Tag Archive: privacy

What Happened in Vegas: Highlights from CES

As part of the National Association of Corporate Directors’ (NACD) continuing mission to help directors understand disruptive technologies and trends, I joined more than 175,000 attendees at the 2017 Consumer Electronics Show (CES) in Las Vegas. My team was doing a little reconnaissance work on your behalf. NACD will host a director-focused, member-exclusive Technology Symposium this July, and we wanted to get an advance look at the most pressing governance implications of new technology.

After three days of experiencing more than 3,800 vendors, you start to see past the shine of the latest gadgets and understand how the technology that underpins these products is poised to change the world. How those technologies are leveraged by companies is key to understanding the future of disruption, and as we discussed at last year’s Global Board Leaders’ Summit, convergence is the order of the day.

Voice and Motion-Enabled Artificial Intelligence (AI) Are Here to Stay

A booth showcased one of many partnerships between Amazon and consumer products companies, including Whirlpool.

From controlling the radio volume with a wave of your hand to voice-controlled appliances, AI was everywhere. In fact, the most talked-about company at CES this year didn’t even have a booth. The Amazon logo appeared on products ranging from innovations by Whirlpool to debuting devices from smaller start-ups.

Why? Alexa, Amazon’s AI assistant, was ubiquitous on the show floor.

Alexa is leading the way in enhancing consumer products that implement voice-enabled technology. It is anticipated that Alexa will soon be programmed to power and interact with everything from your toaster to your Toyota.

It became apparent at CES that the future of voice-enabled AI is a person’s ability to speak naturally and rely on the computer to accurately transcribe information. This has a significant impact on everyone from office workers to doctors, who could rely on the technology to dictate notes to medical records.

John Hotta, a director in the healthcare space and NACD Board Leadership Fellow, was also on hand at CES. “Innovations in voice-activated technology also have huge implications for products, services, and the nature of work, as smart speakerphones or personal assistants such as Google Home or Amazon Dot replace direct user interface with a computer,” Hotta said.

Computer, You Can Drive My Car

CES exhibitors demonstrated the growing sophistication of autonomous vehicle technology. Last year Ford Motor Company CEO Mark Fields promised to turn the automaker from a car company to a mobility company. That strategy was on full display as Ford partnered with San Francisco-based start-up Chariot to show off one of its autonomous mini-buses, a vehicle that Ford hopes will “reinvent mass transit for commuters, companies, and fun-seekers with reliable and affordable service.”

A wealth of connected, autonomous vehicles were on display.

Autonomous vehicles also buzzed high above the heads of CES attendees. As drone technology continues to evolve for both commercial and industrial use, autonomous vehicle technology is being applied to those vehicles as well. In a convergence of these trends, Mercedes exhibited a fully autonomous delivery vehicle equipped with two roof-mounted drones that facilitate package delivery from the van to the doorstep.

Another trend emerged at CES: the use of autonomous vehicles as a tool for vehicle safety. Thanks to the convergence of AI and the Internet of Things (IoT), vehicle-to-vehicle technology has enabled cars to talk to their passengers and to other vehicles on the road. As attendees at the 2016 NACD Global Board Leaders’ Summit may remember, Chris Gerdes, head of innovation at the Department of Transportation (DOT), discussed how DOT is piloting this technology in cities across the U.S. to slash traffic fatalities, and nearly every major automaker is now getting in on the act. Hyundai and Cisco announced a partnership to leverage IoT technology to improve safety and reduce congestion by connecting vehicles to municipal infrastructure.

Governance Implications

Collaboration is Key

Consumer products and technology companies are forging essential partnerships.

As technology becomes more ubiquitous and innovation becomes decentralized, companies are realizing they can’t go it alone. Consumer products companies are linking up with leading technology companies to build resilience to innovation. In addition to the proliferation of Alexa-linked products, Honda Motor Co. has teamed up with Visa to enable vehicle-based mobile payment systems that allow passengers to conduct transactions without leaving their cars. Apparel companies like Tory Burch and Fossil, which seem more at home at New York Fashion Week than at CES, also had large booths touting their new lines of wearables. And finally, in-house labs at big brands like Whirlpool are partnering with crowd-funding platforms like Indiegogo to launch new products. Like the auto companies profiled above, this is another example of convergence that directors would be wise to anticipate.

Private Eyes Are Watching You

The act of welcoming devices into our workplaces and homes that listen and watch our every move could revolutionize the way we live and work—and opens us to unprecedented privacy and security concerns. Coupled with a proliferation of smart products aimed specifically at tweens and children, smart devices present a whole host of liability issues that technology, legal, and regulatory experts are just starting to grapple with.

Amazon’s Alexa and Mattel have already made news for the unintended consequences of giving children access to this kind of technology. Additionally, U.S. courts are considering the legal implications of using recordings from these devices as evidence. One such case pits Amazon against prosecutors who believe that data from an Amazon Echo might be key in solving a murder case.

In this rapidly evolving climate, directors should be asking questions about whether or not security is being integrated into product development now and in the future—from research and development, to plant upgrades, to policies that allow employees to use their own smart devices for work.

The Future of the Workforce

Ian Bremmer, president of Eurasia Group and a 2016 NACD Global Board Leaders’ Summit speaker, recently said, “Technology will surely create jobs. But virtually none of the people displaced will have the training for them.” The changing nature of the global economy threatens to make some American jobs obsolete. If CES made one point clear, it’s that the current concern over the decline in manufacturing and coal jobs pales in comparison to the potential changes that will come with widespread automation of jobs.

Volkswagen exhibits its electric, autonomous I.D. concept car.

Remember the self-driving delivery van with the automated drones that deliver packages mentioned above? Think about that technology and then look at this interactive map of the top jobs by state. Last August, Uber Technologies acquired Otto, a self-driving truck company, further showing how 1.7 million middle-class jobs could disappear in short order. The American economy is facing a potential employment crisis the likes of which may be unprecedented.

It’s not just delivery drivers who are in danger. As Jane Fraser, CEO of Citigroup’s Latin America business said at Fortune magazine’s Most Powerful Women Summit in October, “we are expecting 500 billion objects to become connected to the internet and this automation is going to hollow out middle and working class jobs.”

This shift has huge implications for the American economy and its ability to compete on a global scale. Consider, for instance, that automated delivery of packages is only helpful if your company has a customer base that can afford to spend money on products. A recent report by the President’s Council of Economic Advisers lays out the dual challenges of educating a workforce that is ready for the jobs of the future, and the uphill battle of transitioning to an AI-based economy. This report is great reading for directors as they consider the role of the corporation in society, and could help the board shape individual company strategy in critical areas like innovation, talent development, and long-term value creation.

You can see, hear, and learn more about these trends at the 2017 Global Board Leaders’ Summit. Stay tuned for information about our new director-focused, curated tour of the 2018 CES show next January.

Cross-Border Information Flows: Existing and Developing Challenges

In this digital age, an organization’s ability to collect, analyze, aggregate, associate, and securely share data around the world is mission-critical. However, an increasing number of laws have been adopted across the globe regulating and restricting the transfer of information, ranging in type from data privacy-focused regulations to national security-focused regulations.

Joan Meyer

Michael Egan

Regulatory restrictions can present significant challenges for global organizations, as they could directly impact business transformations (e.g., new cloud sourcing arrangements, the collection of mobile and Internet data, big data analysis projects, and the like) and corporate compliance initiatives (e.g., auditing, monitoring, internal investigations, e-discovery, whistleblower hotlines, and other similar compliance undertakings).

Knowing what these restrictions are, how they impact the business, and how the organization is addressing compliance are key to the board’s oversight of data management practices, which are an increasingly fundamental business element.

Knowledge is Power

Because regulations are increasingly impacting how information may be collected, used, and transferred, it is essential for directors and executives to understand these regulations and to apply best practices. By doing so, boards can help their organizations mitigate the risk of exposure to regulatory noncompliance, in particular as the potential penalties for noncompliance become increasingly material. To accomplish this, boards must ensure that their organizations are informed of the five W’s of data to stay ahead of the compliance curve:

  • Who – Who are we, who are our data subjects, and who has access to our data?
  • Where – Where do we keep our data and where do we transfer our data?
  • Why – Why do we collect and transfer this data?
  • When – When are we retaining data and for how long, and when do we share it with others outside the organization?
  • What – What solutions do we have in place to safeguard regulated data and what elements are in place to address any local requirements, including cross-border transfer requirements?

Data Privacy-Related Cross-Border Transfer Restrictions

Outside of the United States, many jurisdictions, including those in the European Union, regulate the collection, processing, and transfer of personal data via comprehensive data protection laws that cover a broad range of personal data and activities related to such information, including its collection, use, and transfer. Considering the ubiquity of data collection for marketing, commerce, and employment purposes, these regulations have significant implications for a broad range of businesses.

Personal data covered by these regulations is often broadly defined to include any information relating to, or that could be linked to, an identified or identifiable individual, including the following:

  • Name
  • Email address (including work email address)
  • Title
  • Telephone number
  • Payment card information
  • IP address

These regulations often restrict the transfer of such personal data across international borders unless certain conditions are met. The first question in the analysis is often whether the data is being transferred to a jurisdiction that provides similar or “adequate” protection for personal data.

If the answer is “no,” then investigate whether:

  1. adequate safeguards have been put in place or some other justification for the transfer can be relied upon; and/or
  2. a derogation applies (e.g., the data subject has consented to the transfer or the transfer is required for the performance of a contract).

It is important to note that accessing personal data remotely in a different jurisdiction from the one in which it is stored is often viewed by foreign regulators as a transfer to that other jurisdiction (e.g., viewing data stored in Germany from a computer in the U.S.). It is also noteworthy that United States’ legal protections for personal data frequently fail to meet the “adequacy” standards of authorities in more highly regulated jurisdictions, such as those in the European Union.

Data Privacy-Related Cross-Border Transfer Solutions

There are several solutions for organizations that need to transfer personal data across borders to countries that may not be deemed to provide “adequate” protection to personal data by certain foreign authorities, such as the United States. Boards should ask management teams to verify that one or more of the following solutions is in place to comply with applicable cross-border data transfer restrictions:

  • Consent – Where appropriate, ensure that the data subject has given his/her voluntary and unambiguous consent to the proposed transfer. It is important to note that this option may not be available for employee data in certain jurisdictions in which employees are generally not seen as able to provide voluntary consent to their employers, such as in Germany or France.
  • Data Transfer Agreements – Review whether or not contractual provisions designed to provide adequate protection to the personal data transferred are utilized by the organization both for internal cross-border transfers between affiliated entities and for transfers to third parties (e.g., the EU Standard Contractual Clauses).
  • Binding Corporate Rules – Determine whether the organization should adopt enhanced internal personal data protection policies and procedures within the group of companies, referred to as Binding Corporate Rules, and have those approved by the applicable regulators in order to rely on them as a solution.
  • EU-U.S. Privacy Shield Framework – For transfers of personal data from the European Economic Area to the United States, determine whether the recently approved EU-U.S. Privacy Shield Framework, which provides that organizations self-certified to the Framework are deemed to provide “adequate” protection to personal data by the European Commission, may be an appropriate solution.

These solutions will likely continue to evolve, along with the various regulations that impose the restrictions, in order to address the ever-changing digital marketplace. For example, under the new European General Data Protection Regulation (GDPR), which comes into effect in May of 2018, requirements around what constitutes valid data subject consent will have more prescriptive conditions and any new decisions by the European authorities deeming that a non-EU jurisdiction provides “adequate protection for personal data” will likely be subject to more rigorous requirements (although existing “adequacy” decisions will be grandfathered). The penalties are also increasing, with fines for violating the GDPR going up to EUR 20,000,000, or 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. Furthermore, beyond data privacy-related cross-border transfer restrictions, boards should also be aware that there may be additional potentially applicable cross-border transfer restrictions on organizations, including those related to national security or state secrets.

Given the significant financial and regulatory burdens for non-compliance, boards need to understand how these cross-border transfer regulations may impact their organization and stay informed of their organization’s compliance position, and any risk decisions made related thereto, when it comes to both current and future data collections and uses.


As a partner at Baker & McKenzie LLP, Michael Egan advises clients across a range of industries regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer. Joan Meyer chairs the North America Compliance, Investigations & Government Enforcement Practice Group at the firm. 

A Former White House CIO Discusses Data Hygiene and Cybersecurity Strategies

Consumers in the digital marketplace rarely think twice about allowing companies access to their personal information, and the companies that are amassing this data are enjoying the unprecedented business opportunities that such access entails. This exchange of information does, however, come with substantial liability risks; that information can easily fall into the wrong hands. This feature of the e-commerce landscape is causing both consumers and companies to ask: Is privacy dead in the Information Age? To explore this question, NACD Directorship Editor in Chief Judy Warner sat down with former White House Chief Information Officer and founder of consulting company Fortalice Theresa Payton during a Monday evening session at the 2015 NACD Global Board Leaders’ Summit.

Theresa Payton at 2015 Global Board Leaders' Summit

In short, privacy isn’t dead, but our concept of privacy is undergoing a transformation. Payton said that as business leaders and consumers, we need to have serious conversations about what the new—and correct—lines of privacy are. “We own some responsibilities as business leaders and government officials,” she said. “Data is hackable and breaches are inevitable. Don’t aid and abet hackers.”

It turns out that companies are inadvertently aiding and abetting hackers. First, some organizations fall victim to their own, outdated view of building cyber defenses: Set up as big a firewall as you can around the company’s data assets; install anti-malware and antivirus software—done. This is a losing defensive strategy; it fails to take into account the mechanics of how and why these major breaches continue to happen.

According to Payton, companies with poor data hygiene are the most susceptible to cyberattacks. When companies kept analog files, they would shred records when storage space was exhausted or when data reached a certain age. In a digital environment, storage space is cheap and seemingly limitless, meaning that data could—and probably will—live on servers for years. As time goes on and a company reorganizes, data is forgotten, creating prime points of entry for hackers. Adopting a data-“shredding” strategy is imperative.

In addition, the tools needed to hack into a system have become both affordable and readily available. Now anyone can be a hacker, and those who have chosen this path grow more adept at their craft every day. Taken all together, this is a recipe for potential disaster.

Payton outlined best practices for maintaining optimal data hygiene:

  • Don’t keep all of your data in one place. For data you need to retain, “segment it to save it.” In other words, divide that information among multiple digital locations so that if one location is compromised, a hacker hasn’t gained access to the entirety of the data the company holds.
  • Create rules around when you no longer need data and set a schedule for “shredding” it.
  • “Shred” any data that you don’t need. Keep only data related to the attributes of consumer behaviors and get rid of the specifics (e.g., names and social security numbers). Doing so will reduce your risk of being held accountable when a breach happens.

Furthermore, she stressed that directors should be sure to ask certain questions as they work with management to hone the company’s cybersecurity strategies:

  • Have we identified our top critical assets—those that if held for ransom, lost, or divulged, would destroy us as a company?
  • Who has access to those assets? How do we grant access?
  • Have we drilled for a cyber breach disaster?
  • Do we have a liability plan that will cover the board should critical assets be breached?