Exclusive Q&A: Information Sharing from a Legal Perspective

26 August 2015


In preparation for the 2nd Annual Senior Executive Cyber Security Conference, I spoke with one of our featured speakers, Roberta Anderson, to hear her perspective on information sharing and data privacy. Roberta is a partner at K&L Gates LLP and co-founder of the firm’s global Cybersecurity practice group. She concentrates her practice in insurance coverage litigation and counseling and emerging cybersecurity and data privacy-related issues. In addition to helping clients successfully pursue contested insurance claims, Roberta counsels clients on complex underwriting and risk management issues. She has substantial experience in the drafting and negotiation of “cyber”/privacy liability, D&O, professional liability, and other insurance placements. Below are some highlights from our discussion.

1. What are your thoughts on the recent data breaches we’ve heard about in the news (e.g. Target, JP Morgan, and the federal Office of Professional Management)?
The recent breaches and headlines illustrate that every company is at cyber risk. Cyber attacks are on the rise with unprecedented frequency, sophistication, and scale, and they are pervasive across industries and geographical boundaries. With serious attacks on the rise, addressing and mitigating cyber risk is a top priority for organizations across the globe. It is abundantly clear that network security alone cannot entirely address the issue of cyber risk; no firewall is unbreachable, no security system impenetrable. An organization can have the best firewalls, perimeter security, end-to-end encryption, and updated antivirus software, but there always remains the human element that is so difficult to control.

2. Do you feel the government should play a part in keeping corporate America secure?
Some recent breaches carry broad implications surrounding national security. At least to the extent that attacks amount to state attacks on American companies or state-sponsored industrial espionage, which has been termed the “greatest transfer of wealth in history,” I do feel the government has an important role to play in keeping corporate America secure.

3. What role do you think education plays in preventing data breaches?
Education plays an important role in preventing data breaches. Although even the best cyber security can and does fail, the most secure institutions recognize that they need to be cyber-resilient in the wake of a breach and education is a necessary predicate to being cyber-resilient. Organizations are encouraged to educate themselves on how to be positioned to detect and efficiently and effectively respond to threats, to recover as quickly as possible in the wake of a breach event — with the minimum financial, reputational, and overall exposure to the organization — and to be defensible to customers, stakeholders, and regulators. Some of the key avenues to cyber-resilience include a thorough cybersecurity assessment, including penetration and vulnerability testing, ongoing threat monitoring, appropriate employee training, a solid business continuity plan, and a tested, vetted, incident response plan, which should be in place before a breach and should empower key individuals within the organization to take immediate action upon discovery of a significant breach event.

4. What are the legal implications of information sharing between the government and commercial sectors?
A major issue with information sharing between the government and commercial sectors has been that private sector organizations have legitimately been concerned that voluntarily sharing information will expose them to significant sources of potential liability. An organization must consider that disclosing an attack that may have harmed the company, for example, could potentially lead to a host of adverse consequences, be they in the form of class action litigation, shareholder litigation, regulatory action, or losses flowing from reputational harm. Simply providing certain types of information to third parties can and often does expose an organization to significant sources of liability, and an organization also must consider what responsibility the organization itself has with respect to information received from third parties.

5. What would your proposed solution be?
Information sharing can be a very useful tool in fighting cyber attacks. Increasing appropriate protections for private sector entities, together with the promulgation of clear standards and protocols surrounding information sharing, which expressly define and limit risk, will assist the effort to foster information sharing beyond what already is increasingly occurring within the private sector.

Hear more from Roberta and other featured speakers from the commercial, government, and non-profit sectors at COMPASS and the Johns Hopkins University Information Security Institute’s 2nd Annual Senior Executive Cyber Security Conference. This year’s topic of interest is the quandary of information sharing and data privacy. The conference is on Thursday, September 10th, at the Johns Hopkins University Homewood Campus.