Cybersecurity & Data Breach: You Don’t Drown From Falling Into the Water

“You don’t drown from falling into the water, you drown from not getting out.” Think about that — and think about how that applies to cyber security and data breach issues facing companies in today’s cyber world. Here, in my first ever video blog post, I explain this issue with more detail.

Kevin O’Keefe Interviews Shawn Tuma About Blogging at State Bar of Texas 2015 Annual Meeting

I had the wonderful opportunity to visit with and get to know Kevin O’Keefe (@kevinokeefe) at the State Bar of Texas 2015 Annual Meeting in San Antonio. Kevin is the Founder and CEO of LexBlog, the preeminent source for legal blogging (where I plan to head, one day).

Kevin and I both did presentations during the Ignite Session; Ignite presentations are 20 slides in 5 minutes, with the slides advancing automatically, whether you are ready or not! It was quite a challenge. Following my presentation, Kevin did a brief interview of me using just his iPhone — and it was really cool (and is inspiring me to start doing video blogs – so stay tuned!).


FBI Business Email Compromise Advisory for Dallas / Fort Worth Businesses

From: FBI – Dallas Division

Date: June 24, 2015


The Dallas Division of the FBI has drafted a Private Sector Advisory regarding the identification of six individuals possibly working as a group, targeting U.S. businesses using the Business E-mail Compromise (BEC) scheme. As of June 2015, approximately 25 Dallas companies have been targeted by the BEC scheme, or variations of the scheme, with an attempted loss of over $100 million. Please see the attached advisory and feel free to further disseminate it , to prevent you or others from becoming victims of this scheme. In addition, as set forth on the attachment, please report any attempted or successful BEC schemes.

Here is the link for the FBI’s Advisory.



Cyber Trial Lawyer Lesson: Stick With the Chronological Story

There is a well-known rule among experienced trial lawyers: when presenting your case, you always tell your story of the case in a chronological order unless there is an exceptional reason not to.

The problem is, for most of us, the deeper we get into a case and the further into the weeds we get, the more apt we are to convince ourselves that our case is one of those exceptional ones that is so complex that it should be organized by topical subject matter and not chronological order. It happens all the time but it is wrong to give in to this temptation.

The most common reason this happens is because the longer a lawyer works with a case, the more we begin to focus on the details instead of the big picture, and the more we begin to convince ourselves that all of those little nuances are what the case will turn on, and the more we lose sight of the big picture. Simply put, we have a tendency to lose sight of the forest because of the trees.

It is usually at this point that we begin telling ourselves that we are now dealing with that one rare case that requires us to abandon the age-old rule of telling stories in chronological order and, instead, organize our story by the topical subject matter.

Trial lawyers who are handling cyber cases have even more of a temptation. Cyber cases are usually pretty complicated and require a more detailed story. Cyber cases more often fit the criteria of true complex litigation more often than not. And, the more complex a case is, the more we must get into the weeds of the case and, the deeper into the weeds we get, the more tempting it gets to convince ourselves that this is that one exceptional case that justifies abandoning the old rule.

But, the truth is, when we look at the case from how the trier of fact will see it — the jury, judge, arbitration panel — we see that there never really is a good reason to abandon the old rule. We as trial lawyers have usually lived with the case for many years and can see the importance of every little nuance and how each one can make or break a case. That is our job. We must understand it all and be able to answer any question that is asked of us. We must master the microscope.

However, we must also be able to put ourselves into the shoes of our audience who will know nothing of the case, and be able to see in our mind’s eye what will be the best way to help them understand the case in the shortest amount of time. This requires telling them a story in a way that will make sense to them. This requires stepping back and seeing the big picture — seeing the case as a whole — and then finding a way to present that whole case to them in one cogent, easy to understand story, with only enough of the details as are necessary to have the story make sense. This is also our job. We must master the telescope.

This is just as true for lawyers trying cyber cases as it is for lawyers trying any other cases.

What human history teaches is that when it comes to learning, we all learn best through stories, and the easiest stories to understand are those that go in chronological order. It is just how we learn. It is as true for complicated stories as it is for simple stories. So, next time you find yourself thinking that you have one of those exceptional cases and you need to abandon the old rule, don’t give in to the temptation. You don’t. Stick to the chronological story.

Businesses Beware: You need to understand and adopt EMV / Chip-and-PIN Technology

“Visa, MasterCard, Discover, American Express and their banking partners have set a government-enforced deadline of Oct. 15 for a “liability shift” that, for the first time, would make merchants liable for fraudulent charges that result from using point-of-service readers that can’t read chip-and-pin EMV cards. The issuers have been implementing the technology, but it’s still up to companies including Home Depot, Target, Neiman Marcus and others to implement it or be held responsible for fraud resulting from continued use of magnetic strips.”

This quote comes from, Chip-and-PIN Procrastination Is Endangering Your Credit Card, an excellent article that goes into great detail to explain this technology, why you need it, and why the security benefits outweigh the inconvenience factor.

What is ‘cybersecurity law’? Orin Kerr’s 4 Categories

Regular readers know I have a tremendous amount of respect for Orin Kerr as a — if not the — true scholar on cyber law issues. Kerr recently wrote an article in which he explained his view of cybersecurity law and broke it down into four distinct categories:

  1.  The law governing steps that potential or actual victims of Internet intrusions can take in response to potential or actual intrusions
  2. The law governing liability for computer intrusions, both for the perpetrator and the victim
  3. The regulatory law of computer security
  4. Special issues raised by government network offense and defense

The full article has a nice explanation for each category so go give it a read: What is ‘cybersecurity law’? – The Washington Post.

Blue Goose Cantina Data Breach

Presentation tomorrow – Collin County Bar Ass’n Corporate Counsel Section – here’s the question:

“What do I talk about?”

No, it’s not that I don’t have anything to say — for goodness sakes, you all know that I always have something to say!

Blue Goose Cantina Data BreachThe problem I am having is that I had planned to talk about cyber risk compliance and the key elements of what a good cyber risk compliance program needs to include and why. Interesting topic, right? :)

But tonight I saw where a local restaurant that just may be my favorite Tex-Mex place of all — Blue Goose Cantina — had a data breach last week. What was interesting is that they announced it via Facebook at what seems like a very preliminary stage. So, I am thinking I just may make this the focal point of my presentation and use it as an ad hoc case study.

Leave me a comment and let me know what you would rather hear?