Defending Big Data

From: Law Technology News

Corporations eager to exploit their massive customer data risk alienating consumers and regulators if they stumble on privacy and security.

By Monica Bay

We’ve all experienced the “ick” factor — that queasy feeling that a company has just a bit too much information about you. Sure, you love that Apple‘s Genius has figured out what music you like, and recommends artists you may not yet have discovered. Yes, you like the book recommendations that pop up on Amazon.com, and tolerate eBay’s constant suggestions based on your past purchases (who can’t use another baseball jersey?) Maybe it was a tad creepy that Netflix Inc. recommended a slew of criminal procedurals shortly after you watched a two-day marathon of Law & Order Criminal Intent episodes while recovering from a flu bug. (See “Why Netflix Thinks I’m Gay,” bit.ly/LTN1210b, and In re: Netflix Privacy Litigation www.videoprivacyclass.com.)

It was definitely over the top that you found your picture in a Facebook advertisement for that product that you had “liked” (bit.ly/LTN1210e).

But did you know that Target‘s algorithms can determine with astounding accuracy that you are in your second trimester of pregnancy — because you started buying scent-free lotions, wash cloths, hand sanitizers, and cotton balls? And that Target then can tailor the advertising flyer that is sent to your home to include coupons on baby food, diapers, and other necessities of a newborn? You might find that downright invasive. Especially if you are a high school student who hasn’t yet been exactly candid with her father. Your subsequent upset stomach may be triggered by something more than morning sickness.

Makes you want to actually read those Terms of Service agreements, right? (bit.ly/LTN2012f)

Charles Duhigg, an investigative reporter with The New York Times, wrote about the Target data project in his new book, The Power of Habit: Why We Do What We Do in Life and Business (bit.ly/LTN1210c). (The New York Times Magazine ran an excerpt, “How Companies Learn Your Secrets” bit.ly/LTN1210d.) Duhigg, who will present the January 31, 2013, keynote address at LegalTech New York, details how Big Data, freely provided by customers, is a gold mine of knowledge about consumer habits that can be used to influence future behavior of both the consumers and the companies — and explores corporate responsibilties to understand and manage the potential consequences of using that data.

Corporations like Target, Amazon, Apple, and Netflix — as well as other retailers, financial institutions, health care providers, insurance and pharmaceutical companies, and e-commerce — track vast amounts of personal data and keep tabs on how and when we spend our money. Just think about how much information we provide to corporations every day — credit cards, airline elite memberships, health provider records, bank accounts, passwords, and all those affinity program ID tags that hang from your keychain.

The Target pregnancy story also helps us understand why lawyers, IT staff, and data professionals are perking up their ears about Big Data and its laundry list of potentially thorny legal, ethical, and technological issues — as well as job opportunities. EWeek.com recently reported that there’s a hiring frenzy for data scientists and IT specialists, who can conduct “high-level data analyses and apply it to business projections and modeling.” Top five cities: San Francisco, Washington, D.C., Boston, St. Louis, and Toronto.

What exactly is this new buzzword? “Big Data is an imprecise term increasingly used to characterize the escalating accumulation of data — especially in data sets too large, too raw, or too unstructured for analysis using conventional techniques,” says Paul Bond, a partner at Reed Smith and member of its data security, privacy, and management practice group. Today, humans “create 2.5 quintillion bytes of data each day — an amount so large that 90 percent of all the data in the world has been created in just the past two years, explains IBM on its Big Data website (bit.ly/LTN1210h). That’s the equivalent of the content that could be stored on 57.5 billion 32 GB Apple iPads, says data center ViaWest. (See “The Relative Size of Internet Data,” bit.ly/LTN1210j.)

IBM, active in Big Data long before it had the moniker, offers extensive hardware and software to support data collection, mining, and analyzis. “Data comes from everywhere: sensors used to gather climate information, posts to social media sites, digital pictures and videos, purchase transaction records, and cell phone GPS signals to name a few,” says IBM.

The company defines four dimensions of Big Data:

• Volume (e.g., if you convert 350 billion annual meter readers you can better predict power consumption).

• Velocity (for time-sensitive processes such as catching fraud, Big Data must be analyzed as it streams to maximize value).

• Variety (structured and unstructured data can include text, sensor data, audio, video, log files, and more).

• Veracity (one third of business leaders say they currently don’t trust the information they are using to make decisions). “Establishing trust in Big Data presents a huge challenge as the variety and number of sources grows,” says IBM.

Other key technology players in corporate Big Data management include Oracle, Intel, EMC², and SAS, among many others.

BIG DATA GOES VIRAL

If you think that Big Data has suddenly gone viral, you aren’t far off the mark, say lawyers in its trenches. “In some ways Big Data — and related privacy and security issues — is brand new, but in many ways it is part of an evolutionary path that the profession (and many of us individually) have been on for a couple of decades,” says Mark Melodia, co-chair of Reed Smith’s practice group. “Privacy, secrecy, and information security have always been professional obligations for a lawyer, part of our oath and part of our tool kit.”

Today, it’s in-your-face loud, as consumers push back. For legal professionals, Big Data’s tipping point was the May 18 initial public offering of Facebook, asserts Melodia. The IPO “drove home to even casual observers the increasingly close relationship between data collection and corporate value,” he says. At the time of the IPO, Facebook had almost 1 billion users; “the activity of the users is the main asset of the company.” The massive amount of data generated 24/7 on the site’s pages and walls “not only helps Facebook’s advertisers target their ads, this Big Data is a considerable commodity in and of itself,” says Melodia. “Facebook seemed to acknowledge as much by changing its privacy policy to a data use policy ahead of the IPO.”

“Shareholders will demand that public companies look to monetize all the personal data they collect, to the full extent the law and public sentiment will allow,” says Melodia, who is based in Princeton, N.J.

But the mighty can be vulnerable, he cautions. “Companies that have risen in value on the wings of Big Data can be equally subject to a dramatic fall should data collection, ownership, and use become stymied in red tape and litigation,” says Melodia.

A secondary driver for Big Data’s high profile was the “tectonic legal and political shift” to consumer rights that began in the 1990s in the United States, Melodia says. That earthquake included new privacy laws, and consequent security obligations, such as the Gramm-Leach-Bliley Act (requiring financial organizations to safeguard sensitive information and explain data sharing), and the Health Insurance Portablility and Accountability Act of 1996 (protecting health information), he explains. Then it “exploded,” he says, “with state breach notification statutes (starting in California and spreading in record time to nearly every state today). [That] “set the stage for the current ‘frenemies’ relationship between much of Big Data and its customers.”

Another growth factor may be inertia. Storage is cheap these days, and many businesses have realized that it is easier to buy additional servers and not dispose of data, instead of deciding what data to archive and what to destroy, observes Jonathan Redgrave, of the eponymous law firm based in Minneapolis. The firm has nine full-time and two part-time lawyers. “With the simultaneous improvements of algorithms, analytical tools, and processing power, as well as the wide-scale affordability of software, businesses began leveraging vast repositories of data to seek competitive advantages,” he notes. “As organizations culled through this data, various privacy and data security questions arose, which led to appropriate security controls and their implementation. Of course, issues relating to legal discovery and investigations follow in short order,” he says.

Just as in electronic data discovery, there are also concrete dangers in keeping legacy data, such as enhanced risk that “smoking gun” information might be revealed that would have otherwise been benignly destroyed in the course of established retention policies. (See “Girding for Battle,” and “What Lurks Within,” LTN, Dec. 2011.) This year’s dominant EDD topic, predictive coding — aka techology-assisted review — provides just a hint of Big Data’s capabilities.


NEW GROWTH

New practice and support groups are sprouting faster than tweenage girls buy tickets for a Taylor Swift concert. That’s good news for lawyers, as well as IT and information governance professionals.

» In July, Holland & Knight launched a new data privacy and security unit, led by partners Christopher Cwalina and Steven Roosa, who left Reed Smith to take on the task. The unit is housed within the firm’s public policy and regulation practice group.

» Also in July, Hunton & Williams’ internal think tank, the Centre for Information Policy Leadership, announced a new multi-industry “Ethical Analytics” program to develop voluntary Big Data guidelines. Ten (or more) participating companies are tasked to define issues, establish a vocabulary, and develop a framework for responsible use of analytics. Said president Martin Abrams: “It is important that we arrive at an approach for analytics that promotes the use of analytics, … protects the individual, and can be applied across a global marketplace.”

» In May, the International Legal Technology Association launched a security group, called LegalSEC, “based on the simple notion that securing our clients’ data is everyone’s responsibility,” says executive director Randi Mayes. “Starting at the highest executive level, tighter, smarter security must be supported, developed, communicated, and trained.”

Chaired by Robert DuBois, IT director of Devine Millimet & Branch, it will develop programs addressing standardization and certification, mobile device management, “bring your own devices,” social media, SharePoint, physical workspace, compliance, records management, and more. In the press release, Mayes framed ILTA’s rationale: “Are we overreacting? How can we trust the state of secure systems when many of the major players themselves are targets of successful hacks?” Clients, she says, demand higher security standards, but are they asking too much? “It’s a tangled maze, a cloudy lens, an ever-changing, ever-moving target. It’s really difficult to know what to do.”

» In April, Goldberg Segalla created a cyber-risk and social media practice group, lead by partners Daniel Gerber and John Jablonski (a member of LTN ‘s board). The team includes 14 lawyers, and calls in IT specialists as needed. “We have had lawyers advising clients on cyber-risk, social media risks, and data breach risk management, response, and litigation for about two years now,” says Jablonski. Key agenda: Comprehensive approach to minimizing risks related to online activities, electronic storage, and electronic record keeping practices of national and international businesses. With the world becoming more reliant every day on electronically stored data, remote network access, and social media, the potential liability implications for businesses continues to grow exponentially. “We provide services to help companies, insurers, and professionals effectively manage these risks and protect their interests when faced with cyberliability that could put their business and their reputation on the line. We also provide cybersecurity audits to the insurance and reinsurance industry, and have helped insurers develop cyber-risk insurance policies to cover cyber-risks,” says Jablonski. — M.B.


GROUND ZERO

On any given day, you’re likely to find Reed Smith’s Melodia in court, defending financial institutions in class action suits, the ground zero for trying to find the correct balance between smart business practices that fuel corporate growth and abusing individual’s privacy and security.

The firm, which ranks 19th on the 2012 AmLaw 100, has 1,700 lawyers in 23 offices worldwide. Its Big Data unit “grew from the litigation trenches,” and was launched in 2006, says Melodia. Since then, the team has defended 70+ class actions arising from alleged privacy violations, data thefts and breaches, as well as claims of data misuse involving websites and targeted advertising, he says.

Like other firms, Reed Smith and Orrick, Herrington & Sutcliffe have found that class action activity — along with data breaches and resultant regulatory activity — are the most visible Big Data conflicts. But the growing consumer pushback has changed class action agendas, observes Melodia.

“For the past two years the focus of the class action litigation has shifted from answering the question, ‘Why did you lose my information?’ to ‘Why do you have my information and why didn’t you tell me you were going to use it to do that?’

The new wave of class actions, he says, “puts directly at issue fundamental questions arising from a Big Data economy,” including:

• What does a reasonable expectation of privacy mean in a Sally Fields culture in which self-worth (and possibly company-worth) is determined by everybody desperately wanting to be liked?

• Who “owns” consumer information that is shared on websites or in commercial transactions?

• Is technology the answer or the problem?

• What does “harm” mean in this context?

• Can all of these questions be answered by simply writing clear enough disclosures and terms and conditions for consumers to read?

What has changed in Big Data since the ’90s “is ubiquity — i.e., the wider range of interaction that average consumers have with the internet, minute-to-minute,” says Antony Kim, co-leader of Orrick, Herrington & Sutcliffe’s Internet safety, security, and privacy practice group. Kim, based in Washington, D.C., shares leadership with two Silicon Valley partners, Gabriel Ramsey (internet safety and security, litigation), and Stephanie Sharron (counseling and transactions).

This includes social networking, coupled with powerful mobile internet capabilities, “and the real value of storing and processing more and more sensitive data (personal or commercial) in networked environments,” he says. This includes social networking, coupled with powerful mobile internet capabilities, “and the real value of storing and processing more and more sensitive data (personal or commercial) in networked environments.”

Ultimately, as in most litigation, security and privacy class actions often do not go to trial, Kim notes. “They are either concluded on dispositive motions or class certification fails, or they settle. And regulator actions, for example, by the Federal Trade Commission, almost invariably end in negotiated consent decrees.”

January 1, 2012 marked the formal launch of Orrick’s “new” practice group, but the team has been in operation since 2009, so you can put it in the “veteran” column. Orrick, which ranks 16th on the Am Law roster, has 1,100 lawyers worldwide.

Orrick’s unit has 35 lawyers, including three former assistant U.S. attorneys and a former Federal Trade Commission trial lawyer. Team members are based in the U.S., London, Munich, Paris, Beijing, Shanghai, and Tokyo.

They pull lawyers from several practice groups, including intellectual property, litigation, and corporate business. Many sub-specialties are represented, such as technology transactions, emerging companies, employment, insurance recovery. Transactional attorneys advise clients on the technology deals that give life to these new business models; litigators tackle disputes and regulatory investigation, says Kim.

Five non-lawyer professionals — three in IT and network security, an information/data management specialist, and a paralegal — are located at Orrick’s global operations center in Wheeling, W. Va., and can be rapidly deployed to conduct large investigations, forensics, and testing operations.

The group’s technology tool kit includes Guidance Software’s EnCase digital forensics suite; AccessData‘s Forensic Toolkit; e-fense’s Helix Enterprise 3; a cyber-security tool providing incident response, computer forensics and e-discovery tools; ProDiscover Forensics; Palantir, which offers data integration, search and recovery, knowledge management, and collaboration; and IBM i2Analyst’s Notebook, which offers assisted analysis and visualization capacities; among others.

The group’s agenda breaks into two categories:

• Enforcement and proactive measures: Lawyers, investigators, computer forensic professionals, and Internet security specialists identify, locate, and prosecute cases against entities involved in Internet abuses, including cybersquatting/typosquatting; trade secret misappropriation/corporate espionage; copyright and trademark infringement; online advertising fraud; financial fraud; spam; phishing; malware; and other technical abuses.

• Defensive counseling, advocacy and risk management: With former government attorneys, as well as consumer and HR experts, this group focuses on core Internet business issues, including regulatory compliance and investigations; litigation and adversarial proceedings; consumer and employee policies and procedures; data security and breach management; evaluating online revenue models and risk profile analysis; data/records management; and e-discovery.

“Organizations throughout the world — whether they are technology companies whose business models rely on the ability to collect, use, analyze, and leverage data, or large multinationals with extensive supply chain and distribution networks — must confront the challenges associated with data privacy, digital security, and Internet safety. This is our client base,” explains Kim.

Analytics “can be used to drive traffic to a company’s website, drive e-commerce and advertising revenue, identify trends and patterns of consumer behavior, provide insights into medical and healthcare initiatives, not to mention the diverse array of public policy and educational concerns,” Kim says.

“Our clients care about the contractual, legal, and regulatory issues that apply to the collection, storage, use, transfer, and analysis of these large data sets because data is the relevant currency for our digital world, and reputational and commercial successes hinge on managing data proactively from start to finish.”

Big Data also is “a hot political topic on the Hill,” Kim observes. “Legislators (around the world) are keen to regulate it, enforcement agencies particularly in the U.S. are increasingly getting involved with record-level fines in areas that used to be self-regulated by industry, and the media/blogosphere can’t seem to get enough of the latest big data breach.

Other key practice areas are allocation of rights and responsibilities to data in commercial business transactions, and cybercrime legislation that keeps getting proposed, but not passed, says Kim, who offers startling statistics: The Financial Services Information Sharing and Analysis Center — the trade group that represents the security interests of the financial industry — has reported “staggering” numbers. Since 2005, financial institutions have reported to the Federal Deposit Insurance Corp. and the Financial Crimes Enforcement Network (part of the U.S. Department of the Treasury) a cumulative $477 million in consumer loss from online banking fraud, he says. “These are real, reported actual losses.” Consider, Kim says, that “it’s estimated that 20 lines of code is all it takes for a keylogger to steal your online credentials.”

“The emphasis in these statutes are public/private partnerships to incentivize threat information-sharing, allowing both companies and the government to better harden defenses and also to better develop enforcement measures against cybercriminals,” he says. “But balancing features such as liability mitigation for private parties sharing threat data, privacy interests, Fourth Amendment concerns — particularly in the context of the Internet, where any forms of control are met with vocal opposition — make this a long, slow process.”

Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published.

Please Answer: *