How do you “Own” Data?

Data ProtectionCybersecurityTrade Secrets & Intellectual Property
Written By Hosch & Morris

February 1, 2024

Privacy Plus+

Privacy, Technology and Perspective

This week, let’s consider the “ownership of data.” Everyone wants to “own” “their” data. First-party collectors and data brokers claim to “own” the data they’ve amassed. Service providers promise their customers will “own” the data they receive from their customers, and perhaps also the processed results coming out.  Many “owners” insist that “their” databases are their “intellectual property” (IP) (emphasis on “property”).

But exactly what does it mean to “own” data? Can data be “property?”

“Property” in Data (or anything): 

At its core, a “property” right in something is the right to exclude other people from accessing or using it. This is very different from the right to use the thing itself. For instance, you may have a property right to exclude others from using “your” improvement to an underlying system which you have no right to use yourself. So you may be able to keep others from using “your” processing and improvements to an underlying database; but if you had no right to use the underlying database in the first place, the improvements won’t do you much good. Either way, the right to exclude other people (you excluding others from using your improvements, the original “owner” to exclude you) is where it starts. Exclusionary rights must have some basis in law.

Three Things are Certain:

            1.         No Single Body of Law Establishes the Metes and Bounds of Property in Data, or Protects “Your” Data Against the World. 

There are established bodies of Intellectual Property law, but not for data per se. Data must rummage and scrounge for authority to be “protected” (i.e., to exclude others) where it may, but it will find such authority only against specific persons under specific circumstances – usually in contract or fiduciary duties, not (usually) in IP law.

                        U.S. IP law is a set of four different bodies of law, each addressing a different goal, with different requirements, trade-offs, and rights. Copyright gives authors exclusive rights for a limited time to “creative expressions” of the human spirit, but not facts, systems, or methods. Patents give inventors exclusive rights for a limited time to “inventions” and “discoveries,” under strictly controlled circumstances. Trademarks are “source identifying,” protecting consumers from being deceived or mistaken in the origin or affiliations of their sellers. Trade Secrets encourage business innovation and commercial morality. None of these covers data squarely, if it covers data at all.

            The one that comes closest is Trade Secrets, but in most states, this requires that the secret be genuinely “secret” in the industry and not readily discernable, be valuable, and be the object of continual efforts to keep it secret (and the practical applications of the one state still operating under the old Restatement aren’t much different). Not much data rises to this level. Probably what comes closest is the down-market cousin of Trade Secrets, namely “Confidential and Proprietary Information.” This is a vague, imprecise term for data which doesn’t meet the prevailing judicial definition of a Trade Secret, but which a business still thinks is valuable, wants to share with employees or suppliers etc., and doesn’t want others to know or use. Practically, if must be protected by express contract (or sometimes fiduciary duties) if it can be protected at all.

            2.         Data “Protection” has Almost Nothing to Do with the Amount of Effort or Labor it Took to Create It.  

Working hard to create or develop something doesn’t make it “yours,” as against the world. Your effort may be protected and rewarded in other ways, particularly if it’s misused in ways we consider “unfair,” but not with an exclusionary right good against the world.

            3.         A Claim of “Protection” is Sometimes a Cover for Unfair Competition.

“Protection” commonly means “don’t let my competitor use this.” But if the competitor is not prohibited from using it, “protection” may amount to unfair competition. (“Unfair Competition” can be found in the FTC Act, state-based “Little FTC Acts” like the Texas Deceptive Trade and Unfair Practices Act, state and federal antitrust law, and other sources of law.)

Our Thoughts:

What’s Needed is an Entirely New Body of IP Law for the Digital Age. 

For at least two generations now, the U.S. has struggled with trying to put new wine (software, data, now AI) into old skins (patent, copyright, etc.).  Copyright was structured in 16th-century English booksellers’ Statute of Anne, conceptualized while they were still burning witches down the street.  It and Patents are both referenced in the 1789 U.S. Constitution. Trademark is inapposite and trade secret law, though closest, is too narrowly focused. What’s needed is a new body of law reflective of a new age, which like the old ones both encourages progress and commercial morality without stifling it. We are hardly the first to call for this, but just because it will be hard is no reason to give up.

Meanwhile, to ensure effective management and protection of their data, prudent data-holders should adopt a comprehensive approach that incorporates key principles from various IP laws, focusing on practical strategies, including the ones outlined below:

  • Prioritize Trade Secret Law and Express Contracts:

  • It is advisable to  rely heavily on trade secret law, and express contracts about “Confidential Information” and privacy and data security. Avoid framing discussions or thoughts around the concept of “copying data.” The term “copying” is closely associated with copyright law, which is public by nature, and is sweepingly preemptive under 17 U.S.C. 301. Here, control of data is the primary issue.

  • - Clearly Define and Prioritize Your Data:

  • Identify precisely what data you wish to protect from unauthorized use.  Organize your data according to its importance and value, allocating more resources and protective measures to the most critical data.

  • - Employ Contractual and Technical Safeguards:

  • Use a strategic mix of legal agreements, such as Non-Disclosure Agreements (NDAs), and technical solutions to protect your data against unauthorized access, loss or misuse. 

  • - Maintain Continuous Security Awareness:

  • Don’t just “train” on data security and forget it. Remember “awareness” programs – enough to keep data security “top of mind,” but not so many reminders that they’re ignored as background noise.

  • - Clarify Data “Ownership” and Handling in Contracts:

  • In your contracts, be very clear about what is “your” data, how it is to be handled, and how it is to be destroyed or returned once the purposes of the contract have been fulfilled.

By following these guidelines, data holders can effectively safeguard their valuable information, balancing legal protections with practical security measures.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet, and technology. Open the Future℠.

Hosch & Morris https://hoschmorris.com
Previous

Blackbaud's FTC Deal: Delete Data, Amp Up Security
Next

Kate Morris to Speak at the Annual “Damages in Civil Litigation” and “Advanced Intellectual Property Law” Conferences