M2M Evolution Interviews: Ross Buntrock, Partner, Arent Fox LLP
August 19, 2014
Ross Buntrock of Arent Fox puts IoT data privacy and security under a legal lens.
Ross Buntrock, Partner at Arent Fox LLP, provides legal insight into the data privacy and security environment amid the rise of ubiquitous connectivity and the Internet of Things (IoT).
Give us some background on Arent Fox.
BUNTROCK: As far as the firm is concerned, we’ve got about 400 lawyers that are spread between D.C., New York, Los Angeles, and San Francisco. I’m the head of our Communications, Technology, and Mobile group, and we cover things like privacy, privacy audits, and data security. We work with a lot of carriers, so I deal with people who are interested in acquiring spectrum, IP litigation, TCP litigation, etc. So it’s a broad portfolio and deep in a lot of different areas.
Personally, I started off on the competitive telecom side and have just evolved as the industries have converged. Some of our clients are API developers. One of our bigger clients is a company called Twilio, which is an API that provides telecom functionality to apps like Uber or other customer service apps. So it’s a pretty interesting group of folks that we deal with.
What are some of the biggest questions people are asking you in regards to data privacy?
BUNTROCK: The biggest thing I get questions about in this day and age, since we’re not just dealing with domestic obligations, is the international requirements for moving data. So if you’re a US-based company going into Western Europe, there are different obligations in terms of data storage, so that sort of cross-border data movement is a big question we get.
The other thing we do a lot of is privacy and data security policy. The US has a pretty unique patchwork quilt of privacy obligations that depends on whether you’re talking about financial, health, etc. We have a siloed approach depending on what area you’re dealing with, so we also help people understand what that patchwork quilt is and how it applies to their business model or the data that they’re handling. The good news/bad news in terms of privacy policies is that it’s a relatively low bar, so you can have as comprehensive or as uncomprehensive a privacy policy as you’d like. The best piece of advice I give people is that whatever you have in your privacy policy, and we can write you a good one that is tailored to what you’re doing, you have to do what you say you’re going to do or not do. The biggest problem I see, especially with startups, is that they’ll say “okay, we know we have to have a privacy policy,” go out and cut and paste something from a competitor’s website, and it has nothing to do with what they’re actually doing and the way they run their business. That’s when you get into trouble with the FTC and with state attorneys general: you say you’re doing something that you’re not doing, or you say that you’re not handling data in a way that you are. Do what you say you’re going to do and you can generally stay out of trouble.
Given the rise of connectivity, are we in a situation where companies could potentially have to draft policies for multiple geographic locations? How does this affect startups?
BUNTROCK: Yes. In fact, the best example, relating not even to the policies but to the practices, is the right to be forgotten in some European countries, where you’ve now got Google having to take down certain pieces of information about people, whether it’s an arrest or some negative story. That’s the best example of how multinational companies, or even companies that don’t necessarily have a point of presence in those countries but have customers in those countries, are going to have to tailor their policies to apply the appropriate standards on a country-by-country or region-by-region basis, which obviously is difficult.
The same goes if you have customers in Siberia or customers in Ukraine, whatever. We dealt with a slightly different question, outside of the privacy and data security context, where Crimean assets were seized and suddenly, where Ukrainian law had applied, we had to go back and apply Russian law. So it’s kind of shifting sands.
It depends on where you are, but ideally we try to be in touch with these people to help them comply with whatever body of law governs where they’re doing business. We have a lot of international experience and work with local law firms in almost any country that you’ve ever heard of to do compliance work before there’s an issue, or remediation if there becomes an issue. We do have an emerging companies practice that works with startup companies and offers a package of hours at a different set of rates, which addresses the biggest problem most startups face when trying to hire a law firm: they can’t affordably hire the expertise that they probably need. So our plan is that we’ll give you a break, and hopefully at some point you’ll become a successful company and we’ll have a great relationship.
For new companies or emerging technologies, what are some of the most overlooked legal issues, or best practices for protecting your business?
BUNTROCK: There are two that come to mind. Number one is the privacy and data security elements. There has been a ton of press, whether it’s the Target breach or Neiman Marcus – name the breach of the month. So in building your technology, whether it’s an app or a piece of hardware, people really need to be focused on staying ahead of the bad guys. That means a lot of different things depending on the context of the technology or the platform you’re talking about, but that’s number one.
Another is e-health or mobile health, where the new healthcare law poses some pretty major liability and some pretty hefty burdens in terms of managing HIPAA obligations. The mobile health market is a multi-billion-dollar-per-year market and growing, but the biggest thing when I talk to startups is that they are aware of HIPAA but they don’t really know what it imposes upon them. Even if they are just one piece of the overall puzzle that is handing data off from one entity to another, that liability extends to them.
What do developers need to keep in mind with device or application data that could be handled by multiple parties, using HIPAA as an example?
BUNTROCK: From a practical perspective, apart from understanding the specific obligations that HIPAA imposes on various parties in the chain of the custody of that data, you want to make sure that with whatever agreements or contracts you have in place you’re not taking on any liability for HIPAA breaches. That’s a big thing because everyone is doing this finger pointing and trying to push the liability back on the other person and asking for indemnity. For me, that’s Contracts 101 for anyone who’s playing in that sandbox.
As for the obligations I alluded to previously about liability: again, in the broadest sense, if you’re touching that data you’re basically considered to be an agent for the purposes of liability analysis. In this realm, that’s the biggest trap to watch out for. There’s some statutory framework around what you can do within the context of a contract, and the statute has various definitions as to who is an agent for the purposes of HIPAA under the healthcare law. But there is room within your agreements to make sure that, by definition, you are actually taking on responsibility for what you’re doing and not assumed to be doing something broader. So, if you’re only handling a specific subset of data that you could argue is outside the definition of a HIPAA-covered piece of information, then you should look at that too.
What are the potential penalties people could run into if this data isn’t handled properly, again specifically to HIPAA?
BUNTROCK: There’s really not a primary action. There are various fines, and then there are other, broader breach penalties that could apply at both the state and federal levels. You could run into millions of dollars of liability depending on the size of a breach or the exposure of a particular piece of data. More commonly this would be a large number of people affected by an alleged mishandling or an alleged improper “share,” but the monetary fines can apply both through federal statutes and arguably through state statutes that deal with breaches, as there are various state HIPAA obligations as well. So it can get hairy fast.
Do you see any big pieces of legislation that are coming that could affect the tech sector?
BUNTROCK: You’ve got a couple of different pieces of legislation that are dealing with the fallout from the Snowden/NSA scandal, and if you pick up the paper today, you’ll see there’s disagreement between some of the big tech sector giants that are usually relatively on the same page with regards to what they want to see in this type of legislation.
Number two, I think the biggest legislation you’re going to see, which has been introduced a couple of times by Senator Franken, is location-based privacy legislation. That really freaks people out, even though they like having coupons served to them based on their location or knowing where their friends are. Any time these things get misused it leads to people getting concerned, so I think you’re going to see a location-based privacy bill, if not a comprehensive piece of privacy legislation, in the next 5-10 years.
The other thing that we keep an eye on and deal with is native advertising issues. The most recent example was when Facebook announced that they’re not only going to use your online data from Facebook but are going to pull in data from across your browsing history to serve you relevant ads. There is a huge movement, and I’m supportive of it, to have the advertising industry rely upon its own best practices and self-regulation. If there are a number of bad actors out there peeing in the pool, we’re going to see the FTC step in to take action, and they’ve already done that. But it could lead to legislation that could potentially hamstring an industry that most consumers feel they benefit from. So targeted advertising legislation might be the third legislative initiative that could happen.
That brings up an interesting point, because these days the platform or product itself is not the money maker. The money maker is the data and services that result from the product or platform.
BUNTROCK: The aggregation of all this data across all these different platforms is where the money is at, and the actors in this sector are leveraging the huge amounts of data that are being collected about all of us. Another issue that’s come up is using that kind of data for discriminatory hiring practices and discriminatory lending practices. While someone may not be looking at my actual credit report, if they’re profiling me and see that my ex-wife filed for bankruptcy or my best friends are all criminals, they can find out a lot about you through the aggregation of data across different platforms. So that’s something that’s become an issue as well.