TAG Cyber Law Journal

February 2019
There was a lot of information and a little bit of drama (for some).
The State of Cybersecurity Report (from left) Mary Blatch (ACC), Erika Brown Lee (Mastercard), Luis Diaz (Vision-e), Lily Lim (Servicenow)
AI Panel (from left) Casiya Thaniel (Microsoft), Andrea Bonime-Blanc (GEC Risk Advisory), Pedro Pavon (Honeywell), Monica MacGregor (Berkeley Research Group)
Photography by Christina Reilly
Ransomware Tabletop (from left) Mary Chapin (National Student Clearinghouse), April Goff (J.C. Penney), David Kilpatrick (EnvironX Solutions), Roy Hadley, Jr. (Adams and Reese)
By David Hechler
I'VE ATTENDED MANY professional conferences over the years, and I’ve covered quite a few as a journalist. Sometimes I’ve written full articles, sometimes I’ve simply live-tweeted snippets. But I’ve never written a first-person account—until now.
     I’m going to tell you about the Association of Corporate Counsel Foundation’s 2019 Cybersecurity Summit, which was held in Washington, D.C., on January 29. But I don’t want to pretend that I was an objective observer. I was on the Advisory Board that helped plan it. CyberInsecurity News was listed as a sponsor. And I was scheduled to moderate the final plenary session.
     Now that I’ve gotten that out of the way, I think you’ll appreciate some of the words of wisdom I copied down during the day. And I’ll throw in some behind-the-scenes drama that, in retrospect, is amusing in an “only-in-Washington” way.
     The morning plenary was a panel that discussed the Foundation’s 2018 State of Cybersecurity Report. A good deal of the session focused, naturally enough, on privacy. The EU’s General Data Protection Regulation (GDPR)—and Google’s recent $57 million fine—kicked it off. But the most valuable comments on this topic were about the California Consumer Privacy Act (CCPA).
     “Scary,” said Luis Diaz, general counsel and chief cybersecurity officer of Vision-e. The California law, which goes into effect next year, has “lots of ambiguity,” he noted. The definition of personally identifiable information, for instance, is really broad. “Your policies today, if the law applies to you, are not adequate,” he said. And just because your company complies with the GDPR doesn’t mean you will comply with the CCPA. There are lots of differences: “You should read it.”
     What’s more, said Lily Lim, the new legal director at Servicenow, the California law is retroactive. What you’re doing now is covered, even though the law won’t go into effect until 2020. To make matters just a little more confusing, there could be changes to the law next year. Stay tuned.

Privacy Lite?
Erika Brown Lee had a slightly different take. The senior VP and assistant GC of Mastercard said that she doesn’t find it as draconian as Diaz does. To her it’s GDPR “on a California diet.” Even though companies don’t have quite as much time to prepare as they did with GDPR, she pointed out that the California attorney general won’t be rolling out enforcement regulations for an additional six months, which should give everyone a little more time.
     Eventually the panel got to a popular topic these days: federal legislation. Will Congress or won’t Congress? Mary Blatch, who is ACC’s associate GC and also its director of advocacy, asked whether the organization should be advocating on this issue. She requested feedback from ACC members.
     The next session I attended felt more like a philosophy class than a panel discussion at a legal conference. The topic was artificial intelligence, and the discussion was scintillating. My kudos are not limited to the panel, either. Equally penetrating comments and questions were launched throughout from the audience. What made it feel so much like a philosophy class was how many more questions there were than answers (reflecting the cutting-edge subject).
     AI can be great at shoring up security by detecting and gathering data, Pedro Pavon pointed out. But there are often privacy implications, he added. A big one, said Pavon, who is an assistant general counsel for data protection and privacy at Honeywell International, is the question of what constitutes consent. AI is less effective at answering that question, and satisfying the need to obtain consent, than it is at gathering information.
     Another area that AI can disrupt is compliance, the panelists said. Bias can be introduced into AI programming intentionally or unintentionally. If a company’s programmers are exclusively 25-year-old white males, for example, said moderator Andrea Bonime-Blanc, their programming choices may reflect their worldview, and exclude those of other demographics. “We have to think about the 6-year-old and the 60-year-old,” said Bonime-Blanc, founder and CEO of GEC Risk Advisory. Will the data reflect, and be relevant to, them?
     This vulnerability can be particularly difficult to control, said Pavon, because when bias is introduced into an AI program, it can’t be unlearned. It can only be remediated by the introduction of a new system.

Ransomware On the Table
Next up: a session on tabletop exercises that had two features to recommend it. Ransomware was part of the scenario. But the panel did not create a detailed story and take the audience through a simulated attack. Rather, they talked about the choices organizers must make to design one of these exercises, and the challenges a ransomware demand would add to the test of an incident response plan.
     David Kilpatrick, the GC of EnvironX Solutions, took us through some very basic issues. Who should lead the exercise? Who should attend? Where should it be held, and how long should it last? Who should take notes? The discussion included interesting pros and cons. Outside vendors may be effective leaders, but will they be pushing an agenda? Should executives be there (you'll need their buy-in)? What about the business continuity team? Not surprisingly, a strong case was made that the leader should be an in-house lawyer.
     Sometime within the first half-hour, someone asked how many people had actually experienced a real ransomware attack. About four hands went up. One was panelist Roy Hadley, Jr.’s.
     Hadley is a special counsel at Adams and Reese in Atlanta. The location may have been a tipoff to some cybersecurity mavens. In March 2018, Atlanta was hit with a massive cyberattack that reportedly affected as many as 6 million people. The city eventually revealed that it was the victim of a ransomware attack. Hadley was called in to help. At the time he had never done a tabletop. Now he has participated in dozens. The fact that the Super Bowl was just played in Atlanta was certainly good for business, he admitted with a smile.
      Hadley said that tabletops are absolutely worthwhile. “You don’t want to have your first experience,” he cautioned, “when the bullets are flying past your head.” But it won’t solve all of your problems. And “you can never account for everything,” he added, no matter how carefully you plan.
     Still, it’s important that participants take it seriously. No cell phones. No giving away the scenario in advance (something he has seen, Hadley said). If nothing else, get to know the players on your company’s incident response team. Learn to work together. Review what worked and what didn’t. And follow up on suggested changes, because (in addition to all the other good reasons) the recommendations are likely discoverable.

Washington Drama
The next stop was lunch. There had already been much to digest. And there was much to discuss. I was talking to some people I knew and comparing notes. And I was thinking about the panel I was going to moderate for the day’s final plenary session.
     The title was “Can Companies and the Government Really Work Together on Cybersecurity?” And I had managed to put together a really strong panel. We had two government lawyers, two in-house lawyers, an academic and a lawyer who worked for an NGO.
     The preparation had been a struggle, largely due to the record-breaking (and nerve-shattering) government shutdown. At first I hadn’t paid much attention. Surely it would all be over long before the conference, I told myself. Then, when we met to start preparing, the government lawyers warned that they wouldn’t be able to attend unless the government reopened. 
     Huh? How were we supposed to discuss cooperation if only one side was represented? That’s when I’d begun bulking up. I’d added an in-house lawyer who had worked for a decade in a U.S. Attorney’s Office. He could channel a government lawyer and then change hats. My other in-house lawyer also had experience working for the government. So we would be OK, even if the audience was occasionally confused about which role someone was playing.
     And then, suddenly, on the eve of the conference, the clouds had lifted. I realize that, among all the many benefits of the end of the shutdown, this was the least important one. But still, you can forgive me if I was feeling pretty good at lunch, looking forward to actually meeting my fellow panelists in person for the first time. All six of them. An all-star team, I was thinking. Feeling almost relaxed.
     And then my phone emitted a ding. It was a text. From the conference director. We had a problem.
     You may remember that on January 29 the weather was atrocious through large swaths of the country. It was -27 in Madison, Wisconsin, where a friend of mine lives. The wind chill was something like -40 there. We’re talking life-threatening conditions. It was also chilly in Washington, D.C., where it was 34. They were even suggesting the possibility of a little snow.
     Snow? SNOW?!! OH MY GOD, IT’S GOING TO SNOW!!!!! If you’ve spent time in Washington in the winter, you know that they don’t handle winter well. I knew that. But it didn’t occur to me that the innocent-sounding ding I heard at 1:51, when it was raining outside, was a message telling me that the law school was closing early—in fact, right before our panel was scheduled to go on.
     By the time we were ushered out of the building, it was snowing, though it wasn’t sticking on the streets. There was zero accumulation. But as if to underscore the point I’m making about Washington, it wasn’t only the law school that closed early that day; the entire government did. So our panel discussion was not merely diminished by a shutdown, it was pre-empted by a shutdown after the shutdown! You can imagine the depths of my despair.  
     But wait. I failed to report the full text that dinged so callously at lunch. We were not going to be able to go on, it was true, but all was not lost. We were going to reschedule. There would be a webinar to replace the event so cruelly quashed by precipitation.
     And so there will be. When it’s ready, which will be very soon, we will update this article and include a link below.
     And our panel may even have another shot at a live event—at the next ACC Foundation Cybersecurity Summit, which will be held on July 11. Far away from Washington. And if it snows in Vancouver, Canada, I think they will know how to handle it!