Thought Leader – Cyber Law – Hunton & Williams – Lawyer Monthly | Legal News Magazine


Following the recent headlines surrounding WikiLeaks, the Panama Papers, and thousands of much smaller cybersecurity breaches around the world, legislation and action to protect data and cyber processes are increasingly necessary. While governments and other parties do attempt to implement ways of managing breaches, the threat of cyber-attacks cannot be shrugged away.

This month Lawyer Monthly has heard from Aaron Simpson, Partner at Hunton & Williams and a member of the firm’s global privacy and cybersecurity team.

Aaron had been based in New York since 2002 and moved to the firm’s London office in July 2016. He advises clients on a broad range of complex privacy and cybersecurity matters, including state, federal and international privacy and data security requirements as well as the remediation of large-scale data security incidents. He helps clients identify, evaluate and manage risks associated with their collection and use of information.


What are the common cyber law matters you regularly advise on? What particular challenges do these matters present?

Generally speaking, my cyber practice revolves around significant data breach events. This includes leading internal investigations into suspected breaches, managing the notification process in accordance with applicable law and contractual requirements, and addressing inquiries from regulators. In addition, given the stakes involved for many companies, I also engage in many proactive legal services in the cyber context, including the development of incident response plans and other breach preparedness tools, as well as negotiating commercial terms in data intensive agreements, which are increasingly common today. Now that I am based in the UK, I am assisting clients across the EU who are gearing up for enhanced breach notification requirements arising from the GDPR.

There are many challenging — but interesting — aspects of practicing law in the cyber arena. The first and foremost is timing. There is an incredible amount of time pressure facing breached companies, both from a regulatory and normative perspective. The public is very interested in these events, and they are widely covered in the media today. Thus, getting the team onboard quickly and developing an understanding of the key facts, within the expectations of regulators and the media, can be quite challenging in certain circumstances.

In addition, from a legal perspective, bridging the gap between various legal regimes in different jurisdictions can present challenges. We have been fortunate to have significant experience working on breaches of a global nature and so are quite familiar with requirements around the world. Nevertheless, these requirements are a moving target, and in many countries they are more art than science, in that they are a result of regulatory guidance rather than strict legal requirements.


Which industries do you find are the most prone to cybersecurity issues? Why do you think this is?

No industry has been spared when it comes to cybersecurity. There are so many different motivations for why a company’s data would be targeted. For criminal hackers, the retail industry has been a primary focus given the nature of the payment card data that they process. But retailers would be of less interest to nation-state actors, whose motives could be more focused on learning information about processes and technology in place. In addition, there are hacktivists attacking corporate networks for any number of reasons, including to cause embarrassment. In this regard, all companies are at risk.


How do you personally help your clients identify, evaluate and manage risks associated with data storage and management?

At the end of the day, I am a lawyer and not a technologist. Thus, rather than assisting with technical risks, I assist with the management of risk from an administrative and legal perspective. I start with identifying the organisation’s main data stores and what data are held in those data stores. Then I also look at how that data is moved within the organisation. Once I have a detailed knowledge of the organisation’s data profile, and what compliance and security measures are in place, we are in a position to identify and evaluate the legal risks associated with the data they hold and their systems. When doing so, we look at a variety of legal frameworks applicable across the globe, as well as to recognised data security standards and industry certifications.


The business world is always looking for ways in which to fight cyber-crime; as a thought leader, how would you say legislation could be changed to do this to a better extent?

If the goal is to protect data and data subjects, I think that policymakers need to tread very carefully. Developing prescriptive, proactive requirements generally does not help protect data. To the contrary, it forces companies to shift their focus from protecting data, something they know how to do far better than policymakers, to check-the-box compliance. Even worse, in six months’ time they will be checking boxes that are no longer relevant given technical advances. And for most legislative bodies around the globe, updating legislation is not something that happens with sufficient pace to keep up with technological change. In my view, the best path forward, from a cyber policy perspective, is to require regulatory notification of meaningful breach events combined with the development of a standard of care that is capable of evolving with changing technological means. The standard of care concept is important, as it cannot be the case that every breached company has committed a legal violation. In many breaches, particularly those involving sophisticated nation-state actors, a company with perfectly reasonable safeguards in place can still be breached. In other cases, breaches clearly result from a negligent failure to safeguard information. In those cases, enforcement actions should be taken, and the results of those enforcement actions should help to flesh out a meaningful standard of care.


Technology moves at a fast pace and new ways in which to break the law in cyber space are being found all the time. Can legislation ever keep up? How?

I don’t believe that cyber criminals are put off by laws. That’s why they’re criminals. The truth is there is a cyber arms race taking place at this time, and companies are well-advised to look to their information security colleagues, and not legislators, for help in defending against cyberattacks. Given the nature of the threat, cooperation among and between both industry and law enforcement, although at times controversial, is also an important piece of the puzzle. Of course, finding the right balance between privacy and security when it comes to such information sharing initiatives can present challenges.


Do you have any thoughts on the recent cybersecurity scandals involving Yahoo and the Panama Papers?

These incidents provide good examples of how ubiquitous the cyber threat has become. All companies, including technology companies and law firms, are potential victims. The Panama Papers case was alleged to have resulted from a disgruntled employee, which is often an underappreciated risk for companies focusing their efforts on outsiders. Companies can learn from these events so that they are prepared to address breaches arising from all of the various threat vectors, including cybercriminals, nation states, activist groups and insider threats.


Is there a prominent case involving the ‘remediation of large-scale data security incidents’ in which you have applied particular thought leadership? Please explain.

At Hunton & Williams we have handled well over 1,000 security breaches since the first breach notification law in the world in California came into effect in 2004. Many of these breaches have been watershed events in the industry and have served to shape how companies respond to these events. I am particularly proud of the work we have done on behalf of clients in this arena on a global scale. As I mentioned, outside of the US, breach notification law has been more art than science in the past decade. Through our work, we have developed significant expertise in assisting clients with responding to breaches at scale that impact numerous jurisdictions around the globe. This is very challenging work that requires a nuanced understanding not only of the legal requirements around the world, but also of the practical business considerations necessary to help clients manage extralegal – and in many cases existential – risks to their business.


Do you have a motto or mantra you live by in assisting your clients with cyber law?

Robert Mueller, the former US FBI Director, famously quipped that “there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” Knowledge is power, and understanding the ubiquity of today’s cyber threat is critical to ensuring that you are prepared to successfully manage a data breach event.


Is there anything else you would like to add?

Organisations that manage cyber security successfully are those who have moved information security from the dusty basement to the C-Suite. How you secure the data entrusted to you is a strategic management issue and, in today’s day, simply must be embedded as a core value within your organisation.
