[MUSIC BIZ LAW CONFERENCE RECAP] Panel 5 — Blurrier Lines: The Evolving and Confusing Landscape of Data Privacy and Cybersecurity in the Entertainment Industry

In the final part of Music Biz’s recap series of last week’s Entertainment & Technology Law Conference with a look at “Blurrier Lines: The Evolving and Confusing Landscape of Data Privacy and Cybersecurity in the Entertainment Industry.” Thank you to our panel of four cybersecurity and technology law experts for their invaluable insights on changing best practices and new consumer data privacy laws!

At the advent of the internet in the 1990s, the common belief was that “Content is King,” and that it would be the major source of revenue on the platform as it continued to grow. Fast forward two decades later, and as moderator Barry Perlman of Ritholz Levy Fields LLP put it, it seems that “Data is King.” Consumer data has become a hot commodity that helps companies more easily target specific audiences, ensuring greater returns on their marketing efforts. However, there is great risk in collecting and storing consumer data, as an attack from a hacker can expose highly sensitive personal and financial information for a company’s customers and, ultimately, lead to distrust in said company. The day’s final panel touched on how consumer privacy and cybersecurity are handled in the entertainment industry, including best practices from overseeing government bodies, and how changes both overseas and stateside are leading to a renewed focus on protecting the consumer.

Perlman began the discussion reviewing the major entities established to handle consumer data privacy. Right now in the United States, there is no uniform, omnibus federal privacy law — instead, data privacy has remained a states’ rights issue and nationwide protection exists via a “patchwork” of state regulations. The closest thing to federally governing bodies with regard to entertainment law are the Federal Trade Commission (FTC) and the Children’s Online Privacy Protection Act (COPPA), and even these have their issues in their current forms. As consumer privacy expert Katherine Lewis of Meister Seelig & Fein LLP explained, the FTC operates to protect both consumers and commercial entities from one another, which means there are instances the Commission has to rule against a consumer if it inhibits a company’s ability to do business. However as the use of technology both in commerce and on the consumer side began to grow rapidly, the FTC in 2012 issued new “best practices” (linked here) for companies to follow, ensuring they are best serving consumers and protecting their business interests. Companies operating in the U.S. were expected to update their Privacy Policies to match these guidelines, but doing so retroactively without informing consumers is considered deceptive to the general public.

Of course, a company saying they will enforce a new privacy policy and actually enacting it are two separate things. In recent months, major tech companies have faced unprecedented fines, Lewis explains, to set a standard all companies must follow. In response, governments across the globe are starting to take charge by creating their own guidelines to regulate big tech and ensure the enforcement of data privacy — notable examples mentioned were the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act of 2018 (CCPA). Panelist Craig Besnoy, whose law practice specializes in intellectual property, technology and privacy, offered that as these conversations are happening, it is of utmost important for media attorneys to get a seat at the table up-front, to help lead the discussion about how companies can best implement privacy by design practices. Based on the FTC’s guideline of privacy by design, this could mean that suggesting to companies that they only collect data essential to their operations, so they are not questioned as to why they have collected information outside their scope if a data incident occurs. Or, the panel postulated, this could mean obtaining broader data collection rights up front so they can adapt to new formats or products that would require them to ask permission for more data in the future. The FTC is asking companies to be proactive, as they are stewards of incredibly sensitive data, and operating to protect data not only saves necessary legal repercussions but, as Lewis put it, “engenders consumer trust and increased goodwill.”

So what happens in the event of a data breach, which the panel agreed to refer to as a “data incident?” Each state in the U.S. has breach notification laws in place, and many have their own statutory framework which may affect data protection and the use of data by private entities. As mentioned earlier, California is working to pass an updated privacy-focused legislation, the CCPA; New York State, Delaware and Maryland are also preparing stronger laws in response to consumer concerns to events such as last year’s Cambridge Analytica incident. These new laws would grant consumers the right to access what information a company has collected since they have begun interacting, and the option to “opt out of sale” of their personal data to outside parties. Brittany Bacon of Hunton Andrews Kurth LLP points out that bills like the CCPA, which was drafted in a week’s time, are a start, but do not completely ensure consumer protection just yet. There is also work on a federal privacy bill, something the major tech companies want; however this has proven tricky to hash out because it involves consensus across all 50 states. A nationwide bill also requires proper communication to all parties involved — legislators, legal teams, companies and consumers — something which the EU is facing now with the GDPR. U.S.-based companies who do business in the EU, for example, are currently working on understanding the law by asking legal experts how this directly affects them. While the GDPR is written for companies based in the EU and those outside companies targeting EU consumers, it is essential for companies in the U.S. to comply with the cross-border guidelines set up by the law. If an artist from the U.S. is touring in the EU, for example, and the marketing team collects data during the tour that they’d like to bring back to the U.S., they are required to be proactive approach in collecting and securing that information.

After laying the groundwork for what constitutes a data incident and how regulations are responding to consumer threats, the discussion moved to how companies can ensure the data they collect is safe. This started with talking about insider company threats — Perlman offered that this is not the issue of a company’s IT department, but rather that it comes down to proper employee training on what could create vulnerabilities for the company. It is also important to educate employees on new types of cybercrimes, such as “spear phishing,” which subverts the expectations of an employee by using email addresses and names of parties they trust to mine for data (rather than receiving a message from “the Prince of Nairobi,” hackers are, say, able to mimic an artist’s manager via email to gain access to data, contract information, or money.) Ransomeware attacks are another new threat, where hackers use a ransomware program to access company’s files and demand money to release them. Besnoy says that the best way to handle a ransomware attack is to not pay for a company’s own files; rather, the best way to subvert an attack is to properly backup data, completely wipe all memory and complete a full restore from backup. Company reaction to a data incident is also crucial, as a proper and prompt reaction is key to getting ahead of handling the problem and, of course, the public’s perception of the company’s competency. Companies must have a common understanding on how to respond to serious threats, never downplay the severity of the crisis, and of course never deny that something is happening. In examples of some incidents the panelists have helped clients through, feigning ignorance was always the worst possible solution. This tied a bow on the underlying theme of the panel: a company’s best response to any data-related issues is a combination of proactive preparation and meaningful reaction that demonstrates an understanding of how this affects stakeholders outside their offices — namely, the consumer.


Written Materials:

Music Biz’s Entertainment & Technology Law Conference brought together top players from the tech and startup, music business, and entertainment law communities at the NYC offices of Greenberg Traurig to hash out solutions to the high-profile issues facing the industry today. Be sure to check out the summaries of our Copyright Infringement, Podcast Licensing, Metadata Transparency and Stem Marketplace panels.