R&G Tech Studio Presents: Data, Privacy & Cybersecurity Partner Fran Faircloth (Podcast) – Privacy Protection
In this episode of the R&G Tech Studio, data,
privacy & cybersecurity partner Fran Faircloth sits down with
technology, media & telecommunications co-lead Ed Black to
discuss how she counsels clients on a wide variety of privacy and
cybersecurity concerns, including cyberattacks and data breaches,
and how it's helpful that she has a couple FBI agents on speed
dial that she can contact whenever needed.
Transcript:
Ed Black: Hi, I'm Ed Black, an attorney
at Ropes & Gray, and I want to welcome everyone to the latest
edition of the R&G Tech Studio podcast. In this
edition, we have my friend and partner, Fran Faircloth, in the
data, privacy, and cybersecurity practiceâjust a wonderful
attorney. Fran, thank you so much for joining the podcast. Before
we jump inâand I do want to talk about your practice, because
it's in a super interesting areaâbut before we jump in,
who are you, and what are the basics?
Fran Faircloth: I am a partner in our data,
privacy, and cybersecurity group. I'm based in our D.C.
officeâI live here with my husband and my two daughters. And
I spend my time helping clients figure out privacy and
cybersecurity questionsâthat could be a range of anything
from making sure they have the right policies in place to helping
them deal with a ransomware attack. We help a really broad range of
clients, technologically sophisticated businesses, but they can
really be in any sector. Just in the last year, they've ranged
from the CEO of SolarWinds, who we've been representing in the
wake of the unprecedented cyberattack that happened there, to
businesses that include an HR company for the entertainment
industry and a company that helps prevent school violence and
bullying. So, it's really just across-the-board companies where
they're using technology and data in ways that we need to
figure out how to help protect to make it useful for them.
Ed Black: That's a huge area. Can you give
me some examples of the kind of problems clients have and the kind
of solutions that you help bring to them?
Fran Faircloth: Sure. Just as one example, in
the past year, we've seen a lot of increase in use of
technology everywhere, especially since COVID, so more monitoring
and videoing, and use of tracking in offices and retail stores, and
even in schools, to some extent. And along with that, there's
been an increase in fears about Orwellian-type surveillance in the
media and in popular opinion. We've had a lot of clients that
have been trying to figure out how to handle those fears, how to
respond to those fears, so that they still can have the value and
social benefit of their technology and highlight those positive
aspects of their products. So, just as a specific example, I
mentioned a minute ago I've been working with a company that
uses AI to help prevent suicide and student violence, through
things like logging of student activity and using the AI to watch
for things that could be indicators. And, I think, everyone would
agree that preventing school violence, especially in our current
climate, is something that we definitely want, but this client and
others that have similar technology have been getting a lot of
criticism for being "overly intrusive" and
"spying" on students. And so, that's been a struggle
that I've been helping them address through things like
communications with regulators and interest groups; and making sure
that they are putting reasonable protections in place, like
de-identification and data minimization, so that they can still
harness the value of the data-driven AI to protect students and
prevent student deaths, while balancing that against the impact on
students' privacy.
Ed Black: Wow. Now, that type of scanning and
monitoring stuff with the AI, that is a bleeding-edge concern. I
have to say, though, that when I think about data and privacy, and
data cybersecurity issues that I've heard about in the press
over the past few years, a lot of it deals with these
"hacks," with a cybersecurity breach of some kind that
results not only in a lot of loss of data, but then an
organization: first they're victimized by the hackers, and then
they've got lawsuits to contend with, and regulators. Does your
practice also embrace that more traditional cybersecurity
incident?
Fran Faircloth: Yes, absolutely. And I think
part of the value of the practice is that we work with clients
across the board from setting up policies to working through the
incident. So, for example, one of our clients is Bombas, the sock
companyâI love their socks. We started out working with them,
actually, in the context of a transaction. And over the course of
our relationship with them, ended up working with them on a couple
of data breach incidents, and helping them to sort through what
happened in those incidents, who needed to receive notice, and
carried that all the way through to communications with regulators
about the incident, and class action litigation that came out of
the incident that we were able to settle successfully for the
client. It's a very holistic view of helping clients protect
against these events and helping them deal with them when they
happen.
Ed Black: One of the things that I used to hear
from clients, just in general, is, "Data privacy and
cybersecurity issues, those are 'specialized' issues. In my
industry, we don't have them." But it seems to me, that
even if you're not collecting credit card data, or filming
students at schoolâobviously, kids in school, very
sensitiveâyou read about in the paper these ransomware
attacks and other things that seem to be going after all sorts of
things. How do you see data protection and cybersecurity
evolving?
Fran Faircloth: Our client base, I think, has
really just expanded so much in the past few years because of this.
We're now seeing clients come in who didn't have a lot of
credit card information or that very, kind of traditional,
sensitive consumer information. So, they didn't traditionally
think that this was an area that they needed to spend a lot of time
on, and even they are facing these risks, especially with the
evolution of ransomware. We had a client just recently who they
don't collect personal medical information at allâall
they do is work with manufacturing or compounding of drugs. So,
"sensitive" in the sense that you need to get this right,
but not in the sense of they have a lot of personal information
that would need to be protected. But they got hit with a ransomware
attack that shut down their operation in ways that they didn't
realize before this happened was a risk that they were subject to.
And so, helping them work through that, and figuring out what
happens when you get hit with a ransomware attack: Who do you go
to? Who's the right person at the FBI to contact? How can they
help you?
Ed Black: And you know all that? You can say,
"Officer Jonesâthat's who you want to contact?"
Do you help people work that out?
Fran Faircloth: Yes, absolutely. So, there are
traditional ways of reporting incidents to the
FBIâthere's a form online that you can fill out, but
honestly, it helps to have a direct contact. The FBI can be
incredibly helpful in these eventsâthey can sometimes even
look at things like a ransom note and say, "That looks like
this attacker from this place," and can help clients in that
way. So, yes, I have a couple of FBI agents on speed dial that I
can call, if needed.
Ed Black: Wow, that's great. We talked
about EdTech, we talked about ransomwareâthe threats are
constantly evolvingâbut it seems to me, at least based on
what you hear in the paper, that the legal environment is also
evolving. Where do you see this going? Is this something that's
going to be regulated by state law, by federal law? Are there going
to be international treaties? If you think ahead to three to five
years from now, what does the data protection and cybersecurity
environment look like in terms of who's calling the shots?
Fran Faircloth: Yes, this is an area of law, as
you said, that's really been rapidly changing, and so, we have
to really stay on top of all these changes. For the past 10 years
or so, everyone looked to the EU as the leader here with
GDPRâtheir comprehensive privacy lawâand a lot of
companies that had dealings with clients and customers in the EU
were up to date on that. But companies that were fully U.S.-based
maybe weren't focusing on it as much because the U.S.
didn't have the same kind of comprehensive privacy laws, but
that's changing. So, just in the last year, we've seen
several states pass their own versions of comprehensive privacy
lawsâwe're now up to five states that will come into
effect in the New Year.
Ed Black: What five are those?
Fran Faircloth: California, Colorado,
Connecticut, Utah, and Virginiaâthat's the count so far.
But there are several others, at least four or five other states
that still have active bills working their way through legislature,
and over half of the states have had something introduced, it's
becoming a patchwork of state laws here. There have been federal
proposals but it may still be several years before we see federal
U.S. law. And there will probably be several other state laws that
pop up with their own version of comprehensive privacy laws between
now and then.
Ed Black: It sounds like keeping track of this
is a huge headache, obviously, for those like you at the firm. But
you have a giant law firmâwe've got our London office,
which is on top of GDPR helping out with the GDPR perspective and
so on. But how is it that we can help clients stay on top of this?
Do we come up with playbooks for them? Do we have communication
platforms? How do we solve a client problem in terms of keeping
them fully informed of exactly where things stand?
Fran Faircloth: We do have pretty regular
communications with our clients about how the law is changing and
how they might need to make changes to their internal rules,
policies, or procedures related to that. We also have a blog where
we try to keep up with these changing things, and post things
thereâmany of our clients are actually subscribed to our blog
so that they get notice of those posts once they go up, and then we
can have further communications with them about how it might apply
to them. But it really is an area that has to be watched, not just
on the state law front. Things are changing around advertising and
tracking technologyâthere are a lot of changes going on right
now that we've been helping clients keep up with.
Ed Black: "Globalization" was the
catchphrase for many years, and now, we're looking at trading
blocs replacing globalization. There's global tension: tension
with China, tension with Russia. In a world of globalization, it
seemed like data would just flow everywhere. But do you think, in
the new world order, that there's going to be "data
jurisdictions"âblocs of countries where data just
can't cross borders, and we have to solve the problem for
clients who are global of how to work in multiple data
jurisdictions?
Fran Faircloth: That's a problem we've
seen come up more and more, especially China seems to be
splintering off their own version of the Internet, where data
can't go in or out, or they have complete control over data
going in and out. And we've seen proposals, even in India
(although it looks like that one's not going to go through) and
other countries looking to have pretty strict data localization
that makes it difficult for clients who want to run a global
business. They have to do things like set up data centers in all
the different locations to deal with this.
Ed Black: Again, do we have tools for helping
clients keep track of these jurisdictional issues and possible
solutions for dividing the world up in this way?
Fran Faircloth: We do. We have various trackers
who help clients keep up with these changes in various
jurisdictional rules and how they differ as you cross lines, and
then, we've also been helping clients come up with policies to
address this. It used to be five years ago, or last year, or even
now, we see clients come in who, for example, their online privacy
policy will have a "general" portion, then they'll
have a special "EU" portion, then it'll have a
special "California" portion, a special
"Australia" portion, and that's really becoming not
workable with the proliferation of these laws. Before long,
you're going to have to have a hundred different privacy
policies translated into 20 languages or more if you are trying to
run a global business. So, we've really been advising clients
to move towards a version of "Global Best Practices." And
it looks a lot like GDPR: It's based in the principles of
transparency and making sure people know what data is collected and
how it's used without being overly burdensome in a way that the
policy would just be so long and complicated that it couldn't
be helpful to anyone, and I think that really is the solution.
Ed Black: So, if I were sitting behind a desk,
looking at a business that's growing rapidly around the world,
and I slapped my forehead and I said, "The good news is
we're growing rapidly around the world. The bad news is
we're growing rapidly around the world, and I now need to adopt
a privacy approach or a data cybersecurity approach that meets the
world's requirements." Could they give you a phone call
and you could help get them set up?
Fran Faircloth: Absolutely. That's one
thing that we've been helping clients with a lot, lately,
moving towards that kind of global policy that will enable them to
do business around the world. There are variations between these
different laws, especially, as we noted, in China, which has its
own kind of special rules. But, really, 80% to 90% of the laws, of
the substance of the laws, are based on the same principles, so if
they adopt that 80%-to-90% approach, then they are hitting the
majority of anything material in the laws. And for the variations
between different jurisdictions, then it just becomes a risk-based
approach of figuring out what jurisdictions to address where
they're doing the most business, and where they think the
regulators might be looking at them most closely.
Ed Black: This is a fascinating subject, and I
know we could go for a while, but we're running out of time and
I want to make sure that we get to the portion of the podcast I
refer to as the personality testâthe portion of it which has
nothing to do with law, but just gives us a chance to get to know
you. So, it's a lightning roundâquick questions, quick
answers. Do you have a favorite movie, and in that movie, do you
have a favorite character in the movie?
Fran Faircloth: That's hard, I really like
movies. Probably Rear Window, a really excellent Hitchcock
movie. I love Jimmy Stewart, and Grace Kelly's character in
that movie is just fantastic. But probably my favorite thing is her
wardrobe in that movie, all of the dresses.
Ed Black: Okay, Jimmy Stewart. Do you have a
favorite board game?
Fran Faircloth: Favorite board game...I really
like any kind of trivia game, so I like Trivial Pursuit a
lot. In law school, I was a big fan of going to pub quizzesâI
get very competitive at these things.
Ed Black: That surprises me: A lawyer at a
large law firm gets competitiveâthat's shocking to me,
absolutely.
Fran Faircloth: My law school class actually
voted me "most competitive," and it wasn't for any
legal argumentsâit was purely for board game and trivia
competitiveness.
Ed Black: Superb. Alright, last
questionâI've asked this of everybody in the podcast: In
a peanut butter and jelly sandwich, what is more important, the
peanut butter or the jelly, and why?
Fran Faircloth: The peanut butter, 100%.
I'm from south Alabama, which is peanut country, so that's
a warm place in my heart. I like them in basically every form.
I'm a big fan of peanut butter, and you can have a good
sandwich even without the jelly. I'm a big fan of peanut butter
and banana. But who wants jelly with anything else? So, peanut
butter is my answer.
Ed Black: When you think about it from the
point of view of that competitive person, who's got the FBI on
speed dial, the peanut butter is where the substance isâthat
jelly is just like a frilly distraction, right? Who even needs
it?
Fran Faircloth: Exactly. Peanut
butterâand preferably, crunchy.
Ed Black: Let's eat the peanut butter. Yes,
that's goodâespecially crunchy, because that
delivers.
Fran Faircloth: It does. I like the
textureâthe full peanut experience.
Ed Black: "The full peanut
experience," from someone who grew up in peanut country, so
you know what the full experience is. Thank you, Fran, for taking
the timeâit's been great to chat with you. And for our
audience, once again, this is the Ropes & Gray R&G Tech
Studio podcast. It is available on the Ropes & Gray
website, on the R&G Tech Studio page. It is also
linked and available where you get your podcasts. Thanks so
much.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Gloss