Former in-house privacy and security director Peter McLaughlin of Burns & Levinson discusses how to prepare for inevitable cyber incidents.
CCBJ: Tell us about your background and your practice.
McLaughlin: I practiced law in Europe in the mid to late ’90s and helped many Irish e-commerce firms enter the U.S. market. When I returned to the U.S., I spent several years in-house and began to support internal data security clients in 2001. By 2005, I was the first chief privacy officer for a $100 billion multinational. For the last 12 years, I’ve leveraged my international background, my understanding of technology and my in-house experience to deliver practical advice to clients. Most of our clients are trying to apply new business models and technologies to manage confidential and personal data and support their own clients. It is a fun time to be in this field.
How does your past in-house role as assistant general counsel for privacy and security and global privacy director of a Fortune 20 healthcare company inform the work you do now for clients?
There are many excellent lawyers in this space, but nothing replaces the experience of being in-house. Few clients are interested in lengthy memos that provide no real guidance. The advice needs to be timely, concise and useful. It needs to reflect an understanding of the client’s business and help them manage their risks.
What type of privacy and cybersecurity issues are you helping your healthcare clients deal with? Is there a recent interesting project you can share with us?
Although my practice covers a range of sectors, some of the most amazing things are happening in healthcare. We are helping clients improve medication adherence, deliver medical services to patients’ homes and develop more secure medical devices. Technology is also enabling the expansion of tele-health, so people in rural areas can obtain the health support they need. We are also helping a number of international clients in preclinical and clinical trials adjust to changes in the European data protection rules.
You do significant work with companies in the internet of things space. What are some of the biggest issues facing IoT companies and their investors?
Data security is first (and maybe second and third). If a company cannot protect its data, then all other arguments – data ownership, privacy rights – are less relevant. How do we protect data within inexpensive IoT devices if good security seems too expensive? How do we update those systems? This applies as much to the industrial IoT as it does the consumer side.
Data ownership and who has what rights to the data (including any individuals) are also evolving. So many entities potentially touch IoT data, including the manufacturer of the device, a controlling mobile app developer, the smartphone producer, analytics firms and consumers. The estimates for IoT-generated data are staggering, and this raises questions of individual rights, anonymity and using data responsibly.
Are there some business sectors that are more vulnerable to cyberattacks than others?
Some business sectors appear to be behind the curve. The legal industry is one. Firms with seemingly impressive cybersecurity resources and investments have been massively affected as collateral damage in cyberattacks. Law firms have also been targeted because of particular clients and the desire to access that client data.
The financial and healthcare industries also remain particularly vulnerable despite how regulated they are and the sensitivity of their data. From the perspective of the opportunistic thief, health data – which is easy to access – is particularly valuable because it can be used for insurance fraud and identity theft.
Ironically, stolen payment card data is less valuable on the dark web because the card-issuing banks have become so adept at identifying fraud and reissuing cards. So each organization needs to consider how valuable the data it holds might be to a thief – rather than simply responding to regulatory requirements for data security – and develop a holistic approach to reducing that risk.
Do you think most companies are doing enough to protect their organizations? What can they do to improve?
There is no perfect security, so it’s hard to argue that any organization does enough. One of the challenges for organizations is to understand what data they have, where it is, what the value or sensitivity of that data is and how to protect it. Many organizations are investing significant time and resources, but the landscape is constantly shifting. Each smartphone, each IoT device, each service provider, each website constitutes a different potential access point to a company’s information systems.
But all firms can improve with information risk sharing. The bad guys communicate and share attack strategies. We need a safe means for organizations to share threat and vulnerability data, without being pilloried for unsafe cybersecurity or anticompetitive behavior. People within organizations represent both risks and benefits. Training employees helps significantly, but security that materially undermines the ability to work will be ignored and bypassed. Companies can do many things, but it always helps to have a third party review or assess an organization’s security practices. This can be a qualified law firm or security consultant. Best-case scenario is a combination of the two leveraging privilege to protect recommendations. This can be of any scope and doesn’t need to cost six figures.
How do you help companies prepare for the likelihood that a security incident will happen at some point? How do you minimize the fallout after a cyberbreach occurs?
Self-awareness and preparation are key. We view an incident as more of a certainty rather than a likelihood – not if but when. So companies need to develop a response plan, much as one practices building evacuations and fire drills. Tabletop exercises are one valuable way to help stakeholders understand their roles and how to collaborate under a stressful situation and engage with third parties, including legal counsel. When you are experiencing an incident, that’s not the time to prepare for or test your incident-response plan.
Minimizing the fallout depends on many things. Managing the communications in a timely manner is important, but the speed of messaging can undermine the accuracy of what is conveyed. That reflects one of the tensions in breach response, because there is an understandable desire to inform affected individuals as soon as possible. But with security incidents, the full facts often take time to appear.
The EU’s General Data Protection Regulation (GDPR) went into effect on May 25. What do companies need to know about complying with these complex new regulations?
The core components include understanding what personal data is collected, how it is used and what applications touch it. The GDPR also applies to U.S. firms that have no presence in Europe, depending on what sort of business the firm conducts. Covered personal data includes what is often considered innocuous business card data, so it is important for U.S. firms to learn enough about the law to determine whether and how it applies. Even though there may be a low risk of enforcement from EU authorities, multinational clients may demand compliance.
We also expect to see FTC enforcement against U.S. companies that claim to protect personal data in accordance with GDPR but are not doing so. While the FTC is not specifically an EU enforcer, companies in the U.S. believed to engage in deceptive practices may find themselves at risk at home.
You recently moderated a panel about data security and investing. What are the driving issues in this arena?
There are a few big themes when it comes to investing, which includes venture capital, private equity, corporate investment arms and acquisitions. In the Yahoo breach debacle, a material security issue directly affected pricing, and the company’s in-house general counsel took a heavy share of the blame for not responding and managing the response effectively.
Awareness of the risk by investors means heightened expectations of the company seeking investment or sale. If a company is looking to obtain investment, then it is more important than ever to make sure privacy and security programs are in place and effective. The failure to do so will affect discussions and obligations after closing.
We also see significant investments into cybersecurity startups. Technology and third-party services can be valuable solutions and may prove to be good investments. It remains to be seen how these play out, but there is no silver bullet.
What trends do you see on the horizon?
The expansion of robotics and IoT presents privacy and cybersecurity challenges. Artificial intelligence and machine learning will help us manage the massive volumes of data evolving, as well as in the cybersecurity field itself to combat threats and threat actors. Blockchain technologies may also yield more important products than bitcoin and could produce data protection tools and operational efficiencies. It is truly an exciting time for this field of law.
Peter McLaughlin is a partner in the intellectual property group at Burns & Levinson and leads the Privacy and Data Security practice, where he advises U.S. and international clients on their handling of corporate and personal information and complying with cybersecurity, privacy and data protection standards. Reach him at email@example.com.
Published August 31, 2018.