Why do you need a cyber attorney? Shawn Tuma explains in Ethical Boardroom

spring2018In my latest article in Ethical Boardroom article, I explain some of the not-so-obvious reasons why you need an experienced cyber attorney on your team: Why you need a cyber attorney (Spring 2018)

Here are other Ethical Boardroom (@EthicalBoard) articles that I have written or contributed to that are also available for free:

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Down the Security Rabbithole Podcast #DtSR with Los and Tuma talking all things #cybersecurity

DtSR ImageThis week’s #DtSR Podcast featured Raf Los and guest Shawn Tuma talking about all things cybersecurity. Check out more of what was covered and listen to the podcast here!

Check out some of the past episodes with Tuma as a guest.

 

Share on social media and join in the discussion!

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Security Weekly guest Shawn Tuma discusses “what is reasonable cybersecurity?”

Share on social media and join in the discussion!

LinkedIn Post

 

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

What is “reasonable cybersecurity” and how do courts view it? (SecureWorld interviews)

What is “reasonable cybersecurity” and how do courts view “reasonable cybersecurity”?

See KnowB4’s discussion of these interviews

These are two excellent questions that I was asked and I answered, as succinctly as I could, in two short interviews with SecureWorld. Tell me what you think about my answers.

What Is Reasonable Cybersecurity? – SecureWorld article

How Courts & Attorneys View ‘Reasonable Cybersecurity’ in 2018 – SecureWorld article

Here are the videos.

 

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Uber’s CISO Makes Case for Uniform National Data Breach Notification Law

UberUber’s Chief Information Security Officer (CISO), John Flynn, made a case for a uniform national data breach notification law in his testimony to members of Congress (see penultimate paragraph of full written testimony):

I would like to conclude by stating that we strongly support a unified, national approach to data security and breach standards. We are proactively engaged in the many conversations in both the technical and policy communities to help identify what the critical components of federal data breach legislation should be, and are pleased to see this robust conversation taking place with various Members of Congress and your staff. We welcome the opportunity to be at the table to help all stakeholders understand the best practices.

I agree!

NTSC LogoIf you are a CISO of a company and are interested in participating in this discussion, please considering joining the National Technology Security Coalition (NTSC) in this effort to get an appropriate uniform federal data breach notification law passed. (Disclaimer, I am a member of the NTSC’s Policy Counsel and will be assisting in drafting proposed legislation.)

See these related posts:

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

3 Legal Points for InfoSec Teams to Consider Before an Incident

secureworldAs a teaser to my presentation at SecureWorld – Dallas last week, I did a brief interview with SecureWorld and talked about three of the points I would make in my lunch keynote, The Legal Case for Cybersecurity. If you’re going to SecureWorld – Denver next week, join me for the lunch keynote on Thursday (11/2) as I will again be making The Legal Case for Cybersecurity.

In the SecureWorld article, Why InfoSec Teams Need to Think with a ‘Legal’ Mind, Before an Incident, we discuss these three points:

  1. There are three general types of “cyber laws” that infosec needs to understand;
  2. Sadly, far too many companies do not take cybersecurity seriously until after they have had a significant incident; and
  3. Companies’ need for implementing and continuously maturing a cyber risk management program (such as my CyberGard).

 

What do we in the United States really want from our cyber laws?

In my newsfeed are articles in prominent publications discussing the problems with the federal Computer Fraud and Abuse Act from very different perspectives.

www.businesscyberrisk.comIn the “the CFAA is dangerous for security researchers” corner we have White Hat Hackers and the Internet of Bodies, in Law360, discussing how precarious the CFAA (and presumably, the state hacking laws such as Texas’ Breach of Computer Security / Harmful Access by Computer laws) and Digital Millenium Copyright Act can be for security researchers.

In the “the CFAA prevents companies from defending themselves” corner we have New Bill Would Allow Hacking Victims to ‘Hack Back’, in The Hill, discussing The Active Cyber Defense Certainty Act (ACDC). ACDC (what a great acronym!) would allow companies more latitude in defending themselves against those intruding into their networks by permitting them to use techniques described as “active defense,” under certain conditions, though not permitting companies to counterattack.

Now, instead of thinking about these two measures in isolation, think of them together. What if we were to get both of them passed into law? What if we got one or the other?

This reminds me of a piece I wrote about the CFAA and the broader national policy discussion a few years ago, Hunter Moore or Aaron Swartz: Do we hate the CFAA? Do we love the CFAA? Do we even have a clue? In that piece I stated,

The CFAA has become a national lightening rod with many loving it, many hating it, and far too many loving it and hating it at the same time, without even realizing it. Before we go any further, however, consider this quote:

The CFAA was tailor-made to punish precisely the kind of behavior that [guess who?] is charged with: breaking into other people’s accounts and disseminating their … information.

Quick! Who is that referring to? Hunter Moore? Edward Snowden? Aaron Swartz? Sandra Teague?

I used this overly simplified example to try and make a point that, philosophically, we as a nation need to stop looking at each of these cases and laws in isolation and need to look at the bigger picture of how it all fits together. Picking and choosing based upon our own personal likes and dislikes due to the emotional tug of the facts is no way to develop, maintain, and mature a body of law on any subject matter — much less one as complicated as cyber.

Take this discussion and add into the mix new security-based laws such as NYDFS and then mix in the 48 states + HIPAA, GLBA, etc. breach notification laws, the conundrum of cybersecurity law schizophrenia, and then see what we have to work with. Does it all make sense?

What do you think? Where do we begin? Who needs to be involved in working this out? What are the first questions we need to ask?

IoT Cybersecurity Improvement Act of 2017 proposed by Senate Cybersecurity Caucus

On August 1, 2017, the Senate Cybersecurity Caucus introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017,” bi-partisan legislation focused on establishing minimum security requirements for the federal procurement of Internet connected devices (#IoT). Continue reading “IoT Cybersecurity Improvement Act of 2017 proposed by Senate Cybersecurity Caucus”

3 More Key Cybersecurity Takeaways General Counsel Should Learn Learn from Yahoo

The lessons that general counsel can learn from the Yahoo data breach just keep coming. A month ago I published 5 Key Takeaways from Verizon’s GC on Lessons Learned from Yahoo Deal and recently I read Yahoo’s Warning to GCs: Your Job Description Just Expanded (Big-Time), which I found to be excellent.

Here are 3 key cybersecurity takeaways that general counsel should learn that are described more in that article. The explanation in the article is very good and the author provides actionable recommendations — I encourage you to read the entire article:

  1. The general counsel has emerged as the most logical and effective quarterback of data breach response.
  2. Yahoo’s actions not only signal the evolution of a new standard of care for general counsel when it comes to cybersecurity but also signal a vast expansion of general counsel oversight. 
  3. Cybersecurity presents every bit, if not more risk than financial reporting failure, and should receive the same level of oversight and audit.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

5 Key Takeaways from Verizon’s GC on Lessons Learned from Yahoo Deal

A good friend recently shared with me the article Verizon GC on the Lessons Learned from Deal with Yahoo (use Linkedin for paywall access) because he thought it would be valuable information to add to my own cybersecurity knowledge toolbox. Given the experience Verizon’s GC has gained through this process, when he talks about lessons learned, we should all pay attention.

Here are the 5 key takeaways to keep in mind for mergers and acquisitions such as this one:

  1. Have a strategy on how to handle the news of data breaches.
  2. Analyze how a data breach impacts the original goals of the deal and how it will impact investors.
  3. Be very disciplined in messaging, ensuring that all public statements, to all audiences, are a variation of the same core messages.
  4. Know what the parties’ agreement says about data breaches which, necessarily, requires that the agreement address the issue of data breaches.
  5. While due diligence around data breaches may be important, it is more important to have reps and warranties around data breaches because it is unreasonable to expect due diligence to find what the company itself hasn’t found.

Yahoo security lapses laid bare even as Russia blamed for hack

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.