcement
Chief Privacy Officer says disclosure will violate privacy terms
Solution: obtain subpoena
Practical note: is a terrorist going to sue for violation of privacy terms of use?


Terrorism (continued)

Practical note: is an alleged terrorist actually going to sue for violation of privacy terms of use?
But what if the client’s suspicion, while in good faith, turns out to be wrong?
– Will the “terrorist” have a cause of action notwithstanding the subpoena?


6. Outsourcing, Data Breaches and AGs

Many data breaches are caused by outsource vendors using technology with insufficient cybersecurity
– Problems in switch from transition to steady-state operations
– Problems in updates
– Problems in integrating technology from a client’s multiple vendors


AGs (continued)

Risk is that large database breach will lead to investigations and actions by state attorneys general
Client may argue that it was the “victim” of the expert technology company it hired
But repeated breaches undercut this argument


AGs (continued)

Litigator’s role:
– Acquire understanding of outsourcing to argue that client acted in good faith but was victim of its own expert
– Explain technology to AG staff that may not understand the technology fine points that bolster client’s position
– Understand the political dimension of negotiating with the AG
– Retaining the right tech and cyber experts


Clients and Cybersecurity Experts

Which comes first, the lawyer or the forensics firm?
Advising clients (and cyber firms) of the advantage of communications under attorney-client privilege
Risk is that client’s IT department gets ahead of the GC’s office
Litigators benefit from understanding how IT departments operate when problems arise, and how their communication with incumbent vendors can create difficulties


7. Ransomware

Ransomware is not a classic database breach
Data locked up -- not disclosed
State database breach acts not triggered and statutory notices not required
Issue: insurance carrier data lawyers “on retainer” are database breach lawyers and may not be qualified for ransomware


Ransomware (continued)

Client may need to fight to get insurance carrier to pay for non-panel lawyer
If pay ransom, hope is that criminal is an honest criminal
Evidence that ransomware is a business is existence of websites on how to pay ransom
Will be your introduction to bitcoins


Ransomware (continued)

Who will you work with?
– Cyber forensics firm
– Internal IT department
– IT outsource provider
Transactional planning
– Set up IT outsourcing to operate a backup system even if primary system is locked up
– Often data not software is at risk
– Role of cloud computing


8. Supply Chain and Class Actions

Bad data is used in design of mass market products or process
New-class products can contain bad data
Result: defects in mass market products
Risk: class action lawsuits
Cybersecurity vs. class actions


Supply Chains and Class Actions (continued)

Data-related litigation planning for class actions
– Class certification (State vs. Federal requirements)
– Sufficiency of injury
– Plan for affirmative defenses
– Pre-review of insurance coverage
– Consider effect on stock price
– PR planning


9. IoT and Privacy

Does the use of the Internet of Things create risk of violation of privacy terms?
Risk: cyber weakness in IoT technology
Risk: data will be secure but use will exceed scope of consent
Source of risks:
– Vendors of small connected devices often do not bake security


IoT (continued)

Source of risks:
– Vendors of small connected devices often do not bake security into the devices
– Security is not upgraded
– If automated system-wide security is not technologically possible or not included, then manual upgrade process is the alternative and inherently problem laden
– Networked devices can be hacked
– Even if devices are secure, data can be exposed during transmission
– Business benefits of IoT can inadvertently result in failure to adhere to privacy terms and use can exceed the consent obtained


IoT (continued)

FTC guidance
– In the Matter of The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things, Docket No. 160331306-6306-01
– Mobile App Developers: Start with Security


10. Big Data vs. Document Retention

Conflict between:
– GC’s goal of tailoring document (i.e., data) retention periods to minimize litigation risk
– Marketing and business teams’ goal of retaining customer and other data for long periods in order to conduct analytics of relevant data to generate revenue
Issue becomes: revenue vs. litigation risk
Related issue: protecting forensic analysis


Question and Answer

William A. Tanenbaum
Co-Head, Technology Transactions, Arent Fox


William A. Tanenbaum, Arent Fox LLP

William A. Tanenbaum was named as one of the Top Five IT lawyers in the country by Who’s Who Legal in 2016, and was previously named as “Lawyer of the Year” in IT in New York by US News & World Report/Best Lawyers. Chambers named Bill as one of only five lawyers in Band One in Outsourcing & Technology in New York, in Band Two nationally, and as a Leading Outsourcing Lawyer in its global edition. Legal500 found that he is a “Leading Authority” on Technology & Outsourcing. He was selected for inclusion in the inaugural edition of Who’s Who Legal: Thought Leaders 2017. Bill is a Past President of the International Technology Law Association. He is currently a Vice President of the Society for Information Management (SIM) (New York Chapter), an industry CIO organization, and the only lawyer on the Board of Directors.

Clients endorse Bill as “a brilliant lawyer. I cannot imagine working with anyone else;” “brings extremely high integrity, a deep intellect, fearlessness and a practical, real-world mindset to every problem;” “efficient, solution-driven and makes excellent judgment calls” (Chambers); "one of the best IP lawyers I have worked with" and "knows exactly how to get a deal done” (Clean Tech and Who's Who Legal).