eWhite House Watch - Full Article

Georgetown’s Third Annual Cybersecurity Law Institute – A Recap of Informative Programming

The Georgetown University Law Center held its annual Cybersecurity Law Institute on May 20 and 21, 2015.  The event, billed as the only cybersecurity conference geared primarily for attorneys, focused on providing both practical how-to advice for attorneys working on cybersecurity while also discussing the future of cybersecurity.  eWhite House Watch had the opportunity of attending the conference as part of the Institute’s Press Corps, and found the sessions and networking opportunities fascinating.

 

The highlight of the event came on its first day when both James B. Comey, the director of the FBI, and Leslie Caldwell, Assistant Attorney General in charge of the DOJ Criminal Division, spoke to the assembled conference goers.  Director Comey demonstrated a solid understanding of the cybersecurity threats facing the nation.  He repeatedly emphasized the importance of private companies’ collaborating with the FBI to address the most pressing of cyber threats.  He noted that even though the FBI has not always had a stellar record in working with the private sector, it hastaken great steps to improve its relationship with private enterprise since the financial attacks of 2012.

AAG Caldwell stated that “we need to have a real sense of urgency when we talk about cyber crime.” It is the most international of criminal activity and, as such, the CCIPS (Computer Crime & Intellectual Property Section) of the DOJ has made a concerted effort to work with its international and private partners to track down and prosecute foreign criminals.  AAG Caldwell noted that earlier this year, the DOJ had worked with INTERPOL and foreign authorities to arrest notorious Russian hacker Roman Seleznev while he was on vacation in the Maldives.

 

The program was also chock-a-block full of panel discussions designed to be useful for individual practitioners.  One of the reoccurring themes was that cyber threats were not an IT issue, they were a corporate issue.  Boards of directors and senior executives need to not only understand cybersecurity issues, but also they need to fully buy into their companies’ security programs and response plans.  More than one panel discussed the need to include senior executives in “tabletop”exercises practicing how the company will respond in the event of a cyber intrusion.  During one panel discussion, Ivan Fong (General Counsel for the 3M Company) said that Boards needed to address the “3 Rs” for cyber security: (1) Risk – a board needsto have an understanding of the cyber risks the company faces and to drill down on how those risks affect the company; (2) Resources – a board needs to ensure that the company has the personnel, the technology, and the processes in place to address a threat when it arises; and (3) Reediness/Response – senior management and the board should have a plan in place to respond when the inevitable intrusion occurs, senior executives should have a communications team ready, contacts with relevant law enforcement/regulatory agencies, and a plan tailored to address the specific needs of your company.

 

Peter Gleason from the National Association of Corporate Directors (NACD) noted that his organization had developed a Cyber-Risk Oversight Handbook for boards of directors, which received great praise from other conference attendees.

 

The conference also comprised a fascinating panel discussion regarding emerging trends in corporate liability resulting from cyberattacks.  The panel had representatives from the plaintiffs’ bar, corporations and the defense bar.  A lively, though good-natured, discussion ensued regarding what companies are doing wrong in terms of responding to attacks and how they can position themselves to better fend off litigation.  An interesting point that came out was that while companies are racing to collect data that could be used to analyze markets and customers, such efforts also create risks for the company – and if there is not a business reason to keep the data, then companies should question why they are collecting it.

 

Overall the conference was well organized and well received. Lawrence J. Center, Assistant Dean, at Georgetown Law and the administrator overseeing the event said that the school was “very pleased that in its third year [the conference] had more than doubled the total number of attendants” to more than 300 people in attendance at the conference.  He believed that this increase was “a reflection of the importance of the conference” as the institute “strives to be the premiercybersecurity conference for lawyers.”

Leave a Reply