ALM Properties, Inc.
Page printed from: Corporate Counsel
Select 'Print' in your browser menu to print this document.
Defending Big Data
Law Technology News
We've all experienced the "ick" factor that queasy feeling that a company has just a bit too much information about you. Sure, you love that Apple's Genius has figured out what music you like, and recommends artists you may not yet have discovered. Yes, you like the book recommendations that pop up on Amazon.com, and tolerate eBay's constant suggestions based on your past purchases (who can't use another baseball jersey?) Maybe it was a tad creepy that Netflix Inc. recommended a slew of criminal procedurals shortly after you watched a two-day marathon of Law & Order Criminal Intent episodes while recovering from a flu bug. (See "Why Netflix Thinks I'm Gay," bit.ly/LTN1210b, and In re: Netflix Privacy Litigation www.videoprivacyclass.com.)
It was definitely over the top that you found your picture in a Facebook advertisement for that product that you had "liked" (bit.ly/LTN1210e).
But did you know that Target's algorithms can determine with astounding accuracy that you are in your second trimester of pregnancy because you started buying scent-free lotions, wash cloths, hand sanitizers, and cotton balls? And that Target then can tailor the advertising flyer that is sent to your home to include coupons on baby food, diapers, and other necessities of a newborn? You might find that downright invasive. Especially if you are a high school student who hasn't yet been exactly candid with her father. Your subsequent upset stomach may be triggered by something more than morning sickness.
Makes you want to actually read those Terms of Service agreements, right? (bit.ly/LTN2012f)
Charles Duhigg, an investigative reporter with The New York Times, wrote about the Target data project in his new book, The Power of Habit: Why We Do What We Do in Life and Business (bit.ly/LTN1210c). (The New York Times Magazine ran an excerpt, "How Companies Learn Your Secrets" bit.ly/LTN1210d.) Duhigg, who will present the January 31, 2013, keynote address at LegalTech New York, details how Big Data, freely provided by customers, is a gold mine of knowledge about consumer habits that can be used to influence future behavior of both the consumers and the companies and explores corporate responsibilties to understand and manage the potential consequences of using that data.
Corporations like Target, Amazon, Apple, and Netflix as well as other retailers, financial institutions, health care providers, insurance and pharmaceutical companies, and e-commerce track vast amounts of personal data and keep tabs on how and when we spend our money. Just think about how much information we provide to corporations every day credit cards, airline elite memberships, health provider records, bank accounts, passwords, and all those affinity program ID tags that hang from your keychain.
The Target pregnancy story also helps us understand why lawyers, IT staff, and data professionals are perking up their ears about Big Data and its laundry list of potentially thorny legal, ethical, and technological issues as well as job opportunities. EWeek.com recently reported that there's a hiring frenzy for data scientists and IT specialists, who can conduct "high-level data analyses and apply it to business projections and modeling." Top five cities: San Francisco, Washington, D.C., Boston, St. Louis, and Toronto.
What exactly is this new buzzword? "Big Data is an imprecise term increasingly used to characterize the escalating accumulation of data especially in data sets too large, too raw, or too unstructured for analysis using conventional techniques," says Paul Bond, a partner at Reed Smith and member of its data security, privacy, and management practice group. Today, humans "create 2.5 quintillion bytes of data each day an amount so large that 90 percent of all the data in the world has been created in just the past two years, explains IBM on its Big Data website (bit.ly/LTN1210h). That's the equivalent of the content that could be stored on 57.5 billion 32 GB Apple iPads, says data center ViaWest. (See "The Relative Size of Internet Data," bit.ly/LTN1210j.)
IBM, active in Big Data long before it had the moniker, offers extensive hardware and software to support data collection, mining, and analyzis. "Data comes from everywhere: sensors used to gather climate information, posts to social media sites, digital pictures and videos, purchase transaction records, and cell phone GPS signals to name a few," says IBM.
The company defines four dimensions of Big Data:
BIG DATA GOES VIRAL
If you think that Big Data has suddenly gone viral, you aren't far off the mark, say lawyers in its trenches. "In some ways Big Data and related privacy and security issues is brand new, but in many ways it is part of an evolutionary path that the profession (and many of us individually) have been on for a couple of decades," says Mark Melodia, co-chair of Reed Smith's practice group. "Privacy, secrecy, and information security have always been professional obligations for a lawyer, part of our oath and part of our tool kit."
"Shareholders will demand that public companies look to monetize all the personal data they collect, to the full extent the law and public sentiment will allow," says Melodia, who is based in Princeton, N.J.
But the mighty can be vulnerable, he cautions. "Companies that have risen in value on the wings of Big Data can be equally subject to a dramatic fall should data collection, ownership, and use become stymied in red tape and litigation," says Melodia.
A secondary driver for Big Data's high profile was the "tectonic legal and political shift" to consumer rights that began in the 1990s in the United States, Melodia says. That earthquake included new privacy laws, and consequent security obligations, such as the Gramm-Leach-Bliley Act (requiring financial organizations to safeguard sensitive information and explain data sharing), and the Health Insurance Portablility and Accountability Act of 1996 (protecting health information), he explains. Then it "exploded," he says, "with state breach notification statutes (starting in California and spreading in record time to nearly every state today). [That] "set the stage for the current 'frenemies' relationship between much of Big Data and its customers."
Another growth factor may be inertia. Storage is cheap these days, and many businesses have realized that it is easier to buy additional servers and not dispose of data, instead of deciding what data to archive and what to destroy, observes Jonathan Redgrave, of the eponymous law firm based in Minneapolis. The firm has nine full-time and two part-time lawyers. "With the simultaneous improvements of algorithms, analytical tools, and processing power, as well as the wide-scale affordability of software, businesses began leveraging vast repositories of data to seek competitive advantages," he notes. "As organizations culled through this data, various privacy and data security questions arose, which led to appropriate security controls and their implementation. Of course, issues relating to legal discovery and investigations follow in short order," he says.
Just as in electronic data discovery, there are also concrete dangers in keeping legacy data, such as enhanced risk that "smoking gun" information might be revealed that would have otherwise been benignly destroyed in the course of established retention policies. (See "Girding for Battle," and "What Lurks Within," LTN, Dec. 2011.) This year's dominant EDD topic, predictive coding aka techology-assisted review provides just a hint of Big Data's capabilities.
On any given day, you're likely to find Reed Smith's Melodia in court, defending financial institutions in class action suits, the ground zero for trying to find the correct balance between smart business practices that fuel corporate growth and abusing individual's privacy and security.
The firm, which ranks 19th on the 2012 AmLaw 100, has 1,700 lawyers in 23 offices worldwide. Its Big Data unit "grew from the litigation trenches," and was launched in 2006, says Melodia. Since then, the team has defended 70+ class actions arising from alleged privacy violations, data thefts and breaches, as well as claims of data misuse involving websites and targeted advertising, he says.
Like other firms, Reed Smith and Orrick, Herrington & Sutcliffe have found that class action activity along with data breaches and resultant regulatory activity are the most visible Big Data conflicts. But the growing consumer pushback has changed class action agendas, observes Melodia.
"For the past two years the focus of the class action litigation has shifted from answering the question, 'Why did you lose my information?' to 'Why do you have my information and why didn't you tell me you were going to use it to do that?'
The new wave of class actions, he says, "puts directly at issue fundamental questions arising from a Big Data economy," including:
What has changed in Big Data since the '90s "is ubiquity i.e., the wider range of interaction that average consumers have with the internet, minute-to-minute," says Antony Kim, co-leader of Orrick, Herrington & Sutcliffe's Internet safety, security, and privacy practice group. Kim, based in Washington, D.C., shares leadership with two Silicon Valley partners, Gabriel Ramsey (internet safety and security, litigation), and Stephanie Sharron (counseling and transactions).
This includes social networking, coupled with powerful mobile internet capabilities, "and the real value of storing and processing more and more sensitive data (personal or commercial) in networked environments," he says. This includes social networking, coupled with powerful mobile internet capabilities, "and the real value of storing and processing more and more sensitive data (personal or commercial) in networked environments."
Ultimately, as in most litigation, security and privacy class actions often do not go to trial, Kim notes. "They are either concluded on dispositive motions or class certification fails, or they settle. And regulator actions, for example, by the Federal Trade Commission, almost invariably end in negotiated consent decrees."
January 1, 2012 marked the formal launch of Orrick's "new" practice group, but the team has been in operation since 2009, so you can put it in the "veteran" column. Orrick, which ranks 16th on the Am Law roster, has 1,100 lawyers worldwide.
Orrick's unit has 35 lawyers, including three former assistant U.S. attorneys and a former Federal Trade Commission trial lawyer. Team members are based in the U.S., London, Munich, Paris, Beijing, Shanghai, and Tokyo.
They pull lawyers from several practice groups, including intellectual property, litigation, and corporate business. Many sub-specialties are represented, such as technology transactions, emerging companies, employment, insurance recovery. Transactional attorneys advise clients on the technology deals that give life to these new business models; litigators tackle disputes and regulatory investigation, says Kim.
Five non-lawyer professionals three in IT and network security, an information/data management specialist, and a paralegal are located at Orrick's global operations center in Wheeling, W. Va., and can be rapidly deployed to conduct large investigations, forensics, and testing operations.
The group's technology tool kit includes Guidance Software's EnCase digital forensics suite; AccessData's Forensic Toolkit; e-fense's Helix Enterprise 3; a cyber-security tool providing incident response, computer forensics and e-discovery tools; ProDiscover Forensics; Palantir, which offers data integration, search and recovery, knowledge management, and collaboration; and IBM i2Analyst's Notebook, which offers assisted analysis and visualization capacities; among others.
The group's agenda breaks into two categories:
"Organizations throughout the world whether they are technology companies whose business models rely on the ability to collect, use, analyze, and leverage data, or large multinationals with extensive supply chain and distribution networks must confront the challenges associated with data privacy, digital security, and Internet safety. This is our client base," explains Kim.
Analytics "can be used to drive traffic to a company's website, drive e-commerce and advertising revenue, identify trends and patterns of consumer behavior, provide insights into medical and healthcare initiatives, not to mention the diverse array of public policy and educational concerns," Kim says.
"Our clients care about the contractual, legal, and regulatory issues that apply to the collection, storage, use, transfer, and analysis of these large data sets because data is the relevant currency for our digital world, and reputational and commercial successes hinge on managing data proactively from start to finish."
Big Data also is "a hot political topic on the Hill," Kim observes. "Legislators (around the world) are keen to regulate it, enforcement agencies particularly in the U.S. are increasingly getting involved with record-level fines in areas that used to be self-regulated by industry, and the media/blogosphere can't seem to get enough of the latest big data breach.
Other key practice areas are allocation of rights and responsibilities to data in commercial business transactions, and cybercrime legislation that keeps getting proposed, but not passed, says Kim, who offers startling statistics: The Financial Services Information Sharing and Analysis Center the trade group that represents the security interests of the financial industry has reported "staggering" numbers. Since 2005, financial institutions have reported to the Federal Deposit Insurance Corp. and the Financial Crimes Enforcement Network (part of the U.S. Department of the Treasury) a cumulative $477 million in consumer loss from online banking fraud, he says. "These are real, reported actual losses." Consider, Kim says, that "it's estimated that 20 lines of code is all it takes for a keylogger to steal your online credentials."
"The emphasis in these statutes are public/private partnerships to incentivize threat information-sharing, allowing both companies and the government to better harden defenses and also to better develop enforcement measures against cybercriminals," he says. "But balancing features such as liability mitigation for private parties sharing threat data, privacy interests, Fourth Amendment concerns particularly in the context of the Internet, where any forms of control are met with vocal opposition make this a long, slow process."
Cynthia O'Donoghue, co-chair of Reed Smith's practice group, is based in London and joined the firm in 2008. She and Melodia oversee a global team of 40 attorneys with backgrounds in engineering, software development, cybersecurity, technology, and in-house experience at banks and insurance providers. The team also helps clients build long-term compliance programs, as well as create contingency plans for emergencies and works with companies to help them effectively identify and execute revenue opportunities while respecting obligations to customers.
O'Donoghue leads the international matters, with lawyers based in England, France, Germany, Greece, Dubai, Hong Kong, and Beijing. Typical international challenges include "bet-the-company litigation over privacy issues; guidance through major incidents of data theft, loss, and unauthorized access; and practical privacy compliance advice around emerging technology or changing business practices," she says.
A key difference between the U.S. and international agendas is that "few other countries actually have a mechanism to allow class action suits," she says. "Secondly, in the rest of the world, many areas of Big Data collection, processing, and use are highly regulated." About 90 countries have some type of data protection and/or privacy laws that govern the use of Big Data, she notes. (See, "International Operations.")
The practice group's includes smartphones, mainly BlackBerrys, but they test mobile apps with iPhones, iPads, and Android devices. They also uses Little Snitch Network Monitor for real-time traffic information from applications. For website testing, the team uses a Macbook Pro and runs several virtual machines (both Windows and Apple operating systems) to observe website behavior. Also: Wireshark, Ghostery by Evidon, and Mozilla developer tools to examine information collection and technology deployment.
Like all the interviewed firms asserted, a cross-discipline approach is crucial to the success of a Big Data practice group, says the Reed Smith team. "Our clients require more than simply a team of litigators and data security and privacy experts," says Melodia. "The future of our economy and society is up for grabs, and now is the time for thought leadership on practical data stewardship," says Bond, who noticed a common denominator at his firm:
"All of these Reed Smith lawyers share a technology bent in their practices, and, if they had time to look back, nearly all would have to admit that the legal work that they are doing today simply did not exist 10 years ago. The trick, of course, is to figure out what the questions and opportunities will be 10 years from now!"
This article originally appeared in Law Technology News.