Arent Fox LLP. Rules for data collection, aggregation, sharing, use and protection all depend on the business and legal context. One size does not fit all.

1. LA / NY / SF / DC / arentfox.com
Data Use Rules in Different
Business Scenarios: It’s All Contextual

2. Presentation Overview
Corporate businesses plans lead to . . .
. . . implementation of data collection and data use
plans, leads to . . .
. . . legal risks, calling for . . .
. . . advance IT planning, and
. . . litigation planning, which requires . . .
– Understanding the different mindsets of Chief Technology
Officer and Chief Data Officers
– Collaboration between litigators and technology
transaction lawyers
– Understanding outsourcing and RFP process
2

3. Business Scenarios to be Covered
1. Digital Redlining
2. Big Box Retail Health Clinics
3. PHI on Web-Hosted Databases
4. FCC vs. FTC
5. Terrorist Activity
6. Data Breaches and Attorneys General
3

4. Business Scenarios (continued)
7. Ransomware
8. Supply Chains and Class Actions
9. Internet of Things and Privacy
10. Data Retention vs. Big Data
4

5. Data is the Asset
“Big Data” is real and data analytics is improved
Business uses
– Better internal operations
– Development of new product and services
– New role for outsourcing: revenue generating vs. cost
savings
– Data as asset for external monetization
Frenemies and data sharing
Collision of privacy approaches: industrial
companies vs. free-wheeling Internet companies
5

6. Data IP and Licenses
Vexing question: who owns the data?
Scope of IP protection for data
Solution often = data sharing > data
ownership
6

7. 1. Digital Redlining
Hypothetical: bank wants to offer different
credit cards to different applicants based on
applicant qualifications
Bank buys data from external data sources
Repurposing of data for use different from
original collection (banking vs. advertising)
Problem of “bad algorithms”
Litigation risk: proceedings for “redlining”
7

8. Digital Redlining (continued)
Litigation
– Prepare defenses for regulatory actions and for
litigation
Transactional aspects
– Verify that audience and audience member
attributes fit intended use
– Verify third party has right to convey to banks for
intended use supported by upstream data
collection rights
– Heavy negotiations over reps and indemnities and
– Carve-outs are the yellow flags
8

9. Learning from Litigators
Tech Transactional lawyers need to learn from
litigators
– Draft provisions for summary judgment
– Draft for arbitrators because of prevalence in tech
disputes
Litigators need to be aware that SOWs, SLAs
are often source of disputes and are often
“inherited” from draftsman who is not a lawyer
– Complicates litigation and arbitration
9

10. Transactional Roles for Litigators
Most IT projects start with an RFP
Advisable for litigator to participate in designing
RFP to identify litigation risks and asks for
relevant information
Best if RPF maps to MSA and SOWs
Collaborate with tech transactional lawyers
Drafting the right arbitration clause
– discovery, arbitrator qualifications and selection
process, etc.)
10

11. 2. Big Box Health Clinics
Hypo: big box retailer sets up captive hearing
clinic in order to sell hearing aids
Hearing doctors need transfer of health care
data from hospital, but only need subset of
electronic health records
Problem if transfer has to be all of nothing
Does HIPAA and patient’s consent form allow
transfer without second consent?
11

12. Health Clinic (continued)
Problem for retailer: difficult for hospital to
identify and transfer only hearing-related
medical information
Patient/customer upset of prior irrelevant
surgeries are disclosed
Illustrates that all privacy is contextual
12

13. Enabling Contextual Privacy Disclosures
Practical problem is that takes too long for the
hospital to manually separate the relevant data
Companies such as Microsoft suggest solution is
to use software agents (a form of AI)
But: risk of bad algorithms in AI and potential
difficulty of “mining” data lake of patient electronic
medical records
Transaction/IT risks: need good IT integrator to
deal with hospital records and outsourcing AI
provider
Transactions must be HIPAA compliant
13

14. 3. Putting PHI on Web-Hosted Databases
Patient data is part of medical information
posted to web-hosted databases for research
or other use by third parties
Does this violate consent obtained from
patient
– Review consent forms
HIPAA implications for third party use
Re-use by ongoing chain of medical research
endeavors
14

15. 4. More Contextual Privacy: FCC vs. FTC Opt-
out/Opt-in Rules
D.C. Circuit upheld FCC’s reclassification of
broadband Internet access services as a Title
II telecommunications service in 2014 Open
Internet Order
Forthcoming order will govern how broadband
providers collect, use, protect and share
subscriber PII
15

16. FCC (continued)
Privacy framework under consideration requires
affirmative opt-in in order for broadband
providers to share data with third parties
This contrasts with FTC’s largely opt-out, case-
by-case approach to privacy protection
This will impact clients relying on data from
broadband providers
Clients must address that contextual privacy in
context of opt-in for some and opt-out for other
purposes
16

17. 5. Terrorist Activity
Hypo: client operate digital platform
Terms of use give strong privacy rights
Client notices suspected terrorist activity
Client wants to tell Department of Homeland
Security and law enforcement
Chief Privacy Officer says disclosure will violate
privacy terms
Solution: obtain subpoena
Practical note: is a terrorist going to sue for
violation of privacy terms of use?
17

18. Terrorism (continued)
Practical note: is an alleged terrorist actually
going to sue for violation of privacy terms of
use?
But what if the client suspicion while in good
faith turns out to be wrong?
– Will the “terrorist” have a cause of action
notwithstanding the subpoena?
18

19. 6. Outsourcing, Data Breaches and AGs
Many data breaches are caused by outsource
vendors using technology with insufficient
cybersecurity
– Problems in switch from transition to steady-state
operations
– Problems in updates
– Problems in integrating technology from a client’s
multiple vendors
19

20. AGs (continued)
Risk is that large database breach will lead to
investigations and actions by state attorneys
general
Client may argue that it was the “victim” of the
expert technology company it hired
But repeated breaches undercut this
argument
20

21. AGs (continued)
Litigator’s role:
– Acquire understanding of outsourcing to argue
that client acted in good faith but was victim of its
own expert
– Explain technology to AG staff that may not
understand the technology fine points to that
bolster client’s position
– Understand the political dimension of negotiating
with the AC
– Retaining the right tech and cyber experts
21

22. Clients and Cybersecurity Experts
Which comes first, the lawyer or the forensics
firm?
Advising clients (and cyber firms) of the
advantage of communications under attorney-
client privilege
Risk is that client’s IT department gets ahead of
the GC’s office
Litigators benefit from understanding how IT
departments operate when problems arise, and
how their communication with incumbent vendors
can create difficulties
22

23. 7. Ransomware
Ransomware is not a classic database breach
Data locked up -- not disclosed
State database breach acts not triggered and
statutory notices not required
Issue: insurance carrier data lawyers “on
retainer” are database breach lawyers and
may not be qualified for ransomware
23

24. Ransomware (continued)
Client may need to fight to get insurance
carrier to pay for non-panel lawyer
If pay ransom, hope is that criminal is an
honest criminal
Evidence that ransomware is business is
existence of websites on how to pay ransom
Will be your introduction to bitcoins
24

25. Ransomware (continued)
Who will you work with?
– Cyber forensics firm
– Internal IT department
– IT outsource provider
Transactional planning
– Set up IT outsourcing to operate an backup
system even if primary system is locked up
– Often data not software is at risk
– Role of cloud computing
Footer Text 25

26. 8. Supply Chain and Class Actions
Bad data is used in design of mass market
products or process
New-class products can contain bad data
Result: defects in mass market products
Risk: class action lawsuits
Cybersecurity vs. class actions
Footer Text 26

27. Supply Chains and Class Actions (continued)
Data-related litigation planning for class
actions
– Class certification (State vs. Federal
requirements)
– Sufficiency of injury
– Plan for affirmative defenses
– Pre-review of insurance coverage
– Consider effect on stock price
– PR planning
27

28. 9. IoT and Privacy
Does the use of the Internet of Things create
risk of violation of privacy terms?
Risk: cyber weakness in IoT technology
Risk: data will be secure but use will exceed
scope of consent
Source of risks:
– Vendors of small connected devices often do not
bake security
28

29. IoT (continued)
Source of risks:
– Vendors of small connected devices often do not bake
security into the devices
– Security is not upgraded
– If automated system-wide security is not technologically
possible or not included, then manual upgrade process is the
alternative and inherently problem laden
– Networked devices can be hacked
– Even if devices are secure, data can be exposed during
transmission
– Business benefits of IoT can inadvertently result in
failure to adhere to privacy terms and use can exceed
the consent obtained
29

30. IoT (continued)
FTC guidance
– In the Matter of The Benefits, Challenges, and
Potential Roles for the Government in Fostering
the Advancement of the Internet of Things Docket
No. 160331306-6306-01
– Mobile App Developers: Start with Security
30

31. 10. Big Data vs. Document Retention
Conflict between:
– GC’s goal of tailoring document (i.e., data)
retention periods to minimizing litigation risk
– Marketing and business teams’ goal of retaining
customer and other data for long periods in order
to conduct analytics of relevant data to generate
revenue
Issue becomes: revenue vs. litigation risk
Related issue: protecting forensic analysis
31

32. Question and Answer
William A. Tanenbaum
Co-Head, Technology Transactions, Arent
Fox LLP
William.Tanenbaum@arentfox.com
32

33. William A. Tanenbaum, Arent Fox LLP
William A. Tanenbaum was named as one of the Top Five IT lawyers in the country
by Who’s Who Legal in 2016, and was previously named as “Lawyer of the Year”
in IT in New York by US News & World Report/Best Lawyers. Chambers named
Bill as one of only five lawyers in Band One in Outsourcing & Technology in New
York, in Band Two nationally, and as a Leading Outsourcing Lawyer in its global
edition. Legal500 found that he is a “Leading Authority” on Technology &
Outsourcing. He was selection for inclusion in the inaugural edition of Who’s Who
Legal: Thought Leaders 2017. Bill is a Past President of the International
Technology Law Association. He is currently a Vice President of the Society for
Information Management (SIM) (New York Chapter), and industry CIO
organization, and the only lawyer on the Board of Directors.
Clients endorse Bill as “a brilliant lawyer. I cannot imagine working with anyone
else;” “brings extremely high integrity, a deep intellect, fearlessness and a
practical, real-world mindset to every problem;” “efficient, solution-driven and
makes excellent judgment calls” (Chambers); "one of the best IP lawyers I have
worked with" and "knows exactly how to get a deal done” (Clean Tech and Who's
Who Legal).
33