1 Industry Trends: Technology and Telecommunications. Charlotte Lewis Jones, Flextronics; Sherrese Smith, Paul Hastings; Stephanie Phillipps, Arnold & Porter; David Wallis, Deloitte; Jeffrey E. Lewis, AT&T
2 Overview of Panel Discussion Topics
3 Overview of Panel Discussion Topics: Introductions. Telecom: B2C Trends and Issues (Privacy/Security; Video + Spectrum Availability; Internet of Things (“IoT”)). Technology: B2B Hardware Trends and Issues (Legal issues related to different/changing business models; Global regulations that affect hardware manufacturing; Industry 4.0: IoT in Manufacturing). Technology: B2C Hardware + Software Trends and Issues (Privacy; Security).
4 Telecommunications B2C Trends and Issues
5 General Practice: Significant Federal Communications Commission (FCC) Regulatory Developments/Issues: Privacy/Data Security; Online Video; Spectrum Availability; “Internet of Things”
6 Privacy/Data Security
7 General Practice: Privacy Notice of Proposed Rulemaking (NPRM): FCC’s Legal Authority; Purpose of Proposed Rules; Rules Apply Generally to Broadband Internet Access Service Providers; 3 Categories of Consumer Consent Governing Use of Customer Private Information; Transparency Requirements; Data Security Requirements
8 General Practices: Privacy and Security trends related to a global practice. Privacy and Data Security in M&A: M&A within the telecommunications industry is growing at a rapid pace. As companies collect and store increasing amounts of data, one of the key M&A concerns is conducting adequate due diligence of the target’s data security and privacy practices. A target with inadequate data practices could lead to significant successor liability. Key M&A Issues: Compliance with global data privacy laws; Collection and use of sensitive information (e.g. health or financial information); Data breach incidents; Accuracy of privacy policies; Third-party vendor data security.
9 General Practices: Privacy and Security trends related to a global practice. EU – US Privacy Shield: EU Commission adopted the Privacy Shield in July; US certification process began August 1. Replacement mechanism for the invalidated Safe-Harbor program. Certification permits the transfer of data between the EU and US. Privacy Shield Basics: Compliance requires fulfilling a number of requirements, including: making a public commitment to comply with the Privacy Shield Principles, and submitting an annual certification of compliance to the Department of Commerce. The Privacy Shield has 7 primary Principles and 16 supplemental Principles. The primary Principles include requirements regarding notice, choice, data security, and individual consumer access. The supplemental Principles include requirements regarding sensitive data, human resource and employment data, and access requests by public authorities. The FTC and Department of Transportation have authority to enforce non-compliance with the Privacy Shield.
10 General Practices: Privacy and Security trends related to a global practice. EU – US Privacy Shield (cont.): Privacy Shield Plagued by Uncertainty. The European Data Protection Supervisor is concerned that Privacy Shield is not “robust enough to withstand future legal scrutiny”. Participation by US companies is mixed: A number of companies are already utilizing the Privacy Shield, such as Microsoft. The Department of Commerce has announced that it has more than 200 certification applications pending. Some companies are adopting a wait-and-see approach until the EU courts review the Privacy Shield. Such companies are relying on alternative legal safeguards to transfer data, such as model clauses.
11 Legal Aspects from the FCC and NPRM Perspectives. Jeff Lewis. Data Security – Enforcement by the FTC and FCC. Privacy and Data Security: The evolving roles of the FCC. Section 222(a) of the Communications Act imposes a duty on every telecommunications carrier to protect the confidentiality of “proprietary information” of its customers. The FCC interpreted PI broadly to encompass all types of information that should not be exposed widely to the public, whether because that information is sensitive for economic reasons or for reasons of personal privacy. Includes personal data customers expect their carriers to keep private, including information a carrier may possess that is not subject to additional restrictions afforded to CPNI. FTC Privacy and Security Update: The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace. Since 2002, the FTC brought almost 60 cases against companies that have engaged in unfair or deceptive practices that put consumers’ personal data at unreasonable risk. 2015 FTC Case examples: Oracle, Wyndham Hotels and Resorts, Lifelock.
12 Legal Aspects from the FCC and NPRM Perspectives. Jeff Lewis. Data Security – Enforcement by the FTC and FCC (Continued). FCC vs. FTC – a new privacy turf war: Since the 1999 Geocities case, the Federal Trade Commission has been the nation’s de facto privacy cop, bringing more than 150 privacy and data security cases. But the net neutrality order could make the FCC a much bigger player in privacy enforcement. The FCC’s new privacy authority could reach to Do Not Track, data collection and mobile app privacy. FCC To Step Up Broadband Privacy Enforcement, Law360, March 5, 2015; Panel at IAPP Summit in Washington, DC: “Going forward, the commission anticipates that there will be rulemaking around Section 222 of the Communications Act, which begins to think about how the concept of customer proprietary network information shall apply to Internet service providers, and that will lead toward important privacy protections being put in place there,” LeBlanc said. “I think the reason we’re seeing this heightened interest at the FCC is due to the fact that we’re seeing a rise in the number of mobile devices that people are using,” LeBlanc said at the conference Friday. “Your phone these days is a minicomputer that’s in your pocket … all the time, and it’s collecting massive amounts of information, [meaning] there’s a huge amount of data going through communications networks.”
13 Legal Aspects from the FCC and NPRM Perspectives. Jeff Lewis. AT&T Consent Decree and Fines. Actions taken by AT&T to address Consent Decree: Designated a senior corporate manager to serve as a Compliance Officer – Jeff Lewis. Developed and implemented a Compliance Plan which consists of: Risk Assessment; Information Security Program; Ongoing Monitoring and Improvement; Compliance Review; Compliance Manual; Compliance Training Program; Reporting Noncompliance and Data Breaches; Compliance Reports. Key point: No customer information was stolen and the customer experienced no harm, which speaks volumes about the actions taken by the FCC.
14 Privacy & Data Security. Jeff Lewis. Breach Prevention: Security risks and responses in an evolving telecommunications industry. PwC Survey. Initiatives launched to address mobile security risks: Mobile security strategy; Mobile device-management software; Strong authentication on devices; Protect corporate and calendaring on employee and user owned devices; Ban user-owned devices in the workplace/network access; Use of geolocation controls. How telecoms are improving cybersecurity: Telecoms organizations are boosting information security budgets significantly. Security is becoming a board-level discussion – a foundational component of the business strategy that’s championed by the CEO and board. Information security is a discipline that demands advanced technologies and processes, a skill set based on counterintelligence techniques, and the unwavering support of top executives. Among telecom respondents, 54% said they collaborate with others – including competitors – to improve security and reduce the potential for risks. Deploying solutions that augment threat detection and intelligence capabilities – intrusion-detection tools, asset-management tools, protection and detection solutions, patch-management tools, centralized user data storage.
15 Privacy & Data Security. Jeff Lewis. Breach Prevention (Continued): What Retailers Need to Learn from the Target Breach to Protect against Similar Attacks. Actions that could have been taken by Target: Paid for licenses of fraud and malware protection software for any endpoints to be allowed access to their portals, or mandated two-factor authentication for more than just contractors who have internal access to sensitive information. Secure development process, including training developers on secure coding practices, as well as performing source code reviews and automated scans. Strong authentication, including changing default passwords, should be a required pre-configuration step. Ongoing system maintenance – keep up to date on patches and regularly scan exposed applications to identify known vulnerabilities and mitigate them before the attackers find and exploit them. Incident response: Plan should include detection, response and escalation, engaging law enforcement as appropriate, preservation of evidence, compliance with regulations and contractual agreements, customer and press notification, and public relations.
16 Privacy & Data Security. Jeff Lewis. Breach Prevention (Continued). Bill O’Hern, Chief Security Officer: Integrated virtualized firewall, intrusion detection services, scanning, threat intelligence, reporting, identity and access management, and inventory management. Helped build the first scalable internal Threat Management System – monitors and defends our network and holds responsibility for our security policy and requirements, penetration testing, architecture and risk management functions. Bill O’Hern’s Blog: Sign in to your corporate network or a private database with only your fingerprint or by clicking a button on your phone or smart watch. AT&T Halo platform uses a proprietary technology called MobileKey – software allows device to function as master key to gain access to both digital content and physical building access, instead of IDs, passwords, and badges. System can authenticate a user based on the device they are using, their location, the network they are connected to, or even their physical characteristics, like fingerprints.
17 Privacy & Data Security. Breach Prevention (Continued). Key Points. Opportunities with Breach Prevention and Management: If (when) a breach occurs, you can raise your hand and ask to be involved. Opportunity to work with regulators and senior officers. If your company does not have a breach management process in place, this could be an opportunity to approach your General Counsel and volunteer to start a breach response team. Impact to Group: Opportunity and rapid change in this area. Need to be aware of these issues even if you're not in telecommunications. Only going to be more issues affecting more companies in privacy and data security.
18 Online Video
19 General Practice: Current Developments in Video. Growth of Online Video: Substitute/Complement to Traditional Video?; Multiple Business Models. FCC Actions Related to Online Video: “Net Neutrality” Rules; Inquiry into “Zero Rating” Practices; Merger Conditions to Protect Online Video Distributors.
20 General Practice: Current Developments in Video (Continued). Set-Top Box Notice of Proposed Rulemaking (NPRM): At a high level, FCC proposal would require traditional video distributors (e.g., cable, DBS) to provide a series of information that would allow third parties to design and build hardware and software for consumers to access video programming. Proposal has generated significant comment, as well as interest from Capitol Hill. Traditional video distributors, copyright owners generally oppose NPRM. Consumer groups, equipment manufacturers and Silicon Valley generally support NPRM. If FCC adopts proposal, judicial challenge is likely.
21 Spectrum Availability
22 General Practice: Spectrum Availability: Broadcast Incentive Auction; 5G: Spectrum Above 24 GHz; FirstNet Public Safety Spectrum; Unlicensed Spectrum and Spectrum Sharing for Wi-Fi and Flexible Wireless Broadband; Wireless Microphones; Spectrum for Medical Body Area Networks/Devices
23 Internet of Things
24 General Practice: Internet of Things. Definition? Some Examples: Smart cities; smart homes; smart electric grid; wearable devices; connected cars; mobile health; etc. Pervasiveness/Economic Value. Potential Limitations: Currently, a patchwork of international, federal and state laws. Some Key Legal Issues: Privacy and Data Security; Regulatory Compliance; Intellectual Property/Patents/Ownership of Data; Product Liability.
25 Technology B2B Hardware Trends and Issues
26 B2B Trends and Issues - Hardware: Manufacturing Business Models. EMS - Electronic Manufacturing Services ($460 billion in 2014 to $621 billion in 2019): New IP Ownership - Customer; Warranties - Workmanship. JDM - Joint Design Manufacturer: New IP Ownership – Jointly held or one party owns and licenses to the other; Warranties - Workmanship, materials (depending on control), IP (partial). ODM - Original Design Manufacturer (“Sketch to Scale”): New IP Ownership - Customer (or rarely manufacturer); Warranties - Workmanship, materials, IP. Other: High mix low volume (HMLV); Low mix high volume (LMHV).
27 B2B Trends and Issues - Hardware: Manufacturing Trends: Geography + Regulations. Location, location, location. Major EMS/ODM geographies: Australia; Brazil; Canada; mainland China, Hong Kong; India; Indonesia; Israel; Japan; Malaysia; Mexico, Philippines; Singapore; South Africa; South Korea; Taiwan; Thailand; Vietnam, USA. Emerging EMS/ODM geographies: Japan, Vietnam, Thailand, Indonesia. Benefits - Proximity to emerging markets, lower wages. Risk - infrastructure, supply chain vulnerability and infancy. Global Regulations and Costs: Labor and environmental laws (China: 2015 Environmental Protection Laws, 2013 Employment Contract Law re dispatched workers; Mexico: maquiladora labor laws). Foreign direct investment, currency control and tax incentives - “Make in India,” China capital controls, Japan’s “Abenomics”. Patent landscape for strong EMS markets - India, Americas, Taiwan, Singapore, China, etc. - and strong ODM markets - China, Taiwan, etc.
28 B2B Trends and Issues - Hardware: Manufacturing Trends: New Business Models. Gobbling up the supply chain: Component manufacturing (Benefits - more margin, quality control; Risk - more materials risk (warranties), more supply chain risk (transport, security, etc.)). Additional services: logistics, repair, warehousing. Parts + product multi-channel sales: e-commerce sites (Shopify, etc.). Moving up the supply chain: Products v Services - white label products (i.e. manufacturer’s product w/customer’s label). ODM model: Benefits - more margins with requisite leverage; Risk - More IP and materials risk w/o sufficiently increased margins. Supplier consolidation: Benefit – acquirer market share + supply chain control; Risk - less price or quality competition.
29 B2B Trends and Issues - Hardware: Manufacturing Trends: Industry 4.0. Advanced analytics: smart factories and logistics efficiency. Benefits - Predictive analytics for demand forecasting, QA, equipment maintenance; databases and data storage improvements. Risk - privacy and security breach. Robotics revolution: coding skills replacing manual skills*. Staggering stats: 2010 – 2014: average robot sales increased by 17% per year (CAGR); 2015 – 2018: roughly, 1.3 million new industrial robots will be installed in factories globally. Benefits - cost efficiency; removal of human error; LMHV products; replacement of dangerous, tedious and dirty jobs. Risk - privacy and security breach, labor reduction costs (RIF regulations). *https://youtu.be/3xGoBlI_fdg
30 Technology B2C Hardware + Software Trends and Issues
31 B2C Trends and Issues - Hardware: Manufacturing Trends: Supply Chain Security. Securing manufacturing supply chains is an important component of protecting against data security incidents. Use of third-party suppliers creates exploitable weaknesses in a supply chain. Risks: Vendors do not build adequate security protections into their products (in 2014, the industrial machines of US-based energy companies were infected with malware by a cyber-espionage group through the exploitation of vulnerabilities in software provided by a third-party subcontractor). Vendors mistakenly or intentionally use counterfeit components (almost 10% of all technology products, including components, are counterfeit; counterfeit components may be preloaded with malicious software).
32 B2C Trends and Issues - Hardware: Manufacturing Trends: Supply Chain Security (Continued). Best practices for protecting a supply chain: Map out the supply chain (including the actual manufacturing location(s) for each component): Enables identification of key suppliers to better assess the scope of the supply chain; Assists in determining if certain suppliers pose a greater security risk because of their geographic location. Rank suppliers based on the risk they pose to the overall supply chain. Risk factors include: Location-specific risks (e.g., areas known for counterfeit production); Manufacturing components that handle data or software; Financial stability; Ownership.
33 B2C Trends and Issues - Hardware: Manufacturing Trends: Supply Chain Security (Continued). Best practices for protecting a supply chain: Diligence the security practices of third-party suppliers prior to engagement, and periodically throughout the relationship. Diligence should include a review of: Prior cyber threats levied against the supplier; Supplier security practices; Business relationships; Key vendor personnel; Reputation in the market.
34 B2C Trends and Issues - Hardware: Manufacturing Trends: Supply Chain Security (Continued). Best practices for protecting a supply chain: Include data security requirements in all contracts with subcontractors. Contracts should require: Adoption of specified data security standards; Periodic certification of compliance with such standards; Subcontractors to submit to auditing and testing of their security controls; Timely notification of any security breaches; Subcontractors to include similar requirements in their contracts with third-party vendors.
35 B2C Software Trends and Issues: Encryption. Companies are embedding encryption into every facet of devices and applications to address consumer concerns: The iPhone’s encryption is embedded into the hardware; Facebook is deploying end-to-end encryption for its messenger service. Benefits: Reduces risk of data security incidents; Increases user privacy; Facilitates transfer of sensitive information. Risks: Encryption is hindering law enforcement and national security agencies; Governments may mandate “backdoors,” potentially compromising the effectiveness of encryption; Government-mandated backdoors may hinder commerce in foreign markets.
36 Speaker Bios
37 Speaker Bios. Jeffrey E. Lewis, AT&T SVP-Compliance & Chief Accessibility Officer: Jeff Lewis is a corporate officer in AT&T’s Compliance organization. His team is responsible for compliance oversight of AT&T’s information security principles and practices necessary to protect customer data. His team is responsible for helping ensure that AT&T has implemented appropriate processes to obtain customer consent to use customer data. As Chief Accessibility Officer, his team is responsible for directing AT&T’s efforts to provide corporate support to comply with federal requirements to make its products and services accessible to customers with disabilities. During his 14-year career at AT&T, he has also held Legal positions in support of the Product Marketing/Regulatory/External Affairs Litigation/and Compliance organizations. Jeff’s team provided legal support for AT&T’s Regulatory/External Affairs operations, as well as litigation support, to AT&T’s wireline and wireless businesses. Jeff and his wife Sarah live in Dallas and have 4 children: 2 sons in college and 2 daughters in high school. Charlotte Lewis Jones: Charlotte Lewis Jones is a legal athlete with over 10 years of cross-border experience in compliance, commercial, corporate, IP and risk mitigation matters. She currently serves as Senior Director, Lead Counsel, Global Strategic Partnerships at Flextronics, located in San Jose, CA. In this role, Charlotte advises senior executives on diverse matters such as foreign direct investment, global regulatory compliance, antitrust risk, critical dispute, litigation and regulatory risk, deal structures and restructurings, labor force management, corporate governance, global trademark strategy, commercial agreements and IP strategies, and the reconciliation of competing legal, revenue and branding goals. Charlotte began her career as a corporate attorney at Skadden, Arps, Slate, Meagher & Flom in New York, NY. She received her Bachelor of Arts in Economics from Yale University and her Juris Doctor from Columbia University School of Law.
38 Speaker Bios. Sherrese Smith: Ms. Smith is an expert in emerging media, digital, and communications technologies. Prior to joining Paul Hastings in 2013, Ms. Smith worked as Chief Counsel for Chairman Julius Genachowski at the Federal Communications Commission, where her portfolio included digital and mobile privacy issues. She also worked as Vice President and General Counsel of Washington Post Digital. Her client roster for privacy matters includes innovative projects involving the collection, processing, and use of telecommunication data and geolocation data for fraud prevention and monetization, consultations with media companies involving privacy issues relating to online data, international marketing of digital promotions for major retail companies as well as complex issues of telecommunication carrier services. Ms. Smith has tremendous depth of expertise in data protection and security issues, and her practice includes advising how to market consumer products globally in an age where thorny national regulations make such digital campaigns difficult. Stephanie M. Phillipps: Stephanie Phillipps is experienced in telecommunications regulatory, transactional and litigation counseling, and represents clients in administrative proceedings and litigation on telecommunications issues. Her clients have included wireline, wireless, Internet, cable television, and media companies and related service providers, as well as state and local governments and nonprofit organizations. She has advised those clients on federal rules and new policy developments on issues such as video distribution and programming, Open Internet, market entry, cable franchising and renewal, mobile health, accessibility, privacy, and consumer protection. Ms. Phillipps is an experienced advocate before the Federal Communications Commission and other regulatory agencies and public bodies. She also advises national organizations on corporate governance and policy issues.
39 Speaker Bios. David M. Wallis: David holds or has held roles within Deloitte as the National Leader of the Technology, Media and Telecommunications (TMT), the National Leader of Telecommunications, Lead Client Service or Entity Partner for TMT clients and other similar/related roles. David frequently is engaged by corporate counsel (and other corporate officers) in a wide variety of internal and external investigations/litigations and other consulting matters. He works with TMT clients domestically and internationally dealing with regulators and various enforcement agencies. David has provided testimony in Federal and State courts, state regulatory commissions and arbitration. David leads Chief Legal Officer, Chief Litigation Officer and the Chief Compliance Officer Forums, each with a focus on current and significant legal, corporate litigation, and compliance issues and building deeper relationships amongst corporate peers. David received his MBA from Duke University and his BA in both Business Economics and Sociology from the University of California at Santa Barbara and is a licensed Certified Public Accountant.