This document provides an overview of William A. Tanenbaum's presentation on data use rules in different business scenarios. It discusses 10 scenarios involving issues like digital redlining, health data privacy, data breaches, ransomware, supply chain risks, and the internet of things. For each scenario, it outlines the relevant legal and transactional risks, such as litigation risks, regulatory actions, contractual issues, and privacy compliance. It emphasizes that privacy is contextual and depends on the specific business uses and types of data involved. It also discusses collaboration between lawyers to address these challenges.
Data Use Rules in Different Business Scenarios: It's All Contextual
William Tanenbaum
Arent Fox LLP. Rules for data collection, aggregation, sharing, use and protection all depend on the business and legal context. One size does not fit all.
All privacy is contextual. Likewise, the legal rules for collecting, aggregating, sharing and protecting data, including through IP, are specific to the context. One size does not fit all.
As the platform Enhanced Contact Tracing (ECT) was founded on, i2 can help contact tracing teams ingest both unstructured and structured data, perform automated analysis, and increase analysts' productivity and effectiveness by collating COVID-19 information.
Quick Start Guide to IT Security for Businesses
CompTIA
IT security is constantly changing, which means it can be hard for businesses to keep up. This guide from CompTIA educates IT solution providers on the importance of providing clients with up-to-date IT security, identifies the risks of inadequate or poor security, and examines the technology shifts and factors affecting security in the workplace.
Bill Waites
Forensic Expert Witness & Consultant
Patents, Software Development Life Cycle, Project Management, Information Technology, Business Processes and Methods, Transactions, Software, IT Applications, Contract Deliverables and Breach, Commercial Litigation, Computers, CAD/CAM, Sensor Based Automated Systems, Internet, Email, E-Discovery, Industry Business Applications, Outsourcing, Radio Frequency Identification – RFID chips
Mental Health and Crime
A PIL in the Supreme Court raises some complex questions, including how can culpability be assessed for sentencing those with mental illnesses By Professor Upendra Baxi
Gowlings - November 12, 2014
In an ever-increasing digital world, all businesses face challenges in managing and protecting sensitive and confidential information. In this presentation Gowlings and Marsh Canada Limited addressed best practices for responding to a cyber breach, and what types of insurance may be available to respond to such a loss. Topics included:
• Trends, and the evolution of cyber insurance/products
• The D&O connection, cyber is a strategic business risk
• Risk Management Strategies
• Best Practices in Breach Response.
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Eryk Budi Pratama
Presented at APTIKNAS (Indonesia ICT Business Association) DKI Jakarta regular webinar.
Title: Data Loss Prevention: Fundamental Concept in Enabling DLP System
2 July 2020
Legal challenges for big data companies
Roger Royse
This powerpoint is on legal challenges for big data vendors. The challenges include issues regarding data privacy and security, compliance, and service level guarantees.
Defining a Legal Strategy ... The Value in Early Case Assessment
Aubrey Owens
Early Case Assessment provides the framework for litigators to identify and analyze electronically stored information in response to a litigation hold and/or discovery request.
Property & Casualty: Deterring Claims Leakage in the Digital Age
Cognizant
For property and casualty insurers, the persistent and vexing problem of claims leakage can be effectively curtailed by applying digital technology with cutting-edge clarity.
Wake-Up Call (Current IT Security Scenario of Nepal-2014)
Bijay Senihang
With the rise of IT-related business, there is always a rise in IT security risk. A presentation by Bijay Limbu Senihang regarding the current IT security scenario of Nepal.
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.
Fog Computing is a paradigm that extends Cloud computing and services to the edge of the network. Similar to Cloud, Fog provides data, compute, storage, and application services to end-users. The motivation of Fog computing lies in a series of real scenarios, such as Smart Grid, smart traffic lights in vehicular networks and software defined networks.
The Most Wonderful Time of the Year for Health-IT...NOT
Compliancy Group
The Compliancy Group offers FREE HIPAA education with industry experts from across the industry. This month's webinar with Axis Technology focuses on Health IT and the challenges that come with it. Register for our upcoming webinars at www.compliancy-group.com/webinar
Presentation to the Texas Bar CLE program on Contract Drafting, Review and Negotiation on December 5, 2017 in Austin, Texas, by Cybersecurity & Data Privacy Attorney Shawn Tuma, on October 19, 2017. For more information visit www.businesscyberrisk.com
Legal Issues Associated with Third-Party Cyber Risk
Shawn Tuma
Cybersecurity & Data Privacy Attorney Shawn Tuma delivered the presentation Legal Issues Associated with Third-Party Risk at the ISACA CSX 2017 North America conference in Washington, DC.
California Consumer Protection Act (CCPA) is one such law that empowers the residents of California, United States to have enhanced privacy rights & consumer protection. It is the most comprehensive US state privacy law to date.
the Defense Department and General Services Administration report on improving cyber security and resilience through acquisition. This report, developed as part of the President’s Executive Order on Cyber Security, forms the baseline for a fundamental shift in federal procurement policy. In short, going forward cyber security is going to be a core consideration in federal procurements. Contractors will likely find cyber security obligations embedded in their contracts, and may even find themselves excluded from the procurement process if certain cyber security benchmarks are not met.
The report spells out six key recommendations:
1) Institute Baseline Cybersecurity Requirements as a Condition of Contract Award for Appropriate Acquisitions
2) Address Cybersecurity in Relevant Training
3) Develop Common Cybersecurity Definitions for Federal Acquisitions
4) Institute a Federal Acquisition Cyber Risk Management Strategy
5) Include a Requirement to Purchase from Original Equipment Manufacturers, Their Authorized Resellers, or Other “Trusted” Sources, Whenever Available, in Appropriate Acquisitions
6) Increase Government Accountability for Cyber Risk Management
Chapter 3: Evaluating Risk
Terms
Risk
How likely this is to happen and how badly it will hurt.
Disaster
An event that disrupts a critical business function
Business Interruption
Something that disrupts the normal flow of business operations.
Attributes of Risk
Risk
Predictability
Location
Impact
Advanced Warning
Time of Day
Scope
Day of Week
Likelihood
Risk Analysis
Process that identifies the probable threats to your business
Analysis used as basis for assessment later in the process
Assessment compares risk analysis to what you have in place
Begins with determining what are essential functions to business
Scope
Determined by the potential damage and/or cost
Cost of downtime
Cost of lost opportunity
Five Layers of Risk
External Risk
Risk to local facility
Data systems
Individual department
Own workstation
External Risk
Natural Disaster
Fire
Hurricanes
Storms
Earthquake
Tornado
Civil Risk
Riots
Labor Disputes
Manufactured Risk
Industrial Sites
Transportation
Facility-wide Risk
Electricity
Telephones
Water
Climate Control
Data Network
Data Systems
Data Communication Network
Telecomm System
Data Systems
Shared computers and LANs
Viruses
Departmental Risk
Key Operating Equipment
Lack of Data Systems
Vital Records
Desk’s risk
Determine Tools Used
Locked Down?
Severity of Risk
Time of Day
Day of Week
Location
Making the Assessment
Scoring
Sorting
Analyze the data
Summary
Determine cost of downtime
Identify risks at five layers
Determine impact of risk
Identify outside sources
Prioritize risks
Q. Perform a search on the Web for articles and stories about social engineering attacks or reverse social engineering attacks. Find an attack that was successful and describe how it could have been prevented.
Social engineering, in the field of cyber-attacks and security systems, refers to the psychological manipulation of people into performing actions or misusing confidential information. It largely involves human interaction and manipulating people into breaking security procedures and company practices/rules in order to breach security networks and computer systems or obtain financial documents when not supposed to.
To discuss it at large, the recent social engineering attack I found is one where the victim is the giant retail company in the United States called Target Corporation. Target is the 8th largest retail company in North America. The incident happened at Target's point of sale systems in the year 2013. The incident enabled hackers to gain access to a sum of 40 million user credit and debit card information. So, it is pretty huge.
The incident happened because Target had given remote access to its network, including payment (which should be secure and isolated from other networks), to its air conditioning vendor, Fazio Mechanical Services. The hackers tried with phishing ema ...
Navigating Risk In Data & Technology Transactions
MMMTechLaw
Presentation: Negotiating risk management terms for data & technology contracts.
The information herein is presented for educational and informational purposes and is not intended to constitute legal advice. Additional information is at www.mmmtechlaw.com/privacy-policy-and-disclaimer/ .
David WITH Goliath: How Big Companies Do Deals with Small Cloud and Social Me...
William Tanenbaum
Conventional deal structures do not always work when big companies engage small cloud and social media companies as part of marketing and digital business. To go live you need to go smart. Legal documents need to enable, not delay. Due diligence is important: Are you picking a winner or a loser? Would you invest in this company? Is security baked in or will you be subject to a privacy breach and a reputational hit? Are the investors in it for the long haul or are they taking a flier?
Social Business = Cloud + Big Data + Social Media + Mobile Computing
William Tanenbaum
Cloud Computing is an inflection point, and is the technology that enables Big Data and predictive analytics. In combination with Big Data, Social Media and Mobile Computing, it constitutes how mainstream businesses use Cloud
In 2020, the Ministry of Home Affairs established a committee led by Prof. (Dr.) Ranbir Singh, former Vice Chancellor of National Law University (NLU), Delhi. This committee was tasked with reviewing the three codes of criminal law. The primary objective of the committee was to propose comprehensive reforms to the country’s criminal laws in a manner that is both principled and effective.
The committee’s focus was on ensuring the safety and security of individuals, communities, and the nation as a whole. Throughout its deliberations, the committee aimed to uphold constitutional values such as justice, dignity, and the intrinsic value of each individual. Their goal was to recommend amendments to the criminal laws that align with these values and priorities.
Subsequently, in February, the committee successfully submitted its recommendations regarding amendments to the criminal law. These recommendations are intended to serve as a foundation for enhancing the current legal framework, promoting safety and security, and upholding the constitutional principles of justice, dignity, and the inherent worth of every individual.
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel
Thomas (Tom) Jasper
Military Commissions Trial Judiciary, Guantanamo Bay, Cuba. Notice of the Chief Defense Counsel's detailing of LtCol Thomas F. Jasper, Jr. USMC, as Detailed Defense Counsel for Abd Al Hadi Al-Iraqi on 6 August 2014 in the case of United States v. Hadi al Iraqi (10026)
WINDING UP of COMPANY, Modes of Dissolution
KHURRAMWALI
Winding up, also known as liquidation, refers to the legal and financial process of dissolving a company. It involves ceasing operations, selling assets, settling debts, and ultimately removing the company from the official business registry.
Here's a breakdown of the key aspects of winding up:
Reasons for Winding Up:
Insolvency: This is the most common reason, where the company cannot pay its debts. Creditors may initiate a compulsory winding up to recover their dues.
Voluntary Closure: The owners may decide to close the company due to reasons like reaching business goals, facing losses, or merging with another company.
Deadlock: If shareholders or directors cannot agree on how to run the company, a court may order a winding up.
Types of Winding Up:
Voluntary Winding Up: This is initiated by the company's shareholders through a resolution passed by a majority vote. There are two main types:
Members' Voluntary Winding Up: The company is solvent (has enough assets to pay off its debts) and shareholders will receive any remaining assets after debts are settled.
Creditors' Voluntary Winding Up: The company is insolvent and creditors will be prioritized in receiving payment from the sale of assets.
Compulsory Winding Up: This is initiated by a court order, typically at the request of creditors, government agencies, or even by the company itself if it's insolvent.
Process of Winding Up:
Appointment of Liquidator: A qualified professional is appointed to oversee the winding-up process. They are responsible for selling assets, paying off debts, and distributing any remaining funds.
Cease Trading: The company stops its regular business operations.
Notification of Creditors: Creditors are informed about the winding up and invited to submit their claims.
Sale of Assets: The company's assets are sold to generate cash to pay off creditors.
Payment of Debts: Creditors are paid according to a set order of priority, with secured creditors receiving payment before unsecured creditors.
Distribution to Shareholders: If there are any remaining funds after all debts are settled, they are distributed to shareholders according to their ownership stake.
Dissolution: Once all claims are settled and distributions made, the company is officially dissolved and removed from the business register.
Impact of Winding Up:
Employees: Employees will likely lose their jobs during the winding-up process.
Creditors: Creditors may not recover their debts in full, especially if the company is insolvent.
Shareholders: Shareholders may not receive any payout if the company's debts exceed its assets.
Winding up is a complex legal and financial process that can have significant consequences for all parties involved. It's important to seek professional legal and financial advice when considering winding up a company.
Responsibilities of the office bearers while registering multi-state cooperat...
Finlaw Consultancy Pvt Ltd
Introduction
The process of registering a multi-state cooperative society in India is governed by the Multi-State Co-operative Societies Act, 2002. This process requires the office bearers to undertake several crucial responsibilities to ensure compliance with legal and regulatory frameworks. The key office bearers typically include the President, Secretary, and Treasurer, along with other elected members of the managing committee. Their responsibilities encompass administrative, legal, and financial duties essential for the successful registration and operation of the society.
How to Obtain Permanent Residency in the Netherlands
BridgeWest.eu
You can rely on our assistance if you are ready to apply for permanent residency. Find out more at: https://immigration-netherlands.com/obtain-a-permanent-residence-permit-in-the-netherlands/.
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx
anvithaav
These slides help students of international law understand the nature of international law and how international law originated and developed.
The slides are well structured, with highlighted points for better understanding.
A "File Trademark" is a legal term referring to the registration of a unique symbol, logo, or name used to identify and distinguish products or services. This process provides legal protection, granting exclusive rights to the trademark owner, and helps prevent unauthorized use by competitors.
Visit Now: https://www.tumblr.com/trademark-quick/751620857551634432/ensure-legal-protection-file-your-trademark-with?source=share
Data Use Rules in Different Business Scenarios: It's All Contextual
1. LA / NY / SF / DC / arentfox.com
Data Use Rules in Different Business Scenarios: It’s All Contextual
William A. Tanenbaum, Co-Head, Technology Transactions
2. Presentation Overview
Corporate business plans lead to . . .
. . . implementation of data collection and data use plans, which leads to . . .
. . . legal risks, calling for . . .
. . . advance IT planning, and
. . . litigation planning, which requires . . .
– Understanding the different mindsets of Chief Technology Officers and Chief Data Officers
– Collaboration between litigators and technology transaction lawyers
– Understanding outsourcing and RFP process
3. Business Scenarios to be Covered
1. Digital Redlining
2. Big Box Retail Health Clinics
3. PHI on Web-Hosted Databases
4. FCC vs. FTC
5. Terrorist Activity
6. Data Breaches and Attorneys General
4. Business Scenarios (continued)
7. Ransomware
8. Supply Chains and Class Actions
9. Internet of Things and Privacy
10. Data Retention vs. Big Data
5. Data is the Asset
“Big Data” is real and data analytics is improved
Business uses
– Better internal operations
– Development of new products and services
– New role for outsourcing: revenue generating vs. cost savings
– Data as asset for external monetization
Frenemies and data sharing
Collision of privacy approaches: industrial companies vs. free-wheeling Internet companies
6. Data IP and Licenses
Vexing question: who owns the data?
Scope of IP protection for data
Solution often = data sharing > data ownership
7. 1. Digital Redlining
Hypothetical: bank wants to offer different credit cards to different applicants based on applicant qualifications
Bank buys data from external data sources
Repurposing of data for use different from original collection (banking vs. advertising)
Problem of “bad algorithms”
Litigation risk: proceedings for “redlining”
8. Digital Redlining (continued)
Litigation
– Prepare defenses for regulatory actions and for litigation
Transactional aspects
– Verify that audience and audience member attributes fit intended use
– Verify third party has right to convey to banks for intended use supported by upstream data collection rights
– Heavy negotiations over reps and indemnities and
– Carve-outs are the yellow flags
9. Learning from Litigators
Tech Transactional lawyers need to learn from litigators
– Draft provisions for summary judgment
– Draft for arbitrators because of prevalence in tech disputes
Litigators need to be aware that SOWs, SLAs are often source of disputes and are often “inherited” from draftsman who is not a lawyer
– Complicates litigation and arbitration
10. Transactional Roles for Litigators
Most IT projects start with an RFP
Advisable for litigator to participate in designing RFP to identify litigation risks and ask for relevant information
Best if RFP maps to MSA and SOWs
Collaborate with tech transactional lawyers
Drafting the right arbitration clause
– (discovery, arbitrator qualifications and selection process, etc.)
11. 2. Big Box Health Clinics
Hypo: big box retailer sets up captive hearing clinic in order to sell hearing aids
Hearing doctors need transfer of health care data from hospital, but only need subset of electronic health records
Problem if transfer has to be all or nothing
Do HIPAA and patient’s consent form allow transfer without second consent?
12. Health Clinic (continued)
Problem for retailer: difficult for hospital to identify and transfer only hearing-related medical information
Patient/customer upset if prior irrelevant surgeries are disclosed
Illustrates that all privacy is contextual
13. Enabling Contextual Privacy Disclosures
Practical problem is that it takes too long for the hospital to manually separate the relevant data
Companies such as Microsoft suggest solution is to use software agents (a form of AI)
But: risk of bad algorithms in AI and potential difficulty of “mining” data lake of patient electronic medical records
Transaction/IT risks: need good IT integrator to deal with hospital records and outsourcing AI provider
Transactions must be HIPAA compliant
14. 3. Putting PHI on Web-Hosted Databases
Patient data is part of medical information posted to web-hosted databases for research or other use by third parties
Does this violate consent obtained from patient?
– Review consent forms
HIPAA implications for third party use
Re-use by ongoing chain of medical research endeavors
15. 4. More Contextual Privacy: FCC vs. FTC Opt-out/Opt-in Rules
D.C. Circuit upheld FCC’s reclassification of broadband Internet access services as a Title II telecommunications service in 2014 Open Internet Order
Forthcoming order will govern how broadband providers collect, use, protect and share subscriber PII
16. FCC (continued)
Privacy framework under consideration requires affirmative opt-in in order for broadband providers to share data with third parties
This contrasts with FTC’s largely opt-out, case-by-case approach to privacy protection
This will impact clients relying on data from broadband providers
Clients must address contextual privacy in context of opt-in for some and opt-out for other purposes
17. 5. Terrorist Activity
Hypo: client operates digital platform
Terms of use give strong privacy rights
Client notices suspected terrorist activity
Client wants to tell Department of Homeland Security and law enforcement
Chief Privacy Officer says disclosure will violate privacy terms
Solution: obtain subpoena
Practical note: is a terrorist going to sue for violation of privacy terms of use?
18. Terrorism (continued)
Practical note: is an alleged terrorist actually going to sue for violation of privacy terms of use?
But what if the client’s suspicion, while in good faith, turns out to be wrong?
– Will the “terrorist” have a cause of action notwithstanding the subpoena?
19. 6. Outsourcing, Data Breaches and AGs
Many data breaches are caused by outsource vendors using technology with insufficient cybersecurity
– Problems in switch from transition to steady-state operations
– Problems in updates
– Problems in integrating technology from a client’s multiple vendors
20. AGs (continued)
Risk is that large database breach will lead to investigations and actions by state attorneys general
Client may argue that it was the “victim” of the expert technology company it hired
But repeated breaches undercut this argument
21. AGs (continued)
Litigator’s role:
– Acquire understanding of outsourcing to argue that client acted in good faith but was victim of its own expert
– Explain technology to AG staff that may not understand the technology fine points to bolster client’s position
– Understand the political dimension of negotiating with the AG
– Retaining the right tech and cyber experts
22. Clients and Cybersecurity Experts
Which comes first, the lawyer or the forensics firm?
Advising clients (and cyber firms) of the advantage of communications under attorney-client privilege
Risk is that client’s IT department gets ahead of the GC’s office
Litigators benefit from understanding how IT departments operate when problems arise, and how their communication with incumbent vendors can create difficulties
23. 7. Ransomware
Ransomware is not a classic database breach
Data locked up -- not disclosed
State database breach acts not triggered and statutory notices not required
Issue: insurance carrier data lawyers “on retainer” are database breach lawyers and may not be qualified for ransomware
24. Ransomware (continued)
Client may need to fight to get insurance carrier to pay for non-panel lawyer
If pay ransom, hope is that criminal is an honest criminal
Evidence that ransomware is a business is existence of websites on how to pay ransom
Will be your introduction to bitcoins
25. Ransomware (continued)
Who will you work with?
– Cyber forensics firm
– Internal IT department
– IT outsource provider
Transactional planning
– Set up IT outsourcing to operate a backup system even if primary system is locked up
– Often data not software is at risk
– Role of cloud computing
26. 8. Supply Chain and Class Actions
Bad data is used in design of mass market products or process
New-class products can contain bad data
Result: defects in mass market products
Risk: class action lawsuits
Cybersecurity vs. class actions
27. Supply Chains and Class Actions (continued)
Data-related litigation planning for class actions
– Class certification (State vs. Federal requirements)
– Sufficiency of injury
– Plan for affirmative defenses
– Pre-review of insurance coverage
– Consider effect on stock price
– PR planning
28. 9. IoT and Privacy
Does the use of the Internet of Things create risk of violation of privacy terms?
Risk: cyber weakness in IoT technology
Risk: data will be secure but use will exceed scope of consent
Source of risks:
– Vendors of small connected devices often do not bake security
29. IoT (continued)
Source of risks:
– Vendors of small connected devices often do not bake security into the devices
– Security is not upgraded
– If automated system-wide security is not technologically possible or not included, then manual upgrade process is the alternative and inherently problem laden
– Networked devices can be hacked
– Even if devices are secure, data can be exposed during transmission
– Business benefits of IoT can inadvertently result in failure to adhere to privacy terms and use can exceed the consent obtained
30. IoT (continued)
FTC guidance
– In the Matter of The Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things, Docket No. 160331306-6306-01
– Mobile App Developers: Start with Security
31. 10. Big Data vs. Document Retention
Conflict between:
– GC’s goal of tailoring document (i.e., data) retention periods to minimize litigation risk
– Marketing and business teams’ goal of retaining customer and other data for long periods in order to conduct analytics of relevant data to generate revenue
Issue becomes: revenue vs. litigation risk
Related issue: protecting forensic analysis
32. Question and Answer
William A. Tanenbaum
Co-Head, Technology Transactions, Arent Fox LLP
William.Tanenbaum@arentfox.com
33. William A. Tanenbaum, Arent Fox LLP
William A. Tanenbaum was named as one of the Top Five IT lawyers in the country by Who’s Who Legal in 2016, and was previously named as “Lawyer of the Year” in IT in New York by US News & World Report/Best Lawyers. Chambers named Bill as one of only five lawyers in Band One in Outsourcing & Technology in New York, in Band Two nationally, and as a Leading Outsourcing Lawyer in its global edition. Legal500 found that he is a “Leading Authority” on Technology & Outsourcing. He was selected for inclusion in the inaugural edition of Who’s Who Legal: Thought Leaders 2017. Bill is a Past President of the International Technology Law Association. He is currently a Vice President of the Society for Information Management (SIM) (New York Chapter), an industry CIO organization, and the only lawyer on the Board of Directors.
Clients endorse Bill as “a brilliant lawyer. I cannot imagine working with anyone else;” “brings extremely high integrity, a deep intellect, fearlessness and a practical, real-world mindset to every problem;” “efficient, solution-driven and makes excellent judgment calls” (Chambers); "one of the best IP lawyers I have worked with" and "knows exactly how to get a deal done” (Clean Tech and Who's Who Legal).