R&G Tech Studio Presents: Data, Privacy & Cybersecurity Partner Fran Faircloth

In this episode of the R&G Tech Studio, data, privacy & cybersecurity partner Fran Faircloth sits down with technology, media & telecommunications co-lead Ed Black to discuss how she counsels clients on a wide variety of privacy and cybersecurity concerns, including cyberattacks and data breaches, and how it’s helpful that she has a couple FBI agents on speed dial that she can contact whenever needed. 

Transcript:

Fran Faircloth: I am a partner in our data, privacy, and cybersecurity group. I’m based in our D.C. office—I live here with my husband and my two daughters. And I spend my time helping clients figure out privacy and cybersecurity questions—that could be a range of anything from making sure they have the right policies in place to helping them deal with a ransomware attack. We help a really broad range of clients, technologically sophisticated businesses, but they can really be in any sector. Just in the last year, they’ve ranged from the CEO of SolarWinds, who we’ve been representing in the wake of the unprecedented cyberattack that happened there, to businesses that include an HR company for the entertainment industry and a company that helps prevent school violence and bullying. So, it’s really just across-the-board companies where they’re using technology and data in ways that we need to figure out how to help protect to make it useful for them.

Ed Black: That’s a huge area. Can you give me some examples of the kind of problems clients have and the kind of solutions that you help bring to them?

Fran Faircloth: Sure. Just as one example, in the past year, we’ve seen a lot of increase in use of technology everywhere, especially since COVID, so more monitoring and videoing, and use of tracking in offices and retail stores, and even in schools, to some extent. And along with that, there’s been an increase in fears about Orwellian-type surveillance in the media and in popular opinion. We’ve had a lot of clients that have been trying to figure out how to handle those fears, how to respond to those fears, so that they still can have the value and social benefit of their technology and highlight those positive aspects of their products. So, just as a specific example, I mentioned a minute ago I’ve been working with a company that uses AI to help prevent suicide and student violence, through things like logging of student activity and using the AI to watch for things that could be indicators. And, I think, everyone would agree that preventing school violence, especially in our current climate, is something that we definitely want, but this client and others that have similar technology have been getting a lot of criticism for being “overly intrusive” and “spying” on students. And so, that’s been a struggle that I’ve been helping them address through things like communications with regulators and interest groups; and making sure that they are putting reasonable protections in place, like de‑identification and data minimization, so that they can still harness the value of the data-driven AI to protect students and prevent student deaths, while balancing that against the impact on students’ privacy.

Ed Black: Wow. Now, that type of scanning and monitoring stuff with the AI, that is a bleeding-edge concern. I have to say, though, that when I think about data and privacy, and data cybersecurity issues that I’ve heard about in the press over the past few years, a lot of it deals with these “hacks,” with a cybersecurity breach of some kind that results not only in a lot of loss of data, but then an organization: first they’re victimized by the hackers, and then they’ve got lawsuits to contend with, and regulators. Does your practice also embrace that more traditional cybersecurity incident?

Fran Faircloth: Yes, absolutely. And I think part of the value of the practice is that we work with clients across the board from setting up policies to working through the incident. So, for example, one of our clients is Bombas, the sock company—I love their socks. We started out working with them, actually, in the context of a transaction. And over the course of our relationship with them, ended up working with them on a couple of data breach incidents, and helping them to sort through what happened in those incidents, who needed to receive notice, and carried that all the way through to communications with regulators about the incident, and class action litigation that came out of the incident that we were able to settle successfully for the client. It’s a very holistic view of helping clients protect against these events and helping them deal with them when they happen.

Ed Black: One of the things that I used to hear from clients, just in general, is, “Data privacy and cybersecurity issues, those are ‘specialized’ issues. In my industry, we don’t have them.” But it seems to me, that even if you’re not collecting credit card data, or filming students at school—obviously, kids in school, very sensitive—you read about in the paper these ransomware attacks and other things that seem to be going after all sorts of things. How do you see data protection and cybersecurity evolving?

Fran Faircloth: Our client base, I think, has really just expanded so much in the past few years because of this. We’re now seeing clients come in who didn’t have a lot of credit card information or that very, kind of traditional, sensitive consumer information. So, they didn’t traditionally think that this was an area that they needed to spend a lot of time on, and even they are facing these risks, especially with the evolution of ransomware. We had a client just recently who they don’t collect personal medical information at all—all they do is work with manufacturing or compounding of drugs. So, “sensitive” in the sense that you need to get this right, but not in the sense of they have a lot of personal information that would need to be protected. But they got hit with a ransomware attack that shut down their operation in ways that they didn’t realize before this happened was a risk that they were subject to. And so, helping them work through that, and figuring out what happens when you get hit with a ransomware attack: Who do you go to? Who’s the right person at the FBI to contact? How can they help you?

Ed Black: And you know all that? You can say, “Officer Jones—that’s who you want to contact?” Do you help people work that out?

Fran Faircloth: Yes, absolutely. So, there are traditional ways of reporting incidents to the FBI—there’s a form online that you can fill out, but honestly, it helps to have a direct contact. The FBI can be incredibly helpful in these events—they can sometimes even look at things like a ransom note and say, “That looks like this attacker from this place,” and can help clients in that way. So, yes, I have a couple of FBI agents on speed dial that I can call, if needed.

Ed Black: Wow, that’s great. We talked about EdTech, we talked about ransomware—the threats are constantly evolving—but it seems to me, at least based on what you hear in the paper, that the legal environment is also evolving. Where do you see this going? Is this something that’s going to be regulated by state law, by federal law? Are there going to be international treaties? If you think ahead to three to five years from now, what does the data protection and cybersecurity environment look like in terms of who’s calling the shots?

Fran Faircloth: Yes, this is an area of law, as you said, that’s really been rapidly changing, and so, we have to really stay on top of all these changes. For the past 10 years or so, everyone looked to the EU as the leader here with GDPR—their comprehensive privacy law—and a lot of companies that had dealings with clients and customers in the EU were up to date on that. But companies that were fully U.S.-based maybe weren’t focusing on it as much because the U.S. didn’t have the same kind of comprehensive privacy laws, but that’s changing. So, just in the last year, we’ve seen several states pass their own versions of comprehensive privacy laws—we’re now up to five states that will come into effect in the New Year.

Ed Black: What five are those?

Fran Faircloth: California, Colorado, Connecticut, Utah, and Virginia—that’s the count so far. But there are several others, at least four or five other states that still have active bills working their way through legislature, and over half of the states have had something introduced, it’s becoming a patchwork of state laws here. There have been federal proposals but it may still be several years before we see federal U.S. law. And there will probably be several other state laws that pop up with their own version of comprehensive privacy laws between now and then.

Ed Black: It sounds like keeping track of this is a huge headache, obviously, for those like you at the firm. But you have a giant law firm—we’ve got our London office, which is on top of GDPR helping out with the GDPR perspective and so on. But how is it that we can help clients stay on top of this? Do we come up with playbooks for them? Do we have communication platforms? How do we solve a client problem in terms of keeping them fully informed of exactly where things stand?

Fran Faircloth: We do have pretty regular communications with our clients about how the law is changing and how they might need to make changes to their internal rules, policies, or procedures related to that. We also have a blog where we try to keep up with these changing things, and post things there—many of our clients are actually subscribed to our blog so that they get notice of those posts once they go up, and then we can have further communications with them about how it might apply to them. But it really is an area that has to be watched, not just on the state law front. Things are changing around advertising and tracking technology—there are a lot of changes going on right now that we’ve been helping clients keep up with.

Ed Black: “Globalization” was the catchphrase for many years, and now, we’re looking at trading blocs replacing globalization. There’s global tension: tension with China, tension with Russia. In a world of globalization, it seemed like data would just flow everywhere. But do you think, in the new world order, that there’s going to be “data jurisdictions”—blocs of countries where data just can’t cross borders, and we have to solve the problem for clients who are global of how to work in multiple data jurisdictions?

Fran Faircloth: That’s a problem we’ve seen come up more and more, especially China seems to be splintering off their own version of the Internet, where data can’t go in or out, or they have complete control over data going in and out. And we’ve seen proposals, even in India (although it looks like that one’s not going to go through) and other countries looking to have pretty strict data localization that makes it difficult for clients who want to run a global business. They have to do things like set up data centers in all the different locations to deal with this.

Ed Black: Again, do we have tools for helping clients keep track of these jurisdictional issues and possible solutions for dividing the world up in this way?

Fran Faircloth: We do. We have various trackers who help clients keep up with these changes in various jurisdictional rules and how they differ as you cross lines, and then, we’ve also been helping clients come up with policies to address this. It used to be five years ago, or last year, or even now, we see clients come in who, for example, their online privacy policy will have a “general” portion, then they’ll have a special “EU” portion, then it’ll have a special “California” portion, a special “Australia” portion, and that’s really becoming not workable with the proliferation of these laws. Before long, you’re going to have to have a hundred different privacy policies translated into 20 languages or more if you are trying to run a global business. So, we’ve really been advising clients to move towards a version of “Global Best Practices.” And it looks a lot like GDPR: It’s based in the principles of transparency and making sure people know what data is collected and how it’s used without being overly burdensome in a way that the policy would just be so long and complicated that it couldn’t be helpful to anyone, and I think that really is the solution.

Ed Black: So, if I were sitting behind a desk, looking at a business that’s growing rapidly around the world, and I slapped my forehead and I said, “The good news is we’re growing rapidly around the world. The bad news is we’re growing rapidly around the world, and I now need to adopt a privacy approach or a data cybersecurity approach that meets the world’s requirements.” Could they give you a phone call and you could help get them set up?

Fran Faircloth: Absolutely. That’s one thing that we’ve been helping clients with a lot, lately, moving towards that kind of global policy that will enable them to do business around the world. There are variations between these different laws, especially, as we noted, in China, which has its own kind of special rules. But, really, 80% to 90% of the laws, of the substance of the laws, are based on the same principles, so if they adopt that 80%-to-90% approach, then they are hitting the majority of anything material in the laws. And for the variations between different jurisdictions, then it just becomes a risk-based approach of figuring out what jurisdictions to address where they’re doing the most business, and where they think the regulators might be looking at them most closely.

Ed Black: This is a fascinating subject, and I know we could go for a while, but we’re running out of time and I want to make sure that we get to the portion of the podcast I refer to as the personality test—the portion of it which has nothing to do with law, but just gives us a chance to get to know you. So, it’s a lightning round—quick questions, quick answers. Do you have a favorite movie, and in that movie, do you have a favorite character in the movie?

Fran Faircloth: That’s hard, I really like movies. Probably Rear Window, a really excellent Hitchcock movie. I love Jimmy Stewart, and Grace Kelly’s character in that movie is just fantastic. But probably my favorite thing is her wardrobe in that movie, all of the dresses.

Ed Black: Okay, Jimmy Stewart. Do you have a favorite board game?

Fran Faircloth: Favorite board game...I really like any kind of trivia game, so I like Trivial Pursuit a lot. In law school, I was a big fan of going to pub quizzes—I get very competitive at these things.

Ed Black: That surprises me: A lawyer at a large law firm gets competitive—that’s shocking to me, absolutely.

Fran Faircloth: My law school class actually voted me “most competitive,” and it wasn’t for any legal arguments—it was purely for board game and trivia competitiveness.

Ed Black: Superb. Alright, last question—I’ve asked this of everybody in the podcast: In a peanut butter and jelly sandwich, what is more important, the peanut butter or the jelly, and why?

Fran Faircloth: The peanut butter, 100%. I’m from south Alabama, which is peanut country, so that’s a warm place in my heart. I like them in basically every form. I’m a big fan of peanut butter, and you can have a good sandwich even without the jelly. I’m a big fan of peanut butter and banana. But who wants jelly with anything else? So, peanut butter is my answer.

Ed Black: When you think about it from the point of view of that competitive person, who’s got the FBI on speed dial, the peanut butter is where the substance is—that jelly is just like a frilly distraction, right? Who even needs it?

Fran Faircloth: Exactly. Peanut butter—and preferably, crunchy.

Ed Black: Let’s eat the peanut butter. Yes, that’s good—especially crunchy, because that delivers.

Fran Faircloth: It does. I like the texture—the full peanut experience.

Ed Black: “The full peanut experience,” from someone who grew up in peanut country, so you know what the full experience is. Thank you, Fran, for taking the time—it’s been great to chat with you. And for our audience, once again, this is the Ropes & Gray R&G Tech Studio podcast. It is available on the Ropes & Gray website, on the R&G Tech Studio page. It is also linked and available where you get your podcasts. Thanks so much.