AI, Privacy, and the General Counsel’s Role in Responsible Innovation

Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st Century.

Jodi Daniels 0:21

Hi. Jodi Daniels, here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hi, I’m Justin Daniels, I am a shareholder in corporate M and tech transaction lawyer at the law firm, Baker Donaldson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cyber security risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:59

And this episode is brought to you by ding. Thank you. Birthdaying. Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology e commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers to learn more and to check out our best selling book, Data Reimagined: Building Trust One Byte at a Time. Visit redcloveradvisors.com. Do you know Justin, how many years old our book is?

Justin Daniels 1:40

Can say three.

Jodi Daniels 1:42

Yes. I have no prizes for you, though,

Justin Daniels 1:45

of course, snip plot that can I get it on Kindle?

Jodi Daniels 1:49

You can get it on Kindle. Yes, for everyone curious, you can get it on Kindle. We’re recording in Cybersecurity Awareness Month. We highly recommend it. And for those listening, our podcast is five. We just like to celebrate everything in the fall around here, because it’s the best season ever. Okay, my favorite. Oh,

Justin Daniels 2:08

so why don’t we introduce our guest for today, who I met when I was most recently in Washington, DC. So today we have Lane Blumenfeld, the chief legal officer for Data Driven Holdings, and he has become a market leader of data, power, technology and marketing solutions for the automotive industry. He was also named a top 50 Corporate Council by on con. Welcome Lane.

Jodi Daniels 2:37

Welcome to the party.

Lane Blumenfeld 2:38

Glad to be here

Jodi Daniels 2:40

Well, we always like to get started and drill a little bit deeper into that career journey. You could share yours

Lane Blumenfeld 2:47

Sure my career journey actually started in Moscow. I had a master’s in addition to my law degree. My master’s was started in Soviet studies. It switched to Russian and East European studies midway through, and I was working with the Russian government back when, when everyone was friends on commercial law reform. I was there for a couple of years, came back, joined a large law firm, realized that I felt really distant from the business side and the policy side, and so I went in house for a series of telecommunications, satellite, internet companies, and, you know, eventually, you know, increased in responsibility, something that happens really pretty quickly when you’re in house. Became GC of a publicly traded company at a relatively young age, practiced a little bit as a solo practitioner on my own for a while, and then joined Data Driven Holdings, or DDH, almost 11 years ago. Now. DDH is a holding company. Our main operating company is Team velocity, and as you noted, we we provide all kinds of data driven marketing services to the automotive industry. Our clients are primarily automotive dealers. We run their websites, we do digital advertising, we do social advertising, we do email, we even do traditional mail. And I’m the chief legal officer dealing with everything from our corporate issues to our HR issues to, of course, our data security and privacy,

Jodi Daniels 4:21

just a few issues, I’m sure, across your desk every day.

Justin Daniels 4:27

So as general counsel, you see the tension between unlocking data’s business value and respecting the privacy boundaries around it. How have you built a governance framework that balance balances these two competing concepts? It’s been

Lane Blumenfeld 4:44

a for anyone who is in house, particularly, that’s a real tension, because from a product and a service perspective, we want our products to be fast, efficient. We want our customers, the dealers we don’t. Their customers, for example, you all to be able to access the website or your portal so that you can either shop for a new vehicle or order service. We want that to be efficient. Think about it like Amazon. When you go into Amazon, you’ve already logged in. Amazon knows where you are. It knows your preferences, and it’s a very smart, user friendly platform, and we want, increasingly, the auto industry to be like that as well. So, but of course, you know, there’s a tension between that and and privacy concerns and security concerns. So what I try to do is I try to get involved early with our product team and our dev team, so that we’re starting to think about those issues as we’re developing new products, as we’re developing new services. That’s a much easier way to do it than if I come along once we’re ready to roll out to market and say, that’s nice. But have you thought about, you know, the multi factor authentication? Have you thought about who in the company will have access to the client’s pi does? Does? Do the sales team really need that? Probably not. Do the service people need that? Maybe not. You know, where can we limit access in order to make it as secure as possible? And so I think there’s, there is definitely a tension between making products that are efficient and and in work well and ones that also protect the, you know, security and keep our dealers out of trouble and keep us out of trouble

Jodi Daniels 6:30

Lane. Can you share maybe a little bit more about the process, or some examples of how you try and get those conversations earlier on? I know people listening are always well, yeah, that would be great. I want to figure that out too

Lane Blumenfeld 6:44

well. For example, it’s the easiest thing to do is to make information within your platform available to everyone in the company. Now, maybe that gets different. If you get to a company that’s 5000 or 10,000 and has lots of different divisions. We started with about 200 employees. We’re now up to about 500 so we’re still in that mid size. And there’s a lot of crossover between people who are in client support, in dev, in products, and sort of the thinking is, well, we want everyone to be able to easily access everything, and it requires a lot of extra work to put up guardrails and to determine who really needs access to what. So that’s an area where I’ve spent a lot of time working with both our dev team but also our executive team and our business team to figure out what’s the right sort of trade offs what’s the right balance between efficiency and protection, and if it means certain people don’t have full access, or have to request it and justify it, or go through a couple extra steps to have access to customer information, that’s the trade off. And but finding where that sort of balance is is sort of a lot of you know, I spent a lot of time trying to parse that and get to that right balance

Jodi Daniels 8:07

that makes some sense.

Justin Daniels 8:09

Indeed, indeed. So driven data deals with massive data pipelines and obviously AI driven insights. And I know we’re still pretty nascent in the regulations, but I’d love if you could just share with us how you think about explainability and bias and your analytics, not really from a technical issue, but how you think about it as a legal issue, versus, hey, this is something we deliver as a value a business value driver, yeah, it’s

Lane Blumenfeld 8:43

AI is one of the things where we are, like everyone you know, trying to figure out how to, you know, use it in a way that’s smart, integrated into our products, in some cases, redevelop products, you know, to make them you know, AI from the beginning. Clean data for us is really important. How many everyone has gotten a letter to renew your you know, your warranty for car you no longer drive, and so, you know, that’s my favorite letter. I mean, it’s and that’s a use. First of all, it’s a waste of money for the advertiser, for the dealer, it irritates you, and it just and then it goes in the landfill. So it’s there’s no positive to it. So being able to take data, you know, we get data, both from our clients, from the dealers themselves. They obviously give us access to their customers. But we also want to be able to get data on potential customers conquest. So we get those from other sources, and we need to make sure that it’s accurate that the person actually lives where you know that the address that the email, that they’re actually driving, the car that they’re then we need to know about their car. Are they ready for an upgrade? Is their lease coming due? And so using AI to you. To, you know, to sort through all of that, and then to rank those customers who is most likely to buy, who is in market. When they’re in market, what are they looking for? And then, how can we target advertising to them across all the different mediums? If they’re looking, you know, like when you are purchasing a product or looking for a product on Amazon, you will notice that when you go to Facebook, you’ll start seeing advertisements for that product, or that kind of product, and so using AI to do that more efficiently, that’s one thing we’re certainly looking at and working on. The other is to in, you know, ad creation we’ve had, you know, I mean, traditionally, we have people creating ads. You know, we obviously have templates and the and the manufacturers, the automotive manufacturers, have requirements for the imagery, the colors, what can be said, not said. Some don’t let you say used. It has to be a, you know, previously owned vehicle, whatever it may be. But increasingly, using AI to create the actual content, which we do on a both a custom per customer basis per individual consumer basis per dealer, basis per brand, per model, and AI getting that right. That’ll drive down costs, obviously, for our industry, both for the dealers as well as for advertisers like us, and it will make things more accurate, more efficient and faster. So those are some of the things where I you know, where it’s largely product driven, but I’m trying to figure out how to do it from a legal perspective, and how to add value there as well.

Jodi Daniels 11:36

I think this would have been so much fun when I was stalking people for cars a long time ago. If I had all these tools, that was, of course, pre privacy, we just stalked you for cars.

Lane Blumenfeld 11:48

And I would say, I find my job. You know, the FTC safeguard rules, which apply to auto dealers, because they do financing and they have, obviously, all this privacy information. Most dealers are family owned. I mean, increasingly there’s consolidation and there’s more public companies purchasing dealers, and obviously those publicly owned dealership groups have a lot more compliance function, as they have in house counsel, but the majority of dealers are still individual, or own a few rooftops. They don’t have counsel in house. They now have compliance functions because the FTC rules require it, and that makes my job easier, because I’m now talking to someone who speaks my language, who understands why we actually have to have a privacy policy and why it should be the dealer’s privacy policy, not ours. We used to provide a template, a privacy policy that I developed to put on our dealer websites. Well, I only know what we do. My company does with the data. I don’t know what the full spectrum of privacy practices are for an auto dealership, so convincing them that they need to give us their policy and we’ll put it on their website because they’re liable, and they know more about their practices than I do. That’s been a discussion that’s taken a number of years, and it’s only in the last few years, and really only starting now that I’m getting even small dealerships to not just understand but agree that, yeah, they need they own their their privacy, and they need to tell me what it should say, and we can post it and make it available. But my creating a template for all dealers across all states is is not a really a good long term solution. So it’s uh, so that’s another thing where I’m, you know, as you said, and you, you’ve been in the auto industry, and it’s a lot, I think it’s a lot more mature from a privacy and data security compliance perspective than than it would have been, you know, five, four, certainly, 10 years ago. The issue you

Jodi Daniels 13:50

brought up about the template and making sure you have the right privacy policy is very important and transcends outside of the auto industry. We see this in a lot of other industries, where they’re a technology provider, they’re hosting different pages in a variety of fields for companies, or if you’re a company listening and you might be have with an AI chat bot, or not even an AI chat bot, just a chat bot, or some other kind of widget or page that you’re going to be transferring someone to. It’s really important to understand the privacy policy on the page you you might have to have both depending on how how clear the other company is. It has to be a big conversation, but it very much needs to be yours and you like how Lane you’re just you’re describing. You’re not providing that template for companies. If you receive that template, do not just presume you can take that template. It has to be what you’re actually doing exactly, and you’re not also just send it to the other company. I see this all the time, that point out,

Lane Blumenfeld 14:56

and I’ve had discussions with other, you know, other companies in. Field, they provide websites, you know, let’s just stick with, you know, providing to the auto industry. And they have their companies. They don’t even have a website. What I mean, the template I created was the dealers web privacy policy. It said dealer, not team velocity, which is our website providing business entity. But I go to other webs, other website providers, and it has their company name on the privacy policy. I’m, like, that doesn’t I mean, then that doesn’t cut it. I mean, you’re this is the dealer’s website. It may be provided by X, Y or Z company, but it’s the dealer’s website. And the FDC and state regulators and plaintiff’s lawyers don’t care who the website provider is. And yes, and you get to, you know, there are utilities within a website that may be provided by other parties, chat or text. And those also need to have, you know, sometimes their own third party, their own direct policies or disclosures. And also you have to remember, you’re trying to do this, the website’s fairly easy, because you can have links to all this stuff, but you in the auto world, you also have to have disclosures in all of your advertisements. And the disclosure rules were written back when advertisements appeared in newspapers, and you had that long fine print at the bottom about, you know, that’s where we went for our auto dealer. You went on Saturday morning before you went to the dealership, and they’re all the disclosures. Well, the rules haven’t changed, and so technically, you still are supposed to put all that stuff in a digital ad where you only have Google only gives you so many characters, you just can’t do it. And obviously the regulators understand that, but it’s still so you’re still trying to, you know, fashion a you know, you know, do advertising online or for social or digital, as if it was a newspaper. And you know, we all you know, from that perspective, no one is fully compliant because you can’t be because you don’t have enough space, right?

Jodi Daniels 16:58

Fascinating conversation, and I’m really summary, anyone listening, make sure you have the appropriate privacy notice that applies to your company on every single page.

Lane Blumenfeld 17:10

And I would say, though you also, and this is where, in house counsel, I think, provides some real value added. Yeah. Also have to be practical about it. You can’t put everything on a digital ad, even if the law technically would seem to say you need to put all of this on in the same font, it just doesn’t work. And so you have to make some risk analysis, and you have to, as a lawyer in house, you have to be able to give some advice as to what you know. What do we really have to have? What do? What do the regulators look at as vital? What do other companies do? I mean, there is a lot of comfort in if we’re doing you know, for following the market trends in terms of advertising disclosures, there may still be an issue with it, but then it’s not about our company or our advertisements, then it’s about the industry, and so providing what is really risk analysis and advice, as opposed to pure legal advice, that’s really, I think, where, where in house counsel has a real important role to play. Excellent point.

Justin Daniels 18:12

So Lane, in the course of this interview with you, we’ve talked about, you’ve mentioned OEMs, dealers, analytics, and so I sit here and I listen to this, and you, you know, as in, a general counsel in your company kind of sit at the center of these labyrinth of all these different relationships in your ecosystem. And what I’ve seen as a fellow attorney is how you shape contracts and how you enter into relationships has really gotten complicated, because it’s rare that some company has a product where they’ve built everything, they’re taking parts and pieces from other places, and then you have your OEMs, you have your dealers. So I’m building up to this question is, you know, share with our audience, from your perspective, as you’re negotiating, these deals are, what are some of the clauses and negotiation points that have become must haves for you when you have to manage data rights and cybersecurity obligations, when it might be OEMs, data analytics, you’ve got your dealers. Those are some pretty complicated relationships to untangle and understand the risk.

Lane Blumenfeld 19:18

It’s a great question, and particularly in my role, and partially because of the size of our company, I am very much at the center of both the vendor relationships and negotiations and the client ones. So I start with the client one. What does our client contract say? What do we commit to? And our terms and conditions are, you know, I’ve designed them intentionally that so that they provide the protections that the dealers need. They have data safeguards, protections in it. We state in our terms that we have cyber security insurance. We provide that the dealer doesn’t have to ask for that. So I start with what have we committed to our dealers? That’s the sort of the foundation and sometimes those comm. Commitments are required, either by the industry or the OEM. The manufacturers require, for example, that you have cyber security insurance. And even though the dealers may not require it to be in the contract with them, I put it in there. We have it. It’s, frankly, it’s a good business, you know, value add to say we have X amount of cyber security insurance, and to put that in your contracts. So I start with, what are our commitments to our clients? And then I look at every vendor relationship, everyone who’s providing us either a service that we use or a service that we incorporate into our into our platform, or a service that we effectively resell to our clients, whatever it is. I then say, I need to be protected on that end, those vendor terms need to mirror what I’ve committed to. So that’s the second part. And then the third part is asking, on a per vendor basis, does that vendor, does that service provider, have access to client data? Do they have access to pi? Not all of them do, obviously, but a lot do, and I am surprised that even today, the number of vendors, technology vendors, that have access to their clients, clients pi and that don’t have sort of standard provisions don’t make data safeguards, reps and warranties don’t state, even if they have it that they have cyber security insurance. So a lot of what I am adding to my vendor contracts are those provisions we make the following, you know, data stand, you know, data safeguard, reps. We follow the applicable state and federal law. We have cyber security insurance in no less than this amount. And it does surprise me that I still have to add that to a lot. No, not, not to all. I don’t even want to say the most, but to a significant number. I’m adding those paragraphs, and they should be, they should already be in there, just like standard reps and warranties and governing law, it should be part of the standard, you know, vendor procurement contract is that they have that because it’s required so, so that’s that’s how I sort of look at the commercial contracting space. You start with the clients, what have you committed to them? Then you go to look at your vendors. They’ve got to mirror those terms. I need to be protected if my vendor makes the mistake and it causes me an issue with my client. I, as the middle man in this case, need to be whole, and so that’s how I look at this universe.

Justin Daniels 22:28

And thank you for making that critical point, because I’ve watched data breaches happen to vendors of my clients, and my clients, liability to their customer who was impacted will be 10 to 20x because they entered into an agreement with a vendor that had a blanket limitation of liability of $25,000 because, as you correctly pointed out, Lane, people don’t appreciate how complicated the relationships are now, because you need vendors to deliver part of the functionality of your value proposition, and you’ve stated it very succinctly,

Lane Blumenfeld 23:00

Well, and let’s say, and here’s when, where the business negotiation gets complicated. Let’s say we have a vendor. We’re only paying them. Let’s say we’re paying them $10,000 well, their view is they should be limited to the value of their contract. They shouldn’t have liability for more than $10,000 okay, I get that. However, if they have a data breach, and my exposure is a million. It doesn’t matter that I only paid them 10,000 they need to cover me for the million, even if we’re only paying even if we have a small relationship, because it’s their issue, their mistake now be a fact based to the extent that that we contributed to it, but let’s assume it’s the vendors issue, the vendors mistake. They need to cover. They know what their risks are. They know how much insurance they need. They know what their exposure is, and they need to make me whole. I didn’t do anything wrong in that situation. And vendors particularly, particularly if they’re smaller, particularly if you’re paying less, if it’s a smaller per you know, if you’re buying software and it’s a smaller per license fee. They have a real trouble with that. And we’ve turned down relationships where they were not willing to back us 100% for things that they did wrong and were responsible for. And sometimes you just have to tell your own business folks want to do business with this company, and you have to say, that’s great, but the risk exposure is too high. Go find another vendor

Jodi Daniels 24:27

Lane with all the knowledge you have about privacy and security, we always like to ask this question, what is your best personal privacy or security tip?

Jodi Daniels 27:23

Thank you. So

Justin Daniels 27:25

when you’re not involved in all things privacy and security in the automotive industry, what do you like to do for fun? What

Lane Blumenfeld 27:33

do I do for fun? I do really believe in in a work life balance. I think it makes me better as a lawyer to have that balance. I’m a big outdoorsman. I love to hike. I love to backpack, kayak, mountain bike. I’m happy when I’m out in nature, doing something. My two boys, who are now, they’re not boys anymore. They’re they’re, well, they’re their brains. May they may have, you know, boy brains, but they’ve had, they’re young men, and they love to do this with me, so it’s great. I we, you know, we were backpacking in the Smokies this summer, saw a lot of bears, and I had to have a discussion with my two boys as when we got back to the when we got out of the back country, and I realized that they had been sending pictures to my mother, their grandmother, of us and the bears while we were with the bears, I’m like, that’s the kind of thing that you send once we’re back at the hotel. You don’t send that to Grandma while we’re actually camping, because guess what? Your dad me, I’m the one who gets in trouble for that, because I’m now putting my, you know, the babies at risk, and so, yeah, we love the outdoors. My mother probably likes it less that we’re out there. But, you know, and I just sort of thought about this, I approach what I do in the outdoors similar to how I approach security issues. And from the work perspective, both my brother, my brother, my son, and I both to one of my sons, and I both have wellness, first responder medical training. You know, we’ve both, all three of us have actual outdoor, you know, educational training. So while we’re out there, you know, there are risks out there, the risks in life, but you know, to the extent that you can get the proper training so you know how to take care of certain medical issues, so you know how to, you know, make some predictions as to when storms are coming. Those are things that are important that can help reduce your risk and enable you to and to enjoy whatever you’re doing. So I, I try to approach that maybe as a lawyer, and it’s and it served me well so far, or at least the the approach still learn how to learn how to keep your yourself and your and your kids safe, just like you learn how to keep your clients safe. No, I like it, not a bad approach.

Jodi Daniels 29:51

Well, Lane, I’m really grateful that you joined us today. If people would like to connect with you, where is the best place to do so?

Lane Blumenfeld 29:57

LinkedIn, Connect. With me on LinkedIn. Send me a message. I I will. I will respond. Unless you’re trying to sell me something. I generally won’t respond to to those. But if you, if you want to connect and talk about any of this or anything else that’s up my alley, and looting the Smokies and and how to safely hang out with bears, look me up a LinkedIn.

Jodi Daniels 30:20

Everyone’s tip, share the picture after,

Lane Blumenfeld 30:23

yeah, that’s that. I mean that to me is, is obvious common sense advice. But when I think back to my young 20s, I would probably would, oh, cool, here’s a black bear, you know, 25 yards away. I’m gonna send that to grandma. So there’s wisdom I’ve learned over my years that has served me well, and I just I had not passed that along to my kids yet, and that was my error. There.

Jodi Daniels 30:48

There you go. Amazing. Well, thank you so much. Thank you both.

Lane Blumenfeld 30:51

This has been really helpful, really good and entertaining, and I hope it’s helpful for those listening out there.

Intro 31:01

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.