March 2017 Segment 3

Managing Technology: From Big Data to the Internet of

Things

TRANSCRIPT

1. Disconnection from Work

QUINLAN: Just as the dot-com revolution transformed the entire global economy, the
world of work is changing as businesses seek to rigorously manage costs - and improve
their agility - through a more flexible workforce. Of course, for many years, a variety of
industries - from oil and gas to engineering and technology - have encouraged and utilized a
so-called contingent workforce. While most of the headlines involve on-demand apps like
Uber and Lyft, the fact is that - according to a recent Harvard survey - the number of
workers engaged in alternative work arrangements has raised by sixty-six percent in the
past decade. But how is the contingent workforce being "greeted" around the world?

For instance, France has recognized a 35-hour work week for more than a decade. And
workplace proposals introduced in recent years to streamline hiring and firing - and to retool
overtime and working hours - have sparked protests in the country. However, a package of
new private sector restrictions went into effect, beginning in 2017, that calls for many
French employers to retool how and when they communicate with and assign work to
employees. The so-called "right to disconnect" legislation was designed to allow employees
to unplug when they're not on the clock - something that can be quite difficult when laptops
and smartphones have made out-of-office work so accessible.

The bad news: as of this year, the right-to-disconnect law targets those employers with
more than fifty workers as its primary focus. The good news: the new law is not exactly
one-size-fits-all, as organizations have some flexibility in picking and choosing how to adjust
daily activities to fall in line.

For example, some companies reportedly have instituted a nighttime blackout period,
during which employees are not expected to respond to emails. At the same time, other
businesses have reportedly shut down their email servers after normal office hours.

We turn, once again, to attorney and technologist Peter Vogel, a partner at Gardere Wynne
Sewell, where he co-chairs the firm's Internet, eCommerce and technology industry team,
to find out how you can balance these restrictions when you have offices and employees in
numerous countries.

VOGEL: What has happened, historically, is that there has been a huge problem in
communities around the world, not just France. France is just the first one to enact a law
where employees would say: "Wait a minute. If you expect me to work late at night you
should pay me late at night."

As a matter of fact, the police in Chicago filed a lawsuit against the city of Chicago, saying
that they should get overtime pay for having to respond to text messages and emails in the
evening.

Managing Technology: From Big Data to the Internet of Things

-1-
So, this has been going on for quite a while, about people wanting to have some privacy
and not have to be connected 24/7.

I think a lot of it has to do with the fact that they would like to know that they can actually
turn off their devices, their phones and their tablets, and not be expected to respond all day
long. And I think there is an interesting social issue associated with it that I think, "It's not
really law." It is a societal demand that people be able to have a more casual evening, so to
speak.

And if you think about it, different countries around the world have different expectations.

And so, I think a lot of it has to do with what is society trying to allow its citizens to do.
What is important to them? And I think we are now so dependent on emails and
communicating with others by text messages or whatever, 24/7, that we are just plugged in
all of the time.

QUINLAN: As Peter Vogel indicated, similar work/life proposals have been discussed in
other jurisdictions. But France's new right-to-disconnect law has been widely considered a
first in the developed world. The move is significantly more progressive than what's been
seen in the rest of the world.

VOGEL: I think it is up to each business. I mean, we are going to see how this plays out. I
mean, it is a little soon.

It went into effect on January 1, 2017. I am not aware of any other country to do this. They
may be setting the path down a new road that we are just not familiar with. But it is a very
unusual circumstance where a company would negotiate when people do not have to work.
Now, it is not necessarily good for the business.

Daimler AG has had a rule in effect for a few years, I believe, that allowed individuals to
essentially get offline when they want to, and they kind of encouraged them to do that.
They said: "If you want some privacy, let us know when it's going to be. And we won't
expect you to do anything."

Yes, I think that "email on holiday" is an interesting idea. And it is one that actually we use.

But doing it at night hours, so you are offline at night is not quite the same.

Being gone for a week because you are in meetings in another part of the world, and you
will not have access to email, that probably makes sense.

I do not know of any laws obviously on the books, or in preparation, in the United States
that would address that.

But I think what we are going to see is that, as this plays out in 2017 and in the future,
there may be other countries that come up with a similar law.

And as they come up with these laws, they may be more refined about the expectations.

QUINLAN: In the U.S., the work/life balance has received a great deal of attention from
employers, who need their workforce to be operating at peak efficiency. At the same time,

Managing Technology: From Big Data to the Internet of Things

-2-
last year's effort to expand overtime pay sparked a great deal of judicial opposition and
heated debate.

VOGEL: Well, I think, in the U.S., there is an expectation that everybody work 24/7. And
that is our culture. I see it to be that way, and I think it I kind of unusual.

I do not see laws like this coming to the United States. I mean, it is possible but, of course,
here is the reality: if this turns out well in France, it may well impact the United States
government to say: "Maybe we ought to consider this." But there are also some academic
scholars, who are very skeptical.

Because what they are concerned about is the productivity of individuals may be impacted if
all of a sudden at five o'clock in the evening they are offline, and they do not come back
online until eight the next day.

One of the real problems in expecting people to work 24/7 is the fact that they also maybe
do not think through what they are responding to. And so, there is a trade-off on people
that are in the middle of the night, waking up and seeing on their phone, that they got an
email.

QUINLAN: As we were producing this segment, one of our viewers offered an example. He
is based in the U.S., but works extensively with his company's team in India, where his
manager is based. He was recently called - unexpectedly - at 4 a.m., and he missed the
call. At his next performance review, the "missed" telephone meeting was mentioned as a
negative item.

VOGEL: I have not heard of any laws that penalize employees like that. But I think there is
a sharp reality difference, with people that are conducting business around the world, that is
different than just being in the U.S.

And the example that you gave is one that I think is interesting because it puts us in a
position where: why should somebody be penalized if they do not know they are going to
get a call at four in the morning?

If they are operating in one country or one state in the United States, it is a lot different
than if they are doing business around the world and their customers are all over the world.

And I think that what I have found probably the most useful way is to say to the employees,
"If this is intruding on you, that is, to have to be available for conference calls at eleven
o'clock every night."

Well, then, we are going to compensate you another way.

And I think there are businesses that are more attuned to doing things like that, where they
are more sensitive if you are going to force somebody to work late hours, then they give
them a different time.

And so, it really depends on the business, I think, and what their obligations are to their
customers or to their community.

Managing Technology: From Big Data to the Internet of Things

-3-
QUINLAN: Peter Vogel provides his counsel, as we wait to see how organizations - and
regulators - react to the idea of a worker's right-to-disconnect.

VOGEL: I think that we are at a point in time with the change of use of communications,
text messages, and emails. We live in a very dense information age, and it is only going to
get more complicated.

And if it becomes a social problem, then people will go to their governments and expect
orders and rules to be put in place, so that there may be laws that would be helpful to
them.

People really need rest. They need to get away from emails and text messages. And it is
important to have "down" time. Otherwise, I think it is not healthy.

2. Big Data and Privacy

QUINLAN: The term "big data" does not have a singular definition, but refers to a
confluence of factors, including the nearly ubiquitous collection of consumer data from a
variety of sources. Increasingly, businesses are using big data, based on the plummeting
cost of data storage as well as the powerful new capabilities, to analyze data in order to
draw connections and make inferences and predictions.

Big data is often characterized by reference to the "three Vs": volume (the sheer amount of
data that can now be collected and analyzed); velocity (the speed at which industry can
collect it); and variety (the breadth and diversity of data).

Last year, the Federal Trade Commission released a report on the growing use of "big data,"
which discusses potential benefits and risks to big data use and offers practical and legal
considerations for businesses. The report concludes by identifying potentially applicable laws
and offering legal and compliance considerations for businesses using big data.

VOGEL: Well, the privacy issues with big data actually have been around for a very long
time. This is not something new. Big data - the label - is something that is now getting front
page news because there is so much information.

And it is so voluminous that managing personal private information has now all of a sudden
gotten the attention of many regulators in Washington, DC. The issue has been - for many
years, going back to 1995 - when I think the Internet really took off for business. And now,
every business is using the Internet. So, what is happening is, what we are finding is that
there are aggregators of data that are purchasing it in large volumes, so that they can
synthesize it and make some value and use of it.

3. Privacy Practices and Regulations

VOGEL: Privacy controls have actually been in existence since the inception of the Federal
Trade Commission in 1934. And it has morphed along with protecting personal privacy, to
now with the Internet, where there is an obligation for every website to protect the privacy
of the information there.

Managing Technology: From Big Data to the Internet of Things

-4-
But there is no obligation in the United States that there be a privacy policy. But if a
company has a privacy policy, they have to abide by it.

QUINLAN: Essentially, the Federal Trade Commission shares Peter Vogel's perspective:
while current laws do provide for meaningful regulation of big data, the FTC does plan to
use its existing authority to address those big data practices that it deems problematic.

VOGEL: I represent many companies that run very large websites, actually all over the
world. And so, part of the protection is customers theoretically want that sense of
confidence that they have some privacy. But as I said, they do not look at the privacy policy
or the terms of use or the click agreement for that matter. But one reason that this is so
important is because we are not the only country in the world.

There are other privacy laws that are much more strict than the U.S. And so, companies
that do business, like in the E.U. or Canada or Australia, those laws are much more
complicated and more strict than they are in the U.S. And so, businesses that do have
customers around the world have to be very sensitive to making sure that they comport
with those laws around the world about who may be impacted from their customer base.

So, for instance, there is a legal concept called data localization. And that is where a country
enacts a law that requires all the data about individuals in companies to be in that country.
So, Russia adopted that a while back.

And what that means is that cloud providers have to have computers in Russia, if they are
going to maintain data. And I think there are other countries, including Germany, that are
looking to pass such laws. This has been under consideration for the past few years.

And so, these legal scholars are saying: "Okay, well, where that data is located then has a
different impact." Because, if you cannot remove the data from Russia, then you are going
to have to do all your data analytics in Russia, or you just cut out Russia altogether.

And so, I think the data localization potentially does have an interesting spin on where we
are going with big data. Because if more countries adopt data localization, then that puts
more rings around where the data can be. And it is a violation of the law to move the data
out of the country.

4. Email and Search Engine Policies

VOGEL: Under the E.U. law, emails are private to employees. And in the U.S., emails are
private to the employer. And that is going to continue to be the way in Europe.

But what is happening also in the E.U., that I think is important is the citizens of the E.U.,
because this is their privacy view of the world.

They have the right to go to any computer that has data about them, and have it changed,
if they think it is wrong. They also have the right to be forgotten. They can eliminate things
from Google search engines historically.

That is dealing with privacy as well is that people want to be able to eliminate things they
think are bad and really old and outdated.

Managing Technology: From Big Data to the Internet of Things

-5-
QUINLAN: Last year, a California federal judge rejected Google's bid to dismiss a proposed
class action, claiming the company violated federal and state privacy laws by checking
user's emails for advertising information. As a result, the court will determine whether
Google violated the Wiretap Act in its operations of the Gmail system, by intentionally
intercepting the content of emails in order to create user profiles and to provide targeted
advertising.

VOGEL: The class action lawsuit against Google for using the content of Gmail, and I think
many people did not understand that. Like, let's say, I send a friend of mine an email on
Gmail, and I say: "Look, let's go see the World Series next fall."

We have no idea right now where that is going to be, but let's say that. Then, alongside that
Gmail that my friend would get, would be hotel options and tickets to the game and airline
options. So, you have an opportunity to figure out where you are going to go.

And what people discovered, that caused this class action, was that Google was actually
taking the content and monetizing it.

So, they brought a class action lawsuit against them. And the federal court in California
ruled that it was not a violation of the federal law, because they were not really reading the
information. They were not using the content. They were merely offering it for sale to
somebody else. So, they were not analyzing it. And I think the fact that they just kind of
made it available, with key words, got them "over the hump" on that.

The issue really has to do with: What does the privacy policy say? As I said earlier, if a
website says: "We're going to take your information and we're going to provide it to
anybody." Then, they have the right to do that under the Federal Trade Commission Act.

So, a class action lawsuit would be a waste of time.

5. Cybersecurity and Attacks

QUINLAN: Today, the threat of a cyber attack is firmly at the top of every boardroom
agenda.

This means that with the complexity facing organizations - from globalization, computing
infrastructure, threat vectors, and criminal organizations-only a collaborative, strategic and
enterprise-wide approach to cybersecurity will suffice.

But in this difficult environment, most organizations are not sufficiently protected against
cyber attacks, despite years of effort and multi-billion dollar annual global spend.

Even if an individual organization's defenses are robust and continuously optimized,

dependencies on supply-chain partners and third-party services introduce vulnerabilities
beyond its direct control.

In recent years, the market is rapidly growing for insurance that is specifically meant to
cover losses arising out of cyber attacks and other privacy and data security breaches.

Managing Technology: From Big Data to the Internet of Things

-6-
These insurance policies are marketed under names like "cyber-liability insurance," "privacy
breach insurance" and "network security insurance."

VOGEL: Cyber attacks are going on all of the time. And the criminals - it is organized crime
- and we have persistent attacks that just never go away. And what I have learned from
spending a lot of time with the FBI is that it is not so much the attack - that is the label I
use. It really is the intrusion.

Because from the time of the intrusion until detection is about eight months on average. So,
what happens during those eight months? We do not really know. But from a privacy
perspective, that means there is a great deal of vulnerability to companies when they have
these intrusions.

And during that eight-month period, there is no telling how much data has been stolen. As I
am sure the audience will recall, a few years back, T.J. Maxx had a huge intrusion and credit
card data was being stolen.

It went on for fourteen months before it was detected. So, these kinds of problems can be
very, very large and go on for tremendous lengths of time and be very costly.

Like, for instance, the Target attack of a few years ago. And actually, that came through the
HVAC air conditioning vendor, because they had remote access to the computers, so they
could adjust air conditioning at Target's various locations. And the malware came through
that.

There was $100 million worth of cyber insurance that Target had. That sounds like a lot.
$10 million deductible - that sounds like a lot, too. But there were $1 billion worth of claims.

So, one of the issues we have to deal with today is making sure that we have cyber
insurance.

Forty-seven states require some kind of reporting - some to the state themselves, and then
others just to the individuals. And so, those kinds of obligations are huge on today's
business community.

But one of the problems with all this is: all big data is not good data. Sometimes the data is
bad. And so, as I think all of the computer people watching know the expression: "garbage
in, garbage out." If it is bad data coming in, it is going to be bad data going out.

6. Data Access and Risks

QUINLAN: Peter Vogel indicated that "big data is not necessarily good data." But to what
extent are companies aware of the potential bias, or lack of accuracy, in their analytics?

VOGEL: Well, I think that there are some interesting problems associated with big data.

Because what happens is these data aggregators really do nothing to validate that the data
is accurate. They just buy it in large volume.

Managing Technology: From Big Data to the Internet of Things

-7-
And not that maybe they could even validate it if they wanted to, but if they are buying it
from a source that is questionable, then maybe they get what they pay for. And that is,
maybe, it is not so great.

But one possibility, just by way of example, is I subscribe to a service.

I pay $25 per year to have access to all kinds of data. And one of those categories of data
that they have is driver's license information, arrest records, court records of all sorts. They
also have a database of all of the Social Security numbers of everybody that is dead in the
United States.

And so, for a long time, it occurred to me: What was that data for? Was that for identity
theft? And some of my partners, who do banking law, said: "No, there was another reason
for it." And that is: by collecting the Social Security numbers of people who are dead, then
people cannot apply for credit cards. Because the card companies access that data base,
too, to make sure that, if somebody is dead, they cannot steal the identity and do that.

So, that is a positive use of big data. But that data is available from the federal
government.

If you think about it, in our Constitution, there is a requirement every ten years to collect
the census data. And the federal government has been using big data, since the
Constitution, to manage and plan for how our growth in going to develop incentives and
state interstate highways, all kinds of things are related to big data.

I would say, in general, people are completely indifferent to protecting their privacy on the
Internet, as evidenced by the fact that they share information that probably they should
not, and they do it on the wrong websites, and they do not really think about it.

Generally though, most companies - the ones that I represent in these kinds of matters -
what they do is, they say: "We will not use any of your personal identifiable information.
But we may aggregate data about all of the people from a certain state that buy products or
a certain kind of product. And we can sell that information" - the aggregated data about
information.

And that is the middle of this big data conundrum, where there are companies now that are
buying that data in large volume, because computers now have such large data storage
facilities, so that now there is huge information. And then, with the advent of artificial
intelligence, there are more analytic tools around today than ever to look at that big data.

7. Protecting the Organization

VOGEL: One of the interesting things that I have found, as a lawyer, is that law is looking
at what happened in the past. Not so much about the future. And so, we are at a point
where - when we present things to judges - we have to talk about case law and things that
happened some time ago. So, we are living through this change in the Internet, as we sit
here today. But we do not really know where it is going.

We know what happened yesterday and today. We may not know what's going to happen in
two or three years.

Managing Technology: From Big Data to the Internet of Things

-8-
There are a number of things, obviously, that companies can do to help protect themselves.
First of all, what they can do is they can make sure that they have the proper cyber
protections in terms of the technology. And make sure that they adhere to the current
national and international data standards. And that they also make sure that they have the
right people.

They have the right technical background to help manage cyber security. Because the
companies that do not are going to suffer.

But what we find we need to do is they need to have in place what is referred to as an
incident response plan - so that when something happens, what do you do about it?

Do you call the federal government, the FBI, Interpol, whoever? Do you hire outside
forensic investigators? What do you do? What do you say publicly?

Like Target or Yahoo, when they had to acknowledge all of the problems that they had. And
I think that the other part that goes along with it is not just having the incident response
plan, but it is testing it regularly and making sure that it actually works.

And so, that is something that we do a lot with our clients. And I think it is very, very
important that businesses recognize this risk.

8. Internet of Things: Risks and Protections

QUINLAN: The new rule for the future is going to be: "Anything that can be connected, will
be connected." As a result, the Internet of Things is becoming an increasingly growing topic
of conversation in the workplace. Essentially, it is a concept that has the potential to impact
how we work.

Essentially, there is a perfect storm for the Internet of Things. Broadband Internet is
become more widely available, the cost of connecting is decreasing, more devices are being
created with Wi-Fi capabilities and sensors built into them, technology costs are going
down, and smartphone penetration is sky-rocketing.

Simply put, this is the concept of basically connecting any device with an on and off switch
to the Internet (and/or to each other). This includes everything, from cellphones to the
printers and coffee makers in your workplace.

VOGEL: Well, the Internet of Things is an enormous change in the world, and a lot of it has
to do with the Internet obviously. But the estimates are, right now, there are over 6 billion
things connected to the Internet. The expectations are, by 2020, it will be over 100 billion
things connected, and what are those things?

The Internet of Things is connected to everything in your office: the thermostat; heating
and air conditioning; your computers.

As a matter of fact, there is an interesting cyber issue associated with this, that may not be
so obvious, that has just come up recently. And that is: there are dummy printers that are

Managing Technology: From Big Data to the Internet of Things

-9-
stored in various offices and they are not connected as printers. They are really stealing
information from Wi-Fi information within offices.

It is a huge issue that is going on right now. And so, there are lots of businesses that are at
risk, because of the data associated with it.

QUINLAN: Earlier, we mentioned the growing activism of the Federal Trade Commission in
connection with big data. Earlier this year, the FTC ventured into the Internet of Things,
when it filed a lawsuit against D-Link, arguing that the company failed to take steps to
ensure that the routers and Internet-linked security cameras that it manufactures could not
be hacked.

VOGEL: Part of the issue that is going on right now is that the Federal Trade Commission
brought a lawsuit in January of 2017 against a company called D-Link.

And what they are doing in that case, is they are claiming that, even though D-Link says
that their devices that are in your offices, including routers, there is no security to them.

They say it. And you look at the specs and it says it adheres to all these specs. It does not.
What they also include in that product, which I found kind of amazing, is cameras for
monitoring babies are not secure. And I think most parents - and grandparents in my case -
would be alarmed to find out that their children are being spied on by somebody else. And
so, the Internet of Things - from a privacy standpoint - I think is going to grow a lot.

I think the Federal Trade Commission picked D-Link for a reason. They usually do when
they file a lawsuit. They want to set an example to other companies that offer similar
Internet of Things.

QUINLAN: Financial executives are obviously concerned about the cost of producing their
products. After all, in terms of liability, many businesses produce thousands of unlocked,
open windows in the form of unsecured, Internet-connected goods that invite hackers to do
harm.

VOGEL: Well, my experience has been most chief information security officers and IT CIOs
are very conscious about the Internet of Things and the kinds of risks associated with it.

And I find that, when they communicate with the CFO, they usually put that out on the
table. I think if it is not happening in your business, as the chief financial officer, you want
to demand that you get that information.

QUINLAN: Yes, there is a serious risk that, in racing these smart devices to market,
companies will fail to properly vet them for vulnerabilities to hacking attacks. Because once
on the market, these vulnerabilities may be exploited by hackers. And that could mean
significant costs - and legal liability - for companies down the road.

VOGEL: Well, I think that there is a potential liability with the Internet of Things for the
manufacturers and companies that buy these devices. So, the companies that are using the
D-Link devices that have no security, I think they are at risk.

And if they do not have cyber insurance that is directed at protecting that data, they run the
risk that they have to pay for any kind of damages associated with it.

Managing Technology: From Big Data to the Internet of Things

- 10 -
Or, if they have not investigated a cyber policy, maybe they need to look at that more
closely because there are a lot of different variable provisions in these cyber policies, and
they do not always cover everything people think.

So, looking at those closely is something that is very important, and the Internet of Things
is only more complicated.

9. Asking the Right Questions and Going Forward

VOGEL: Now, what also fits into play with some of this is: how many of those Internet of
Things are connected to the cloud somewhere?

And where is the cloud provider? What contracts do you have with the cloud provider? For
most companies, what they do is they sign up and they just do a click agreement.

They do not even know what they are doing. The data could be stored in another country.
And getting that data, in case of an electronic discovery, is not an easy thing to do. I can
assure you: having tried to get data out of the E.U. before, they do not like it. It is not part
of their rules system.

QUINLAN: We've mentioned the Federal Trade Commission as a regulator of businesses.

But it turns out that the FTC is also considering how organizations can take a more
preventive attitude towards their products.

VOGEL: Well, the Internet of Things has been a topic of great discussion for the Federal
Trade Commission. They have had hearings all over the country for the past five or six
years, trying to study what is going on. And they recently announced that they have a
contest to see who can attack - and bring to the knees - more Internet of Things devices
and technology. And what makes this particularly important is the federal government is
doing it.

There have been competitions like this, all over the country, for years. This is not a new
event. But I think it is significant that the Federal Government is doing this, because what
they are doing is they should be highlighting the businesses. You are at risk.

If we can let college students attack all of these Internet of Things, don't you think that you
ought to be more mindful of how you connect to the Internet and how your customers
connect to you?

QUINLAN: As you might have expected, Peter Vogel concludes by looking into his crystal
ball and providing counsel to financial executives.

VOGEL: Well, I think my advice would be this: this is only going to get bigger. And I think
people need to be very mindful of what data they share, and if they want to opt in or if they
want to opt out.

When those options come up, I think it is important to think about it. I also think it is not a
bad idea to take a look at the privacy policies, terms of service, and click agreements.
People tend not to do that.

Managing Technology: From Big Data to the Internet of Things

- 11 -
But I think reviewing these things to find out if your data is actually being shared. Or why
would somebody need to know my social security number? I do not give it out very freely.

And I think there are a lot of people that just regularly put their mother's maiden name and
the date of birth and all that. And maybe you do not need to really use your mother's
maiden name.

Maybe you can make one up, because that is what you want. You want to hide some of your
privacy. And I think a lot of people tend not to do that, but it is something to think about.

Managing Technology: From Big Data to the Internet of Things

- 12 -