CyberInsecurity News™

EDITOR'S NOTE
David Hechler
Editor-in-Chief

dhechler@cyberinsecuritynews.com
JANUARY 2019
THREE OF THE ARTICLES we have in January look forward to the year ahead. The interview with Daniel Garrie does so explicitly. After looking back at 2018, he hazards predictions that will be interesting to examine next year at this time.
     The expert article by Tyler Gerking and David Smith provides a quick survey of the known risks associated with the internet of things (IoT).  Then it launches into a detailed examination of the new California IoT laws, which have received far less attention than the state’s new privacy law.
     They all go into effect in 2020, and this article looks at the ways insurance can help companies minimize their IoT risks. (Gerking wrote about ways companies can prepare for California’s privacy law in an article we ran in November.)
     I wrote an article on a House committee’s report on cybersecurity that arrived  festooned with red flags that seemed to warn: “Don’t expect much from this one.” They proved to be false alarms.
     That report is also forward-looking. It refers to past events, but one of its strengths is that it attempts to set actionable national priorities to improve cybersecurity. And the committee does more than write recommendations; it attempts to act on them.
     Our last feature is a very strong interview with former federal prosecutor Michael Yaeger. He covers a lot of ground, and to all of it he brings a litigator’s eye. As he talks, his perspective has a way of clarifying and distilling what’s truly important to his clients. 
     That’s a particularly valuable skill at year’s end. Happy New Year!

_____________________________________

DECEMBER 2018
YOU MAY NOTICE that there are links between pairs of our stories. That’s because they talk to each other. We liked the synergy, and we wanted to underscore it.
     There's an article about a Columbia Law School class in which Judith Germano took the students through a tabletop exercise. There wasn’t space in that piece to include much information about Germano, and the way she uses these scenarios in training sessions with incident response teams at companies. So we ran an interview with her as a separate article. And we linked the two.
     We also included a link from the Columbia class story to the interview we ran a few months ago with Matthew Waxman, who is one of the regular teachers of that class. Waxman explained, among other things, why classes in cybersecurity are suddenly very hot.
     We also have two very different articles on another hot topic: privacy. One is an expert article about data protection officers (DPOs). Lots of companies are hiring them because the EU’s General Data Protection Regulation requires them for some companies under its jurisdiction. Author Jason Straight talked about the background the job requires, and discussed whether it could ever be filled by a general counsel.
     Straight was in a pretty good position to discuss this issue. He’s a lawyer who functions in a tech role at his company, where he’s also the chief privacy officer. But we have an interview with a woman who also has an interesting perspective. Rita Heimes works at the International Association of Privacy Professionals, where she is the DPO and the general counsel. So we linked those two articles as well.
     Oh, and just for good measure (call it an extra dose of synergy), we linked Straight’s article to the recent interview we ran with him in which he talked about why outside law firms may pose the greatest risk to a company’s data.
     Happy holidays! And watch your data!
_____________________________________

NOVEMBER 2018
AFTER ALL OF THE TALK about the European Union’s new privacy regulation, which went into effect six months ago, and California’s new state law, which won’t be implemented for at least 14 more months, it’s surprising that few people seemed to notice that Colorado passed a state law before California’s—and it’s already in effect.
     We interviewed a Colorado lawyer who has devoted a good deal of his career to information governance. He explained what the new law does, how Colorado’s scheme differs from those of the other two jurisdictions, and how general counsel should respond.
     In the wake of these legislative changes, we were eager to learn the state of cyber insurance policies. Our expert looked at whether astronomical penalties under the EU’s General Data Protection Regulation would be covered. He also discussed the importance of business interruption coverage to mitigate the damage of a cyberattack.
     We have a long and multifaceted interview with UnitedLex's Jason Straight that explores the complicated relationship between companies and their law firms, upon which they have not always imposed the same security demands as they do on other vendors. Until now, that is.
     Finally, CyberInsecurity News went to the movies. OK, it was a webinar. The ABA brought us a tabletop exercise. We especially liked the exposition and the denouement.

_____________________________________

OCTOBER 2018
OF THE EIGHT ISSUES we’ve published, this may be the one that makes the strongest statement about how far the field of cybersecurity has come.
     Our interview with Prof. Matthew Waxman of Columbia Law School is the opening statement. The popularity of his cybersecurity courses and the enthusiasm students bring to what Waxman refers to as this “booming industry” are powerful evidence of its growing importance. But so are his descriptions of his many opportunities for productive collaboration—both on campus and off.
     We also interviewed Lee Tien from the Electronic Frontier Foundation. He takes us inside the data privacy debate (a subject that Waxman’s students are also intrigued by), which seems to be on the cusp of exploding.  
     The article by Dauna Williams delves into the continuing challenges lawyers confront when trying to manage their relationship with IT. It’s become increasingly clear that there’s really no choice. Neither group will be effective at dealing with cybersecurity unless they learn to work together. And if they don’t, they may not have jobs to return to.
     Finally, we rewound an ABA webinar, which reminded us of how much territory there is to cover, how much the field has had to learn in just a few years, and how steep the challenges remain to this day.

_____________________________________

SEPTEMBER 2018
I THINK OF THIS AS OUR CISO ISSUE. We have two articles that feature individuals who have been chief information security officers. They explain how the CISO functions most effectively, and why it’s important to work closely with the general counsel.
     What’s a little surprising about these pieces, and the rest of this issue, is that none of the professionals interviewed is a lawyer. That’s a first for us. But sometimes it’s valuable to see things from the perspective of people on the outside who work with the lawyers. And as always, every article was written with attorneys and legal issues in mind.
    One piece is about a firm that trains the team of individuals who respond when their company is hit with a cyberattack (“Keeping the Lights On”).  Another points out that Russia’s campaign to disrupt the midterm elections is not the only way that disinformation can be dangerous. When companies are the targets, it doesn’t take a nation-state to turn them deadly (“How Disinformation Can Damage Companies”).
    There’s also a news brief on a case that we may be hearing about for a long time. The FBI is trying to force Facebook to let it tap a gang member’s Messenger conversations. This could prove bigger than the encrypted iPhone battle a couple of years ago.

_____________________________________

AUGUST 2018
THERE'S A THEME that runs through much of our August issue. In the dangerous world of cybersecurity, it’s good to know that resources are available. Our interviews highlight two organizations that offer lawyers support in the battle against data breaches.
  One is the American Bar Association. Ruth Hill Bro is deeply involved there, and in our interview she functions as a kind of tour guide. She suggests that you check out the ABA’s books and articles on cybersecurity, along with its webinars and live events. She also invites you to get directly involved with the organization, the way she has. 
  In the other interview, Chris Colvin talks about the way the membership association he founded, In The House, is trying to help corporate counsel defend their companies against cyberattacks. He has invited the editors of this newsletter to co-chair his Cybersecurity Working Group, and he explains what he hopes it will accomplish.
  We also wrote about the pressure law firms are under to protect client data from attack, especially in the wake of several high-profile failures in recent years.
  One important message comes through in all three articles. It’s good—maybe even necessary—to have partners. Cybersecurity is not an area you want to navigate alone, if you can help it.
  Colvin expounds on the importance of networking. In our article about law firm breaches, he urges inside and outside counsel to work together to reduce their risks. In the same article, the well-known Big Law consultant Peter Zeughauser offers his take on the challenges at hand. He, too, sees progress where law firms and their clients join forces to share the burden.
  That may be the slender silver lining in the stormy clouds overhead—clouds that promise a lot more turbulence before the cyber weather is likely to break.

_____________________________________

JULY 2018
IT'S THE SEASON of new regulations. While many companies struggle to adjust to the GDPR, which Bart Huffman spoke of at length in our June issue, in Part Two of that interview, Huffman introduces us to what is expected to be the EU’s next offering: the ePrivacy Regulation.
  If that isn’t enough regulation for you, take a look at the first item in our Cybersecurity News Briefs. At the tail end of June, California passed its own privacy law—said to be the nation’s toughest. That’s a lot of new rules to absorb quickly.
  Continuing the theme of high anxiety, Alston & Bird’s Todd Benoff talks about the challenges companies are going to face when driverless car crashes are caused by hacks. Benoff is a litigator who focuses on this area, and in our interview he raises questions that should give pause to general counsel in the automotive industry as well as those who work for medical device manufacturers. Could strict liability turn into absolute liability?
  Regulations, liability: These are the kinds of issues that keep general counsel up at night. Or do they? We have certainly heard that phrase, but we wonder whether this whole concept of sleepless lawyers is just a lot of media hype. So we asked a lawyer who advises clients on cybersecurity whether they ever complain about insomnia.
  Finally, our expert article focuses on one more risk—but it also offers a proposed solution. It’s about the threat of cyberattack that looms over international arbitration. The authors are members of a group that’s drafted a protocol designed to protect the parties, the process and the data. They also encourage readers to add their comments during the consultative period that ends on December 31. At least you shouldn’t lose sleep worrying about that deadline.

_____________________________________

JUNE 2018
IT'S REACHED THE TIPPING POINT. Recently I had dinner with friends who had no connection with the law, and they were the ones who brought up the GDPR. They weren’t quite sure about the letters, or the order, and they weren’t sure what it stood for. But even after I said “General Data Protection Regulation,” they still wanted to talk about it. And they had lots to say about privacy. 
  For those of us who have been living with those letters, we’re only just out of the starting gate. But already it feels as though we’ve been overloaded. And yet... when we interviewed Reed Smith partner Bart Huffman, an expert on privacy and security, it didn’t feel that way at all. In fact, he covered so much information that struck us as essential reading for lawyers that, rather than edit it down, we decided to publish Part One in June (Culture Shift, Courtesy of Europe) and Part Two in July.
  Another article is about the opposite of a tipping point (call it the ticking point). Eighteen months ago, Florida became the first state in the country to mandate tech training for lawyers. But since then, not one state has followed Florida’s lead (Florida Adopted Mandatory CLEs in Tech. Where Are the Followers?).
  A subject we return to often in this publication is how and when companies decide to cooperate with the government when they’re dealing with breaches. Kimberly Peretti discusses this issue, and, as a former senior litigator at the U.S. Department of Justice, she passes along four tips suggesting how companies can maximize the benefits of cooperating (Working With the Government After a Breach).
  Finally, the article we lead with in this issue is an interview with the Association of Corporate Counsel’s chief legal officer, Amar Sarwal, who digs into ACC’s recently released State of Cybersecurity Report—its first in three years (Cyber Survey Underscores Dour Perspective of In-House Lawyers).
  What’s particularly valuable about this report is in the subtitle: an in-house perspective. The survey reveals what these lawyers are experiencing, and some of the most interesting data reflects not just what they know, but what they don’t.
  Sarwal takes an unflinching look at a pretty grim landscape and delivers a lucid analysis. It’s one of his skills that we have come to appreciate during his eight years at the organization. By the time you read this, however, he will have departed from his post there for a job closer to home. Literally. We hope he’s appreciated at his new workplace. We wager that his old one will find him hard to replace.

_____________________________________

MAY 2018
WE LIVE IN AN AGE OF CONFLICT. It’s everywhere we look. And the challenges of cybersecurity are grounded in, and manifestations of, that conflict. Cyberattacks erupt from political conflict, international conflict, economic conflict—the gamut. And they’ve certainly added to the pervasive global tension. 
  Another troubling trend we’ve seen in the past year has been the erosion of so many longstanding alliances. Countries that have long been allies are on the outs. Brexit and the rise of nationalism have shaken the European Union to its core. The United States feels a little less stable, and a little more isolated, every day. These developments have been particularly dispiriting to witness because alliances seem to be our best chance of mitigating the problems.
  In this issue, in our own small way, we explore the power of alliances. First we look at an alliance of maritime companies working to boost their common cyber defense. 
  Then we have a piece about the Cybersecurity Tech Accord, and the 34 companies that vowed to make the world safer from cyberattacks. 
  And our expert article talks about the ways companies need to partner with their service providers in order to enhance the security of both entities. 
  These are three very different kinds of alliances, but they all make a world of sense. They possess the key components that successful alliances have always needed: they’re designed for the mutual benefit of the partners, and they make them all a little more secure.
  Here’s hoping there’s a resurgence of alliances this year.

_____________________________________

APRIL 2018
SPRING IS HERE AT LAST! In this, our second issue of CyberInsecurity, renewal is a bit redundant. It’s all pretty new. But we have added two features in this issue that you can expect to find each month. 
  First, there’s a new section called Cybersecurity in the News. We know that you keep up with the big events; these short takes focus on smaller fare that you may have missed. This month, for instance, we cue up some surprising statistics, a new cybersecurity lexicon you may want to download, and a story that suggests this field may have achieved household-name status. 
  Also new: our first article by an outside expert. Steven Senz, a consultant who has worked in data security for more than two decades, talks about the questions a client is already trying to navigate months before the EU’s General Data Protection Regulation takes effect in late May. By now the GDPR should be provoking widespread anxiety. This is a good opportunity, Senz points out, for general counsel to emphasize that information security at their companies is everyone’s responsibility. 
  We also have two interviews this month. One is with Andrea Bonime-Blanc, who has a book coming out in April on artificial intelligence. In our conversation, she explains why now is the time for general counsel and boards of directors to work with management to craft an AI strategy—before their competitors find ways to use it to disrupt them out of business. 
  The second returns to a subject we find particularly provocative: When and how should companies cooperate with the government? We interviewed a staff attorney at the Electronic Frontier Foundation who has been investigating a cozy relationship between retailer Best Buy and the FBI—too cozy, the attorney suggests. 
  Finally, we reviewed Cisco’s Annual Cybersecurity Report for the purpose of advising lawyers who don’t have a tech background whether it’s both accessible and worth reading. Since we’re sharing our conclusions, you can probably guess what we think.  
  Enjoy the spring. Thanks for tuning in. And let us know what you think.

_____________________________________

MARCH 2018
WELCOME TO CYBERINSECURITY NEWS, a platform that features writing about the legal arena. 
  The subject of the moment, and it’s a moment that’s likely to last for some time, is cybersecurity. Or, as we call this newsletter, CyberInsecurity. And if you're wondering whether your insecurity is justified, we've included survey data in a graphic that should provide confirmation (What the Numbers Say).
   One facet of this subject that’s been fascinating to watch is the complicated relationship between government and business. Are they friends, enemies, frenemies? Our interview with Rand researcher Sasha Romanosky delves into some of these issues (Challenges in Cybersecurity Provoke Conflict between the Public and Private Sectors). But there always seems to be another angle. It may surprise some readers to learn that the government has a history of tech innovation, and some new programs established at universities are designed to lure entrepreneurial students to beat a path to Washington rather than Silicon Valley. And they’re actually winning converts (Building a Cybersecurity Bridge between Startups and the Military).
   Finally, it wouldn’t be a new year if we didn’t feature a crystal ball somewhere in the mix. We invited a legal expert to talk to us about two articles that had important things to say. One predicted what we can expect this year; the other warned what we should fear (Predictions and Threats for the Year in Cybersecurity). 
    We’ll be back with another issue of CyberInsecurity next month. Until then, please let us know what you think. Your comments and suggestions are always welcome.