3 February 2022

Key Legal Considerations in Use of Portfolio Company Data

This article was co-authored by Elizabeth Raymond (partner) and Matthew Marvin (associate) at Mayer Brown LLP. This is the final article in a three-part series from Mayer Brown on digital transformation and its impacts on financial institutions.

With the rapidly increasing cost-effectiveness of machine learning and other data analytic tools, private investment funds are increasingly looking for ways to use and monetise operational data and information from their portfolio companies (“PortCos”). Doing so can allow funds to increase returns by investing and trading on insights derived from data that the fund understands more deeply than other investors.

Funds have, of course, long leveraged insights from PortCos to invest. Analysing one company, or sitting on its board, gives the investment team insights about the companies that buy from, sell to or compete with that company. The more recent development is that funds may seek to upload large quantities of data from PortCos into data lakes. In basic terms, a data lake is a repository for storing data in a manner designed for use of advanced analytic tools to generate insights that go beyond the PortCo’s original purpose in gathering the data. A fund may be able to generate insights not available to any one PortCo by including data from many PortCos along with other data from public sources and data licensors. Increasingly, cloud providers offer suites of tools that allow data scientists to quickly create and develop data lakes.

In this article, we discuss examples of legal risks that a fund may face when using a data lake to store and analyse PortCo data. These risks arise from obligations under contracts with PortCos and various laws, including corporate, eDiscovery, antitrust, data privacy, and intellectual property laws. Whether or not making use of a data lake, however, funds interested in pursuing PortCo data projects need to be aware of the legal obligations and risks as to the collection, handling, storage, use, processing, and disclosure of PortCo data.

After describing legal risks that funds face when attempting to use and monetise information from their portfolio companies, we describe steps that funds might take to address those risks. These steps include contracting with the PortCo, adapting the fund’s policies to address PortCo data, and implementing technical safeguards and mechanisms for storing, accessing, and using the PortCo data in compliance with laws.

Legal risks in contractual duties to PortCos

Funds with access to confidential information of PortCos generally have agreed to a variety of restrictions on use of that information. These restrictions may be found in stand-alone confidentiality agreements or in investor agreements entered into by the fund and the PortCo. The contractual definitions of confidential information are generally broad enough to cover any operational data. Commonly, the fund’s use of confidential information learned from or about the PortCo is limited to use for evaluating and managing the fund’s investment in the PortCo. However, most of these provisions have been written without data lakes in mind, and thus the precise language is critical.

The contracts may restrict use and disclosure of PortCo data or disclosure only. A contract that only restricts disclosure of data may allow the fund to use the PortCo data so long as the fund does not disclose the data. Note, though, that the non-disclosure provision may require that the data lake be run in the fund’s own data center or on a cloud platform where the cloud provider cannot access the underlying data.

The information sharing or governance provisions in contracts between the fund and the PortCo might or might not permit directors and observers to share information with the fund and its affiliates. In addition, if PortCo data is obtained by one investor through its right to information as a stockholder, the governance agreement may provide for equal rights to such information by the other investors.

There may be detailed restrictions that affect use in the data lake. Disclosure and/or use may be limited to only personnel with a “need to know” or a specific list of people. The fund may be required to destroy data when no longer required or at a specific time. Use might be limited to a purpose specified in the contract. The fund might be required to comply with other license or data sharing contracts between the PortCo and third parties, and those contracts may impose additional limitations on the use and disclosure of PortCo data, including specific restrictions against disassembling or reverse engineering the data. Any data lake containing the restricted data should be designed to permit compliance.

Legal risks in corporate law duties to PortCos

In addition to its contractual responsibilities, the fund may owe fiduciary duties to the PortCo. The fund’s specific fiduciary duties will depend on the type of entity (e.g., corporation, limited liability company or limited partnership) and the jurisdiction of the organisation involved (e.g., Delaware or New York state business entity laws).

Under many corporate laws, a PortCo’s directors owe the PortCo and its stockholders a duty of care and a duty of loyalty. The duty of loyalty includes the duty of confidentiality, which requires a director to maintain the confidentiality of sensitive information learned as a result of being a director. Also included in the duty of loyalty is the corporate opportunity doctrine, which restricts directors from personally benefiting, including benefiting their fund, from an opportunity that belongs to the corporation or the PortCo. These doctrines were conceived long before the convergence of data, artificial intelligence and cloud services created the opportunities for monetising PortCo data at scale.

The fiduciary duties may vary if the fund, instead of appointing a director, appoints an observer. An observer is generally defined as an individual serving as a non-voting attendee at board meetings who does not owe traditional fiduciary duties. This is in contrast to individuals the fund designates to serve as directors, who do owe fiduciary duties to the PortCo.

In addition to the fiduciary duties of directors, the fund may have fiduciary duties under applicable law, generally based on a degree of control. In addition, the fund may owe fiduciary duties under the PortCo’s governance documents, such as its charter, by-laws, investor rights agreement, operating agreement or limited partnership agreement. However, those documents also might waive fiduciary duties imposed by law. For example, waivers of fiduciary duties are possible for Delaware limited liability companies and limited partnerships, but not for Delaware corporations. Where permitted, such waivers of fiduciary duties in governance agreements can reduce the risk of liability for fiduciary duty failures generally.

Legal risks in laws governing data use

In addition to the contractual and corporate law duties that govern the relationship between the fund and the PortCo, the fund’s use of PortCo data is governed by numerous other laws. Here, we provide examples of securities, eDiscovery, data security and privacy, antitrust and intellectual property laws of the United States. However, any type of data may be governed by its own unique set of laws and these laws vary by jurisdiction.

Securities Laws. The fund could violate “insider trading” laws if the PortCo data includes material non-public information (MNPI). “Insider trading” is traditionally defined as the purchase or sale of securities on the basis of MNPI, and is prohibited under U.S. securities laws. This is familiar territory for funds, though, as they generally have well-developed policies to identify MNPI and exclude it from use or restrict access. However, insider trading policies may need to be adapted for new technology that can bring a flood of data into a data lake without human review.

eDiscovery. If the fund becomes subject to litigation arising from an investment or management decision based on PortCo data, a plaintiff might seek discovery of the models and data used in creating the output leading to the fund’s decision. Machine learning tools are often not designed or configured to store records of intermediate steps or to retain requests for information or their actual output. Unless designed to store models and underlying data in case of litigation, the fund may be unable to reconstruct how it made decisions and to preserve and produce records as required by law. That creates the risk of sanctions and adverse rulings in litigation.

Antitrust. Antitrust laws restrict sharing of certain types of competitively-sensitive information between or among competing companies. Some potentially sensitive types of information from an antitrust perspective include strategic plans or opportunities, target markets, investments, pricing, or marketing plans. There is a risk that, for example, people at the fund share information that they glean from the data lake with a PortCo, not realising that the information originated with a competing PortCo. This highlights the importance of tracking data provenance for each part of the data in the data lake.

Cybersecurity and Data Privacy. Cybersecurity and data privacy laws impose requirements on the storage, processing, use and transfer of some data, including personally identifiable information and various types of sensitive data. These laws generally impose restrictions based on the type of data and its origin. The restrictions may prevent use of regulated data in analysing investments or impose onerous security obligations. These laws are complex and vary widely.

Intellectual Property. Being comprised of raw unmodified data, PortCo data would most likely be protected as a trade secret (as opposed to copyright or other form of intellectual property). Therefore, the protection of the data depends largely on the fund’s ability to use “reasonable measures to keep such information secret.” If the data lake does not satisfy this standard, the fund may lose any trade secret protection that it and the PortCo have to the data. This could result in legal action by the PortCo and other investors.

Mitigating legal risk with contractual licenses from PortCos

A data license agreement with the PortCo can mitigate some of the legal risks that we described above. However, PortCos are rarely in the business of licensing their operational data. They rarely have the people, processes or technology needed to provide operational data at the levels of quality, reliability, and accuracy that funds expect from data licensors such as stock exchanges.

As a result, funds should not approach these licenses as a typical data license negotiation. In a typical data license negotiation, the fund might ask for a broad, exclusive, perpetual license to timely, accurate data delivered in an easily ingestible format with strong representations, warranties and indemnities. With a PortCo, a reasonable ask might be, for example, for a license to use data provided from time to time using the PortCo’s existing data export routine by a limited set of people for defined purposes. Also, the PortCo data license will need to consider and perhaps amend or supersede other contractual agreements between the fund and the PortCo. With that in mind, the following are some (but not all) of the key considerations when entering into a data license agreement to mitigate legal risk in using PortCo data.

Licensed Data. The core provisions of a data license agreement define the data that is being licensed, including the manner and frequency with which the data will be provided/updated, how current the data will be, the format in which the data will be delivered and the mechanism of delivery. The fund might also, for example, require the PortCo to de-identify and anonymise any personally-identifiable information in accordance with published standards before delivering the data to the fund and not provide any MNPI.

Permitted Users. The data license agreement may limit who is permitted to use the licensed data. The fund will want to identify in advance what restrictions are consistent with its anticipated use of the data and provide for use by all entities likely to be users, including perhaps a future data analytics subsidiary or joint venture. It may be important to provide that the licensed data may be used by third-party contractors in performing data science, cloud computing or other services on behalf of the fund. Finally, it may be important to provide that the licensed data may be accessed and used by regulators in reviewing the operations of the fund.

Permitted Purposes. Licensing PortCo Data for specific purposes and only for those purposes will reduce the risk that the fund is seen as overreaching, and may reduce the cost of the data license. However, the fund likely will continue to identify new or different purposes, and users will want to replicate or access data when helpful for new or different purposes. If the purpose clause is not general enough to allow those possible future uses, the fund will need to limit replication and access or use other compliance mechanisms to avoid a possible license breach.

Liability. The license may also address liability for issues arising from improper use by the fund, failures by the PortCo to provide the promised types or quality of PortCo data and failures by the PortCo to obtain proper consents from data sources for uses permitted under the license to the fund. The PortCo may ask that, as a non-specialist provider, it have little or no liability, and the fund may be reluctant to even consider an action for damages against a PortCo. The PortCo may also ask that the fund have substantial or even unlimited liability for data breaches but would also be unlikely to sue an investor. Thus, a low mutual liability limit might be a good initial proposal. In any event, the less the PortCo has at risk, the more important it will be to perform due diligence.

Mitigating legal risk by updating contracts and policies

Funds should update their policies on data use to consider PortCo data from access through use through disposal. This is not merely an update for data lakes. For example, if use of PortCo data is a core strategy for the fund, the fund’s investment criteria may be modified to consider what data the PortCo may offer. Policies designed to address insider trading risk, protect intellectual property rights and comply with a variety of laws may need to change.

That said, we recommend considering a policy update with any PortCo data lake project. For example, as discussed above, most funds have policies to avoid insider trading by limiting access and use of MNPI. The fund should review those policies to, for example, exclude MNPI from entering the data lake, restrict access to MNPI in the data lake, and provide warnings to any person accessing MNPI in the data lake. As a second example, the fund might update its trade secret policies to specifically address PortCo data and the data lake. The “reasonable measures” to protect the data’s secrecy might include policies limiting disclosure of PortCo data to only those who need access, requiring persons with access to sign confidentiality agreements and tracking the user’s identity, time of access and what the user did with the PortCo data. Making these policy updates in tandem with implementing technical safeguards in the data lake will help to have the policies be technically feasible and the data lake design comply with the policies.

Mitigating legal risk with data lake design

A fund may further mitigate legal risks by designing the data lake to include controls for filtering incoming data, tracking data provenance and restricting and recording data uses. We here offer three examples.

First, funds may mitigate the risk of violations of cybersecurity and data privacy laws by implementing and configuring the data lake to identify and classify personally identifiable information before ingesting. This gives the fund the opportunity to block the sensitive data from entering the data lake or impose appropriate access controls. Another technical solution may be to configure the data lake so that the fund can delete personal information upon changes in applicable laws, requests from the data subject or termination of the fund’s rights to the data.

Second, funds may mitigate eDiscovery risk by building the data lake to be ready to preserve and produce the data required to comply with eDiscovery laws and successfully defend the fund’s actions. Such technical safeguards might include mechanisms that (1) log each access to the data lake and requests for specific outputs, (2) retain copies of requests and outputs in the native format of the request or output, (3) retain copies of models that might be important in defending decisions and (4) allow end users to document decisions they make based on outputs from the data lake.

Third, funds may mitigate the potential exposure to governmental or private antitrust claims with robust restrictions on the flow of competitively-sensitive information to competitors. While the risks can be addressed by outright prohibition on sharing information, less restrictive alternatives may be available through the data analytics platform. For example, depending on the use case, alternatives such as creating and sharing summaries or aggregations may eliminate the competition concern.

Conclusion

Leveraging PortCo data to guide investment decisions is an enormous opportunity for funds. However, there are substantial legal risks in contracts with PortCos, fiduciary duties to PortCos and obligations under many laws governing data. Thus, legal advice and due diligence are a valuable part of planning, executing and governing any project to leverage PortCo data. The fund will find numerous opportunities to mitigate risk by contracting with the PortCo, modifying the fund’s own policies and designing the data lake as an automated compliance and risk mitigation approach.
