big data use and licensing: legal and practical strategies to...
TRANSCRIPT
The audio portion of the conference may be accessed via the telephone or by using your computer's
speakers. Please refer to the instructions emailed to registrants for additional information. If you
have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Presenting a live 90-minute webinar with interactive Q&A
Big Data Use and Licensing: Legal and
Practical Strategies to Maximize its Value Navigating Issues of Anonymization, Due Diligence
and Salting the Database; Key Contractual Provisions
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
WEDNESDAY, MAY 3, 2017
Aaron K. Tantleff, Partner, Foley & Lardner, Chicago
Julie K. Kadish, Foley & Lardner, Chicago
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, you may listen via the phone: dial
1-866-961-8499 and enter your PIN when prompted. Otherwise, please
send us a chat or e-mail [email protected] immediately so we can
address the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen,
press the F11 key again.
FOR LIVE EVENT ONLY
Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your
participation in this webinar by completing and submitting the Attendance
Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email
that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926
ext. 35.
FOR LIVE EVENT ONLY
Program Materials
If you have not printed the conference materials for this program, please
complete the following steps:
• Click on the ^ symbol next to “Conference Materials” in the middle of the left-
hand column on your screen.
• Click on the tab labeled “Handouts” that appears, and there you will see a
PDF of the slides for today's program.
• Double click on the PDF and a separate page will open.
• Print the slides by clicking on the printer icon.
FOR LIVE EVENT ONLY
©2016 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not
clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500
Understanding Big Data: Practical Considerations to Legally
Maximizing its Value Aaron Tantleff
312.832.4367
May 3, 2017
6
Agenda
©2016 Foley & Lardner LLP
What is Big Data?
Using Big Data – Case Studies, Practical Considerations, Issue Spotting
Licensing Big Data – Key Contractual Provisions
What is Big Data?
Characteristics of Big Data and the value chain
8
What is Big Data?
Characteristics of Big Data
Volume
• Enterprise Data
• Transaction Data
• Social Media
• Public Data
Variety
• Structured/Unstructured
• Databases
• Data types
Velocity
• Data in Motion
• Algorithms
• Data Streams
• Real time
Value
• Modeling
• Prediction
• Management
Veracity
• Data Quality
• Uncertainty
• Security
Viability
• Selection
• Relevance
• Relationship
9
Types of Data to Protect
©2016 Foley & Lardner LLP
10
Importance of Protections
©2016 Foley & Lardner LLP
Protect corporate asset
Minimize potential liability
Protect business reputation
Establish diligence
11
The Big Data Value Chain
New Data Sources
Data cleansing, data matching
Relevant data Insights
Manage data Drive
decisions
Continuous feedback
Perform analytics
Using Big Data
Case studies, practical considerations, and issue spotting
13
Using Big Data – Case Studies
©2016 Foley & Lardner LLP
Realized that those who most need to take their medications were those most likely to forget. Created new product of beeping medicine caps and automated phone calls reminding patients of next dose.
Deploys customized software to monitor rail traffic and reduce congestion, enabling trains to operate at higher speeds. The company forecasts $200 million in savings by making trains run just 1 mph faster.
Reduced the time it takes to run clinical trial simulations by 98% by extending its internally hosted grid environment into the AWS Cloud. The company has also been able to optimize dosing levels, make drugs safer, and require fewer blood samples from clinical trial patients.
Attempting to reduce unplanned aircraft engine maintenance. A new-generation engine is able to collect about 5,000 parameters of data continuously while in flight. Using the data, Pratt & Whitney and IBM are trying to enable proactive maintenance.
Partnered with Uptake to develop a platform for predictive diagnostics to help Caterpillar customers monitor and optimize their fleets more effectively.
Created a voluntary research program using blood samples and other health information to study how gene’s affect one’s health.
14
Using Big Data – Practical Considerations
Anonymization
Due Diligence
Salting the Database
©2016 Foley & Lardner LLP
15
Anonymization – Must Do’s
Limit licensee’s use of the database to
datasets that have been anonymized
Ensure datasets provided are properly
de-identified and comply with
applicable privacy and security laws
Ensure licensor has necessary rights to
use and provide the identifiable
information
Provide licensee with notice should the
licensor discover that information
provided is not properly de-identified or
that it has reason to believe that such
data could be re-identified
©2016 Foley & Lardner LLP
Prohibit a licensee from re-identifying any
individuals or combining the dataset with
other datasets that would enable any
individuals to be re-identified
Prohibit licensees from using the data to take
any action based on re-identified data
Require licensee to notify licensor in the event
licensee determines that any individual was
re-identified or that it is determined that
individuals could be re-identified
Prohibit licensees from using the datasets for
unauthorized purposes
16
Due Diligence Questionnaire
©2016 Foley & Lardner LLP
Why use one?
Provides uniform,
ready-made framework
Ensures an “apples-to-
apples” comparison of responses
Confirms that all key areas
are addressed and not
overlooked
Creates easy means of
incorporating the
information directly into the contract
Places the third party on
notice that information security is a
key consideration
17
Salting the Database
©2016 Foley & Lardner LLP
• Common technique used by licensors to protect databases and detect unauthorized copying
What is it?
• Seasoning of a database with dummy or fake data that is difficult, if not impossible, to detect by others
How do you do it?
• Larger the database, the more difficult it would be for a third party to detect and remove the salted data
Why should you do it?
hello
hello3abc10
add “salt”
hash function
56e19cb123
18
Issue Spotting - License Rights
Broad versus limited use
– Broad: Licensor grants Licensee a non-exclusive right to reproduce and modify the Data.
– Limited: Licensor grants Licensee a non-exclusive right (a) to reproduce the Data and use it solely as set forth in Section _; and (b) to modify the Data solely as set forth in Section _ (Data Modification).
License to distribute
– Can Licensee distribute modified data?
– Be careful of extinguishing trade secret rights and licensor liability to third parties who contributed to the data
License conditional upon compliance with other terms
– If license grant is conditioned upon compliance, breach of the license grant means both a breach of contract and IP infringement
©2016 Foley & Lardner LLP
19
Issue Spotting – Use Restrictions
Restrictions on Marketing, Territory, or Device
– Licensee will not (a) use the Data to identify, market to, or otherwise make contact with any individual or entity; (b) store or process the Data or access it anywhere other than [TERRITORY]; or (c) store or process the Data from any device other than an Authorized Device.
Compliance with Privacy Policies
– If its possible to identify the promises made to consumers when the data was collected, then: Licensee will not use the Data in any way inconsistent with the Licensor attached Privacy Policy
Restrictions on Data use
– Licensee will not give any staff, contractors, or employees access to the Data for any purpose, exactly as strictly necessary to exercise Licensee’s rights granted in the Agreement
©2016 Foley & Lardner LLP
20
Issue Spotting – Data Ownership
Ownership of original data
– The Licensed Data remains Licensor’s sole and exclusive property, and Recipient receives no right, title, or interest in or to the Licensed Data, except to the limited extent set forth in Section __ (Data License)
©2016 Foley & Lardner LLP
Confirming IP Rights
– Licensee recognizes and agrees that: (a) the Data is valuable property of Licensor; (b) the Data includes trade secrets of Licensor; (c) the Data is an original compilation pursuant to United States copyright law; and (d) Licensor has dedicated substantial resources to collecting, managing, and compiling the Data.”
– Add restrictions on contesting ownership
21
Using Big Data – Legal Considerations
Website privacy policies and terms of use
Computer Fraud and Abuse Act (CFAA)
COPPA, CalOPPA
Fair Credit Reporting Act (FCRA)
Stored Communications Act (SCA)
Electronic Communications Privacy Act (ECPA)
©2016 Foley & Lardner LLP
Licensing Big Data
Key contractual provisions and sample language
23
Contractual Protections
©2016 Foley & Lardner LLP
Warranties
Information
Security
Requirements
Indemnification
Limitation of
Liability Confidentiality Audit Rights
24
Warranty – Best Practices
Available at the licensee’s discretion and
advisement
Licensee is generally responsible for
determining the applicability and legality
of the use of the dataset and any results
in its sole and absolute discretion
Losses and liabilities incurred by the
licensee based on any action or inaction
taken by the licensee, as between the
Licensor and the licensee, are those of
the licensee
©2016 Foley & Lardner LLP
Warranty Information
Security Indemnification
Limitation of Liability
Confidentiality Audit Rights
Licensor, to the best of their knowledge, has
the necessary rights to provide or otherwise
make the data available to the licensee
Licensor is not providing any data to the
licensee where licensor knows, or should
reasonably know, that they do not have the
rights to provide such data
The licensed data has not been manipulated
by the licensor or other parties in such a
manner as to render the data or the results
of any analytics performed on such data
questionable or worthless
25
Warranty – Best Practices (continued)
The data is not corrupt
Licensor did not insert malicious code
With respect to any “structured data,” the database is organized and formatted in a particular manner (which is disclosed to the licensee)
©2016 Foley & Lardner LLP
Warranty Information
Security Indemnification
Limitation of Liability
Confidentiality Audit Rights
26
Information Security - Warranties
Compliance with “best industry
practices relating to information
security”
This creates an evolving standard to keep pace
with advances in the industry as security
measures improve over time
Prohibit sending data and intellectual
property offshore to subcontractors or
affiliates unless specifically authorized
to do so by the customer
©2016 Foley & Lardner LLP
Warranty Information
Security Indemnification
Limitation of Liability
Confidentiality Audit Rights
Responses to the due diligence
questionnaire are true and correct
Questionnaire should be attached as an exhibit
to the contract
Compliance with state and federal laws
and regulations with respect to any
data that is subject to a state or federal
law or regulation (personally
identifiable information)
27
Information Security - Vendor & Business Partners
Require that licensee and any third party to secure and defend its information
systems and facilities from unauthorized access or intrusion
Participate in joint security audits
Periodically test its systems and facilities for vulnerabilities
Use appropriate encryption
Access control technology
Use proper methods and techniques for destruction of sensitive information
– (e.g., the DoD 5220-22-M Standard or NIST Special Publication 800-88, Guidelines for
Media Sanitization)
©2016 Foley & Lardner LLP
Warranty Information
Security Indemnification
Limitation of Liability
Confidentiality Audit Rights
28
Indemnification
Most licensors of Big Data are hesitant or refuse to offer any form of
indemnification to a licensee
Licensees can achieve certain forms of protection as a result of the licensee’s
negotiating power, the relationship between the parties, and the experience level
of the counsel and business team representing the licensor and licensee
Third party to hold licensor harmless from claims, damages, liabilities, and
expenses incurred as a result of a breach of the security obligations
– Third party should protect the licensor from lawsuits and other claims that result from
the third party’s failure to adequately secure its systems
©2016 Foley & Lardner LLP
Warranty Information
Security Indemnification
Limitation of Liability
Confidentiality Audit Rights
29
Limitation of Liability
Any breach of the license grant or infringement of the licensor’s intellectual
property rights by the licensee be excluded from the limitation of liability
– Without those exclusions, the licensor has essentially sold its rights in the database for
the value of the cap on damages
If the agreement disclaims all liability for consequential damages and caps
liability, equivalent to selling its rights in the database for such equivalence
Must include a carveout for breaches of privacy or confidentiality
©2016 Foley & Lardner LLP
Warranty Information
Security Indemnification
Limitation of Liability
Confidentiality Audit Rights
30
Confidentiality
Important to protect IP, including trade secrets and confidential information
Restrictions on a licensee’s ability to use, share, and otherwise disclose and
make the information available to third parties
– Restrictions and obligations with respect to the licensee’s ability to grant sublicenses
– Restrictions on ability to disclose licensed information
– Limitation on authorized parties to whom the licensee is allowed to disclose the
information
– Authorized third parties are subject to obligations of confidentiality no less stringent
than those set forth in the agreement between the licensor and the licensee
©2016 Foley & Lardner LLP
Warranty Information
Security Indemnification
Limitation of Liability
Confidentiality Audit Rights
31
Audit Rights
Purpose: to ensure compliance with
licensed scope such as
– Use of the database
– Compliance with security obligations
– Fees due
– Re-identification
Confidentiality
Regulatory audits
©2016 Foley & Lardner LLP
Warranty Information
Security Indemnification
Limitation of Liability
Confidentiality Audit Rights
Examples of Licensee requests:
Limited number of audits that can be conducted
in a given period of time
Audit shall not unreasonably interfere with or
disrupt the licensee’s business
Restrict ability to take multiple attempts at
uncovering a licensee’s noncompliance by
preventing a licensor from re-auditing records
that were previously audited and found to be
compliant
ATTORNEY ADVERTISEMENT. The contents of this document, current at the date of
publication, are for reference purposes only and do not constitute legal advice. Where
previous cases are included, prior results do not guarantee a similar outcome. Images of
people may not be Foley personnel.
© 2017 Foley & Lardner LLP
Questions? Aaron K. Tantleff
Partner
Foley & Lardner LLP
321 North Clark Street, Suite 2800
Chicago, Illinois 60654
(312) 832-4367
Julie K. Kadish
Associate
Foley & Lardner LLP
321 North Clark Street, Suite 2800
Chicago, Illinois 60654
(312) 832-4911