
Legal Issues in Big Data: 2017

Big data refers to the collection and analysis of large and complex data sets. The data sets are so large that they cannot be analyzed using traditional techniques. Instead, data analytics tools are applied to process a wide variety of data types at very high speeds.

Big data comes from multiple sources at a high velocity, volume, variety, and degree of complexity. It is generated by everything around us at all times. For example, data can originate from our use of social media, online purchases, streaming, and sensors used in the Internet of Things (IoT).[1] Every interaction in e-commerce and social media produces it. Computer systems, sensors, and mobile devices transmit it. Thus, optimal processing power and analytics capabilities are needed to extract meaningful information from big data.[2]

Businesses need data analytics to convert the large and complex data sets into actionable information in order to make better decisions and provide a business advantage over competitors. Big data analytics is the process of collecting, organizing, and analyzing large data sets to discover patterns and other useful information. Big data analytics examines large amounts of data from various sources to find patterns, correlations, trends, and other insights to help businesses[3] better understand the information within the data and identify which data can help improve the effectiveness of business decisions.[4]

Analytics are developed by building models based on available data and then running simulations, iterating the values of data points and monitoring how each change impacts results. Current computing power can run millions of these simulations, thereby iterating through all the possible variables until it finds a pattern, correlation, or insight to help solve a problem.[5]

Data analytics are used extensively in consumer marketing. As most of us who carry mobile devices have experienced, data analytics enable consumers to be targeted with specifically tailored advertising for products and services based on our individual preferences. Data analytics are also used to optimize supply chain and other logistics for businesses. UPS, for example, analyzes data from a large number of sources to optimize vehicle routes to save time, lower fuel costs, and support predictive maintenance on vehicles.

Consumer Privacy

The legal risks of big data begin with consumer privacy. There is no single, comprehensive federal U.S. law regulating the collection, use, and sharing of personal information.[6] Instead, a myriad of laws and regulations are imposed at the federal and state levels to apply to certain types of personal information, such as financial or health information. These laws and regulations focus on the privacy and security of personal information. There are also consumer protection laws that have been used to prohibit unfair or deceptive practices involving the disclosure of, and security procedures for, protecting personal information.

Most websites, online services, and mobile apps have a privacy policy. Implementing and enforcing a privacy policy is not only a good business practice, but it may also be required by law or by third party services that collect information through a website. Likewise, terms of service (TOS) should be periodically reviewed to determine whether they accurately reflect business practices, particularly with respect to the collection, use, and sharing of personal information. A user may accept the TOS and privacy policy by affirmatively checking a box or by simply continuing to use the service. The former type of acceptance, a “clickwrap” agreement, is generally more enforceable than the latter type of acceptance, a “browsewrap” agreement.[7]

An example of personal information that raises legal concerns is health information, which is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended. Currently, data analytics is being applied to electronic medical records (EMR) to identify trends in patient care, epidemiology, treatment effectiveness, operational effectiveness, and other purposes. Predictive modeling using data from EMRs is being used for early diagnosis and to trigger warnings or reminders, such as when a patient should get a new lab test or take other actions.[8]

In addition to HIPAA, there are other statutes that regulate the collection, use and sharing of personal information. The Federal Trade Commission Act is a consumer protection law that prohibits unfair or deceptive practices and has been applied to off-line and online privacy and data security policies.[9] The online collection of personal information of children under 13 may trigger the Children’s Online Privacy Protection Act.[10] The Gramm-Leach-Bliley Act (GLBA) is a federal law that regulates how financial institutions must handle personal information.[11]

The FTC issued a report on big data to provide guidance to companies about their big data practices.[12] The FTC limited its focus to the commercial use of consumer information and its impact on low-income and underserved populations. It urged companies to apply big data analytics in ways to provide benefits and opportunities to consumers, while avoiding actions that may violate consumer protection or equal opportunity laws, or otherwise detract from the core values of inclusion and fairness.

Because there is no comprehensive federal law regulating data collection, use, and sharing, some states have enacted their own laws. California, in particular, is the leader in state privacy laws. The California Online Privacy Protection Act applies to any person or company whose website, online service, or mobile app collects personal information from California consumers.[13] This law has broad geographical effect due to the widely accessible nature of online businesses. Excluding a California audience from access is generally not feasible. The law requires the operator to have a conspicuous privacy policy containing the following:

  • A list of the categories of personally identifiable information the operator collects;
  • A list of the categories of third parties with whom the operator may share such information;
  • A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information as collected by the operator;
  • A description of the process by which the operator notifies consumers of material changes to the operator’s privacy policy;
  • Whether or not a “do not track” signal is honored; and
  • The effective date of the privacy policy.

The law also requires the operator to comply with the privacy policy.

There are also laws and regulations in other countries relating to data protection and privacy. Europe’s General Data Protection Regulation (GDPR), which becomes effective in May 2018, is a primary focus for business planning in 2017.[14] This new EU data protection regulation will impose a greater compliance burden on businesses that offer goods and services to EU residents. A business’ privacy policy also needs to contain the provisions required by the GDPR. In addition to the privacy policy, the GDPR also has a security standard requirement. The GDPR will apply unless the business does not offer goods or services to, or track or create profiles of, EU residents and does not have an “establishment” in the EU.

Security of Personal Information

The Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule)[15] provide standards for protecting personal health information. The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.[16]

California was the first state to enact a security breach notification law.[17] The law requires any person or business that owns or licenses computerized data that includes personal information to disclose any data security breach to all California residents whose unencrypted personal information was acquired by an unauthorized person.

Most of the early state security breach notification laws followed California’s law and established requirements for notification of a security breach rather than defining security standards. As of June 2017, 48 states, as well as the District of Columbia, Guam, Puerto Rico and the US Virgin Islands have enacted laws requiring notification of security breaches involving personal information.[18] Recently, some states have established requirements to avoid a security breach. For example, the Massachusetts regulation specifies a detailed list of technical, physical, and administrative security standards for protecting personal information that must be implemented.[19] HIPAA and the GLBA also have security breach notification requirements.

While most attention has centered on security threats to personal information, there are also security issues for non-personal information. For example, in a recent incident, hackers changed chemical settings in a water treatment plant.[20] Additionally, the analyst firm Forrester predicted that there will be a large scale IoT security breach in 2017.[21]

Control over Data

Ownership rights to big data can provide a competitive business advantage since the data owner controls how the data may be used and shared. For example, Twitter’s data licensing business is its fastest growing source of revenue. Twitter sells its “firehose” of over 500 million daily tweets to various companies that try to turn the tweets into actionable information. Most of the business value in big data is derived from combining data from different sources. Ownership of the data resulting from data analytics is also important. Rights to data are usually allocated in the privacy policy and TOS for websites, online services and mobile apps. Traditional signed agreements may be used in business-to-business transactions. For example, a signed agreement might be used between an IoT provider and its farm customers in a smart agriculture application.[22] Joint ownership is a middle ground for ownership allocations in some business-to-business transactions.

Intellectual Property Protection

Some data analytics software appears to remain patentable after the Alice court decision,[23] but patent holders and applicants will face challenges if they rely on computer execution of nothing more than routine algorithms. Inventive steps will be needed to make big data analytics software patentable.[24] Such a patent may lose its value over time because an algorithm may improve over the one described in the patent, thereby requiring additional patent applications to be filed. IBM probably has the largest patent portfolio in the big data sector.

Only some of the big data itself may be protected by copyright. Copyright law provides an exclusive right that applies to a form of expression, not the meaning of text written by human authors. If there is only one way to express content, then there is no copyright protection because there is no originality. Any data generated by machines or sensors will not be covered by copyright.[25] That means a large amount of big data will fall outside of copyright protection. User generated data such as a photo, video or other work posted to a social media site may be protected by copyright but the TOS will likely provide that ownership is assigned to the site operator.

Terms of Service Agreement

A TOS is a legal agreement that establishes the obligations and restrictions for using a website, mobile app or online service. The TOS includes provisions that reduce the risk of claims from users and others. There may be liability exposure if the data analytics software provides erroneous or no actionable information. Such liability is limited in the TOS primarily by limited warranty, disclaimers of warranties and limitation of liability provisions in the same way as for other contracts. The TOS may also cover scope of permitted use, restrictions on activities, disclaimers regarding content, indemnification, term and termination, copyright and other intellectual property rights, governing law, jurisdiction, dispute resolution and other issues.

Conclusion

Big data is generated by everything around us at all times and includes both personal information and non-personal information. Data analytics is used to convert big data into actionable information that can provide value in a wide range of both consumer transactions as well as business-to-business transactions. With regard to personal information, there are laws and regulations in place for the privacy and security of such information both in the U.S. and around the world. A business’ collection, use, and sharing of personal information must be consistent with its privacy policy and applicable laws and regulations. TOS and other agreements are used to establish the rules for other big data ownership and control and to mitigate risk.


[1] “Big Data,” http://searchcloudcomputing.techtarget.com/definition/big-data-Big-Data.

[2] “What is Big Data?” https://www.ibm.com/big-data/us/en/.

[3] “Big Data Analytics: What it is and Why it Matters,” https://www.sas.com/en_us/insights/analytics/big-data-analytics.html#.

[4] “Big Data Analytics,” http://www.webopedia.com/TERM/B/big_data_analytics.html.

[5] “The Complete Beginner’s Guide to Big Data in 2017,” https://www.forbes.com/sites/bernardmarr/2017/03/14/the-complete-beginners-guide-to-big-data-in-2017/#783590c07365.

[6] “Data Protection in the United States: Overview,” https://uk.practicallaw.thomsonreuters.com/6-502-0467?transitionType=Default&contextData=(sc.Default).

[7] See “From the Chair: ‘Click Here to Accept the Terms of Service,’” https://www.americanbar.org/publications/communications_lawyer/2015/january/click_here.html; http://bclawlab.org/eicblog/2017/4/26/are-your-mobile-application-or-website-terms-of-useprivacy-policies-legally-enforceable.

[8] “Examples of Big Data Analytics in Healthcare That Can Save People,” http://www.datapine.com/blog/big-data-examples-in-healthcare/; “Seven Big Data Examples That Have Improved Healthcare Operations,” http://www.ingrammicroadvisor.com/data-center/seven-big-data-examples-that-have-improved-healthcare-operations.

[9] Federal Trade Commission Act, 15 U.S.C. §§ 41-58.

[10] Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-06.

[11] Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-27.

[12] “Big Data: A Tool for Inclusion or Exclusion?” https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf.

[13] California Business and Professions Code §§ 22575-79.

[14] “General Data Protection Regulation (GDPR),” https://gdpr-info.eu/.

[15] Health Insurance Portability and Accountability Act of 1996, 45 CFR §§ 160, 164.

[16] “The Security Rule,” https://www.hhs.gov/hipaa/for-professionals/security/index.html.

[17] California Civil Code § 1798.82.

[18] “Security Breach Notification Laws,” http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx; “Comparison of US State and Federal Security Breach Notification Laws,” http://www.steptoe.com/assets/htmldocuments/SteptoeDataBreachNotificationChart.pdf.

[19] “Standards for the Protection of Personal Information of Residents of the Commonwealth,” 201 CMR § 17.00.

[20] “Water Treatment Plant Hit by Cyber-Attack,” http://www.infosecurity-magazine.com/news/water-treatment-plant-hit-by/.

[21] “Predictions 2017: Security and Skills Will Temper Growth of IoT,” https://internetofbusiness.com/iot-security-breach-2017-forrester/; see also “Gazing Ahead: Security Predictions, Part 4,” https://www.scmagazine.com/gazing-ahead-security-predictions-part-4/article/578979/.

[22] “The Internet of Things is Driving Smart Agriculture,” http://royselawblog.com/the-internet-of-things-is-driving-smart-agriculture/.

[23] Alice Corporation Pty. Ltd. v. CLS Bank Int’l, 134 S. Ct. 2347 (June 19, 2014).

[24] “Protecting Big Data Systems in a Post-Alice World,” http://www.robinskaplan.com/resources/articles/protecting-big-data-systems-in-a-post-alice-world.

[25] U.S. Copyright Office, Compendium II of Copyright Office Practices § 503.03(a).

Fred Greguras
fgreguras@rroyselaw.com