Features

Michael Kauffman – Tech DNA

For this company, compliance is in the blood

Imagine this: After months of market analysis, your company has finally separated contenders from pretenders and found its acquisition target: a plucky Silicon Valley startup with a game-changing machine learning technology platform.

Later that day, you see a story on CNN about one of your competitors being fined hundreds of millions of dollars for violating the European Union’s General Data Protection Regulation (GDPR), because the startup it acquired failed to adequately protect people’s privacy.

Michael Kauffman – Tech DNA Vanguard Law Magazine

Once the schadenfreude subsides, the alarm bells begin to ring: This absolutely must not happen to us.

With any luck, it won’t—so long as you give Michael Kauffman a call before closing on the deal.

“If you’re a company acquiring tech, the day those papers are signed you’re on the hook for all the sins of your target; there’s no grace period,” says Kauffman, a former programmer-turned-attorney who now serves as principal and chief legal officer for the Seattle-based Tech DNA, a leading provider of technology due diligence services. “Even if you isolate them within a holding company, the GDPR still gives regulators all the tools to fine you based on 4 percent of your global revenue.”

The revenue of the parent company—not the target. Meaning there’s a potential for fines to dwarf the cost of the acquisition itself.

“Gone are the days where the worst that could happen was the deal ended up not achieving its goals,” Kauffman adds. “Now the downside can be many multiples of the deal itself.”

Opening salvo

According to Kauffman, laws like GDPR (as well as the upcoming Consumer Privacy Act in California) represent a reckoning of sorts for a tech industry that long viewed itself as immune to politics—and, more importantly, regulation.

Prior to GDPR, the biggest privacy violation in U.S. history resulted in a $25 million fine of AT&T. But earlier this summer, the Federal Trade Commission fined social media giant Facebook $5 billion—a penalty amount Kauffman says was directly influenced by GDPR, even though GDPR is an EU law.

“GDPR and the tone it set are just the first wave,” Kauffman says. “The gloves have come off on both sides of the pond. And even if you don’t get the billion-dollar treatment Facebook got, the message is clear: The penalties are no longer wrist-slaps; they’re face-punches.”

Don’t Get Bitten

It’s Tech DNA’s focus to ensure that buying tech doesn’t put you on the regulatory radar. First, Kauffman and his team review any and all technology-related documents underlying the transaction: everything from architecture diagrams to privacy policies to data schemas.

Next, they dive into the code itself. And this is what separates Kauffman’s team from other digital regulatory compliance teams: The documents aren’t the standard of truth; the code is.

“It’s exceedingly rare that the documents tell the whole story. After hundreds of assessments, maybe we’ve seen that once,” Kauffman says. “It’s the tech-as-built, not the docs-as-written, that really drives the regulatory scrutiny, so the tech-as-built is what we focus on.”

The goal, Kauffman says, is to pinpoint any red flags regarding how the target handles its information. For example, when the legal team says to the tech team “delete X from everywhere,” the tech team might not really understand that this truly means everywhere. So they delete from key databases and backups, but not POCs, crash dumps, log files with foreign keys or other locations—things few attorneys understand.

“The list goes on and the GDPR gives no relief because tech and legal couldn’t get on the same page,” Kauffman says. “It’s the same with data isolation, consent demonstration, salting, training sets, visual identifiers, context-based sensitive data, leveraged privacy regimes, imposed personal data and so on. The reality is that there’s a painful shortage of the dual-hat programmer/attorney that understands both the tech and the law.”

More Deals Affected

According to Tech DNA’s own data, 9 to 13 percent of all deals fail because of technology problems associated with things like privacy.

“For a lot of acquirers, they take the risk apparently thinking, ‘We’re good. There’s an 87 to 91 percent chance that everything is just fine, right?’” Kauffman explains. “But that’s irrational; the cost of checking is a small fraction of the penalty if caught. It just doesn’t make sense to ride rogue anymore, which of course is by regulatory design.”

“We prevent bad deals before they happen,” he says.

But it’s often not as black and white as “buy or don’t buy.”

For example, Tech DNA’s analysis might support the deal going through, but only under the condition that the target shed historical data not properly obtained under modern privacy regimes.

Alternatively, Tech DNA might identify that a certain privacy-violating feature or functionality needs to be turned off. Or recommend making the calculated choice to stop selling in the EU to simply dodge the GDPR entirely. What’s more, Tech DNA can review whether the target’s tech can accurately distinguish EU customers from others to ensure the GDPR dodge is complete.

“To those who see GDPR and privacy regimes generally as only a cost, they’re missing the point,” Kauffman says. “It’s entirely possible to make GDPR a competitive advantage; and we’re seeing savvy tech acquirers wake up to that. That’s what makes our skills and expertise unique: We understand the tech, the law and the market forces at play.”

The False Comfort of Anonymizing

Still, Kauffman says one of the most common attempts to dodge the GDPR is the riskiest of all: attempting to escape privacy regulations by anonymizing data so that no personal data remains—while retaining the profitable insights that make the data so valuable.

The problem, Kauffman explains, is that anonymization is much harder than it seems, as the cracking of a few high-profile anonymized datasets has shown.

Like the time New York City was compelled—through a freedom of information request—to disclose GPS data of its taxicabs. While the data was anonymized, it wasn’t done correctly, so numerous personal details were leaked, such as specific taxi trips by Bradley Cooper and Jessica Alba and the potentially embarrassing fact that neither tipped.

Or the time a supposedly anonymized health insurance database for the State of Massachusetts was used to identify the specific medical condition of then-Massachusetts Governor William Weld that he refused to disclose himself. Or when streaming giant Netflix had to pay $9 million to settle privacy claims for releasing supposedly anonymized data in support of a contest that let teams compete to create a new suggested-viewing algorithm.

What comes next

The problem, Kauffman says, is that terms like “anonymous” have legal meaning but require technology skills to establish if the software actually meets the legal standard. In fact, it’s one of the industry’s big blind spots right now: There simply aren’t enough people with years of technology experience and years of legal experience to fuse those two worlds and provide real guidance.

“Ten years ago, it might’ve been forgivable for being less private and less secure if it was unintentional,” Kauffman says. “That’s no longer the case. We spot personal data all the time at tech companies and they have no idea how much they actually have and how poorly they’ve obscured it. But the regulators don’t seem to care that anonymization is difficult. They just know that post-close, the acquirer is liable for it.”

“The GDPR changed everything and the feds and individual states, especially California, aren’t far behind. Now you have laws that can affect your entire reason for pursuing a deal in the first place. And more regulation is coming.”

Getting a clear-eyed view of the risks is key, says Kauffman—so you can make CNN headlines for all the right reasons.

“Tech due diligence has become a market in its own right, rather than just a niche practice for a few sophisticated acquirers,” Kauffman says. “A few years ago, the market didn’t exist to quantify such tech risks, so companies just bought blindly. But that’s changed and it’s now possible to reduce tech risk even as tech risk becomes more painful.”

Published on: October 1, 2019
