Companies have always had to address the legal risks inherent in doing business and seek to mitigate them. Twenty years after the advent of the internet, it is clear that the rate of technological innovation has only increased. While there has been a lot of speculation on the changes that disruptive technologies can and will produce, less known but no less vital are the new legal challenges they create.
While seeking not to oversimplify the effects that these technologies will have on business, legal practice, and legislation, the two common threads running through discussions about the legal risks they pose are data security and consumer privacy. This article addresses legal issues and risk in these technology areas: Bring Your Own Device (BYOD), big data, the Internet of Things (IoT), cloud/Software as a Service (SaaS), and social media.
Enterprises should embrace a multi-disciplinary approach when dealing with legal risks associated with these technologies. All the relevant stakeholders have to contribute to understanding and mitigating the legal risks brought about by technological innovation. In previous articles I have written about the strategic importance of the CIO and the role of C-suite engagement. Just as important, and strategic, is the perspective that legal counsel brings to the table.
BYOD is no longer a trend. Many employees fully expect it, and it’s increasingly difficult for companies to just say no. BYOD pits the needs of the enterprise for IT control and data security against employee concerns about freedom and privacy. One must add to this complex scenario the various laws governing employee relations and rights. IT decision makers cannot afford to remain unaware of the legal implications of BYOD programs.
- Data loss: The single greatest risk with BYOD is the potential loss of enterprise data. It can happen in a frightening number of ways: forgetting a device in a public place, malware, or insecure Wi-Fi networks. Losing company data can be costly and embarrassing. With personal devices, there is no way for a company to ensure that only their staff members will have access to them. If an employee in the healthcare industry, for example, loses a device containing patient data, the risks of litigation and regulatory response could be substantial.
- Wiping a mobile device: A common protection for BYOD data loss is for a company to completely wipe the data from a lost mobile device; companies should obtain consent from employees to take this measure. But what if a firm wipes mobile data by mistake? And what happens if an employee had media downloads on the device to the tune of hundreds of dollars? If an employee refuses to sign a waiver permitting data wiping, what can a company do? Legal ambiguities and pitfalls abound in this kind of approach. And have you adequately warned staff that their personal devices — and possibly all the personal information that’s on them — could be subject to legal discovery?
Here are two major takeaways: you need an effective BYOD policy, and the right tech solution is critical.
Firms have to write a BYOD policy that is clear and enforceable, and avoids regulatory investigation and possible litigation. The policy should also define for staff the protocols for security incidents. If your mobile access policy does not accomplish all of this, work with your legal counsel to craft one that does.
Regarding tech solutions, your primary concern should be to avoid storing enterprise data on personal devices. It is difficult for enterprises to assert control over employees’ private devices, and as long as company data resides on those devices, security is at risk. Earlier this year I covered a BYOD solution that does not permit users to download company data to their devices. No solution is ideal or foolproof, but it will pay dividends to carefully research the best solution for your firm.
With big data, the potent and agile technologies, enormous amounts of information, and the analytical benefits are all very impressive. We don’t yet know its full potential, and along with the efforts that many will make to predict it, enterprises, consumer groups, and legislators need to examine the risks to data security and individual privacy.
- Large data sets: In big data the amounts of information are very large and come from multiple sources. Despite the efforts of collectors and analyst firms to de-identify data from smartphones, geo-location platforms, and other sensitive sources, without adequate protections hackers can potentially re-identify individuals; this could result in litigation and is a very real risk (the amounts and concentrations of data are tempting for criminal interests). It has been argued that big data could open up more automated forms of discrimination when private sector firms (e.g., health insurance providers) make complicated decisions about consumers. This is an area where consumer advocacy and legislation have to play a role.
- Legal discovery: With large datasets and the types of raw, unprocessed data involved, a firm’s efforts to limit the scope of legal discovery could prove difficult; this could open up sensitive and proprietary information to outsiders’ scrutiny. Regarding the use and publication of big data analyses, an enterprise has to evaluate the potential legal risks. And with an eye to the pitfalls of storing diverse kinds of consumer data, IT leaders need to ask exactly what kinds of information their company should collect and retain.
Before the legal issues are better defined, companies need a set of best practices and effective solutions to mitigate the pitfalls. More and more, big data services are provided by third parties; businesses must review procedures and contracts to ensure data breaches and re-identification of consumers are less likely. Best practices include auditing access to data, monitoring and logging of actions, and clarifying the chain of data custody. A key success factor is executive leadership. Enterprise-wide efforts have the potential benefit of making risk management an integral part of corporate culture.
It will be necessary to anticipate and investigate the profound changes and legal risks that IoT will create. Some analysts expect IoT will pose data security and legal risks that go well beyond BYOD. Predictions about the number of “cyber-physical devices” by the year 2020 range from 20 billion to 50 billion. With myriads of networked devices constantly and quietly collecting sensitive information, IoT may ultimately force society to redefine and therefore re-legislate what constitutes privacy in a post-IoT world. Here are some of the legal issues enterprises need to consider.
- Data ownership and product liability: Once IoT devices are purchased and enabled, who will own the data they collect? The answer may depend on the nature of the product, customer opt-in choices, and the user agreement. Some expect that data control will reside with the manufacturer, while others believe this will be a thorny, ongoing issue. In that vein, how will IoT manufacturers be held liable if devices provide false or misleading data? There are already precedents with GPS manufacturers. A key legal protection for companies will be not misrepresenting their products.
- Customer privacy concerns: How will consumers be given reasonable notices about privacy and be able to indicate their preferences when the devices have no user interfaces? What will that mean when billions of these devices are in use and a single household or business could have a sizable number of them? Forgoing individual privacy will create some rather Orwellian possibilities. Whatever the new IoT normal becomes, businesses should respect consumer privacy and seek to make data anonymous, as well as be open and transparent about their uses of data.
Network security may not be a primary competence for many IoT device makers, and that will have to change. Due to the nature and volume of the data collected, it is not a matter of when or if criminal interests will target IoT networks. Both the government and relevant industry sectors will have to be proactive in this regard.
The cloud business model
The cloud’s benefits — agility, scalability, and lower costs — are well known, and it has become a well-established, albeit still disruptive, technology. But it’s never wise to lower your legal defenses. A careful review of the legal risks for cloud providers and customers is necessary.
- Data security: One of the main differences between traditional software and a cloud/SaaS agreement is where customer data is located. In a SaaS transaction, a customer is storing some of its potentially sensitive data with the cloud provider. A firm has to ask tough questions and get solid assurances in a cloud agreement. What happens if the cloud provider closes its doors? How will the customer’s data be returned? What happens to data access if a customer can’t pay a bill? What about disaster recovery? Who within the SaaS provider will have access to the firm’s data?
- Service level agreements (SLAs): SLAs, the written commitments a service provider makes regarding levels of service, support, and downtime penalties, have become a standard element of the cloud business model. From a contractual and marketing perspective, SaaS businesses cannot avoid making commitments — what’s critical is knowing what you can and should promise and what goes too far. Crafting the right agreement for a cloud-based firm demands technological know-how and experience in drafting and negotiating SaaS business contracts. In addition, if you rely on a third party to provision your cloud services, you shouldn’t make contractual commitments to clients that the hosting provider can’t or won’t support.
- Data encryption and legal discovery: Most standard cloud contracts state that the provider will comply with all subpoenas for data, which means a cloud provider will straightaway provide company data to the entity issuing the subpoena — potentially without the customer’s knowledge. That sounds like a nasty surprise for most enterprises. Encryption of data stored with a cloud provider can give an added layer of protection in such cases. Even if a firm has to comply, at least it will need to provide the encryption key for the data, and thus be alerted to an unfolding legal process.
It is now a full decade into the social media era, but the unpredictable nature of user-generated content and the ongoing legal risks make social media part of the discussion, even if the pitfalls are relatively better known.
- Privacy and posting sensitive information: The Federal Trade Commission has issued its privacy guidelines regarding the protection of online personal data, which businesses and legal advisors need to be apprised of. For employees, there is inherent risk in placing personal information online about schedules and activities; these can enable tracking. There is also the risk of inadvertently sharing sensitive or confidential information through social media. Clear, written guidelines about appropriate posting and sharing are necessary.
- Employment screening: We have all heard the horror stories about people getting turned down for jobs because of things they posted on social media sites, but risk can go both ways. Businesses need to refrain from using a site such as Facebook during the hiring process. If litigation uncovers that an employer learned about sensitive personal information (such as age, family status, political profile, or sexual orientation) via social networks, and then turned down a candidate on the basis of information it would not otherwise be privy to, it can be held liable.
- Intellectual property: Along with vigilant online reputation management, a business has to monitor its brand online to protect its registered trademarks. Not challenging third-party uses of a registered trademark could result in its loss via abandonment. Think of brands such as Kleenex, Xerox, Thermos, and Coca-Cola and the legal efforts they have undertaken to protect their brand names. The US government does not monitor third-party usage, so it is up to the trademark holder to do so.
- Social media policy: This is a must. Write a clear, effective, and enforceable privacy and social media policy. Train your staff on its provisions and implications, and above all be consistent when enforcing it.
We don’t yet know how the legal issues that these disruptive technologies produce will play out in business practices, legal risk management, government regulation and legislation, civil litigation, and consumers’ notions and reasonable expectations of privacy. IT leaders and their company’s legal advisors will need to continually monitor developments in these areas.
This is a partial introduction to a highly dynamic and important topic. What else would you add to this conversation, in terms of best practices to implement and risk management considerations? Let us know in the discussion.
Disclaimer: TechRepublic and Tech Pro Research are CBS Interactive properties.