Navigating the Intersection of Tech and Law

Every day, Clifford Chance attorneys advise clients on the opportunities and risks posed by rapidly advancing technology. No matter the practice, no matter the industry, they are helping clients confront change so fast that it outpaces the law and customary business practices. This approach is not by happenstance. As their attorneys point out, “Every company is a tech company. Every business is a tech business. No sector is sheltered from the digital storm.”

Clifford Chance's Tech Group has been purposefully shaped to help clients cope with today’s tech revolution. Positioned at the intersection of law, business and technology, this integrated global team crosses traditional practice lines with ease to shape and deliver hybrid advice on tech-related issues. It is the right team in the right place at the right time.

Guiding the team is a core leadership group that includes U.S. partners Anand Saha and Megan Gordon, who are joined by colleagues from New York, Washington, D.C., and across the globe. Together, and in close collaboration with their clients, they are engaged in an ongoing dialogue about the impact of rapid technological developments on corporate legal departments. The array and complexity of the issues they confront is staggering – from Antitrust to AI, FinTech to IP, Competition to Cybersecurity, Data to Disputes. For clients, the need for coherent counsel and deliberate direction now is critical.

The following is designed to advance the tech conversation beyond the law to the bigger picture. Please visit Clifford Chance's Tech Group page to join the discussion.

A Law Firm Fluent in Law and Tech

Anand Saha

Not long ago, the term “technology” often referred to an industry—a business sector made up of tech companies. Today, however, digital technology is pervasive, and it plays a growing role in every industry, from consumer products to insurance, manufacturing, aviation—you name it. It is driving a comprehensive shift in the way companies do business, and as more and more CEOs will tell you, every company is now a tech company.

Law firms need to evolve to adapt to that reality. For example, at Clifford Chance, we have a growing number of attorneys who focus specifically on technology-related issues. Their expertise can be applied across many traditional legal areas, such as mergers and acquisitions, capital markets, finance and regulatory.

At the same time, we are working to ensure that all of our lawyers, regardless of their practice area, are fluent in the key technological trends that our clients are facing. To that end, Clifford Chance has launched its global “Tech Academy” to build on our existing strengths in training lawyers in topics ranging from e-commerce and connected vehicles to artificial intelligence, blockchain, data privacy and cybersecurity. The goal is to stay on top of the issues and remain in tune with our clients as they grapple with rapidly changing technologies.

To enhance the technology conversation with clients, the firm’s Tech Group produces a range of publications focusing on technology. We also have a dedicated website called “Clifford-Chance Talking Tech.” The site provides a focal point for the firm’s knowledge at the intersection of technology and the law, and provides another way to deepen clients’ understanding of the risks and opportunities being presented by evolving technology.

Through all these efforts, we are making technology as pervasive in our firm as it is in the business world. And we are helping to ensure that our clients can keep up with the accelerating technology-driven change that is reshaping their companies and the business world.

Anand Saha is a partner in Clifford Chance's Corporate practice and is a leading member of the firm's global Tech Group. Reach him at [email protected]

Tech Raises New Litigation Risks

Megan Gordon

As technology becomes more deeply woven into business, general counsel at tech companies—and for that matter, companies in general—need to be alerted to new litigation risks. These might include, for example, potential civil suits for liability involving devices that can be hacked; antitrust litigation stemming from the use of algorithms in pricing; or issues with export controls, to name a few. In addition, governments are becoming more and more savvy about new technology, and as that continues, we can expect more technology-related enforcement action.

Perhaps the greatest area of potential risk is the data that companies collect and use. Data breaches exposing sensitive information can lead to actions from federal and state regulators as well as litigation risks. Thus, general counsel need to pay special attention to the handling of data. How are their companies gathering and moving data, and what are the risks and benefits associated with those activities? How are they protecting data? And just as important, they need to determine how the company will respond in the event of a breach, which can have a significant impact on how any ensuing litigation unfolds.

At the same time, companies need to take a global view of litigation risk, as technology-related laws often differ from country to country. Case in point: The EU’s new General Data Protection Regulation (GDPR), a sweeping change to data privacy rules, includes broad requirements for collecting data, gaining consent for data usage, the processing of data and the infrastructure needed to protect data. While this is an EU rule, it applies to any company marketing products in Europe—which includes most large U.S. companies.

Overall, the general counsel will need to put in place policies and procedures that help ensure compliance with technology-related regulations and the security of data. At the same time, however, technology-enabled change is moving fast, and becoming critical to business success. That means that companies will need to find the right balance between control and flexibility in order to meet the dual mandates of mitigating risk and enabling innovation.

Megan Gordon co-heads Clifford Chance's U.S. Cybersecurity and Data Privacy group and is a leading member of the firm's global Tech Group. Reach her at [email protected]

Antitrust Enforcement

Tim Cornell and Kiran Gill

With rapid developments shaping an increasingly digital era, antitrust regulators around the world are running bold test cases against tech giants, exploring new theories of harm and obtaining record-breaking fines for anticompetitive sales practices. Unlike regulators in other domains, the antitrust regulators in the U.S. are not waiting on any changes to existing legislation in order to effectively regulate emerging technology practices.

Artificial intelligence & anticompetitive practices

Businesses that utilize algorithms in offering services or products should make sure to steer clear of any risk of being viewed as enabling price collusion (such as when competitors jointly use the same algorithms to facilitate a price agreement) or dominance (where the algorithm operates as a search engine and unfairly prioritizes the firm's own products; a potential example of this could arise within the context of voice shopping).

Antitrust enforcement of IP rights

The current head of the DOJ's Antitrust Division, Makan Delrahim, comes from a strong IP background, and he has expressed concern over the standard-setting process, noting the tension between innovators (patent holders) and standard-setting organizations (SSOs, the technology implementers). Thus, companies should expect enforcement of IP rights to be pro-innovation and should take care to ensure that any SSO they are part of observes robust antitrust compliance policies and avoids information sharing. Indeed, Delrahim has warned that SSOs can be rife with opportunities for anticompetitive activity.

Increased enforcement and self-education

The scrapping of Obama-era net neutrality regulations in December reinstated the FTC's jurisdiction over broadband services, meaning it will be up to the regulator to bring antitrust enforcement action to protect free and open competition on the Internet. In stating their views on competition in the American technology sector, all four of the recently confirmed FTC commissioners expressed intentions to closely monitor the tech giants and ensure that the agency builds the talent and capability needed to understand the unique dynamics of technology-driven markets. These comments also suggested that the FTC likely will be more receptive to the concerns of smaller competitors and consumers.

Corporate partner Tim Cornell heads up Clifford Chance's U.S. Antitrust practice. Reach him at [email protected]

Kiran Gill is a law clerk in Clifford Chance’s Antitrust practice. Reach her at [email protected]


Daniel Silver and Daniel Podair

The cybersecurity regulatory landscape in the United States is rapidly evolving. Recently, prosecutors and regulators have stepped up efforts to combat cybercrime and ensure that companies adequately manage cybersecurity risk and disclose breaches and other material information.

In February, the Department of Justice (DOJ) created a cybersecurity task force to review current criminal enforcement efforts and suggest areas for improvement. As they often require assistance from victimized companies, prosecutors and law enforcement agents are continuing efforts to strengthen information-sharing between government and private industry. Corporate entities, however, are sometimes reluctant to involve law enforcement authorities for fear of inviting regulatory scrutiny.

Regulators, in turn, are increasingly focused on making sure companies actively manage their cyber risks. The Commodity Futures Trading Commission (CFTC) requires regulated entities to conduct periodic cybersecurity testing. The New York State Department of Financial Services (DFS) also requires DFS-licensed entities to adopt a cybersecurity program and undertake monitoring and testing. DFS-licensed entities must submit an annual certification of compliance—the first of which was due in February—and must notify DFS of any material risk of imminent harm arising from a cyber incident within 72 hours of the incident. Also in February, the Securities and Exchange Commission (SEC) issued interpretive guidance that emphasizes the importance of maintaining adequate cybersecurity policies and procedures and disclosing material cyber risks and incidents to the investing public.

These enhanced regulatory requirements will likely lead to increased enforcement activity. In February, the CFTC initiated an enforcement action for failure to properly safeguard information security systems, which allegedly led to a breach of customer information and records. The SEC and other regulators are likely to continue this trend.

Now more than ever, companies must adequately assess their cybersecurity risks and adopt policies and procedures that respond to those risks. They should regularly monitor compliance and conduct exercises so they can respond to a cybersecurity incident rapidly and effectively.

Daniel Silver co-heads Clifford Chance’s U.S. Cybersecurity and Data Privacy group. Reach him at [email protected]

Daniel Podair is an associate in Clifford Chance's Litigation & Dispute Resolution practice. Reach him at [email protected]

Data Security

Celeste Koeleveld

Data has become a "force unto itself" in our digital world, with the potential to offer great benefits while also threatening to cause tremendous mischief. For example, with regulatory and enforcement agencies imposing bigger and bigger demands on corporations for information about their operations, advances in technology—including intelligent artificial intelligence (AI)—can make the lives of the corporate compliance and legal departments easier. Indeed, AI may even be better than humans, and certainly cheaper and more efficient, when it comes to some types of data examination and production.

At the same time, the more that corporations rely on data to conduct their operations, the more those operations are at risk from cyberattacks. Moreover, regulators are increasingly demanding that corporations shore up their defenses to ward off attacks proactively—and it's not just the corporation's own defenses, but also those of third-party service providers that require scrutiny. New York State's Department of Financial Services, for example, explicitly requires, as part of its cybersecurity regulations, that its regulated entities take steps to protect data held by third-party service providers.

It's a lot to stay on top of. Whether a company is facing the need to conduct internal reviews of cybersecurity policies and procedures or to review those of outside vendors, the goal should be to ensure that it is well-positioned to take full advantage of technology and data, without suffering the potentially devastating consequences of a cyber breach and its aftermath.

Celeste Koeleveld, former GC of the New York State Department of Financial Services, is a partner in Clifford Chance’s Litigation & Dispute Resolution practice. Reach her at Celeste [email protected]


David Felsenthal and Jesse Overall

The forces of technological change, enabled by breakthroughs in computing and multiplied by the network effects of the Internet, are shrinking the borders of time and space and transforming every facet of modern life around the globe. We stand on the brink of a Fourth Industrial Revolution—driven by artificial intelligence and machine learning, cloud computing, the extraction of value from Big Data using predictive analytics software, the Internet of Things—and machines are quickly replacing human intellect and power.

Finance is not sheltered from the digital storm. Traditional financial intermediaries risk disintermediation by peer-to-peer technologies that use the Internet to connect untapped pools of capital to those seeking funding, while traditional methods of doing business may not survive in a world where every consumer carries a supercomputer in their pocket. People can use a smartphone to sell Bitcoin from a digital wallet at an online cryptocurrency exchange, or text their robo-advisor's chatbot for more conventional investment recommendations. Bitcoin's blockchain introduced the concept of "distributing" the storage of a transaction history to each participant in a network and synchronizing updates to that history after all participants reach a consensus on the validity of each update. Now, the technology has the potential to replace traditional performers of certain payment processing, clearing, trade settlement and transfer agent functions.

However, finance is a regulated industry, so technological innovation takes place within a framework of rules set by the relevant authorities. For instance, for a blockchain securities trading platform or settlement system, the Securities Exchange Act of 1934 and SEC rules require registration for securities exchanges, alternative trading systems, broker dealers, clearing agencies and transfer agents.

States ranging from Delaware to Wyoming have enacted varying forms of enabling legislation for blockchain and smart contracts. Tech companies such as Amazon and Google may attempt to enter banking by having a subsidiary obtain an Industrial Loan Company (ILC) charter. As parent, the tech company would not be subject to regulation by the Federal Reserve Board as a bank holding company.

As the waves of technological change wash over the financial sector, the law will ultimately have no choice but to adapt. In the meantime, however, like it or not, all market participants—insurgents and incumbents alike—will have to comply with, and innovate within, "legacy" statutory and administrative frameworks.

David Felsenthal is a partner in Clifford Chance's Capital Markets group and a member of the firm's global Fintech practice. Reach him at [email protected]

Jesse Overall, an associate at Clifford Chance, works on a variety of transactional and regulatory areas, primarily within the Capital Markets group. Reach him at [email protected]
