Search

Cybersecurity Business Law Blog

The Intersection of Cybersecurity, Business, and Law

Tag

Digital Information Law

Cybersecurity Legal Year in Review – #DtSR Podcast

Do not miss this podcast discussing key cybersecurity legal events from 2015. Shawn Tuma joined the DtSR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] on the Down the Security Rabbit Hole podcast.

In this episode…

  • Most important cybersecurity-related legal developments of 2015
    • Tectonic Shift that occurred with “standing” in consumer data breach claims
      • Discussion of law prior to Neiman Marcus case, and post-Neiman Marcus
      • Does this now apply to all consumer data breach cases?
      • Immediate impact? Companies now liable?
      • Lesson is in seeing the trend and how incrementalism works
      • Michaels & SuperValu case dismissals in light of Neiman Marcus
  • Regulatory Trends
    • FTC & SEC gave hints in 2014, post-emergence of Target details
    • Wyndham challenged authority – came to fruition in August 2015
    • SEC not far behind – significant case in September 2015
    • Aggressiveness of FTC is substantial – FTC v. LabMD … all over LimeWire
  • Officer & Director Liability
    • 2014 – SEC Comm. fired the warning shot … pointed the finger
    • Shareholder derivative litigation
    • Individual liability of IT / Compliance / Privacy “officers”
  • Anticipated 2016 Legal Trends
    • Regulatory enforcement … which, by the way, is why NIST is becoming default
    • Shareholder Derivative – much more likely than consumer class actions at this time
    • Lessons from both of these: when you need to persuade the “money folks” that they need to act, mention D&O Liability (especially Caremark) and Regulatory focus on individuals … now they’re in the cross-hairs
    • Realization that cybersecurity is more of a legal issue than anything else (IT or business) b/c it is the legal requirements and consequences that ultimately drive everything

Go HERE to listen to the Podcast!

Texas Super Lawyers Honors Shawn Tuma

Texas Super Lawyers recognized Shawn Tuma as one of the top Intellectual Property Litigation Attorneys in Texas for 2015.

Mr. Tuma’s integrity, intensity, and drive for excellence have helped him become a nationally recognized thought-leader in cybersecurity, computer fraud, and information law.

In addition to being recognized by Texas Super Lawyers, Mr. Tuma was recently honored by being named one of D Magazine’s Best Lawyers in Dallas for Digital Information Law.

To compile the list, Texas Super Lawyers solicits nominations from more than 70,000 attorneys across Texas. A blue-ribbon panel of lawyers then assists with final selections, which represent no more than 5 percent of Texas attorneys. The list is published in the October issues of Texas Monthly and Texas Super Lawyers magazines and appears online at http://www.superlawyers.com/texas.

Why every CIO needs a cybersecurity attorney (my comments on why this is my favorite article ever)

Wow, this article seriously just made my day.

I will apologize in advance to my friend and CSO writer and Michael Santarcangelo (@catalyst), but this may very well be my favorite article — anywhere — of all time! And, thank you, Tom Hulsey (@TomHulsey), for sharing it with me! As for you, Ms. Kacy Zurkus (@KSZ714), all I can say is, great job on this article!

Why is it my favorite article?

Well, if the title of the article did not give it away (yes, there’s a reason we attorneys are the 2nd oldest profession … we’re pretty close to the 1st …), then consider these snippets:

“Distinguishing the technical experts from those responsible for legal obligations and risks will help companies develop better breach response plans. Understanding the role of an external cybersecurity firm will only help.” (Have I not been preaching the need for breach response plans??? See Why Your Company Needs a Breach Response Plan: Key Decisions You Must Make Following A Data Breach (Aug. 3, 2015) and More Posts)

“But even with a seemingly impenetrable security system in place, you still need an attorney focused on cybersecurity issues. Sure, internal counsel can help you minimize your company’s legal risks. But partnering with an external firm boasting security expertise can also help the CIO navigate through several unfamiliar legal areas, such as compliance with local, state and national privacy laws and security requirements, civil litigation over data and privacy breaches, and corporate governance.” (ahhh yes, music, sweet music to my ears!)

“’The breadth of industries who need this type of counsel has exploded,’ says Amy Terry Sheehan, editor in chief of the Cybersecurity Law Report.” (preach it sister Amy, preach it!)

“Because every company now has data online – including personally identifiable information (PII), trade secrets and patent information – Sheehan says, ‘There is an increased need for specialized expert attorneys in cybersecurity and data privacy. Even attorneys who are working on mergers and acquisitions need to know the cybersecurity laws. (I could not have said this any better myself, dang Kacy, you are good!)

“Because time is not a friend in any breach situation, companies that have cyber security attorneys on retainer are better positioned to quickly and efficiently respond to incidents.” (mmm hmm, as I write this, there is a leader of a company who did not know my name or know what a “cybersecurity attorney” was on Monday of this week … today (Thurs. morning), I am his new best friend and he calls me more than my wife does!)

“CIOs are clearly responsible for the technical aspects of cybersecurity, of course, but as Sheehan says, ‘negotiating with the government or a complicated investigation that requires more manpower’ demands the expertise of a cybersecurity attorney.” (exactly — those who are looking back with 20/20 hindsight, following a breach, are not technical people, they are lawyers: agency regulators, state attorneys’ general, judges, and plaintiff’s lawyers — you need a legal perspective for this)

“’To not have a cybersecurity attorney on retainer is foolhardy at best,’ because organizations need somebody who is a specialist in what Thompson identifies as the four main areas of concern: breach scenarios, personnel policies, cyber liability insurance and working with government.” (exactly!)

“Maintaining privilege is paramount in the aftermath of a breach, but understanding the differences between a possible incident, an actual incident or a breach will drive the company’s response. Cybersecurity attorneys work with organizations to develop their incident response plans, which determines who speaks to whom when and about what. ‘The plan should be very basic and the attorney is a key part in designing the plan,’ Thompson says.” (privilege can be a huge issue — and as for those Incident Response Plans, definitely use the KISS method)

“Additional risks exist around response time in the aftermath of a breach. According to Sheehan, ‘You’ll not have valuable advice in advance of a breach, which presents litigation risks, and litigation is becoming much more common – it’s filed immediately after a breach, and counsel is involved in mitigating litigation risks.’” (what you do pre-breach can have a huge impact on how you are impacted post-breach, from a liability standpoint)

There is a lot more delicious medium-rare red meat (filet mignon, to be exact) in this article so go read it — NOW! Why every CIO needs a cybersecurity attorney | CIO.

What is ‘cybersecurity law’? Orin Kerr’s 4 Categories

Regular readers know I have a tremendous amount of respect for Orin Kerr as a — if not the — true scholar on cyber law issues. Kerr recently wrote an article in which he explained his view of cybersecurity law and broke it down into four distinct categories:

  1.  The law governing steps that potential or actual victims of Internet intrusions can take in response to potential or actual intrusions
  2. The law governing liability for computer intrusions, both for the perpetrator and the victim
  3. The regulatory law of computer security
  4. Special issues raised by government network offense and defense

The full article has a nice explanation for each category so go give it a read: What is ‘cybersecurity law’? – The Washington Post.

Bleak Cybersecurity Future: Data Breaches on Track to Cost Companies $2.1 Trillion

I recently posted about how corporate general counsel now view cybersecurity as a top 3 concern. At this rate, it will soon be their #1 concern. A recent article in Corporate Counsel gives several reasons for why this problem will only continue to increase in volume, expense, and overall risk to companies:

  1. Companies continue to move more infrastructure online
  2. The annual cost of data breaches is projected to rise to $2.1 trillion by 2019
  3. Cybercriminals are more often hacking for profit instead of for “causes” as with hacktivism
  4. Nearly 60 percent of data breaches in 2015 are anticipated to be in North America
  5. The average cost of a data breach is projected to exceed $150 million by 2020
  6. Companies are developing quantum computers with so much power they will render ineffective all currently known defenses

Not only should corporate general counsel be concerned about cybersecurity, but so too should companies’ officers and directors because there is a growing trend toward liability for them as well.

Read more: Data Breaches on Track to Cost Companies $2.1 Trillion | Corporate Counsel.

Blog at WordPress.com. | The Baskerville Theme.

Up ↑

%d bloggers like this: