© 2017 The Texas Lawbook.
By Mark Curriden
(June 6) – Within days of joining the corporate legal department of American Airlines in 2010 as a staff attorney, Russ Hubbard was hip-deep in a multi-million-dollar lawsuit against the City of Chicago involving the potential construction of several new runways at O’Hare International Airport.
A year later, he was assigned to work American’s 2011 bankruptcy, which led to its $11 billion merger with US Airways in 2012.
Last week, Hubbard, 37, was promoted to associate general counsel and is now tackling a legal issue every bit as important to the future of American Airlines: cybersecurity and data privacy.
“Russ has been a wonderful addition to the American Airlines legal team from the day he joined,” says American Deputy General Counsel and Vice President Bruce Wark. “He has continued to take on greater and greater challenges on behalf of the company, and his most recent challenge of building a group dedicated to protecting data privacy is the most important yet.
“In today’s environment, it’s critical that companies understand the data they have and have the right procedures in place,” Wark says. “Russ is the right man for that job at American, and we’re lucky to have him.”
During the past several years, Hubbard helped create and develop the Fort Worth company’s Privacy Office, completely updated the airline’s data privacy incident response plan, negotiated scores of data privacy and security agreements with vendors and business partners and handled the related corporate compliance and regulatory issues.
“I think it’s easy to confuse data security and data privacy,” he says. “It is easy to read the headlines and think data privacy and security boil down to preventing and/or responding to data breaches. But there are many layers to data security and privacy from a regulatory, compliance, and contractual standpoint that need to be taken into account to ensure your compliance risk profile is lowered and that you’re acting as a responsible data steward.”
Hubbard was born in Philadelphia, but his parents moved to Lancaster, England, where his father worked in the energy industry. After Hubbard completed the third grade, his family moved to Portland, OR and then Redmond, WA, where he graduated in 1998 from high school and was on the wrestling and debate teams.
The University of Kentucky was impressed with Hubbard’s debating skills and provided him a scholarship.
“I’m a huge UK basketball fan and make it a point to watch all the games during the year,” he says. “I competed nationally on the college debate circuit for four years and ended up in the finals of the National Debate Tournament, which is considered the national championship, in 2002. I decided that my debate experience would translate well into the legal profession, which is why I decided to practice law.”
In 2003, Hubbard started SMU Dedman School of Law. His father had started his own company advising funds on energy asset investments in Plano, which meant his family was nearby. Hubbard’s father recently retired, allowing his parents to travel and spend time boating.
“SMU is an excellent law school, especially if you want to practice in Dallas,” he says. “And there are many great law firms as well as public and private companies located in Dallas that could provide ample opportunity for legal work.”
Russ Hubbard Fact Box:
• Born in Philadelphia
• Worked for Nintendo one summer and tested video games
• Wrestled in high school
• Huge Univ. of Kentucky Wildcat basketball fan
• The new owner of a Big Green Egg smoker
• Hobbies include playing and watching basketball with son Grant, 6, and Max, 1, and grilling and smoking meats
• Recently promoted to Associate General Counsel
The Texas Lawbook interviewed Hubbard about his legal career at American Airlines and the legal issues surrounding cybersecurity and data privacy.
Hubbard was an associate at the Dallas boutique Figari & Davenport when a staff attorney spot in American’s corporate legal department came open.
“I knew when I first met Russ in our interview that he would be a great asset for the American litigation team,” says Kathryn Koorenny, who was then the company’s associate general counsel of litigation and compliance. “He has a passionate energy and enthusiasm for practicing law and winning. When coupled with his personable way of delivering difficult news and persuasive personality, he is an incredibly effective lawyer.
“Shortly after joining the American legal team, Russ agreed to fill a need by taking on the data privacy work,” says Koorenny, who is now the general counsel at AlixPartners. “He quickly became the expert in this area, and he has grown the knowledge and expertise within the legal department to world-class levels. I view him as the future of the American Airlines Legal Department. He stands out among his peers in airline industry lawyers.”
The Lawbook: Tell us about your history at American.
Hubbard: I was just finishing my fourth year of practicing commercial litigation at Figari & Davenport in the fall of 2010 when I came across an opportunity to take an in-house position at American in the litigation and compliance group. Although I enjoyed my current practice and wasn’t looking to leave the firm, I found the opportunity of working on cases and compliance matters at American too interesting to pass up.
Lawbook: What did you do when you started with American in August 2010?
Hubbard: I immediately began working a matter involving the potential construction of several new runways at Chicago O’Hare International Airport when demand was not warranted that the City was then looking to American and United to primarily fund. Both airlines ended up filing a lawsuit against the City of Chicago in early 2011 seeking a preliminary injunction preventing the City from making capital expenditures at O’Hare that would be borne by the airlines without airline approval. The fact we were able to work out a mutually acceptable deal with the City of Chicago that American was pleased with made it that much better.
Things took an unexpected turn toward the end of 2011 when Kathryn Koorenny, then associate general counsel of litigation and compliance, called me into her office and told me that American would be filing for bankruptcy in the very near future and that I was going to have an integral role to play on American’s bankruptcy team. Fortunately for me, I got to work with some of the best bankruptcy attorneys in the business at Weil Gotshal. I learned enough about bankruptcy to be dangerous and gained valuable experience negotiating deals with creditors, seeking approval from the creditors’ committee on decisions that materially impacted the company and handling adversary proceedings.
Lawbook: When did the issue of cybersecurity and data privacy first appear on your radar?
Hubbard: Around the same timeframe [as the bankruptcy], I was also asked to handle the data privacy compliance work at the company. Although I didn’t have any experience with data privacy matters at the time, I quickly found myself knee deep in complex data privacy issues. With the help of experienced outside data privacy counsel, self-study, and becoming certified as a Certified Information Privacy Professional (“CIPP”) through the International Association of Privacy Professionals, I soon became pretty well-versed in data privacy law and best practices and assisting with implementing those across the enterprise.
Lawbook: How did the creation of the data privacy office come about and how were you chosen for the position?
Hubbard: After the merger with US Airways in 2013, I worked with the senior leadership team in [the corporate legal department] to create a more structured and formalized way to handle data privacy issues across the company. While both Legacy US Airways and Legacy American were committed to data privacy, it was apparent that creating a more centralized function to deal with data privacy issues consistently across the board was the next step. With the support of our executive vice president of corporate affairs, general counsel and chief compliance officer, and two deputy general counsel, we created the Privacy Office and situated it within the legal department. Once the office was created, I was asked by the legal leadership team if I wanted to lead the Privacy Office due to the data privacy work I had previously done at the company and CIPP certification. I, of course, jumped at the opportunity and challenge to build a comprehensive Privacy Program that would allow American to continue meeting regulatory requirements and maintain our reputation as a good data steward with our customers and employees.
Lawbook: What is your experience or history in data privacy?
Hubbard: I have more than five years of experience handling data privacy issues for American. I have been fortunate to tackle data privacy issues at American from almost every angle with the help of a fantastic team of in-house privacy professionals and outside privacy counsel and consultants who help me navigate what can be a very complex and constantly changing regulatory environment.
For example, I have experience handling data security incidents involving the potential or actual unauthorized use of personal information. And I was able to help redraft and update our data privacy incident response plan, which involves ensuring key business units are alerted and involved in responding to an incident. On the contract side of the house I have assisted with the negotiation of over 100 agreements with our vendors and partners when it comes to data privacy and security issues.
While these negotiations center on the data security standards we require any third party handling personal data under our control to agree to, they also involve issues such as limitations of liability, audit rights, termination rights, data ownership concepts, data security incident notifications and many other issues that impact the entire agreement. From the data privacy compliance side of the house I have worked on all manner of privacy policies, notices, statements, use cases, etc. that form the basis of how the company will treat the processing of personal data. Additionally, I have helped develop our processes for conducting privacy impact assessments, data mapping, and privacy training for our employees across the company.
Compliance with state and federal data privacy and security regulations as well as international laws such as the current EU Data Protection Directive and soon to be in force EU General Data Protection Regulation has been a primary focus of my practice since the regulations can be complex and onerous with the potential for steep fines and enforcement actions.
Lawbook: How important is data privacy and security at a company such as American?
Hubbard: Both data privacy and data security are very important to American as we want to ensure we remain good data stewards for our customers and employees (current and former). Not only do we want to comply with applicable data protection laws, but work to apply standard and reasonable security measures to the personal data in our possession. We recognize that not only is data protection a legal issue for the company, it’s also a reputational issue, which is why we make it a priority on the security and privacy sides of the house.
Lawbook: What do most business leaders not understand about cybersecurity and data privacy?
Hubbard: I think business leaders tend to confuse data privacy and security issues as being one and the same. This can be easy to do as privacy and security are closely related and involve the processing and security of personal data.
However, typically the data security side of the house is concerned with how personal data is protected. For example, if a business unit wants to start processing personal data for a new business purpose and within a new system the data security folks will usually want to understand what security controls are in place for that data. Is the data located on a system behind a company firewall? Is it encrypted in transit and at rest? Are there access controls around who can process the data?
Whereas data privacy typically involves how the personal data is going to be processed. For example, did you notify the data subject whose personal data you collected what you were going to do with it via a privacy notice? Did you receive their consent to process it if required by law? With whom are you intending to share the personal data and for what purpose? How long are you going to retain the personal data? Are you going to use that data for purposes other than those related to the transaction at issue such as marketing or analytics? Where are you storing the data—locally in the country where it was collected or in a remote data center? What is your data transfer mechanism if you’re intending to transfer the data internationally, and do you need one?
These are some of the issues data privacy professionals are concerned with that distinguish data privacy from data security.
Lawbook: What do most GCs and corporate legal departments not understand about cybersecurity and data privacy?
Hubbard: I think it’s easy to confuse data security and data privacy. Also, it’s easy to read the headlines and think data privacy and security boil down to preventing and/or responding to data breaches. But there are many layers to data security and privacy from a regulatory, compliance, and contractual standpoint that need to be taken into account to ensure your compliance risk profile is lowered and that you’re acting as a responsible data steward.
Lawbook: Tell us how you and American developed your data privacy office and how it operates, including the number of professionals you work with.
Hubbard: We created a centralized Privacy Office that sits in the legal department with a Data Protection Officer responsible for running the daily operations of the Privacy Program and who reports directly to Paul Jones, the General Counsel and Chief Ethics and Compliance Officer of American.
The Privacy Office is staffed by a Senior Privacy Attorney, three Privacy Managers, and a Privacy Analyst. We then created a Privacy Council comprised of Vice Presidents and Managing Directors from key business units that process personal data all across the enterprise. The Privacy Council meets quarterly and assists the Privacy Office in coordinating privacy interests and activities across the enterprise.
Because the Privacy Office is not a large group we asked each member of the Privacy Council to appoint one or two Privacy Liaisons from their business units who would help the Privacy Office on day-to-day privacy issues and function as our privacy “eyes and ears” on the ground within that business unit. We also have executive sponsorship from Steve Johnson who is our executive vice president of corporate affairs. Having support from senior leaders like Steve and Paul provides additional credibility to the program and allows our message to reach the highest levels of the company.
Externally I have a great group of outside privacy counsel (he uses Covington & Burling most often) I can reach out to for advice on almost any issue including handling incidents, coming up with solutions to comply with regulatory requirements, contract negotiations, etc. And we have and continue to work with privacy consultants to help us put the building blocks of the Privacy Program in place as well as continue to implement the program across the enterprise.
Lawbook: What advice do you give other businesses regarding data protection?
Hubbard: Data protection can seem like an overwhelming and unmanageable task when you start to realize all of the different issues that need to be accounted for. But that doesn’t mean it can be ignored.
The regulatory landscape continues to move toward stricter regulation and enforcement both domestically and internationally. Plus, data is becoming more useful and valuable from a commercial standpoint. So not having a plan in place for how that data will be protected and processed in accordance with the law and best practices is no longer an option.
I advise starting with inventorying your company’s personal data so you know what you do and don’t have. Only then can you really determine how you will tackle protecting that data going forward. Then putting a framework together around how the company will treat this data along with the applicable policies and procedures will give you the structure for a privacy program that can then be used to systematically conduct privacy reviews and impact assessments on your company’s data processing activities starting with the most high risk ones first.
Understanding how your company processes personal data and identifies privacy risks that can then be remediated will allow you to reduce your privacy compliance risk profile while also leveraging your company’s ability to legally use this data in ways that can benefit the company as well as its customers and employees.