Legal Issues In Big Data: 2017

By Fred Greguras, Attorney, Royse Law

Big Data is often characterized by the large volume of data, the wide variety of data types and the velocity at which the data must be processed. Data can come from many different sources, such as social media use, online purchases, licensed twitter data streams or sensors used in the Internet of Things (IoT).¹ Big Data is generated by everything around us at all times. Every interaction in ecommerce and social media produces it. Computer systems, sensors and mobile devices transmit it. Big Data comes from multiple sources at a high velocity, volume, variety and complexity. Optimal processing power and analytics capabilities are needed to extract actionable information from Big Data.²

Businesses need analytics to convert the large and complex data sets into actionable information in order to make better decisions and provide a business advantage over competitors. Big Data analytics is the process of collecting, organizing and analyzing large data sets to discover patterns and other useful information. Big Data analytics examines large amounts of data from various sources to find patterns, correlations, trends and other insights.³ Big Data analytics can help businesses better understand the information within the data and identify which data can help improve the effectiveness of business decisions.⁴

Analytics are developed by building models based on available data, and then running simulations, iterating the value of data points and monitoring how it impacts results. Current computing power can run millions of these simulations, iterating all the possible variables until it finds a pattern, correlation or insight that helps solve the problem.⁵

Data analytics are used extensively in consumer marketing. As most of us who carry mobile devices have experienced, analytics enable consumers to be targeted with specifically tailored advertising for products and services based on our individual preferences. Data analytics are also used to optimize supply chain and other logistics for businesses. UPS, for example, analyzes data from a large number of sources to optimize vehicle routes to save time, lower fuel costs and for predictive maintenance on vehicles.

Legal Issues in Big Data

Privacy. The legal risks of Big Data begin with consumer privacy. Laws and regulations have focused on the privacy and security of personal information. In addition, most websites, online services and mobile apps have a privacy policy agreement and terms of service agreement (also called terms of use, user agreement, etc.) that users accept by clicking or continuing to use. Click wrap type agreements are generally more enforceable than browse wrap type agreements.⁶ Having a privacy policy is a good business practice but it may also be required by law or by third party services that collect information through a website. Both privacy policies and terms of service (TOS) should be periodically reviewed to be certain they accurately reflect business practices, particularly with respect to the collection, use and sharing of personal information.

There is no single national law in the U.S. regulating the collection, use and sharing of personal information.⁷ There are federal and state laws and regulations that apply to certain types of personal information, such as financial or health information. There are also consumer protection laws that have been used to prohibit unfair or deceptive practices involving the disclosure of, and security procedures for protecting personal information.

An example of personal information that raises legal concerns is health information protected by the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). Data analytics is being applied to electronic medical records (EMR) to identify trends in patient care, epidemiology, treatment effectiveness, operational effectiveness and for other purposes. Predictive modeling using data from EMRs is being used for early diagnosis and to trigger warnings or reminders such as when a patient should get a new lab test or take other actions.⁸

The Federal Trade Commission Act is a consumer protection law that prohibits unfair or deceptive practices and has been applied to off-line and online privacy and data security policies.⁹ The online collection of personal information of children under 13 may trigger the Children's Online Privacy Protection Act.¹⁰ The Gramm-Leach-Bliley Act (GLBA) is a federal law that regulates how financial institutions must handle personal information.¹¹

The FTC issued a report on Big Data to provide guidance to companies about their Big Data practices.¹² The FTC limited its focus to the commercial use of consumer information, and its impact on low-income and underserved populations. The FTC urged companies to apply Big Data analytics in ways to provide benefits and opportunities to consumers, while avoiding actions that may violate consumer protection or equal opportunity laws, or detract from core values of inclusion and fairness.

California is the leader in state privacy laws. The California Online Privacy Protection Act applies to any person or company whose website, online service or mobile app collects personal information from California consumers.¹³ This law has broad geographical effect because of the widely accessible nature of online businesses. Excluding a California audience from access is not generally feasible. The law requires the operator to have a conspicuous privacy policy containing the following:

• A list of the categories of personally identifiable information the operator collects;
• A list of the categories of third parties with whom the operator may share such information;
• A description of the process (if any) by which the consumer can review and request changes to his or her personally identifiable information as collected by the operator;
• A description of the process by which the operator notifies consumers of material changes to the operator’s privacy policy;
• Whether or not a “do not track” signal is honored; and
• The effective date of the privacy policy.

The law also requires the operator to comply with the privacy policy.

There are also laws and regulations in other countries relating to data protection and privacy. Europe’s General Data Protection Regulation (GDPR) which becomes effective in May 2018 is a primary focus for business planning in 2017.¹⁴ This new EU data protection regulation will impose a greater compliance burden on businesses that offer goods and services to EU residents. A privacy policy also needs to contain the provisions required by the GDPR. The GDPR will apply unless the business does not offer goods or services to, or track or create profiles of, EU residents and does not have an “establishment” in the EU.

Security. The Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule)15 provide standards for protecting personal health information. The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.¹⁶ The GDPR also has a security standard requirement.

California was the first state to enact a security breach notification law.¹⁷ The law requires any person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the data to all California residents whose unencrypted personal information was acquired by an unauthorized person.

Most of the early state security breach notification laws followed California's law and established requirements for notification of a security breach rather than defining security standards. As of June 2017, 48 states, as well as the District of Columbia, Guam, Puerto Rico and the US Virgin Islands have enacted laws requiring notification of security breaches involving personal information.¹⁸ Recently, some states have established requirements to avoid a security breach such as the Massachusetts regulation which specifies a detailed list of technical, physical and administrative security standards for protecting personal information that must be implemented.¹⁹ HIPAA and the GLBA also have security breach notification requirements.

While most attention has been on security threats to personal information, there also are security issues for non-personal information. Hackers changed chemical settings in a water treatment plant in a recently reported incident.²⁰ The analyst firm Forrester predicted there will be a large scale IoT security breach in 2017.²¹

Control over Data. Ownership rights to Big Data can provide a competitive advantage since the data owner controls how the data may be used and shared. For example, Twitter's data licensing business is its fastest growing revenue. Twitter sells its "firehose" of over 500 million daily tweets to various companies that try to turn the tweets into actionable information. Most of the business value in Big Data is in combining data from different sources. Ownership of data resulting from the analytics is also important. Rights to data are usually allocated in the privacy policy and TOS for websites, online services and mobile apps. Traditional signed agreements may be used in business to business transactions. For example, a signed agreement might be used between an IoT provider and its farm customers in a smart agriculture application.²² Joint ownership is a middle ground for ownership allocations in some business to business transactions.

Intellectual Property Protection. Some data analytics software appears to remain patentable after the Alice court decision²³ but patent holders and applicants will face challenges if they rely on computer execution of nothing more than routine algorithms. Inventive steps will be needed to make Big Data analytics software patentable.²⁴ Such a patent may lose its value over time since the algorithm may improve over the one described in the patent and additional patent applications may be needed. IBM probably has the largest patent portfolio in the Big Data sector.

Only some of the Big Data itself may be protected by copyright. Copyright applies to the form of expression not the meaning of text written by human authors. If there is only one way to express content then there is no copyright protection because there is no originality. Any data generated by machines or sensors will not be covered by copyright.²⁵ That means a large amount of Big Data will fall outside of copyright protection. User generated data such as a photo, video or other work posted to a social media site may be protected by copyright but the TOS will likely provide that ownership is assigned to the site operator.

Terms of Service Agreement. A TOS is the legal agreement that establishes the obligations and restrictions for using a website, mobile app or online service. The TOS includes provisions that reduce the risk of claims from users and others. There may be liability exposure if the data analytics software provides erroneous or no actionable information. Such liability is limited in the TOS primarily by limited warranty, disclaimers of warranties and limitation of liability provisions in the same way as for other contracts. The TOS may also cover scope of permitted use, restrictions on activities, disclaimers regarding content, indemnification, term and termination, copyright and other intellectual property rights, governing law, jurisdiction, dispute resolution and other issues.

Conclusion

Big Data is generated by everything around us at all times and includes both personal information and non-personal information. There are laws and regulations on privacy and security for personal information in the U.S. and elsewhere around the world. Collection, use and sharing of personal information must be consistent with a privacy policy and applicable laws and regulations. TOS and other agreements are used to establish the rules for other Big Data ownership and control and to mitigate risk. Data analytics is used to convert Big Data into actionable information that can provide value in a wide range of both consumer and business to business transactions.

1. http://searchcloudcomputing.techtarget.com/definition/big-data-Big-Data
2. https://www.ibm.com/big-data/us/en/
3. https://www.sas.com/en_us/insights/analytics/big-data-analytics.html#
4. http://www.webopedia.com/TERM/B/big_data_analytics.html
5. ttps://www.forbes.com/sites/bernardmarr/2017/03/14/the-complete-beginners-guide-to-big-data-in-2017/#783590c07365
6. See https://www.americanbar.org/publications/communications_lawyer/2015/january/click_here.html; http://bclawlab.org/eicblog/2017/4/26/are-your-mobile-application-or-website-terms-of-useprivacy-policies-legally-enforceable; http://www.deshlaw.com/legal-insights/ensuring-enforceability-of-terms-of-service-and-privacy-policy-on-mobile-applications on the enforceability of click and browse agreements.
7. https://uk.practicallaw.thomsonreuters.com/6-502-0467?transitionType=Default&contextData=(sc.Default)
8. http://www.datapine.com/blog/big-data-examples-in-healthcare/; http://www.ingrammicroadvisor.com/data-center/seven-big-data-examples-that-have-improved-healthcare-operations
9. 15 U.S.C. §§41-58
10. 15 U.S.C. §§6501-6506
11. 15 U.S.C. §§6801-6827
12. https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf
13. California Business and professions Code §§ 22575-22579.
14. https://gdpr-info.eu/
15. 45 CFR §§ 160 and 164
16. https://www.hhs.gov/hipaa/for-professionals/security/index.html
17. California Civil Code §1798.82
18. http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx; http://www.steptoe.com/assets/htmldocuments/SteptoeDataBreachNotificationChart.pdf
19. 201 CMR § 17.00
20. http://www.infosecurity-magazine.com/news/water-treatment-plant-hit-by/
21. Predictions 2017: Security and Skills Will Temper Growth of IoT, https://internetofbusiness.com/iot-security-breach-2017-forrester/; see also https://www.scmagazine.com/gazing-ahead-security-predictions-part-4/article/578979/
22. http://royselawblog.com/the-internet-of-things-is-driving-smart-agriculture/
23. Alice Corporation Pty. Ltd. v. CLS Bank International, et al., 134 S. Ct. 2347 (June 19, 2014).
24. http://www.robinskaplan.com/resources/articles/protecting-big-data-systems-in-a-post-alice-world
25. U.S. Copyright Office, Compendium II of Copyright Office Practices § 503.03(a)