This is a live blog post from Legal Tech NY 2015. The topic is “Cybersecurity, Privacy and Data Protection Legal Challenges in the Digital Age”. [Editorial note inserted toward end of session. This session offered a very interesting and timely discussion but I did not hear any lessons for large law firms. So if you are looking for practical advice in your firm, you will not find it here.]

Speakers:

  • Erin E. Harrison, Incoming Editor in Chief, Law Technology News [Discussion Leader]
  • Eran Feigenbaum, Director of Security, Google Apps, Google
  • Jon Palmer, Assistant General Counsel – Litigation and Antitrust Legal and Corporate Affairs, Microsoft Corporation
  • Edward Palmieri, Director & Associate General Counsel, Privacy and Regulatory, Facebook
  • Laura Pirri, Legal Director, Products, Twitter
  • Ari Shahdadi, General Counsel, Tumblr

 

Here are my session notes. Please forgive any typos or inaccuracies; I post this as the session ends, without editing and little or no review. [Comments in square brackets are my editorial comments.]

Intro Remarks by Bill Carter, ALM President and CEO

ALM President and CEO Bill Carter starts with introductory remarks. This is the 34th LTNY. [Wow! I’ve only been coming 25 years.] The name of Law Technology News is to become LegalTech News, to bring the show and publication branding together. ALM is committed to new tech. It is partnering with Stanford Codex for new, exciting, “disruptive” companies. There will be a Shark Tank event on Thursday. [Sorry I have to miss that.] Announces that Monica Bay retires, acknowledging that she is an icon. New editor-in-chief is Erin Harrison, former EIC at Inside Counsel.

Panel Discussion

[Enumerated points reflect each new moderator question.]

1. What are some of the root causes of breaches, how does Google handle? Eran… No work versus personal life in IT. Formerly, workers had more powerful tech in the office. But now, it’s often the opposite: consumers often have more powerful tech at home than in the office. So the blending of work and home and doing work everywhere contributed to security breaches. The issue is that hackers get a person’s credentials via phishing, hacking, and other means. It’s become clear that passwords are bad and we need to get away from them. We need new ways to authenticate users.

Eran says cloud providers are unique in providing defense in depth. Says that any cloud provider has deeper security than companies. Google has 500 security engineers, which dwarfs most organizations. This gives huge scale advantages. Likens it to a bank with armed guards, vaults, and video. Contrasts this with typical organizations that struggle to patch systems. Cloud providers can more easily alert users to security risks, for example, an alert that an account was accessed from an unusual location.

2. Facebook hosts personal data from many around the world. How does F/B handle? Edward… Diversity of cross-functional groups – experts from legal, policy, tech – work together to decide on and review changes to the service. Cross-functional view helps create a robust system. Facebook is also focusing on training. Focus on user trust angle; communicate well with users; launched a set of tools to help manage personal data; to explain how systems are secured; two-factor authentication; that users can make choices that are available and easy. In tandem with its privacy policy, FB launched a privacy tool that allows users to watch vignettes to understand choices. Conversation with users is key to maintaining trust.

3. Tumblr vendor had breach… what are the lessons learned? Ari of Tumblr… Started by talking to vendor CMO, who said did not want to tell customers. Lesson One is don’t deal with CMO. Decided to rely less on third-party cloud providers and do more internally to maintain control. Laura of Twitter chimes in and agrees that it was critical to inform users. Thought it was great that tech companies got together to discuss the security situation. Ari says the major cloud providers now regularly talk to one another about security.

4. For Laura and Edward… To what degree does user trust influence products, and what is privacy by design? Laura of Twitter: to support global public conversation. On privacy by design and building products, there are two aspects. First is to structure the company the right way to ensure that privacy is considered. One team, my team, is product lawyers with privacy backgrounds. They are embedded in product development. Second, you think about giving choices re privacy. This means options and choices on privacy. For example, on Twitter, you can choose to Tweet with location or not and can subsequently delete location without deleting the Tweet. [I never Tweet with location.]

Edward of Facebook says that the company understands that people speak to different circles of friends, and the company enables selecting the appropriate circle. Also notes the evolving mores, and the product evolves to reflect this. Users now use privacy control tools more than in the past. For example, there is an activity log to review every action you have taken. You can manage that information.

5. How can providers avoid government access to consumer private data? Jon of Microsoft… Notes significant legal ambiguities. MSFT challenged a search warrant issued by a magistrate in SDNY; that warrant seeks to obtain email from a customer, where that data were stored only in Ireland. [This case got a lot of mainstream media coverage.] Lost in SDNY and MSFT now briefing for 2nd Circuit. Says this case raises 3 issues. First, does digital content have the same privacy protection that physical documents have? MSFT argues yes, that an email box should be treated the same as physical documents. Second, who owns the data? The answer dictates case outcome. MSFT believes the customer owns the data. Under that view, government taking the data is a search and seizure. But if you presume that email content is akin to MSFT business records, then the legal outcome is the opposite. Law is still grappling with this. Third, what law applies? Which jurisdiction’s privacy law applies? MSFT says existing treaty covers this.

Jon notes that illegal access raises a completely different issue. Eran of Google argues that cloud providers are better equipped to prevent this than customers. Eran also notes that cloud providers store data in different and multiple locations, which makes the jurisdictional issues that much more difficult – and important.

Laura of Twitter talks about how the mix of security, product design, litigation strategy, and legal stand is all important. Users need to know social media companies are willing to stand up for user rights. Twitter is challenging DOJ national security letters that prohibit disclosing to users a request for disclosure.

[This concludes the panel discussion. I am not capturing audience Q&A here.]