CyberInsecurity News



David Hechler, Editor-in-Chief
AFTER ALL OF THE TALK about the European Union’s new privacy regulation, which went into effect six months ago, and California’s new state law, which won’t be implemented for at least 14 more months, it’s surprising that few people seemed to notice that Colorado passed a state law before California’s—and it’s already in effect.
     We interviewed a Colorado lawyer who has devoted a good deal of his career to information governance. He explained what the new law does, how Colorado’s scheme differs from those of the other two jurisdictions, and how general counsel should respond.
     In the wake of these legislative changes, we were eager to learn the state of cyber insurance policies. Our expert looked at whether astronomical penalties under the EU’s General Data Protection Regulation would be covered. He also discussed the importance of business interruption coverage to mitigate the damage of a cyberattack.
     We have a long and multifaceted interview with UnitedLex's Jason Straight that explores the complicated relationship between companies and their law firms, upon which they have not always imposed the same security demands as they do on other vendors. Until now, that is.
     Finally, CyberInsecurity News went to the movies. OK, it was a webinar. The ABA brought us a tabletop exercise. We especially liked the exposition and the denouement.

 OCTOBER 2018 

OF THE EIGHT ISSUES we’ve published, this may be the one that makes the strongest statement about how far the field of cybersecurity has come.
     Our interview with Prof. Matthew Waxman of Columbia Law School is the opening statement. The popularity of his cybersecurity courses and the enthusiasm students bring to what Waxman refers to as this “booming industry” are powerful evidence of its growing importance. But so are his descriptions of his many opportunities for productive collaboration—both on campus and off.
     We also interviewed Lee Tien from the Electronic Frontier Foundation. He takes us inside the data privacy debate (a subject that Waxman’s students are also intrigued by), which seems to be on the cusp of exploding.  
     The article by Dauna Williams delves into the continuing challenges lawyers confront when trying to manage their relationship with IT. It’s become increasingly clear that there’s really no choice. Neither group will be effective at dealing with cybersecurity unless they learn to work together. And if they don’t, they may not have jobs to return to.
     Finally, we rewound an ABA webinar, which reminded us of how much territory there is to cover, how much the field has had to learn in just a few years, and how steep the challenges remain to this day.


I THINK OF THIS AS OUR CISO ISSUE. We have two articles that feature individuals who have been chief information security officers. They explain how the CISO functions most effectively, and why it’s important to work closely with the general counsel.
     What’s a little surprising about these pieces, and the rest of this issue, is that none of the professionals interviewed is a lawyer. That’s a first for us. But sometimes it’s valuable to see things from the perspective of people on the outside who work with the lawyers. And as always, every article was written with attorneys and legal issues in mind.
    One piece is about a firm that trains the team of individuals who respond when their company is hit with a cyberattack (“Keeping the Lights On”).  Another points out that Russia’s campaign to disrupt the midterm elections is not the only way that disinformation can be dangerous. When companies are the targets, it doesn’t take a nation-state to turn them deadly (“How Disinformation Can Damage Companies”).
    There’s also a news brief on a case that we may be hearing about for a long time. The FBI is trying to force Facebook to let it tap a gang member’s Messenger conversations. This could prove bigger than the encrypted iPhone battle a couple of years ago.

 AUGUST 2018 

THERE'S A THEME that runs through much of our August issue. In the dangerous world of cybersecurity, it’s good to know that resources are available. Our interviews highlight two organizations that offer lawyers support in the battle against data breaches.
  One is the American Bar Association. Ruth Hill Bro is deeply involved there, and in our interview she functions as a kind of tour guide. She suggests that you check out the ABA’s books and articles on cybersecurity, along with its webinars and live events. She also invites you to get directly involved with the organization, the way she has. 
  In the other interview, Chris Colvin talks about the way the membership association he founded, In The House, is trying to help corporate counsel defend their companies against cyberattacks. He has invited the editors of this newsletter to co-chair his Cybersecurity Working Group, and he explains what he hopes it will accomplish.
  We also wrote about the pressure law firms are under to protect client data from attack, especially in the wake of several high-profile failures in recent years.
  One important message comes through in all three articles. It’s good—maybe even necessary—to have partners. Cybersecurity is not an area you want to navigate alone, if you can help it.
  Colvin expounds on the importance of networking. In our article about law firm breaches, he urges inside and outside counsel to work together to reduce their risks. In the same article, the well-known Big Law consultant Peter Zeughauser offers his take on the challenges at hand. He, too, sees progress where law firms and their clients join forces to share the burden.
  That may be the slender silver lining in the stormy clouds overhead—clouds that promise a lot more turbulence before the cyber weather is likely to break.

 JULY 2018 

IT'S THE SEASON of new regulations. While many companies struggle to adjust to the GDPR, which Bart Huffman spoke of at length in our June issue, in Part Two of that interview, Huffman introduces us to what is expected to be the EU’s next offering: the ePrivacy Regulation.
  If that isn’t enough regulation for you, take a look at the first item in our Cybersecurity News Briefs. At the tail end of June, California passed its own privacy law—said to be the nation’s toughest. That’s a lot of new rules to absorb quickly.
  Continuing the theme of high anxiety, Alston & Bird’s Todd Benoff talks about the challenges companies are going to face when driverless car crashes are caused by hacks. Benoff is a litigator who focuses on this area, and in our interview he raises questions that should give pause to general counsel in the automotive industry as well as those who work for medical device manufacturers. Could strict liability turn into absolute liability?
  Regulations, liability: These are the kinds of issues that keep general counsel up at night. Or do they? We have certainly heard that phrase, but we wonder whether this whole concept of sleepless lawyers is just a lot of media hype. So we asked a lawyer who advises clients on cybersecurity whether they ever complain about insomnia.
  Finally, our expert article focuses on one more risk—but it also offers a proposed solution. It’s about the threat of cyberattack that looms over international arbitration. The authors are members of a group that’s drafted a protocol designed to protect the parties, the process and the data. They also encourage readers to add their comments during the consultative period that ends on December 31. At least you shouldn’t lose sleep worrying about that deadline.

 JUNE 2018 

IT'S REACHED THE TIPPING POINT. Recently I had dinner with friends who had no connection with the law, and they were the ones who brought up the GDPR. They weren’t quite sure about the letters, or the order, and they weren’t sure what it stood for. But even after I said “General Data Protection Regulation,” they still wanted to talk about it. And they had lots to say about privacy. 
  For those of us who have been living with those letters, we’re only just out of the starting gate. But already it feels as though we’ve been overloaded. And yet... when we interviewed Reed Smith partner Bart Huffman, an expert on privacy and security, it didn’t feel that way at all. In fact, he covered so much information that struck us as essential reading for lawyers that, rather than edit it down, we decided to publish Part One in June (Culture Shift, Courtesy of Europe) and Part Two in July.
  Another article is about the opposite of a tipping point (call it the ticking point). Eighteen months ago, Florida became the first state in the country to mandate tech training for lawyers. But since then, not one state has followed Florida’s lead (Florida Adopted Mandatory CLEs in Tech. Where Are the Followers?).
  A subject we return to often in this publication is how and when companies decide to cooperate with the government when they’re dealing with breaches. Kimberly Peretti discusses this issue, and, as a former senior litigator at the U.S. Department of Justice, she passes along four tips suggesting how companies can maximize the benefits of cooperating (Working With the Government After a Breach).
  Finally, the article we lead with in this issue is an interview with the Association of Corporate Counsel’s chief legal officer, Amar Sarwal, who digs into ACC’s recently released State of Cybersecurity Report—its first in three years (Cyber Survey Underscores Dour Perspective of In-House Lawyers).
  What’s particularly valuable about this report is in the subtitle: an in-house perspective. The survey reveals what these lawyers are experiencing, and some of the most interesting data reflects not just what they know, but what they don’t.
  Sarwal takes an unflinching look at a pretty grim landscape and delivers a lucid analysis. It’s one of his skills that we have come to appreciate during his eight years at the organization. By the time you read this, however, he will have departed from his post there for a job closer to home. Literally. We hope he’s appreciated at his new workplace. We wager that his old one will find him hard to replace.

 MAY 2018 

WE LIVE IN AN AGE OF CONFLICT. It’s everywhere we look. And the challenges of cybersecurity are grounded in, and manifestations of, that conflict. Cyberattacks erupt from political conflict, international conflict, economic conflict—the gamut. And they’ve certainly added to the pervasive global tension. 
  Another troubling trend we’ve seen in the past year has been the erosion of so many longstanding alliances. Countries that have long been allies are on the outs. Brexit and the rise of nationalism have shaken the European Union to its core. The United States feels a little less stable, and a little more isolated, every day. These developments have been particularly dispiriting to witness because alliances seem to be our best chance of mitigating the problems.
  In this issue, in our own small way, we explore the power of alliances. First we look at an alliance of maritime companies working to boost their common cyber defense. 
  Then we have a piece about the Cybersecurity Tech Accord, and the 34 companies that vowed to make the world safer from cyberattacks. 
  And our expert article talks about the ways companies need to partner with their service providers in order to enhance the security of both entities. 
  These are three very different kinds of alliances, but they all make a world of sense. They possess the key components that successful alliances have always needed: they’re designed for the mutual benefit of the partners, and they make them all a little more secure.
  Here’s hoping there’s a resurgence of alliances this year.

APRIL 2018 

SPRING IS HERE AT LAST! In this, our second issue of CyberInsecurity, renewal is a bit redundant. It’s all pretty new. But we have added two features in this issue that you can expect to find each month. 
  First, there’s a new section called Cybersecurity in the News. We know that you keep up with the big events; these short takes focus on smaller fare that you may have missed. This month, for instance, we cue up some surprising statistics, a new cybersecurity lexicon you may want to download, and a story that suggests this field may have achieved household-name status. 
  Also new: our first article by an outside expert. Steven Senz, a consultant who has worked in data security for more than two decades, talks about the questions a client is already trying to navigate months before the EU’s General Data Protection Regulation takes effect in late May. By now the GDPR should be provoking widespread anxiety. This is a good opportunity, Senz points out, for general counsel to emphasize that information security at their companies is everyone’s responsibility. 
  We also have two interviews this month. One is with Andrea Bonime-Blanc, who has a book coming out in April on artificial intelligence. In our conversation, she explains why now is the time for general counsel and boards of directors to work with management to craft an AI strategy—before their competitors find ways to use it to disrupt them out of business. 
  The second returns to a subject we find particularly provocative: When and how should companies cooperate with the government? We interviewed a staff attorney at the Electronic Frontier Foundation who has been investigating a cozy relationship between retailer Best Buy and the FBI—too cozy, the attorney suggests. 
  Finally, we reviewed Cisco’s Annual Cybersecurity Report for the purpose of advising lawyers who don’t have a tech background whether it’s both accessible and worth reading. Since we’re sharing our conclusions, you can probably guess what we think.  
  Enjoy the spring. Thanks for tuning in. And let us know what you think.

 MARCH 2018 

WELCOME TO LEGAL BLACKBOOK, a platform that features writing about the legal arena. 
  The subject of the moment, and it’s a moment that’s likely to last for some time, is cybersecurity. Or, as we call this newsletter, CyberInsecurity. And if you're wondering whether your insecurity is justified, we've included survey data in a graphic that should provide confirmation (What the Numbers Say).
   One facet of this subject that’s been fascinating to watch is the complicated relationship between government and business. Are they friends, enemies, frenemies? Our interview with Rand researcher Sasha Romanosky delves into some of these issues (Challenges in Cybersecurity Provoke Conflict between the Public and Private Sectors). But there always seems to be another angle. It may surprise some readers to learn that the government has a history of tech innovation, and some new programs established at universities are designed to lure entrepreneurial students to beat a path to Washington rather than Silicon Valley. And they’re actually winning converts (Building a Cybersecurity Bridge between Startups and the Military).
   Finally, it wouldn’t be a new year if we didn’t feature a crystal ball somewhere in the mix. We invited a legal expert to talk to us about two articles that had important things to say. One predicted what we can expect this year; the other warned what we should fear (Predictions and Threats for the Year in Cybersecurity). 
    We’ll be back with another issue of CyberInsecurity next month. Until then, please let us know what you think. Your comments and suggestions are always welcome.