Autores: Adam L. Massaro Tyler J. Thompson
Adam Massaro sits down with Tyler Thompson, a partner in Reed Smith’s Emerging Technologies group, to discuss how data privacy and artificial intelligence are reshaping the legal landscape. Tyler shares how he built a practice around emerging tech before it took off — and offers insights on how companies can stay ahead of rapid regulatory change.
Transcript:
Intro: Welcome to Disputes in Perspective, a Reed Smith podcast. This podcast series will discuss disputes-related trends, hot topics, and developments occurring in the global legal landscape, and hopefully provide you with some helpful insights and practical tips. If you have any questions about any of the episodes, please feel free to contact our speakers.
Adam: Welcome back to the Reed Smith podcast. I'm Adam Massaro, a litigation partner in Denver, and I am joined by Tyler Thompson. Tyler, how are you?
Tyler: I’m doing great. Thanks for having me, Adam. Really appreciate it.
Adam: Of course. You're a partner as well. What do you do?
Tyler: Yeah, so I'm a partner in the emerging technologies group, which obviously a pretty big, pretty expansive window. Most of my practice is data privacy, artificial intelligence, and technology transactions.
Adam: So it feels like everybody always tries to catch a wave in the legal practice, but most people either pick the wrong wave or a wave that ultimately doesn't fully take off. But it seems like you actually caught one. So how do you get into an actual emerging trend like that? When did you get into it and how did you pick that wave?
Tyler: Yeah, honestly, I just had really good advice. So in law school, I was working in Silicon Valley and basically my third year of law school was out there working for Cisco Systems, a massive tech company. And they were one of the few companies in the world at that time that had a Chief Privacy Officer. I knew nothing about privacy, but went to coffee with this guy and he just said, hey, you should look into this privacy thing. You know, as far as I know, I know my law school didn't have privacy courses. I don't think, you know, hardly any, if any, did. And just looked into that. So, you know, I started out my practice doing a little bit more in the technology transaction side. So, you know, executing those technology deals, software as a service, etc. But just really leaned in hard to privacy. And trying to get as much experience as I could in that area. And a little bit right place, right time. EU came out with GDPR, which was massive. That was in 2018. Then eventually California came out with their privacy law. And so, you know, it's just got some good advice and looked into an area of law kind of on my own and thought this sounds really interesting. It sounds like there's a future to it. And it was funny. I had folks, you know, even that when I used to work in-house, I had folks that I really respected say, hey, this practice, you know, this is a compliance function. You're never going to be able to make a whole practice out of it. And thankfully, I listened to myself and not them and have been very busy ever since.
Adam: So just to put some time frames on that, so you've been doing it for about a decade. Is that right?
Tyler: Yeah, that's exactly right.
Adam: Yeah. And so it's one of those things where everyone thinks about privacy, security issues, things like that, website compliance. And it all seems normal now, but go back 10 years. What did the landscape look like?
Tyler: Yeah. I mean, there was very little happening for a lot of companies. I mean, you had big, sophisticated players out in the valley where I was. But a lot of companies weren't really thinking about it. I mean, even if you went to a website, the websites that had a privacy policy or terms of use, they were a couple of paragraphs. A lot of times they were copied from other websites. You'd be on a website and their privacy policy would be talking about a totally other unrelated company because it was a copy-paste job. Folks didn't really think about it. The data security side, there was some sophistication on. I mean, people were worried about data breaches, but the privacy side, which is very different, there was hardly any, if at all, sophistication on that yet. So, you know, I think people knew that it was coming or could be coming down the road, but nobody really had any idea of how fast and furious it was going to hit. To your earlier point about catching that wave, it was more trying to survive the tsunami, right, rather than catching the wave.
Adam: Now, let's talk about privacy, because that means so many different things. But where does that fit within your world?
Tyler: Yeah, so privacy just means, you know, personal information. So any information that could identify an individual, you know, hey, Adam's on the website, we can tell it's Adam. It's very, very broad, that definition, and then all the rules around that. So, you know, how do we give individuals rights in their data, let them know what we're doing with their data? How do we make sure that companies and entities are processing that data in a way that, you know, it's respectful of the individual and is designed to minimize the risk of the individual. While at the same time, obviously, with my clients, it's we want to respect, you know, our customers or those individuals whose data we have. But we also want to make sure that we're using this information and running our business the right way. And I'm using it to our advantage, because as we all know, businesses, they just run on data these days.
Adam: I understand how a website like Amazon or, you know, big companies, obviously, they have all types of concerns about data privacy, but, you know, local operator, local website, local companies that has a smaller footprint, when they say they don't need your services, how do you respond?
Tyler: Yeah, I mean, it's, you know, it's honestly extremely, extremely rare to find an entity that doesn't need our services, even if they're B2B, even if they're very small. Now, you might say that, hey, we're small enough that a lot of these privacy laws in the United States, for example, don't apply to us. But if they're doing anything internationally, a lot of those international rules, they don't have revenue or size thresholds. The other thing is, it's not just these comprehensive privacy laws. We're seeing a lot of litigation around privacy aspects. And these are things that, hey, it doesn't matter if you're a one-person company, if you have a hot dog stand on the street, if you're using technology, if you're processing personal information from your customers, you could maybe be exposed to some of this litigation and some of this risk on that front. And then in general, I think it's always just a great business practice as well. I mean, people have become more and more accustomed to wanting to know how their data is being used. So even if you are that kind of one in a million client that you're small enough, you have enough of these exceptions, I just think it's a pro for your business as well. It's a selling point. Your customers, I really believe, want to see that. They want to see that their information is being taken care of.
Adam: So let's start at the threshold level of what services you offer and kind of work up from there. So let's even assume that sole proprietor, smaller business, where do you make an impact in their business?
Tyler: Yeah, if you're that sole proprietor, smaller business, we really want to get that low-hanging fruit. So let's say you have that website. Can we put a privacy policy on that website? No, it doesn't have to be like one we do for a Fortune 10 tech company. But can we put something on that website where we at least talk about how you're processing personal information? Putting a terms of use on that website so that when people are interacting with the website, you, the website owner, are protected, right? If somebody comes in, they try to scrape your data off the website, attack your website, take it down. You can use the terms of use as one of the methods to come back at them and get some recovery. And also, it's a lot of forward thinking as well. So a lot of folks are clients that are smaller, kind of in that startup stage, something like that. They're thinking ahead and they're thinking, too, we're going to need additional capital. We might be thinking about an exit and selling it at some point. I can tell you from experience, if you wait till the time that you're in that transaction and you're trying to close a deal and take your exit and walk out to think about privacy, it's going to be very, very painful. I mean, you're talking about things that could really change the purchase price of your company because you haven't thought about it ahead of time. So, you know, it's a little bit of prevention is worth a lot of cure. And that's why I tell folks is we can handle that low hanging through cheaply and efficiently right now. It's just going to save you a lot of brain damage and expense down the road.
Adam: How about on the insurance side? Is that something where is, you know, there's a lot of policies, but what is your take on sort of the status of do those policies provide any degree of protection? What's the kind of the status of that in your mind?
Tyler: Yeah, so cyber insurance and tech insurance in general, we've kind of seen a vacillation. At first, I would say it was hard to write this and you had pricing and the coverages varying very greatly. And we had a couple of years there where we'd say, hey, it's very hard to get this written, get these type of policies written. Now that's getting a little bit better. But what we're seeing is there's a lot of gaps in these policies. So I'm not an insurance attorney, but my understanding from what I've seen, there's much more variation in, say, a cyber insurance policy than any other type of insurance policy. Just because you have it doesn't mean it has any coverage. And we see that clients have this a lot, like in a deal negotiation and say, well, yeah, we're agreeing to a $2 million limitation of liability, but we're not worried about that because our cyber insurance is $2 million. Except that your cyber insurance is probably not going to cover some of these privacy and security concerns that would get you up to that $2 million or even above it. So there's a lot of gaps. And And I think if you have that insurance, it's really important that you dive into a deep dive and understand where you actually covered and where are you lacking.
Adam: How about middle-sized company, maybe operating in multiple states, still domestic, solid revenue growth, customer facing? What are some of the additional steps or tools you offer when you get to that larger company that's also now they're worth being sued on the flip side if they do do something wrong?
Tyler: Yeah, I think the middle-sized companies are actually where there is the most risk, in my opinion, because, you know, you're big enough now that these laws are applying to you. You're getting the regulatory scrutiny. You're getting scrutiny from plaintiff's firms. But most of these companies, you know, they just do not have the sophistication yet or haven't thought about or put the resources into privacy, data security, that type of compliance just yet. So, you know, what we typically do there is we're trying to orient these companies and understand, hey, this is what you have to comply with. These are the laws that apply to you. These are the risks that you face under those laws. And so once they get that lay of the land, it's, okay, how do we address that and start minimizing that risk as quickly as possible and as efficiently as possible? One thing with all the areas that we deal in is, you know, you can definitely rabbit hole on them a little bit. And you can go down this big path of spending a lot of compliance dollars where maybe you're not seeing that risk benefit. So we were trying to take a targeted approach and saying, hey, these are the three areas that we see the most risk. Usually it's your public facing things like things on your website, cookies, your privacy notice that a subject request can we reduce the risk of those big three areas quickly and efficiently and then we can work on the broader privacy program as you guys get the resources, the budget, as you get your arms around the personal information processing. So it's a lot of education for that middle company stage and then it's addressing it in a practical way and trying to be as efficient as possible with their compliance dollar.
Adam: Cookies, just for the audience benefit, what are those and why do you have to be worried about them?
Tyler: Yeah, so unfortunately, these are not like the tasty bakery cookies. If you've gone to any website recently, you see those pop-ups, you see those banners. That's what we do. We do a lot of that all day, every day. And basically, a cookie is just a little piece of code that a website will place on your device. There's a lot of other technologies that we kind of lump into cookies that are a bit different, but we kind of use cookies as a shorthand for it. And these are all technologies that, hey, when somebody visits my web platform, website, mobile app, what have you, you know, that owner of that platform is using to understand how is somebody using the site or they're using it for advertising or even they're using it to make the site function. The reason that this has become controversial is you can track people with those depending on your cookie. But there's a lot of cookies where, hey, like my IP address might be associated with that. So then I can know that Tyler is visiting my site. And so it's, again, it's going back to what we talked about earlier in that broad definition of personal information. It's in scope there. The regulators hate it. And these are not just regulators in the United States. These are regulators all over the world. The other thing that's really problematic about it is, you know, if you're a plaintiff's firm or a regulator, we can land on a website and know if you're compliant literally in about 30 seconds. And so it has just created this professional plaintiff's class where they can bring tons and tons of nuisance suits. And it's very hard to defend. And really the only way you can do it is by upfront compliance.
Adam: Your example, I could think of two where it's a fine line of what's private and our expectations, obviously, nowadays, but the one that always still gets me is I go to the website, I look at an article of clothing or whatever, don't go any further. And then I get pinged on my cell phone on a text, an SMS a little bit later, asking when I want to get back in the game. And, you know, it's interesting on some levels, you know, I've at least submitted to the process, but there's just certain degrees where it's unnerving to know that there's that much connectivity about what you're doing and what you're doing, you know, in a greater space, you don't have control over that information any longer.
Tyler: Yeah, 100%. I mean, we call it kind of the smell test in privacy where that's a great example. Maybe you're not doing anything non-compliant, but if a customer, a potential customer is turned off, that is going to freak them out and that can cause, you know, harm to your business, reputational harm. So a lot of what we do, again, is not only educating our clients, But then how can our clients educate people that visit their website? This is how we want to do things. There is definitely uses of this information where it seems very seamless. And all the ads that you get that you like, you probably don't even notice. And you're like, oh, hey, this ad is very useful. You never think about it again. But these things where you're talking about cross-device tracking, things like that, that can be jarring to people. And so beyond just the regulatory function, it's educating them on, hey, this is how this works. And should you be telling your customer base a little bit more about it so they're not surprised?
Adam: Speaking of emergent technologies, we're talking about artificial intelligence, an area you're focused on. What's going on from a regulatory perspective that people need to know about?
Tyler: Yeah, I mean, this is a huge topic, but Colorado, where we are, this is a huge factor right now because, you know, the Colorado AI Act. So this is something where we are the first state in the United States to really have a comprehensive AI law. And it's come under a lot of scrutiny. And also, Trump put out his AI Action Plan, and that AI Action Plan specifically states in it that, hey, states that have harder regulatory regimes for artificial intelligence are not going to receive federal funding. So the biggest question right now, I think, in the artificial intelligence regulatory space is, hey, should we be regulating it or to what extent? Because you see things like Colorado, you see things like Europe, where there's been a lot of pushback and folks are saying this regulation is going to kill this innovation. We think that artificial intelligence is a must-have for our economy or perhaps even broader, like our national security. These are countries around the world saying it. So that's the biggest conversation right now is where do you land on that line between trying to regulate it, maybe protect consumers and individuals a little bit, but not hamper it, especially when the United States and Colorado is going up against other countries or even other states with a more pro-business, pro-AI function.
Adam: So on some levels, the AI issues are at the forefront, especially we can't even fully embrace what's going to happen next. But if I'm a Chief Information Officer, Chief Technology Officer, what should I be thinking about with respect to AI? What do I need to know going forward, at least to deal with it in the next six months or a year when I'm thinking about regulatory issues, legal compliance, things like that?
Tyler: Yeah, so I think first off, if you're one of those folks in that role who thinks, oh, we're not using AI yet, or we have some time, I think you need to look yourself in the mirror. And it's actually you're probably already too late. Like people in your organization are rampantly using AI, your competitors are rampantly using AI. So first with clients, it's like having that moment of, hey, we've got to embrace this. Once they get to that point, it's talking about, okay, what can we do for some future proofing, right? Obviously, the regulatory space is very much evolving. What can we do to reduce some of our risk outside the regulatory space, to provide that transparency on how we use AI, and to just provide the future-proofing of, hey, if a massive federal AI law hits us next year, have we done everything we need to up to this point? So we're not going to be totally scrambling to handle those new regulations. So you're trying to peek around the corner, and we understand that, and we talk about that a lot with clients, and just try to be very transparent with them of, look, we know it's changing. We know you're a little bit trying to see into that crystal ball, but there is some things you can do right now to get a handle on it that is never going to be a wasted compliance dollar. It's always going to be useful no matter where that regulatory space goes.
Adam: Are you seeing provisions in various tech agreements, provisions addressing AI, whether it's in providing services or any provision that's somehow contemplating whether AI is permissible or how it may be used?
Tyler: Yeah, we're pushing at Reed Smith, we're pushing for artificial intelligence addendums. So, you know, to bring it back to privacy for folks that might be familiar with that, in the privacy space, there's data protection addendums, which are actually required by law and contracts. We're pushing for artificial intelligence addendums kind of in the same vein, right? We want exhibits to be included in these agreements that have some of the controls in place to deal with AI. And again, part of it is that future-proofing where, okay, if a new law comes out, we're not going to go out and have to repaper every single agreement that you have. I would say it's extremely standard to see some sort of artificial intelligence provision in any contract where that could at all be relevant. We're also seeing it in the M&A space. We're seeing it in the insurance space. So, you know, everybody is pivoting hard into it and trying to handle some of these risks, the risks that maybe aren't controlled with regulation. People are trying to handle that with contracts right now. And how can we see around that corner a little bit and protect ourselves via contract because we don't have a law yet that we can rely on as a standalone?
Adam: When we're talking about M&A work and things like that, what are some of the roles that you and your team support when you've got a merger and acquisition going on?
Tyler: Yeah, for sure. So for us, we're parachuting in and we're going to help out with those specialty areas. So, you know, let's say that we're by side. We're going to go into that target company and take a deep dive into all their privacy compliance. What are they doing on the AI side? What's the compliance look like there? Also just their general IT infrastructure and what does that look like making sure that hey they have that set up in a way that is going to work to run the business long term so we're looking at all these type of things trying to find that risk now once you've closed you you've bought that risk and we've seen this a lot in recent years where people will close on these massive deals and then there's a there's an unexposed breach or there's a lot of privacy non-compliance and it ends up costing uh you know it ends up costing nine figures even right it can be very, very expensive depending on what it is. So we're trying to mitigate that risk on the front end. And unfortunately, you see a lot of non-compliance because it's such a new area. It's a constant challenge and we're just seeing a lot of gaps there. So then we're going back to our clients and trying to educate them again on, hey, here's the gaps. Here's what we think the risk is and how can we help you maybe post-close or pre-close to mitigate that.
Adam: When it comes to, obviously, providing input on other areas, like, for example, cyber insurance security, is that something else that your team does to assist whether a company should get cyber security? How much? Understand what the realistic probabilities are of that coverage being in place.
Tyler: Yeah, 100%. I mean, we spend a lot of time on that, trying to find the right cyber insurance for our client. We also have great insurance folks here, so we like to team up with them. And so we're bringing that, what I think is really hard technical expertise and pairing it with some of that insurance expertise to provide a really unique offering there. Same thing with the data security side. I mean, trying to come in when you have that breach and help you respond, help you find the right team to line up on the forensic investigation side or even like the PR side. So I think what's unique about Reed Smith is our ability to pair that really hard data security, data privacy, technical expertise that I think we're excellent in, but pair it with some of these other areas that we're also strong in to give the client a one-stop shop for everything.
Adam: For purposes of, obviously, you've mentioned some European regulations, things like that. In your practice, are you working with any of our offices outside the US? Obviously, we have a global footprint.
Tyler: Yeah, we do. I mean, it's one of the things I love about this practice that it's so international. And, you know, even our team, we're dealing with international issues on a daily basis. And then we're working with, you know, the European offices, the APEC offices, because they have really complex regulatory regimes as well. Also dealing with jurisdictions that Reed Smith doesn't have offices, things like Canada, trying to advise on those areas. So, you know, privacy, it really is worldwide now, even though we're the United States in some ways have weaker controls on privacy and AI than a lot of other jurisdictions. We spend a lot of time analyzing what folks are doing around the world and then leveraging those in-country experts that we have around the world, really to provide that local guidance and just make it that much better.
Adam: I want to wrap up, just focusing a bit on your path and your path to partnership. So obviously you are a partner and you made partner at a point earlier in time. What was sort of the moment or whether a set of moments where you sort of realize you're going to lean in and this is what you're going to do and no one's going to take it away? Or how did you approach that transition? you?
Tyler: Yeah, it was interesting. I mean, I actually, so I started out in-house and I went to big law and I'm not ashamed to admit, like fully expecting to dislike working in a law firm. And nobody was more surprised to me that I just really loved it. I love the intellectual challenge of it. And so I started leaning in very, very immediately. And I've always been a person that leans in heavily. Like high school, I was the person going to all the sporting events and wearing the school colors. And it's kind of been like that ever since. And I was fortunate to be in an area where leaning in really paid off. And we've had so many great opportunities because of the changing laws and the great opportunities our clients have provided us. And so I realized early on that, hey, my expertise is really needed here. And even though at the time I was a lot younger, there wasn't a lot of old attorneys that had the technical knowledge or the expertise in these new laws. And that was really a competitive advantage for me. It doesn't matter if you've been practicing for 40 years if the law is one year old, right? And so that was something I realized early on is when we came out with the new privacy law, nothing stopping me from diving in and reading that cover to cover 50 times and reading all the guidance on it and being a true expert on it no more than anybody else in the firm. So I just use that to my advantage and realize this is a great path for me and it's worked out really nicely.
Adam: Love it. Well, that is our time for today. So I appreciate you joining the pod. And I'm glad to hear everything's working out so well. And I can't wait to have you on back.
Tyler: Yeah, thanks, Adam. It's been great. Appreciate it.
Outro: Disputes in Perspective is a Reed Smith production. Our producers are Ali McCardell and Shannon Ryan. For more information about Reed Smith's litigation and dispute resolution practice, please email disputesinperspective@reedsmith.com. You can find our podcast on podcast streaming platforms, reedsmith.com, and our social media accounts at Reed Smith LLP.
Disclaimer: This podcast is provided for educational purposes. It does not constitute legal advice and is not intended to establish an attorney-client relationship, nor is it intended to suggest or establish standards of care applicable to particular lawyers in any given situation. Prior results do not guarantee a similar outcome. Any views, opinions, or comments made by any external guest speaker are not to be attributed to Reed Smith LLP or its individual lawyers.
All rights reserved.
Transcript is auto-generated.