Why do you need a cyber attorney? Shawn Tuma explains in Ethical Boardroom

spring2018In my latest article in Ethical Boardroom article, I explain some of the not-so-obvious reasons why you need an experienced cyber attorney on your team: Why you need a cyber attorney (Spring 2018)

Here are other Ethical Boardroom (@EthicalBoard) articles that I have written or contributed to that are also available for free:

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

What does it mean to “hack back” and is it a good idea?

There is more and more talk about companies hacking back against those who attack them in cyber space and whether allowing them to take such measures is a good idea. Right now, hacking back, or active defense, as it is often called, is illegal under the federal unauthorized access law, the Computer Fraud and Abuse Act. There are current federal efforts to change this, along with some woefully misguided rumblings by some state legislators (who do not seem to understand that the CFAA supersedes anything they pass to the contrary).

So, the question is whether hacking back a good idea or will it cause more harm than good? Shawn Tuma was a guest on the KLIF morning show to discuss this issue. Go here to listen to what he had to say about it.

What are your thoughts?

Cyber Risk Management and Attorney-Client Privilege in Cybersecurity Discussed on Business Security Weekly

Business Security Weekly, Episode 81, featured Michael Santarcangelo (@catalyst) inviting Shawn Tuma to join as co-host and guest to discuss two topics that should be near and dear to everyone’s hearts:

  1. The legal case for why companies need cyber risk management programs and what experienced cybersecurity attorneys’ roles are in such programs; and
  2. The frequently cited but often misunderstood role of attorney-client privilege in cybersecurity.

Here are the show notes and here is the video:

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Data is the hot potato!

During a presentation yesterday, I was trying to make a point about the liability that comes with data and, therefore, the need for us to never forget that in cybersecurity our ultimate goal is protecting systems and data. I used the little line at the end of this quote:

Data equals risk. It is toxic because of the potential liability that goes with it. Data is the hot potato.

Despite how corny it sounds, I had several people approach me later to tell me how much “data is the hot potato” stuck with them (and, it could be because I had them join me in chanting it!). So, why not share it with you? Now join me in chanting,

Data is the hot potato!

Data is the hot potato!

Data is the hot potato!

Data is the hot potato!

Data is the hot potato!

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Do data breaches have consequences? Will Equifax CIO serve jail time for insider trading?

“Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.” Richard R. Best, SEC – Atlanta Division

For years many in the cybersecurity/data breach space have been saying that somebody is going to have to go to jail before corporate decision-makers begin to take cybersecurity as seriously as they should. Many thought the Department of Justice’s focus on individual accountability through the “Yates Memo” may be the vehicle but that has not yet happened.

With the Equifax breach and revelations that three executives had sold stock in the company before the breach was announced publicly, we saw an outcry against what was believed to be insider trading and calls for the executives to face jail time:

Thirty-six U.S. senators on Tuesday called on federal authorities to investigate the sale of nearly $2 million in shares of credit bureau Equifax Inc by company executives after a massive data breach, and one compared their actions to insider trading.

The lawmakers signed a letter asking the U.S. Department of Justice, the Securities and Exchange Commission and the Federal Trade Commission to look into about $1.8 million in stock sales by three executives between July 29 – the day Equifax said it learned that its systems were hacked in mid-May – and when they made it public last week.

“If that happened, somebody needs to go to jail,” Senator Heidi Heitkamp, a Democrat on the Senate Banking Committee, said at a credit union industry conference in Washington. “It’s a problem when people can act with impunity with no consequences. How is that not insider trading?”

gate-191675_1920As it turned out, however, the sale of stock by those Equifax executives was found to have been properly approved and they did not know of the data breach at the time of the sale, so it was not the problem that many had suspected.

Criminal Charges Filed Against Former CIO of Equifax Unit

For one former Equifax executive, however, his actions were not quite so innocent and may now give rise to the closest chance yet of someone actually getting jail time as a consequence of a data breach:

If these allegations are true, this certainly sounds like insider trading. As stated by Richard R. Best, Regional Director of the Atlanta Regional Office of the SEC, “Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.”

Best’s sentiments were echoed by David J. LeValley, Special Agent in Charge of FBI Atlanta: “By prosecuting cases like this, the FBI and the U.S. Securities and Exchange Commission are sending a strong message to company insiders that they must follow the same rules that govern regular investors. Otherwise, they face the severe consequences for failing to do so.”

Severe consequences can mean many things. What everyone is really wanting to know is whether Ying actually serve any jail time. If he does, this case will be a game-changer that moves the needle of data breach consequences significantly upward. We will not know the answer to that question until he is convicted (or enters a plea agreement) and sentenced. Some articles state that Ying is facing up to 25 years in jail on the charges. Neither the SEC nor DOJ press releases state how long of a sentence is being sought.

As far as real-life insider trading cases where people have actually been sentenced to jail go, a Wall Street Journal post from 2014 discussing the longest insider trading sentences has the top 5 longest sentences ranging from 12 years down to 7 years. Comparing the amount of money involved in those cases to the $117,000 in losses that Ying avoided makes this cases relatively small. I doubt we will see anything approaching those sentences.

If the question, however, is not how much jail time will Ying get but whether he will get any jail time, I think both the SEC and DOJ have been looking for the right poster child to make an example out of and Ying may have drawn the short straw. Let’s see …

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.