Networked information has become the lifeblood of commerce and global competition as organizations turn to increasingly sophisticated technologies and processes for deriving critical patterns, forecasts and market opportunities from customer data and other business information. Facing pressure to match competitors' data innovations and avoid legal pitfalls - including costly lawsuits and public backlash if privacy laws are violated in the process – businesses increasingly feel under siege atop growing volumes of data.
In this Q&A, Pillsbury attorneys Joshua B. Konvisser,Wayne C. Matus and Catherine D. Meyer, members of the firm's Privacy, Data Security & Information Use practice, explain how the stakes of harnessing information are forcing companies to rethink their approaches, and creating an expanded role for legal advisors in the boardroom.
Q. Data privacy has been a corporate issue for some time, what is different today?
Konvisser: Historians will tell you that in the past century we evolved from an industrial economy to a modern service economy, but in the recent past –particularly in the last decade – we have really become an "information economy." Information has reached the point where it is a company's greatest asset, more than factory machinery, distribution and branding, because real-time data is the engine that now drives a company's strategy around all of these elements of production. Just look at how supply chains and shipping are viewed as on-demand resources, able to reflect even minute data-driven decisions; or the speed with which companies want to perceive pivotal changes in customer tastes, and reposition their products accordingly. As a concrete example, retailers with a quick time-to-market based on real-time monitoring of fashion trends, such as H&M, are gaining ground over more traditional competitors.
Meyer: Another shift is the growing value businesses place on information as a game changer for getting ahead of markets and competitors. This is in addition to the appreciation executives have traditionally had for customer records and other files from a privacy and security perspective, due to liability. The result is a perceptible collision between traditionally more risk-averse management cultures tilted toward "do no harm, at all cost," and more entrepreneurial or aggressive approaches that want to use all information in the most innovative and legal ways possible. The balance varies in different organizations, and it ultimately determines their investments and risk tolerance in this area.
Q. Are specific technologies helping redefine data strategies?
Matus: Technology is the most pervasive – if not the most important – catalyst, because it tirelessly generates new information and helps draw new value from existing records. Look at how social-networking Web sites are affording unprecedented views into customers' interests, preferences and relationships, for example. The phenomenal rise of mobile applications on smart phones and wireless devices stands to further transform the information marketplace, particularly as devices have increasingly powerful hardware, embedded GPS, cameras and mobile commerce capabilities. An "app" can reach a connected consumer quickly and utilize all of these tools for businesses.
Konvisser: The mobile outlook is perhaps the most tantalizing and provocative, because everyone's life converges on these devices; they handle our work and personal needs seamlessly and follow us everywhere. Because of this, the gold rush to build apps for the most popular handhelds has to-date arguably focused more on assured functionality than data security and privacy disclosures. The average user currently has little visibility into how the apps actually work, including the information they gather or "where" it goes. The FTC recently held a privacy roundtable that examined whether wireless carriers, for example, should require app developers courting their customers to follow specific privacy practices. There will certainly be a much greater focus on mobile applications and privacy this year.
Q. How are businesses faring when it comes to leveraging all these new platforms and information?
Meyer: Quite honestly, it has really created somewhat of a bunker mentality. Businesses feel on the defensive on all fronts. They realize they ignore information's strategic value at their own peril, yet they struggle with how best to correlate and manage data across departments, or even across suppliers and partners. Plus, there is the omnipresent risk of costly legal action or public outcry if customers and regulators think legal boundaries are crossed.
Konvisser: The result is that, as privacy and legal advisors, we increasingly have corporations and departments turning to their general counsel's office, and to us, with new plans for processing their data and saying, in effect, "Can we do this?" Historically, the answer, all too often, has been "no".
We are now working with clients to plan proactively so that they can "get to yes" by developing a holistic strategy around information and data use that enables them to balance issues, such as their rights in the intellectual property of others, the intellectual property protection of their own assets, and the disparate privacy regimes of the jurisdictions in which they do business.
Q. Could new or updated privacy laws provide the guidance companies and consumers need?
Matus: Laws typically provide crucial guidance and uniformity, and we can expect more of them. Unfortunately, however, because of different approaches taken in different markets, there has been no harmonization across geographies and the current legal regime leaves data users facing a disparate set of rules, where they have no choice but to turn to privacy lawyers to help them determine a safe course of conduct.
Additional legislation could help reconcile the different approaches, but that would require a fundamental philosophical change within the U.S. or by the rest of the world. This is highly unlikely in the foreseeable future. Again, the best strategy remains to plan in advance and think about all of the jurisdictions your business may touch, so that you can operate in a compliant manner across the board.
Q. What are some examples of innovative data projects that might be problematic to deploy more broadly?
Konvisser: I recently received a call from a news publication's circulation office to renew my subscription, and the sales agent noted that a number of specific sections of the publication were slated to expand in the print edition. These happen to be the same sections that I had routinely browsed on my smart phone. In other words, my reading habits were studied and used to create a more compelling product. As a customer, I might find value in this revelation, but you can also see where a subscriber might be troubled to learn their news searches were being logged or "monitored."
Matus: The pervasiveness of GPS into everyday devices and vehicles is also transformational. Today an insurance company, for example, might decide to offer me the incentive of lower premiums if I permit them to monitor my car's operation and location. Policyholders and the insurer might benefit from such arrangements if the data is collectively used to lower costs through efficiency and fraud detection. However, this model depends on a rebalancing of trust and value on the consumer's end. There is also the issue of "what," specifically, the insurer would ultimately learn through the monitoring, and which attributes they could legally factor into policy decisions.
Meyer: Another popular data strategy we have seen emerge and evolve is the supermarket "club card" model, in which customers generally can buy goods at special "member" prices, provided they register to have purchases and buying habits logged against a customer profile. Due to the significant compliance requirements gathering personally-identifiable information (PII) has around the world; companies have to think hard about how to tailor such programs. What derives the most value? Do you really need the customer's name, or is it sufficiently insightful to require more basic demographic information, such as age or gender?
Q. With these in mind, how do you recommend companies pursue the green light for new data initiatives?
Matus: First, it helps to gauge the criticality of these programs to your business. The needs of an advertising firm, for example, are not the same as a resort, auto manufacturer or financial institution. This is important because you need a consistent data culture across an enterprise to frame things like opportunity, ROI and risk tolerance.
Konvisser: Legal advisers, whether in the GC's office or outside counsel, also need to become more involved and work collaboratively with the business team from the outset as businesses take up these deliberations.
For years the process was draw up a project and submit to lawyers for approval, but this dated sequence is counterproductive in the information economy. Just as attorneys must prioritize enabling innovation within applicable laws, business stakeholders have to realize they are less likely to feel "stifled" if they engage legal and compliance officers early on, describe their requirements, and are prepared to work together to develop options that achieve the strategic business goals, protect the value of the information assets, and are compliant with various applicable legal regimes.
Meyer: Business leaders should also look for external advisors offering not only objectivity, but also familiarity with new technologies' implications and how these are shaping laws here and abroad. Executives need to hear about emerging data applications, business models and lessons learned along the way, in addition to "yes" or "no."