
Cybersecurity Business Law Blog

The Intersection of Cybersecurity, Business, and Law


Managing Cybersecurity Risks for Boards of Directors

Ethical Boardroom Winter 2016

In his latest Ethical Boardroom article, Shawn Tuma explains why it is important for board members to have an active role in their company’s cybersecurity preparation and tells them several key steps they can take to do so. Tuma also explains why cybersecurity is as much a legal issue and business issue as it is an IT issue.

Cybersecurity Legal Year in Review – #DtSR Podcast

Do not miss this podcast discussing key cybersecurity legal events from 2015. Shawn Tuma joined the DtSR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] on the Down the Security Rabbit Hole podcast.

In this episode…

  • Most important cybersecurity-related legal developments of 2015
    • Tectonic Shift that occurred with “standing” in consumer data breach claims
      • Discussion of law prior to Neiman Marcus case, and post-Neiman Marcus
      • Does this now apply to all consumer data breach cases?
      • Immediate impact? Companies now liable?
      • Lesson is in seeing the trend and how incrementalism works
      • Michaels & SuperValu case dismissals in light of Neiman Marcus
  • Regulatory Trends
    • FTC & SEC gave hints in 2014, post-emergence of Target details
    • Wyndham challenged authority – came to fruition in August 2015
    • SEC not far behind – significant case in September 2015
    • Aggressiveness of FTC is substantial – FTC v. LabMD … all over LimeWire
  • Officer & Director Liability
    • 2014 – SEC Comm. fired the warning shot … pointed the finger
    • Shareholder derivative litigation
    • Individual liability of IT / Compliance / Privacy “officers”
  • Anticipated 2016 Legal Trends
    • Regulatory enforcement … which, by the way, is why NIST is becoming default
    • Shareholder Derivative – much more likely than consumer class actions at this time
    • Lessons from both of these: when you need to persuade the “money folks” that they need to act, mention D&O Liability (especially Caremark) and Regulatory focus on individuals … now they’re in the cross-hairs
    • Realization that cybersecurity is more of a legal issue than anything else (IT or business) b/c it is the legal requirements and consequences that ultimately drive everything

Go HERE to listen to the Podcast!

Dear Santa: Shawn Tuma’s Cybersecurity Christmas Wish

 


My friends at SecureWorld asked me to do something I have not done since I was a kid. They asked me to write a letter to Santa and tell him what my one cybersecurity Christmas wish would be.

What is my wish?

Here is a hint: it is for business leaders to begin to understand one particularly crucial thing about cybersecurity incidents — one thing that could really help get their companies prepared for the cybersecurity risks they face.

If you want to know what that one thing is, all you have to do is read my letter to Santa: Cybersecurity Wishes: Shawn E. Tuma

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

 

What Do Cybersecurity, Brown M&M’s & Credit Ratings Have in Common?

Of all the examples of pompous extravagance the legendary rock band Van Halen exemplified, one that has always stood out was the band’s contractual requirement that the dressing room have M&M’s, with the warning that there were to be no brown M&M’s. If any were there, the band had the right to cancel the concert at the full expense of the promoter (see No Brown M&M’s).

Only recently did the band reveal the real reason for this requirement. It was their canary in the coal mine to alert them to major problems.

No Brown M&M's

Van Halen wasn’t just playing music, they were putting on a massive stage show that involved filling venues with equipment they were never intended to handle. This posed a significant safety concern for the public as well as the band. To mitigate against this risk, Van Halen’s contract spelled out in precise detail the technical requirements for how the stage, lighting, and other equipment were to be assembled. Hence, the reason for the No Brown M&M’s Clause:

To ensure the promoter had read every single word in the contract, the band created the “no brown M&M’s” clause. It was a canary in a coalmine to indicate that the promoter may have not paid attention to other more important parts of the rider, and that there could be other bigger problems at hand (see No Brown M&M’s).

Cybersecurity Risks & Credit Ratings

A few weeks ago, Moody’s announced that it will begin to place more weight on a company’s cybersecurity risks when issuing its credit ratings (see Moody’s).

The report is the latest indicator that it has become increasingly important that companies view cybersecurity in financial terms, not simply in terms of reputational risk.

“More cyber security expertise is being added to boards and trustee governance,” said associate managing director Jim Hempstead, in a release. “We expect many issuers will create distinct cyber security subcommittees, which is a material credit positive.”

S&P issued a similar warning in September, stating that it would downgrade credit ratings of financial institutions that have poor cybersecurity protections.

Good for Moody’s and S&P!

Think about it. For today’s companies, their cybersecurity posture is that canary in the coal mine — the brown M&M’s — that will either indicate that the company is carefully focusing on its business or is run in a haphazard manner.

Cybersecurity should be used to evaluate credit ratings as well as other aspects of the company. This is good for everybody — especially for companies that are keeping their cybersecurity house in order. It will give them a distinct competitive advantage in the future as more and more become attuned to just how bad cybersecurity risk can be.

So, what do cybersecurity, brown M&M’s and credit ratings have in common? They’re all an indication of the kind of company that others want to do business with; ultimately, they mean increased competitiveness.

(Disclaimer: I am more of a Van Hagar fan than a Van Halen fan)


SecureWorld Webinar: Data Protection Pitfalls to Avoid

You are welcome to attend a complimentary SecureWorld webinar with these featured presenters:

  • Aliki Liadis-Hall, Director of Compliance, North American Bancard
  • Jason Hart, CTO of Data Protection, Gemalto
  • Shawn Tuma, Cybersecurity & Data Protection Partner, Scheef & Stone, LLP
  • Kim L. Jones (moderator), Sr. Vice President & CISO, Vantiv

The webinar is sponsored by Gemalto, qualifies for CPE Credits, and will take place on Thursday, December 10 at 12 pm CST. If you are unable to attend, you can access the recording as well.

You can learn more about, and register for, the webinar at this LINK.
