Tech Talk: Data Privacy, Ownership & IoT
December 11, 2017, 12:30 pm - 12:45 pm
By Lily Lim, Partner, Finnegan Henderson
The Intersection of IoT and Robotics: How Sensors, Data, and Intelligence Are Redefining Industry
IoT Data: Ownership and Rights
- Data Collected: company has ownership rights (copyright, trade secrets, know-how, patents)
- Correlations Made with Data Collected: company has ownership rights to data that is mined or correlated
- Personally Identifiable Information: users have rights to control their personal data
Laws Protecting PII
- Personally Identifiable Information (PII)
- Federal Statutes
  - Financial Records: Gramm-Leach-Bliley Act
  - Health Records: HIPAA
  - Educational Records: FERPA
  - Interception of Communications: Electronic Communications Privacy Act
- State Laws:
  - Massachusetts defines PII as: person's last name, first initial, combined with SSN, driver's license, bank account, or credit card account
  - California Constitutional Right to Privacy
  - Illinois: PII includes user names with password & biometric data
- European General Data Protection Regulation (GDPR)
Cost of Breach of Privacy Data (External Attack)
- Class Actions:
  - Target Breach: over $300 Million
  - Home Depot: over $250 Million to date (Forbes Magazine estimates total recurring expenses will be $10 Billion).
- Deal Devalued:
  - Yahoo! Breach: Verizon cut $350 Million from its deal with Yahoo! after the news of the breach was released.
- Clean-up/Rebuild Costs:
  - Sony Pictures Entertainment Breach (copyrighted materials, not-yet-released movies, Sony's trade secrets such as business negotiations):
    - Clean-up costs $35 Million for FY 2015.
    - Rebuilding Sony's computer systems estimated at $83 Million.
Open Source Software Vulnerabilities
- Apache Open Source License (Web Servers):
  - Apache Struts vulnerability
    - Equifax breach, September 2017 (personal data for 143 million people leaked)
    - Apache Struts web-application software had a bug (CVE-2017-5638) for which Apache released a patch on March 6, 2017.
    - Equifax did not apply the patch, and the breach started in May 2017.
Bluetooth Vulnerabilities
- Bluetooth Vulnerability:
  - US-CERT (United States Computer Emergency Readiness Team) issued a warning
  - BlueBorne: potentially affecting millions of IoT devices, mobile phones, and computers.
  - A remote attacker can take control of affected devices
  - Impacted systems: Windows, iOS, Android
  - Affected vendors: Apple, Google, Microsoft, Samsung, Android
  - Patches available for Windows and iOS, but patching for Android was delayed due to its dispersed ecosystem
  - US-CERT recommended action: disable Bluetooth
IoT Data: Penalties When PII Collected Without User Consent
- Data Mining Contacts from Email Accounts
  - Google Buzz allegedly automatically pulled contacts from users' Gmail accounts into a social network without informing them.
  - FTC Consent Decree: Google agreed to implement a comprehensive privacy program and to 20 years of privacy audits.
- Sweeping Up WiFi Passwords
  - Google Street View: passwords, email, and personal information from unsecured networks were collected by Google cars while they collected location data for Street View.
  - Google agreed to: a $7 Million fine; self-policing of employees; teaching the public how to fend off privacy violations.
Data Handling "Mishaps"
- Uber's "God View" Tool and "Greyball" Program
  - FTC is inquiring about Uber's "data-handling mishaps," including employees' "misuse of 'god view,' a tool that had previously let employees closely track individual riders, such as politicians and celebrities."
  - Department of Justice reportedly opened a criminal probe regarding Uber's use of its Greyball program, which allegedly helped it circumvent scrutiny from local transportation regulators.
Maximizing Data Set Values by Mitigating PII Risks
- Companies can use PII and sell it:
  - Privacy-By-Design and Security-By-Design
    - Rather than address privacy and security issues at the back end of a product cycle, companies are making efforts to integrate privacy and security into earlier phases of the design cycle.
  - Privacy Policy: User Consent
Lily Lim, Partner, Finnegan Henderson
Intellectual property, cybersecurity, and privacy law.

Ms. Lim provides strategic counseling on cybersecurity and privacy best practices, including security-by-design and privacy-by-design, utilizing her depth of knowledge in both law and technology. Ms. Lim is a Certified Information Privacy Professional (CIPP/US). Ms. Lim is a frequently invited speaker and contributes to the Sedona Conference Working Group on data security and privacy issues.

Ms. Lim has prevailed at trial and on appeal in cases involving patent, copyright, and trade secret disputes in federal court and before the U.S. International Trade Commission (ITC). She represents U.S. and international clients whose technologies include integrated circuits, satellite technologies, wireless devices, software, and medical devices and diagnostic equipment. Ms. Lim also provides strategic pre-litigation counseling regarding negotiating patent and software licenses and international manufacturing and marketing agreements.

Prior to joining private practice, Ms. Lim served as a law clerk to the Honorable S. Jay Plager of the U.S. Court of Appeals for the Federal Circuit. She also worked as a spacecraft navigation engineer at NASA's Jet Propulsion Laboratory.

Email: Lily.Lim@Finnegan.com
Copyright 2017