Cybersecurity, Privacy and Data Protection – Legal Challenges in the Digital Age
LegalTech New York 2015 kicked off today with a panel on “Cybersecurity, Privacy and Data Protection Legal Challenges in the Digital Age.” Erin Harrison, the incoming editor-in-chief of ALM’s Legaltech News, moderated a panel of privacy and security experts from some of the most visible companies out there:
- Eran Feigenbaum, director of security, Google Apps, Google
- Jon Palmer, assistant general counsel, Litigation and Antitrust Legal and Corporate Affairs, Microsoft Corporation
- Edward Palmieri, director and associate general counsel, Privacy and Regulatory, Facebook
- Laura Pirri, legal director, Products, Twitter
- Ari Shahdadi, general counsel, Tumblr
The set of companies represented here is important, because they are among the most visible digital companies out there, and all serve consumers who are extremely vulnerable to privacy and financial breaches yet are often unaware of those risks. In that sense, the companies on the panel represent the bleeding edge of these issues – but by no means are they unique. All types of enterprises today face the same challenges as they move to more digital and cloud-based solutions, and a few themes about how to deal with them emerged from this panel.
For this audience, of course, the conversation was really about the changing role of the legal function and its integration in all aspects of modern corporations, reaching all the way upstream into product design.
A central issue faced by all of these companies is that they depend on the trust of their users. Users of these products face the risk of privacy and financial breaches, whether they are aware of those risks or not. The key idea that emerged from the panel was that privacy protection is not a separate concept independent from the rest of what a vendor does. It’s not just an issue for the lawyers; it’s an issue for teams of product developers, marketers, IT pros, risk managers, and lawyers. Pirri from Twitter called it “Privacy by Design.” It entails engaging lawyers and their expertise on the front end, advising on product development. At Twitter, that approach has resulted in a mix of notices and disclosures built into the product, but also granular controls that allow users to change their personal experience and release of information.
There is a big change represented here that will trickle down into other industries: the role of the lawyer. Whether they are in-house or serving as outside counsel, lawyers are typically engaged only on the front end, advising on risks of certain practices, or on the back end, dealing with breaches. If the experience of these companies trickles down to other industries, then lawyers can expect to be engaged throughout the product development cycle. That is a major shift in the role of lawyers, but it will become the norm, not the exception.
Responding to breaches and government action
Another area that’s undergoing an evolution is the enterprise’s response to privacy and security breaches. The panelists were fairly consistent in advocating for more transparency than most enterprises might currently be comfortable with. Shahdadi of Tumblr recounted a specific example where one of their cloud vendors experienced a breach, and the vendor’s CMO, the primary contact in the relationship, was inclined to cover up rather than talk about the breach publicly. Some of the click-wrap licenses that were a part of the user agreement actually hindered certain disclosures. Tumblr’s approach to breaches now includes a more proactive assessment of partnerships and agreements with third parties, to ensure that they don’t hinder transparency.
Sometimes privacy and data security are threatened by illegal acts, but sometimes a company’s data security is threatened by government action. Palmer of Microsoft talked about a high-profile case, currently on appeal in the 2nd Circuit, involving user data held on servers in Ireland that was sought under a judge’s warrant. The case raises all the issues that will play out over the coming years: whether digital content requires the same level of protection as physical documents; whether customers or the hosts of online systems like Microsoft are the real owners of the content (and thus authorized to respond to government requests); and which nation’s law applies.
Regarding this issue of government-driven access to private data, this panel made it clear that there is a fairly long to-do list to bring law and policy up to date. Google’s Feigenbaum has a slightly more expansive view of the jurisdictional issues that Palmer raised. His view was that the whole beauty of the cloud is that data is not confined by national borders or legal regimes, which makes access to data riskier but also makes the data more secure from disasters.
In the end, however, the panel expressed a certain optimism about the direction of that discussion – “it’s in everybody’s interest that consumers trust the cloud,” said Palmer. Ultimately, multi-jurisdictional solutions will be needed, but they are a ways off.
There is plenty of privacy and data security work for lawyers in every industry in the years to come, and it’s not just in these high-profile tech companies – every industry is moving both customer-facing and back-office data into the cloud. This panel highlighted the importance of lawyers being engaged on two fronts. First, there is the policy and litigation front, where lawyers have always played a role in guiding their company and industry interests through policymaking arenas. Second, however, is the lawyer’s role in product development and design, where lawyers might not be accustomed to working on cross-functional teams in order to embed legal protections in products right from the start. That form of collaboration will increasingly become the norm and will be a role for many lawyers.