For Fenwick's Cyber Co-Chair, Privacy Is Not a One-Size-Fits All Proposition
Jim Koenig, co-chair Fenwick & West's Privacy & Cybersecurity Practice, discusses his view on the FTC, GDPR, and why privacy is a business necessity for all modern tech companies.
May 10, 2018 at 11:30 AM
6 minute read
Jim Koenig, co-chair and partner with Fenwick & West. |
Fenwick & West partner Jim Koenig wants to reinvent how law firms help their clients.
In Koenig's view, it isn't enough to just help clients comply with specific privacy regulations or respond to cyber challenges. So he helped design Fenwick's Privacy & Cybersecurity Practice, of which he is co-chair, into what he refers to as a “one-stop shop.” This shop employs legal and industry professionals to offer everything from security assessments to training to “privacy-by-design” product services. Fenwick attorneys even sit on some clients' product design councils.
With such a hands-on approach and clients like Facebook, Google and Uber, Koenig is at the forefront of consumer cybersecurity and privacy. But that is nothing new for the MIT graduate who helped co-found the International Association of Privacy Professionals (IAPP) and was called upon to help companies comply with some of the earliest FTC privacy rulings.
➤ Would you like more news from the intersection of law and technology? Sign up for What's Next, a weekly email briefing that explores how new technologies are revolutionizing the business and practice of law.
Koenig sat down with Legaltech News to discuss why he became a privacy attorney, his thoughts on FTC enforcement, and why he believes privacy is a cornerstone of modern innovation and business.
LTN: You went to MIT as an undergrad. What made you want to become a lawyer?
JK: I thought at the time that it was too early for some of the internet and emerging technologies, and I thought the best thing for my career was to focus on what made me different. I had background in business and technology and I figured with adding law, that will allow me to really appreciate all the dimensions a company would need.
When the Cambridge Analytica scandal happened, Facebook was under a 2011 FTC consent decree that required it establish a privacy program. Was the FTC agreement ineffective?
While I'm not speaking specifically about Facebook, the FTC takes on cases particularly in groups to make points about in certain practices. And in that time period, 2011, 2012, 2013, the FTC had a series of case about what constitutes a comprehensive privacy program.
There has been a call by former FTC commissioner and others to make the process potentially even more thorough, but on balance I think the consent decrees and the level of expected detail balance consumer privacy protections with giving the companies enough flexibility to be innovative, grow and to be competitive.
In short, you don't want a consent decree to put a company out of business and they have to strike the right balance. Many companies are free to design [comprehensive privacy programs] based on what's appropriate for the nature of their business, the sensitivity of their information and their size—it's not one-size-fits-all.
[The question is], are the standards thorough enough? Do you have the appropriate administrative safeguards? That doesn't mean that something can't get through. It's about the right balance.
The EU's GDPR comes into effect in a few weeks. How aggressively do you think it will be enforced?
Most data protection authorities (DPAs) have been hiring and have arrangements where part of the fines and penalties they levy will be used to support their own budget and operations. So if you look at the tea leaves, there is likely to be more activity, more investigations, and more fines and penalties than the Europeans have ever had in the past. That being said, the four percent potential penalty is likely not to be levied initially. It is likely the DPAs are going to use the threat of the four percent penalties as a means to help encourage companies to enter settlements with them quickly.
Do you believe GDPR will lead to standardized privacy practices worldwide?
The GDPR is just one of many global regulations. For global companies, the trend is to not just build for GDPR, but to build global privacy programs where in almost all cases the personal information of all of their customers, B2B partners, employees, workers and others are treated similarly. This provides a consistent baseline to respect privacy, a consistent standard for employees and data scientists and security teams to implement, and from a business point of view, it also means your data will be collected and handled consistently and interoperably.
If companies make the investment in trying to achieve a global program, they may be able to do larger scale analytics across their databases, if implemented with the appropriate level of privacy, security and homogeneous data handling standards. So there is a benefit for companies that invest more in broad privacy and security baseline.
So are there standardized approaches to privacy by design?
To be meaningful and impactful privacy by design has to be customized and fit for the company's products and services and for the primary and secondary uses of the information, as well as the company's internal and third party risks. General high-level principles won't drive those into the product.
To me, the promise of privacy, what's at stake for getting privacy right, is that it unlocks the trust needed for business to expand innovation and technology, whether it's autonomous vehicle, digital health, internet of things, gaming, etc. If we get it wrong, it will slow down trial and adoption of these new technologies, and it will retard innovation.
➤ RELATED COVERAGE: Ready or Not … Here Comes the GDPR
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1How I Made Partner: 'Develop a Practice Area You Really Care About ,' Says Jennifer Gniady of Stradley Ronon
- 2Indian Billionaire Gautam Adani Indicted in Brooklyn for Alleged Orchestration of $250 Million Bribery Plot
- 3St. Ivo: Patron Saint of Lawyers
- 4Eagle Pharma Founder Sues Company to Recoup Cost of SEC Investigation
- 5GC Conference Takeaways: Picking AI Vendors 'a Bit of a Crap Shoot,' Beware of Internal Investigation 'Scope Creep'
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
