By Fred Greguras, Attorney, Royse Law
Big Data is often characterized by the large volume of data, the wide variety of data types and the velocity at which the data must be processed. Data can come from many different sources, such as social media use, online purchases, licensed Twitter data streams or sensors used in the Internet of Things (IoT).1 Big Data is generated by everything around us at all times. Every interaction in ecommerce and social media produces it. Computer systems, sensors and mobile devices transmit it. Big Data comes from multiple sources at a high velocity, volume, variety and complexity. Optimal processing power and analytics capabilities are needed to extract actionable information from Big Data.2
Businesses need analytics to convert the large and complex data sets into actionable information in order to make better decisions and provide a business advantage over competitors. Big Data analytics is the process of collecting, organizing and analyzing large data sets to discover patterns and other useful information. Big Data analytics examines large amounts of data from various sources to find patterns, correlations, trends and other insights.3 Big Data analytics can help businesses better understand the information within the data and identify which data can help improve the effectiveness of business decisions.4
Analytics are developed by building models based on available data, and then running simulations, iterating the value of data points and monitoring how each change impacts results. Current computing power can run millions of these simulations, iterating all the possible variables until it finds a pattern, correlation or insight that helps solve the problem.5
Data analytics are used extensively in consumer marketing. As most of us who carry mobile devices have experienced, analytics enable consumers to be targeted with specifically tailored advertising for products and services based on their individual preferences. Data analytics are also used to optimize supply chain and other logistics for businesses. UPS, for example, analyzes data from a large number of sources to optimize vehicle routes, saving time and lowering fuel costs, and for predictive maintenance on vehicles.
Legal Issues in Big Data
There is no single national law in the U.S. regulating the collection, use and sharing of personal information.7 There are federal and state laws and regulations that apply to certain types of personal information, such as financial or health information. There are also consumer protection laws that have been used to prohibit unfair or deceptive practices involving the disclosure of, and security procedures for protecting, personal information.
An example of personal information that raises legal concerns is health information protected by the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). Data analytics is being applied to electronic medical records (EMR) to identify trends in patient care, epidemiology, treatment effectiveness, operational effectiveness and for other purposes. Predictive modeling using data from EMRs is being used for early diagnosis and to trigger warnings or reminders such as when a patient should get a new lab test or take other actions.8
The Federal Trade Commission Act is a consumer protection law that prohibits unfair or deceptive practices and has been applied to off-line and online privacy and data security policies.9 The online collection of personal information of children under 13 may trigger the Children's Online Privacy Protection Act.10 The Gramm-Leach-Bliley Act (GLBA) is a federal law that regulates how financial institutions must handle personal information.11
The FTC issued a report on Big Data to provide guidance to companies about their Big Data practices.12 The FTC limited its focus to the commercial use of consumer information, and its impact on low-income and underserved populations. The FTC urged companies to apply Big Data analytics in ways to provide benefits and opportunities to consumers, while avoiding actions that may violate consumer protection or equal opportunity laws, or detract from core values of inclusion and fairness.
Security. The Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule)15 provide standards for protecting personal health information. The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.16 The GDPR also has a security standard requirement.
California was the first state to enact a security breach notification law.17 The law requires any person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the data to all California residents whose unencrypted personal information was acquired by an unauthorized person.
Most of the early state security breach notification laws followed California's law and established requirements for notification of a security breach rather than defining security standards. As of June 2017, 48 states, as well as the District of Columbia, Guam, Puerto Rico and the US Virgin Islands, have enacted laws requiring notification of security breaches involving personal information.18 Recently, some states have established requirements to avoid a security breach, such as the Massachusetts regulation, which specifies a detailed list of technical, physical and administrative security standards that must be implemented to protect personal information.19 HIPAA and the GLBA also have security breach notification requirements.
While most attention has been on security threats to personal information, there are also security issues for non-personal information. Hackers changed chemical settings in a water treatment plant in a recently reported incident.20 The analyst firm Forrester predicted there will be a large-scale IoT security breach in 2017.21
Intellectual Property Protection. Some data analytics software appears to remain patentable after the Alice court decision,23 but patent holders and applicants will face challenges if they rely on computer execution of nothing more than routine algorithms. Inventive steps will be needed to make Big Data analytics software patentable.24 Such a patent may lose its value over time since the algorithm may improve over the one described in the patent and additional patent applications may be needed. IBM probably has the largest patent portfolio in the Big Data sector.
Only some of the Big Data itself may be protected by copyright. Copyright applies to the form of expression, not the meaning, of text written by human authors. If there is only one way to express content, then there is no copyright protection because there is no originality. Any data generated by machines or sensors will not be covered by copyright.25 That means a large amount of Big Data will fall outside of copyright protection. User-generated data such as a photo, video or other work posted to a social media site may be protected by copyright, but the site's terms of service (TOS) will likely provide that ownership is assigned to the site operator.
Terms of Service Agreement. A TOS is the legal agreement that establishes the obligations and restrictions for using a website, mobile app or online service. The TOS includes provisions that reduce the risk of claims from users and others. There may be liability exposure if the data analytics software provides erroneous or no actionable information. Such liability is limited in the TOS primarily by limited warranty, disclaimers of warranties and limitation of liability provisions in the same way as for other contracts. The TOS may also cover scope of permitted use, restrictions on activities, disclaimers regarding content, indemnification, term and termination, copyright and other intellectual property rights, governing law, jurisdiction, dispute resolution and other issues.