
TAG Cyber Law Journal

August 2019
In the uncertain world of cybersecurity, collaborating is more important than ever.
ACC Foundation
The lunch panel (from left): Jim Goepel, Robert Kirtley, Aliya Ramji (on screen), Richard Stewart and Erin Tolfo
By David Hechler
CYBERSECURITY IS A CONCERN THAT CROSSES BORDERS just as surely as data does. And the Association of Corporate Counsel Foundation decided to underscore the point by, for the first time, holding its summer Cybersecurity Summit outside of the United States.
    The July 11 conference was held in Vancouver this year (a far cry from its January conference in Washington, D.C.), and panelists from the U.S. and Canada shared the spotlight. They assessed the worldwide impact of new privacy legislation, discussed the implications of AI in the workplace and considered the profusion of ransomware attacks. An audience member even described how his company was hit with what must have been one of the most benign such attacks on record.
     The day started with The State of Cybersecurity Report. As the session progressed, and as the day unfolded, two themes emerged. For those who work in this field, it’s a period of great uncertainty. At the same time it’s rarely been clearer that, in order to achieve greater security, colleagues need to learn to collaborate.
     The report told a story of uncertainty. The EU’s General Data Protection Regulation (GDPR) went into effect last year, but as panelist Amy Yeung, deputy general counsel of Comscore, noted, there was little data on its impact. Most of the investigations that have led to recent penalties predated the GDPR, she said.
     Artificial intelligence (AI) has been introduced fairly broadly now, Yeung continued. But few regulations have followed. They seem years away. And there’s even greater uncertainty in the world of politics. Look no farther than Brexit, she said.
     The panelists' best advice was to work closely with colleagues. Stephen Kaplan, the general counsel and chief privacy officer of HealthPlanOne, spoke about his company’s tech team. Lawyers can talk policy, he said, but the tech people “make things happen for us.” They not only inform him of problems, they tell him what to do—and help him do it.
     Lindsey LeClair, director of legal affairs at First West Credit Union, used to work in retail, where there wasn’t much collaboration, she said. In her current position, there is. And that’s a big improvement. She also makes a point of keeping in touch with outside experts, she added, some of whom she recognized in the audience.

Uncertainty Redoubled
One of the breakout sessions that followed was devoted exclusively to privacy. It began with a law that is not very well known in the United States and is, at the moment, a source of great confusion: Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
     It governs the way private sector companies collect, use and disclose personal information in the course of their commercial operations, explained Jane Percival, chief privacy officer and associate general counsel of BMO Financial Group. It also applies to how federally regulated entities handle the personal data of their employees.
     Companies are held broadly accountable for protecting personal data, Percival said, and consumer consent is generally required to collect, use and disclose their data. Though it resembles the GDPR in some respects, there are significant differences.
     Breaches must be reported "as soon as feasible" rather than within the 72 hours required by the GDPR, and companies must record every single incident of a breach of security safeguards. And the law does not carry the threat of huge fines, as the GDPR does. The federal privacy commissioner cannot issue orders or impose monetary penalties, Percival pointed out. He can only issue non-binding findings and refer cases to the federal courts, though he has argued that this should be changed.
     But in April, there was a sudden, blockbuster development. The privacy commissioner issued a consultation in connection with a proposed reinterpretation of PIPEDA’s rules governing transfers of personal information to third parties for processing. Then, the following month, the Canadian government introduced a new Digital Charter. It proposed 10 broad principles to govern the use of data in the digital world, including modernizing PIPEDA. The commissioner suspended the consultation, and issued a "reframed" version on transfers for processing in June.
     The commissioner's proposed reinterpretation of PIPEDA left lawyers "gasping," Percival observed. One lawyer said he was having “an out of body experience” trying to take it all in.
     The discussions of the GDPR and the California Consumer Privacy Act (CCPA) could not match that drama, but the panelists found plenty to chew on. Romaine Marshall, a partner at Stoel Rives, talked about the GDPR provision that has drawn so much attention: the 72-hour deadline by which a company must report a data breach. “That’s unfathomable,” Marshall said. In his experience, a small or medium size business will require “at best a week.” Usually longer.
      He’s not sure how scrupulously the rule has been enforced, but companies have reported breaches two or three times as often as they did in previous years, he said. Companies seem to be reporting just to be safe, even if they’re not sure whether there’s actually been a breach.
     Next came the CCPA. Asha Muldro explained why so many lawyers are frustrated with a law that doesn’t go into effect until January and is still a work in progress. A senior managing director and deputy general counsel at Guidepost Solutions, Muldro is based in California, where she’s watched the questions mushroom. 
     “It’s kind of a mess,” she said. And proposed amendments are still being drafted. “It’s still not clear what it’s even going to look like.”
     Percival noted that much of the frustration is the result of vague language. One example that Muldro cited is that companies are responsible for what vendors do with their data. But they may not even know all the vendors this includes. What if some vendors are getting the data from other vendors? Is the company responsible for them, too? Where does it end?
     There’s one key vendor in-house lawyers may not even be thinking about. “What about your outside counsel?” asked Ryan Spelman, senior manager at CyberClarity360. “Are you familiar with what they’re doing with your data?”

Bringing AI to Work
Another breakout session offered a grab bag of topics. It covered AI, cyberattacks and the workforce.
     The portion that focused on AI reviewed both the broad range of its uses and the legal complications that sometimes follow.
     There are certain things that machines are better at, said Patrick Huston, and certain things that humans do better. And we need to be careful, he advised. Huston is a lawyer and the commanding brigadier general at the U.S. Army Judge Advocate General’s Legal Center & School. One issue he deals with at work that can provoke controversy involves autonomous weapons, he said. That put his comment on the need for care in context.
     In a very different realm, Natalie Pierce, co-chair of Littler’s AI, Robotics and Automation Practice Group, noted that the Illinois legislature recently passed a law that established rules that companies must follow when they use AI to evaluate job candidates.
     Amazon, long a leader in workplace automation, was one of the first companies to make news by using an automated recruitment tool that was found to be biased against women, according to panelist Melloney Douce, general legal counsel of Rolta AdvizeX Technologies.
     The panel went on to discuss a variety of topics and then invited questions and comments from the audience. The subject of ransomware had come up, and one member of the audience wanted to share his own company’s experience, which, improbably, turned out to be a good one.
     The lawyer later introduced himself as Scott Hilsen, the assistant general counsel and chief compliance and privacy officer of a $7 billion automotive company. He explained at the conference that the data that was encrypted by the hacker was not information that was critical to the company. So they had an internal debate about whether it made sense to bother paying the ransom. In the end, they did—in part because it was only $600. 
     But that wasn’t the end of the story. After they paid and were able to retrieve their data, Hilsen said, the company received a nice email from the perpetrator telling them what he’d done, and how to remedy the problem. Which, in retrospect, was probably worth a lot more than $600. It was almost as though they’d been tutored by a white hat hacker, who even discounted his rates.

Lessons About Cooperation
There were two presentations during lunch, and they also emphasized the importance of cooperation, though in very different contexts.
     The first was a 15-minute video that Microsoft president and chief legal officer Brad Smith provided. Microsoft was one of the conference sponsors, and Smith had been invited to speak on a subject he has long championed: the need for greater international cooperation to effectively combat the threats to peace in cyberspace. He wasn’t able to attend, but the video was his own State of Cybersecurity Report.
     The dangers keep mounting, Smith said. The technology that has done so much to improve our lives has been turned against us by cyber criminals. They are relentless in their attacks, and they are constantly refining their methods with new tools. “Put it all together, and what we see is a threat landscape that continues to grow in severity, with better technology,” he said.
     “The good news,” he continued, “is that we’re getting better, too.” But to have a chance to defeat the constant assaults, we need to collaborate. And we’re finally showing signs that we can do that. As evidence, he pointed to the international alliances that have been forged over the past few years, including the Cybersecurity Tech Accord and the Paris Call for Trust and Security in Cyberspace. Smith encouraged more work along these lines, including conferences such as the one at which he was speaking.
     When Smith finished, Jim Goepel, CEO and GC of Fathom Cyber, introduced the panel he was moderating. The topic was how general counsel can forge alliances with their companies’ chief information security officers (CISOs) and boards of directors. Where Smith had been talking about alliances between companies and between countries, this panel was dispensing practical advice to help lawyers and their colleagues be more collegial.
     Erin Tolfo, legal director of business operations and privacy at Coast Capital Savings Credit Union, kicked it off with some simple advice. You need to focus on common ground, she said. A good place to start is paying attention to the customers, rather than worrying who’s in charge on the team that’s serving them. A couple of minutes later, she added a catchy slogan.
     You need to change the image of the legal department from the “Department of No to the Department of Know,” she said, spelling it out.
     Robert Kirtley said that the place to start is to understand the business, and what all the people there do. Not just the CISO, said Kirtley, cybersecurity director at iDiscovery Solutions, but the CFO. And all the rest. Then, when you go to the board and management for security funding, pitch it with the return on investment in mind. Tell them that the money the company invests in security will be far less than the company may have to pay in fines—if it doesn’t make that investment.
     Aliya Ramji had an interesting perspective on this. She’s senior director for legal and corporate affairs at Figure 1. And because it’s a small startup, she’s very much in touch with her colleagues, asking questions every day to keep up with developments.
     But for her, that wasn’t enough. Management is really pushing cybersecurity and so-called privacy by design on the tech team, she said. That meant that she had to work very closely with them. So Ramji took a course to learn enough tech to communicate with them in their language.
     Richard Stewart works in a very different world. He’s deputy general counsel of technology and operations at BMO Financial Group. He’s also the chief knowledge officer. So it’s a very different challenge for him to stay in touch with the business. But it’s particularly important, he said, because he now participates in strategic decisions. Which means he almost needs to meld with the business side.
     During a recent high-level meeting, one of his colleagues turned to him and said, “Oh, I forgot you’re a lawyer here.” Which is just what he’d been aiming for. “It’s a proud day,” he said, “when the executive sitting next to you says that.”

Back to Basics
One of the day’s last discussions was called “Lessons Learned from a Breach.” It helped bring the conversation back to fundamentals. Early on, Milan Zivkovic, former chief information officer at the giant parking management company Impark, succinctly defined a secure computer. It’s one where there’s no internet connection, he said. The hard drive has been removed. And it isn’t plugged in.
     Zivkovic was not playing comedian in the session. He was the reality check. Again and again he asked a question that ran through the discussion like the chorus of a song. “Why do you want to keep the data? What do you need to protect it for?” And once, “How much are you willing to spend?”
     They talked about the high-profile breaches that make the headlines. But panelist Jade Buchanan, an associate at McCarthy Tetrault, said that small-scale breaches have also ramped up. Like from laptops. This happens a lot, he said, and if you’re a GC and you’ve never heard about it, that may signal your company has a communication problem.
     Some corporations are taking measures to shore up cybersecurity by controlling employees’ online behavior. Melloney Douce, general legal counsel at Rolta AdvizeX Technologies, said that her company has blocked Facebook, Gmail and use of USB ports on work computers.
     Her fellow panelist Marilyn Loewen Mauritz, chief transformation officer at Central 1, said that some companies are hoping that, when the inevitable breach occurs, it’s a small one. Just enough to wake the company to the dangers without devastating the business. In such a case, it might even be a boon.
     Zivkovic said that fines for breaches, which are a new development, might also have positive effects. They get people’s attention, he noted.
     As they were wrapping up, each panelist left the audience with a takeaway. Zivkovic offered the same refrain: “Why do you want the data? Why do you want or need to store it?”
     And it seemed to have gotten into Buchanan’s head. “That’s a good point,” he said. “We hear that ‘data is the new oil.’ But I don’t store oil in my garage. We should be worried about oil spills.”