Weary of Wearables: IP, Privacy, and Data Security Concerns

Have wearables signaled a new focus on couture from Cupertino? It’s on the rise, but not just yet. Not when the relationship everyone thought would be steady by now is firmly in the “It’s Complicated” phase.

LPT App

The fashion and technology industries have certainly recognized a gap in the market where they intersect, both in terms of fulfilling societal needs (needs we never even knew we had), as well as in lost revenue streams. Sales of wearables amounted to roughly $3.5 billion in 2014, and due to improving data reliability and product variety, industry experts expect sales to increase five-fold in the next five years. This is occurring in the face of whole groups, such as the Chinese People’s Liberation Army, banning the use of certain wearables by soldiers, for fear of increased trackability and a higher chance of leaking military secrets.

As the wearable technology industry grows, the legal community must address the new and inevitable intellectual property concerns that manufacturers and technology companies will have, as well as consumer data security and privacy concerns associated with FitBits, Fuelbands, and other wearables. Makers of wearables must protect their IP in innovative ways; as technology companies and fashion houses partner, who owns what is a growing concern. Consumers are weary about the security of sensitive personal data and have concerns over their ownership of such information. Lawyers need to understand both the technology and the business behind it to counsel clients most effectively.

Part of the rising success of wearables, despite their inherent privacy risks, is their “coolness” factor. One way manufacturers of wearables have sought to achieve positive consumer connection is by associating with fashion houses and designers who have mass-market appeal. Apple made some strategic hires, enlisting executives at Burberry and Saint Laurent to assist with designing the Apple Watch. Google Glass co-brands with Diane von Furstenberg (the Queen of Cool) and Ray-Ban.

Through these partnerships, attorneys have been careful to address intellectual property ownership by dividing the assets into two vague camps—the IP that stems from the technology, and the IP residing in the brand value. Trademarks must be safeguarded and used correctly in marketing and branding the wearables. Attorneys must be able to quantify their clients’ brand values in dollar amounts as compared to the companies they partner with. In addition to trademarks, wearables are one of the few technology consumer products that garner value in trade dress. Among others, Nike has capitalized on the Fuelband’s distinctive and readily recognized shape and design, so as to create trade dress protection around the device. It will be interesting to see how attorneys deal with features of wearables that blend design and technological function, as trade dress remains a historically underutilized form of IP protection.

As is often the case, however, patents offer the greatest protection for wearable technology, and unlike many other patentable innovations, wearables offer manufacturers the opportunity to invest in both utility and design patents.

Patent investment and enforcement can also lead to the most costly of legal battles. An upgrade in the form of a wearable installed in Ralph Lauren’s signature Ricky bag is the subject of an ongoing patent infringement lawsuit. The handbag features an illuminable interior, and a charger for electrical devices An inventor claims this technology infringes on his utility patents for an “electric accessory system.” Also named in in the suit is Leoht Inc., the technology partner that Ralph Lauren worked with to produce the $5,000 luxury handbag, and Kickstarter Inc., where Leoht’s light-up-juice-up technology was initially sold. It remains to be seen how this case plays out, and, if infringement is affirmed, how damages are accounted for between Ralph Lauren Retail, Leoht, and Kickstarter.

Adidas and its technology partner, body sensor manufacturer Textronics, are embroiled in a patent infringement lawsuit filed by a different body sensor products manufacturer by the name of Sarvint, over the use of sensor technology employed in Adidas’ line of miCoach training shirts. The shirt uses special fibers to measure the wearer’s vital signs, and is linked to a smartphone app.

The fact that utility patents are spilling over into the fashion industry—an industry that from an IP perspective previously was focused on design rather than technological innovation—and across several devices at once, may be cause for patent litigators to pay closer attention to an industry often considered frothy and frivolous.

The IP issues faced by wearables manufacturers and technology developers are largely familiar, and previously addressed in different boom industries at various times. But wearables also bring issues of privacy and data security that may be novel to many attorneys. The largest regulatory voids exist in these two areas of law, and the legal community must highlight and educate on risks of data loss or theft, and privacy violations, as well as demand a more concrete framework to address these concerns.

Data protection is a key consideration for manufacturers of wearables, and those developing for wearable devices. The security of data collected from users of wearables, especially data considered “personal information” (such as health, financial and location data) is important, because through personal information, it is possible to identify the individual to whom the data is linked, either by a single piece of information or by triangulation and combination of information. Unauthorized, unintentional or overreaching use and dissemination of personal information creates potential liability for several parties.

Consider this: Jo wears a device that collects information through an app about her blood pressure, heart rate, and the number of steps she takes in a day. The device manufacturer gathers and stores the data, all tied to Jo’s account, which she was required to create to use the app on her wearable device. The manufacturer of the device or app developer could use the information to present Jo with targeted, strategic advertising. Since Jo’s been taking over 15,000 steps a day, on average, perhaps she’s in the market for a new pair of sneakers? This kind of data use falls on the more innocuous side of the spectrum, because it is the wearer’s data being boomeranged back to the wearer herself, in the form of advertising.

However, data security concerns of the more nefarious kind are at play when the wearer’s data is disclosed—intentionally or in error—to third parties that can have huge impacts on the wearer’s quality of life. Data sold, stolen or leaked through a data breach, to third parties such as insurance providers, for example, could allow insurers to quote Jo higher rates for health insurance, or even cancel her policy, without her knowing how or why, or even that the insurer was able to access her wearable device data.

The risk of breach is so tangible that many companies are purchasing cyberinsurance, to protect themselves from the liability arising out of a data breach. Although not directly a breach resulting from wearable devices, Columbia Casualty v. Cottage Health System, No. 2:15-cv-03432 (C.D. Cal., 2015), highlights the important issues and value of health data breaches, the type of data collected by the most popular wearables.

In that case, private health data belonging to some 32,500 patients, stored on network servers owned, operated and maintained by Cottage Health, was negligently disclosed in the public domain via the Internet. That case settled with Cottage Health’s insurer, Columbia Casualty, shelling out just over $4 million. Columbia Casualty sought to recoup the settlement amount, based on two claims. First, Columbia Casualty alleged that Cottage Health failed to “continuously implement” minimum security practices, and to “regularly check and maintain security patches on its systems.” Columbia Casualty’s second claim related to the misrepresentation of material facts regarding Cottage Health’s maintenance of risk (of breach) controls.

Although currently in mediation, the peremptory case highlights the work that successful attorneys counseling in the areas of data security and privacy law must do. It appears that preventative measures are better than an entirely curative approach to dealing with liability and risk of privacy violations and data security breaches. Lawyers may draft the most airtight and overreaching privacy policies and end-user license agreements (EULAs) for their wearables manufacturer or technology-developing clients, explicitly informing wearable users that their data can and will be used. At the end of the day, however, it is unlikely that these agreements would be held to be enforceable.

A better practice would be for attorneys to counsel their manufacturer and data controller clients on limitations of data use, and the risks of data breaches. Attorneys must be able to advise on the adequate levels of security and protocols required to withstand scrutiny in light of current industry practices and forecasted risks of data breach and privacy violations. Health and financial data are more risky than certain other types of personal information because they are more sought after. And in light of Columbia Casualty, attorneys should attempt to negotiate cybersecurity insurance policies on behalf of clients, to reduce the likelihood of an insurer successfully avoiding or limiting coverage in the event of a claim.

Privacy regulations need to be put in place and be enforced before, for example, blood pressure information collected during rush hour gets sent to your auto insurer, causing you to be classified as an aggressive driver. In the U.S., the FTC enforces consumer protection and consumer privacy rights where companies mislead, or fail to maintain adequate security for sensitive consumer personal information, under Section 5 of the FTC Act (barring unfair and deceptive acts and practices in or affecting commerce). The most recent example of privacy breaches comes in the form of a settlement between the FTC and Wyndham Hotels and Resorts, after Wyndham was found to have “unfairly exposed credit card information of hundreds of thousands of consumers to hackers,” in not one, not two, but three data breaches. Under the settlement, which places Wyndham under obligation for 20 years, Wyndham must adhere to strict auditing and security certification procedures.

Attorneys can learn from Wyndham’s mistakes, to be better able to counsel clients on managing data breaches, whether the clients are individual users or manufacturers of wearable technology and devices.

Once again, a preventative approach would have saved Wyndham much public scrutiny, skepticism and some serious cash. Attorneys need to be able to converse with the technical experts that handle their clients’ data, and who put in place the various levels of encryption and other security protocols, in order to meaningfully assess the clients’ exposure and areas of risk and liability. Preparing EULAs, privacy policies and going about generally counseling clients who develop for or directly manufacture wearables will require attorneys to be educated on the capabilities of the devices, how data is accessed, managed, disseminated and protected.

Until regulations that speak directly to the collection and dissemination of data through wearables—arguably all of which is personal information—are put forth, attorneys must keep abreast of case-by-case updates on the types of breaches that are occurring, and make sure that clients are protected, at minimum, against known threats.

The other side of privacy concerns associated with wearables is third-party contact with a user of a wearable device. Certain wearables, like Google Glass, may intrude on the privacy rights of others who may not consent to being filmed, recorded, or otherwise included in the wearer’s information collection activities.

The law has not yet addressed several concerns for third parties here, but it is important to be cognizant that such issues exist. Who owns the data that ropes a third party who did not consent to being recorded? What rights does that third party have in demanding a copy of the data, or in demanding deletion of the data?

ABA TECHSHOW

As devices get smaller and more inconspicuous (some smartwatches are intentionally designed to look identical to their traditional timekeeping counterparts), how do we account for the presence of wearables in settings where proprietary and confidential information is being disclosed discreetly, especially if we don’t even know they’re there? And ultimately, who bears the responsibility and liability for unauthorized dissemination of the data—the data collector who took all the reasonable security measures, or the wearable-wearing thief?

Industry experts conclude that by 2025, more data will be generated from sensors and wearable devices than all of the data being generated today from any other source. This makes sense: wearables, by definition, are small and portable, meant to be worn and taken with you wherever you go, during your waking and sleeping hours. Wearables are meant to be real time, 24/7 personal trackers of your mood, shopping needs, caloric intake, heart rate, proximity to destination… the list is endless.

As of now, we have not seen headline-grabbing data breaches involving data collected from wearables, which more often than not, measure health and wellness indicators, from check-ins at the gym to number of hours slept. Additionally, the wearables market is too nascent to have encountered its share of patent infringement mega suits. This may be why so little has been done by the legal community and policymakers to address the risks, and how to deal with them.

As with all technology, breaches and subsequent legal action are only a matter of time. The difference with wearables is that the value of health and wellness data has proven to be more valuable than stolen credit card numbers. After all, bank accounts can retroactively be corrected for fraud, but the health information of a wearable device user is inextricably tied to that user (in many ways, the data is simply a slice of the pie that makes up the person). In the absence of solid regulations, we need to be aware of the legal implications of introducing an increasing number of wearables into our everyday lives, and understand the technology behind the wearables and how it is used, in order to effectively counsel clients. The legal community—both in private practice and in public policy—can be the first point at which public concerns over privacy of data are addressed, by pushing all the actors in the wearables industry to expend greater efforts to ensure data security.

About the Author

HussainZainab Hussain is an attorney with Foundry Law Group in Seattle, and focuses her practice on intellectual property issues. Follow Zainab on LinkedIn.

 

 

(Feature Image Credit: ShutterStock)

Send this to friend