03 Jul Legal Issues in Big Data: 2017
Big data refers to the collection and analysis of large and complex data sets. The data sets are so large that they cannot be analyzed using traditional techniques. Instead, data analytics tools are applied to process a wide variety of data types at very high speeds.
Big data comes from multiple sources at a high velocity, volume, variety, and degree of complexity. It is generated by everything around us at all times. For example, data can originate from our use of social media, online purchases, streaming, and sensors used in the Internet of Things (IoT). Every interaction in e-commerce and social media produces it. Computer systems, sensors, and mobile devices transmit it. Thus, optimal processing power and analytics capabilities are needed to extract meaningful information from big data.
Businesses need data analytics to convert the large and complex data sets into actionable information in order to make better decisions and provide a business advantage over competitors. Big data analytics is the process of collecting, organizing, and analyzing large data sets to discover patterns and other useful information. Big data analytics examines large amounts of data from various sources to find patterns, correlations, trends, and other insights to help businesses better understand the information within the data and identify which data can help improve the effectiveness of business decisions.
Analytics are developed by building models based on available data and then running simulations, iterating the value of data points and monitoring how it impacts results. Current computing power can run millions of these simulations, thereby iterating all the possible variables until it finds a pattern, correlation, or insight to help solve a problem.
Data analytics are used extensively in consumer marketing. As most of us who carry mobile devices have experienced, data analytics enable consumers to be targeted with specifically tailored advertising for products and services based on our individual preferences. Data analytics are also used to optimize supply chain and other logistics for businesses. UPS, for example, analyzes data from a large number of sources to optimize vehicle routes to save time, lower fuel costs, and support predictive maintenance on vehicles.
The legal risks of big data begin with consumer privacy. There is no single, comprehensive federal U.S. law regulating the collection, use, and sharing of personal information. Instead, a myriad of laws and regulations are imposed at the federal and state levels to apply to certain types of personal information, such as financial or health information. These laws and regulations focus on the privacy and security of personal information. There are also consumer protection laws that have been used to prohibit unfair or deceptive practices involving the disclosure of, and security procedures for, protecting personal information.
An example of personal information that raises legal concerns is health information, which is protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended. Currently, data analytics is being applied to electronic medical records (EMR) to identify trends in patient care, epidemiology, treatment effectiveness, operational effectiveness, and other purposes. Predictive modeling using data from EMRs is being used for early diagnosis and to trigger warnings or reminders, such as when a patient should get a new lab test or take other actions. 
In addition to HIPAA, there are other statutes that regulate the collection, use and sharing of personal information. The Federal Trade Commission Act is a consumer protection law that prohibits unfair or deceptive practices and has been applied to off-line and online privacy and data security policies. The online collection of personal information of children under 13 may trigger the Children’s Online Privacy Protection Act. The Gramm-Leach-Bliley Act (GLBA) is a federal law that regulates how financial institutions must handle personal information.
The FTC issued a report on big data to provide guidance to companies about their big data practices. The FTC limited its focus to the commercial use of consumer information and its impact on low-income and underserved populations. It urged companies to apply big data analytics in ways to provide benefits and opportunities to consumers, while avoiding actions that may violate consumer protection or equal opportunity laws, or otherwise detract from the core values of inclusion and fairness.
- A list of the categories of personally identifiable information the operator collects;
- A list of the categories of third parties with whom the operator may share such information;
- A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information as collected by the operator;
- Whether or not a “do not track” signal is honored; and
Security of Personal Information
The Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule) provide standards for protecting personal health information. The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
California was the first state to enact a security breach notification law. The law requires any person or business that owns or licenses computerized data that includes personal information to disclose any data security breach to all California residents whose unencrypted personal information was acquired by an unauthorized person.
Most of the early state security breach notification laws followed California’s law and established requirements for notification of a security breach rather than defining security standards. As of June 2017, 48 states, as well as the District of Columbia, Guam, Puerto Rico and the US Virgin Islands have enacted laws requiring notification of security breaches involving personal information. Recently, some states have established requirements to avoid a security breach. For example, the Massachusetts regulation specifies a detailed list of technical, physical, and administrative security standards for protecting personal information that must be implemented. HIPAA and the GLBA also have security breach notification requirements.
While most attention has centered on security threats to personal information, there are also security issues for non-personal information. For example, in a recent incident, hackers changed chemical settings in a water treatment plant. Additionally, the analyst firm Forrester predicted that there will be a large scale IoT security breach in 2017.
Control over Data
Intellectual Property Protection.
Some data analytics software appears to remain patentable after the Alice court decision, but patent holders and applicants will face challenges if they rely on computer execution of nothing more than routine algorithms. Inventive steps will be needed to make big data analytics software patentable. Such a patent may lose its value over time because an algorithm may improve over the one described in the patent, thereby requiring additional patent applications to be filed. IBM probably has the largest patent portfolio in the big data sector.
Only some of the big data itself may be protected by copyright. Copyright law provides an exclusive right that applies to a form of expression, not the meaning of text written by human authors. If there is only one way to express content, then there is no copyright protection because there is no originality. Any data generated by machines or sensors will not be covered by copyright. That means a large amount of big data will fall outside of copyright protection. User generated data such as a photo, video or other work posted to a social media site may be protected by copyright but the TOS will likely provide that ownership is assigned to the site operator.
Terms of Service Agreement
A TOS is a legal agreement that establishes the obligations and restrictions for using a website, mobile app or online service. The TOS includes provisions that reduce the risk of claims from users and others. There may be liability exposure if the data analytics software provides erroneous or no actionable information. Such liability is limited in the TOS primarily by limited warranty, disclaimers of warranties and limitation of liability provisions in the same way as for other contracts. The TOS may also cover scope of permitted use, restrictions on activities, disclaimers regarding content, indemnification, term and termination, copyright and other intellectual property rights, governing law, jurisdiction, dispute resolution and other issues.
 “Big Data Analytics: What it is and Why it Matters,” https://www.sas.com/en_us/insights/analytics/big-data-analytics.html#.
 “Big Data Analytics,” http://www.webopedia.com/TERM/B/big_data_analytics.html.
 “The Complete Beginner’s Guide to Big Data in 2017,” https://www.forbes.com/sites/bernardmarr/2017/03/14/the-complete-beginners-guide-to-big-data-in-2017/#783590c07365.
 “Data Protection in the United States: Oveview,” https://uk.practicallaw.thomsonreuters.com/6-502-0467?transitionType=Default&contextData=(sc.Default) .
 See “From the Chair: ‘Click Here to Accept the Terms of Service,’” https://www.americanbar.org/publications/communications_lawyer/2015/january/click_here.html; http://bclawlab.org/eicblog/2017/4/26/are-your-mobile-application-or-website-terms-of-useprivacy-policies-legally-enforceable.
 “Examples of Big Data Analytics in Healthcare That Can Save People,” http://www.datapine.com/blog/big-data-examples-in-healthcare/; “Seven Big Data Examples That Have Improved Healthcare Operations,” http://www.ingrammicroadvisor.com/data-center/seven-big-data-examples-that-have-improved-healthcare-operations.
 Federal Trade Commission Act, 15 U.S.C. §§ 41-58.
 Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501-06.
 Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-27.
 “Big Data: A Tool for Inclusion or Exclusion?” https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf.
 California Business and Professions Code §§ 22575-79.
 Health Insurance Portability and Accountability Act of 1996, 45 CFR §§ 160, 164.
 “The Security Rule,” https://www.hhs.gov/hipaa/for-professionals/security/index.html.
 California Civil Code § 1798.82.
 “Security Breach Notification Laws,” http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx; “Comparison of US State and Federal Security Breach Notification Laws,” http://www.steptoe.com/assets/htmldocuments/SteptoeDataBreachNotificationChart.pdf.
 “Standards for the Protection of Personal Information of Residents of the Commonwealth,” 201 CMR § 17.00.
 “Water Treatment Plant Hit by Cyber-Attack,” http://www.infosecurity-magazine.com/news/water-treatment-plant-hit-by/.
 “Predictions 2017: Security and Skills Will Temper Growth of IoT,” https://internetofbusiness.com/iot-security-breach-2017-forrester/; see also “Gazing Ahead: Security Predictions, Part 4,” https://www.scmagazine.com/gazing-ahead-security-predictions-part-4/article/578979/.
 “The Internet of Things is Driving Smart Agriculture,” http://royselawblog.com/the-internet-of-things-is-driving-smart-agriculture/.
 Alice Corporation Pty. Ltd. v. CLS Bank Int’l, 134 S. Ct. 2347 (June 19, 2014).
 “Protecting Big Data Systems in a Post-Alice World,” http://www.robinskaplan.com/resources/articles/protecting-big-data-systems-in-a-post-alice-world.