By Stephanie Overby, CIO | July 25th, 2014
IT leaders need to learn how to manage the evolving legal, privacy and compliance issues of SMAC contracts.
The convergence of social, mobile, analytics, and cloud technologies (SMAC) are complicating an already complex IT outsourcing value chain. But they’re also creating new legal and compliance issues for companies reliant on third-party providers for SMAC-related services.
Jumping into SMAC deals without addressing these issues could be as costly as sitting on the sidelines and missing out on the value that these new tools and services can deliver.
“The convergence of the SMAC technologies is truly revolutionary, creating enormous opportunities for those that embrace them and serious risks for those that fail to do so — or who overlook the legal pitfalls that SMAC technologies introduce,” says Brad Peterson, a Chicago-based partner in Mayer Brown’s business and technology sourcing practice. Laws written before SMAC-related capabilities existed do not address some of their unique risks.
Yet few companies are prepared to deal with the issues that are emerging along with these third-party SMAC systems and services. “Customers are not giving this enough attention today,” Peterson says. “They are caught up with the excitement and possibilities and not yet considering the pitfalls. People who look at pitfalls rapidly get stuck on the privacy issues, which loom large but are in some ways the easiest because they are relatively well understood.”
As companies forge new relationships with SMAC providers, it’s important that they review their contracts to secure data rights; protect data with contractual, operational and legal defenses; and manage the legal risks that can come with amassing, analyzing, and acting on SMAC-generated data, says Peterson.
Following are the five biggest legal risks associated with SMAC services and how companies can address them before signing contracts with new providers.
1. Restrictions or Lack of Rights to Use Data or Insights
Companies engaging with new SMAC providers may assume that they will retain the right to use, analyze or commercialize their own data gathered in the course of doing business. But there are a number of ways in which they may forfeit that right under these contracts. Confidentiality and intellectual property provisions and other restrictions on use of data abound in signed SMAC contracts. Companies should review their SMAC outsourcing deals closely to ensure that they don’t restrict their data use or analysis rights, says Peterson.
2. Data Value Leakage
Back in 2001, when AOL signed one of the first deals with Amazon to host its ecommerce site in what was yet to be called the cloud, AOL was inadvertently handing over to Amazon the keys to its data kingdom. Amazon wasn’t just interested in being an outsourcing provider; it wanted to get a hold of AOL user data that could improve the performance of Amazon’s recommendation engine, according From Big Data: A Revolution That Will Transform How We Live, Work, and Think by Viktor Mayer-Schonberger and Kenneth Cukier.
And they did: all that additional data value went to Amazon rather than AOL. More than a decade later, SMAC services customers are still at risk for data leakage with these deals. Companies should review all service provider contracts and forms and develop provisions that address data rights and licenses in order to increase the value gains from their own data, says Peterson.
3. Inability to Comply With Current or New Data Laws
Managing compliance with data protection laws in a global economy is no small task. Intellectual property (IP) and privacy protections for data and insights vary widely. European Union laws confer IP rights in databases but also give individuals the right to obtain information about — and, in some cases, require the removal of — their data companies have collected about them in their databases.
The EU also limits the use and transfer of personally identifiable information. No such protections exist in the U.S. where a patchwork of federal and state laws must be managed. Companies must make sure both they and their SMAC providers remain in compliance with evolving legislation around the world.
4. Liability for Failure to Protect, Analyze or Disclose Your Data
The more data a company and its SMAC providers collect, the greater the risk that the data will be exposed. And, in many cases, the cost of exposure outweighs the value of that data itself. Peterson advises companies to review their own data retention policies, which may have been written before they started collecting data generated by social media and mobile devices. They should do the same for any new providers.
5. Liability for Discriminatory or Other Illegal Uses of Conclusions Gleaned From SMAC
Errors and poor correlations are a real problem at the juncture of social, mobile, analytics and cloud services.
Even when data and analyses are accurate, actions taken based on the insights might violate laws. John Podesta, the White House advisor in charge of the Obama administration’s big data and privacy working group, in May raised concerns about “the potential for big data analytics to lead to discriminatory outcomes and to circumvent longstanding civil rights protections in housing, employment, credit, and the consumer marketplace.”
Companies, in working with their SMAC providers, might increase profits by analyzing social and mobile activity that could also amount to discriminatory or otherwise illegal use of that data.
Peterson says he expects to see new laws and expanded interpretations of existing laws that make companies liable for activities that might seem to be legal today. Companies should remain diligent to ensure both they and their SMAC providers remain in compliance with current and future laws.
Companies should not wait for the risks associated with social, mobile, analytics and cloud outsourcing contracts to be settled before addressing them. “Act now,” advises Peterson. “The risks are easier to mitigate and the value is easier to capture now than down the road.”