Legally Bond

A Special Episode Celebrating Cybersecurity Awareness Month

October 10, 2023 Bond, Schoeneck & King PLLC
Legally Bond
A Special Episode Celebrating Cybersecurity Awareness Month
Show Notes Transcript Chapter Markers

In this episode of Legally Bond, Kim speaks with Bond's cybersecurity practice group about the importance of Cybersecurity Awareness Month. Bond attorneys Amber Lawyer, Jessica Copeland, Mario Ayoub, Shannon Knapp and associate trainee Victoria Okraszewski discuss the firm's practice group and why it's important for organizations and individuals to always remain vigilant against cyber-attacks.

Speaker 1:

Hello and welcome to Legally Bond, a podcast presented by the law firm Bondchank and King. I'm your host, kim Wolf Price. In this episode, we're speaking with a number of attorneys at the firm who practice in cybersecurity and data privacy. Why? Because October is Cybersecurity Awareness Month, so I'm going to start by welcoming all of them to the podcast and hope that our listeners enjoy this special episode. Hey, amber, welcome back to the podcast. Hi, kim, thanks for having me All right. So will you remind everybody your name and your role at the firm Sure.

Speaker 2:

Hi everyone. My name is Amber Lawyer. I'm deputy chair of the Data Privacy and Cybersecurity Practice Group at Bond and I'm a member of the business department here.

Speaker 1:

Very good, and you are out of our Syracuse office. That's right. I sit in Syracuse, very good, just a couple floors above me here in the Syracuse office, all right? Well, so, as you well know, amber, the reason we're putting together this podcast is because October is National Cybersecurity Awareness Month here in the US. I mean, actually, it's the 20th anniversary, I believe, of that month, and I was hoping that we could talk about the purpose. So is the purpose to increase the general knowledge base so people or businesses can know more about how to be safe and secure online?

Speaker 2:

Yeah, that's exactly right, kim. So in 2004, the US government decided to declare October National Cybersecurity Awareness Month and since then we've celebrated the month as a dedicated month for entities and individuals and folks in the cybersecurity industry to collaborate and work together to raise awareness for cybersecurity and for cybersecurity risks.

Speaker 1:

So, amber, what are some of the things Bond has planned and your team around cybersecurity awareness month to help educate businesses?

Speaker 3:

So every year Bond tees up several events for our clients and individuals and folks in the industry to kind of raise cybersecurity awareness and to discuss cybersecurity risks. So this year, beyond the lookout for a couple of really interesting topics, including a webinar on cybersecurity insurance and risk mitigation techniques for cybersecurity threats, including physical, technical and administrative safeguards that entities and businesses can put in place to kind of mitigate risk and also to lower insurance premium, so that should be fairly helpful for many businesses out there. And then also BMO look out for information, articles, blasts, memos in relation to new cybersecurity laws, cybersecurity mandates and enforcement of cybersecurity law. And that includes New York's SHIELD Act, which has a cybersecurity mandate, and so we'll put out some more information on that and enforcement we're seeing out of the AG's office. And then, finally, we're going to present some information on artificial intelligence tools and cybersecurity risk to take into consideration when talking about AI.

Speaker 1:

AI is the thing we're going to be talking about a lot in the next years in November. That's right. That's right. Well, so it seems to me that you have a ton of stuff planned, and always it's great resources educating people, letting them know about the risk, and it seems like awareness of the risks is key in cybersecurity protection, isn't it?

Speaker 3:

Yeah, that's right. There's no getting around it anymore. So what I would say is, in the last five years, we've seen a massive increase in cybersecurity threats, and I think most people nowadays are generally aware of cybersecurity risk, probably because they've either been notified that their information has been compromised or they've seen the massive cybersecurity hacking events that have happened throughout the United States and the world. But what that really means is we need to stay informed and, because this is constantly evolving, the individuals need to stay on top of it, stay informed, know the risks and then try to respond, and we want to be proactive in our approach to cybersecurity threats instead of reactive.

Speaker 1:

There's no hiding from this. It's an area that is also constantly changing, isn't it? That's right.

Speaker 3:

So we never know where the next cybersecurity threat will come from or how it will come for our clients. But what's really important is that individuals prepare, so businesses prepare incident response plans and have adequate cybersecurity measures in place, and that we're really aware of what obligations we have in the event of a cybersecurity incident. And it's much easier to do that before an incident occurs than after, and that's really what our goal this month is is to inform folks, keep them aware and to start putting those plans and procedures in place. Thanks, Amber, Thanks Kim.

Speaker 1:

Hi, Jessica. Welcome back to the podcast. Thank you, Kim. As we get started, do you mind just reminding everyone your name and your one of your roles, at least at the firm Sure?

Speaker 5:

Jessica Copeland. I'm a member in the Buffalo Office and I am the chair of the firm's cybersecurity and data privacy practice group.

Speaker 1:

Well, that makes perfect sense because we're talking about cybersecurity awareness month, so of course, we want to make sure you're a cornerstone of this podcast episode, and one of the things I really appreciate about this group is that it's a really deep bench. There are a lot of attorneys, there's your core group, but a lot of other folks at the firm. So can you tell us a little bit about the practice group generally and what types of lawyers are involved in this practice?

Speaker 5:

Sure. So the practice group includes associates and members that are full-time dedicated to cybersecurity and data privacy practice, and then we have additional associates and members that are in different practice areas or practice groups, and that provides for sort of a cross-sector, cross-industry perspective on the ever-changing data privacy laws. Some of the groups include higher ed, labor and employment, intellectual property, health care and litigation.

Speaker 1:

And so every sector, in every industry is touched by cybersecurity.

Speaker 7:

Absolutely.

Speaker 1:

So that's why it's so good that you have all of these other folks, your partners and associates throughout the firm that you can call on from the different industries.

Speaker 5:

Well, as you know, I'm speaking to the choir here, but diversity of perspective provides significant value to our client base, as we serve clients in every industry and sector, from Fortune 500 companies to non-for-profits. We're in the health care space, we're in the financial industry space and manufacturing. So having a deep understanding of the industry we're serving, coupled with the comprehension of data privacy laws, is really critical and valued by our clients.

Speaker 1:

And it must be kind of fun for you to get to work with so many different people at the firm.

Speaker 5:

Oh, absolutely. It has permitted me, especially joining the firm right before COVID. I've had the pleasure of meeting people from every office that we currently have which we've brought on new offices, but I've recently spent time in our normal office, the New York City office. I regularly go to Syracuse and Rochester and that's because of the relationships, frankly, that were built on Zoom and Teams.

Speaker 1:

Yeah, that's amazing and I think that's a good point too that we do really cover all of New York State and your team in cybersecurity and data privacy, touch all of our offices and can really help everyone.

Speaker 5:

Yes, and including, you know, in Florida and Oberlin Park. So it's a very unique opportunity with cybersecurity because it's not necessarily regionally based. Obviously, there are state laws, there are international laws, there are federal laws, but we're educated and certified in all of the applicable data privacy laws impacting our US based clients.

Speaker 1:

That's fantastic, All right. Well, you know that I can't have a conversation with you without turning to some kind of a little more nerdy and substantive topic. So I need to ask you, like what is the first step if a business thinks there's a breach?

Speaker 5:

Well, the first step is to look at your incident response plan. Hopefully you have one and hopefully your company takes time to do what's called the table top exercises, to make sure that it's not a plan that's drafted and stuck in a file cabinet whether it's a digital file or, you know, in an actual hard file cabinet. You need to take that plan out, you need to exercise it, you need to make sure that it's effective on that bad five o'clock on Friday moment where there's a ransomware attack or you recognize that emails are not getting to the recipients that you sent them to and therefore there might be a business email compromise causing it. So, having an incident response plan and then knowing who's the first person to contact, is it the IT help desk? If you already called the help desk, have they notified the GC of the company or the CIO or the CEO? It's really organization dependent plan. If there's no right size, there's no right line of who to call first, other than if there is insurance, contact the carrier and if there is counsel that who rely on regularly either for corporate matters or for cybersecurity matters, contact the lawyer initially as well, so that the communications can be protected as privileged.

Speaker 1:

Thanks, jessica. Well, hello Mario. How are you? Thanks for coming back to the podcast. Will you mind just telling the listeners your name and your role at the firm?

Speaker 4:

Hi Kim, thanks for having me back on. My name is Mario Ayoub, I sit in the Buffalo office and I'm a data privacy and cybersecurity associate.

Speaker 1:

That's fantastic, so I'm going to start with this question for you what is cybersecurity and how is that different from data privacy?

Speaker 4:

It's interesting because data privacy and cybersecurity are often mentioned in the same breadth and sometimes are used interchangeably, but there are some key differences. Cybersecurity pertains to the protection of data when it's on an information technology system and safeguarding that data In the applicable laws and regulations. We typically see these safeguards, these cybersecurity safeguards, in three separate categories. Those are administrative, technical and physical safeguards, so I'll talk a little bit about each briefly. Administrative safeguards are really what types of policies does an organization have in place that governs the use of data, where things are stored? What types of security is implemented? It also concerns how to respond to a data breach or an incident, an interruption in business, with a mind toward protecting data both at rest and in transit. Physical safeguards for cybersecurity include a lot of things that we're familiar with, like two-factor or multi-factor authentication, encryption when you're sending things through email or other means, data backups, the technical aspects of protecting the integrity of data, and then physical, physical controls are very important too. So if your server room doesn't have a lock on it, that's obviously a cybersecurity risk. Are there cameras set up in your buildings? Are there unique access numbers to log who's coming in and out of areas that have access to cybersecurity resources. So that's cybersecurity in a nutshell is the protection of data. Privacy, on the other hand, is making sure that you are using data in line with the consumer's preferences and individual's preferences pursuant to applicable law. So we're familiar at this point with the GDPR, the CCPA, the California Consumer Privacy Act, which affords certain privacy rights to consumers, such as the right to access what information a company has stored about them. The right to correct that information if it's inaccurate, especially in situations where that could lead to an adverse credit decision or something that can significantly impact a consumer's life. The right to delete data. Maybe they provided information to a company but no longer want to have a business relationship with that company. They need to have the right to remove it. So data privacy is really looking at how this data is used, how companies use it in line with both privacy laws and stated preferences from consumers.

Speaker 1:

Well, we'll get more into that data privacy part, I think in January when it's Data Privacy Awareness Day. But for cybersecurity, I really appreciate you going through that conversation and the difference it seems like with the administrative, the technical and the physical. Cybersecurity is something that has to be on business leaders' minds all the time, isn't it?

Speaker 4:

Yeah, absolutely, and cybersecurity is not industry specific, it's not market specific. It is something now that everyone has to pay attention to. We all use web apps, we all store data in cloud environments or even in physical servers. There's a common misunderstanding that, well, if I'm a business leader and I store my client contacts on certain vendors' software, they're responsible for the security. But a lot of the times, the new laws that are coming out now are putting responsibility on those business leaders to vet those vendors, to vet those software companies that they rely on for their business. So, even if you're not storing this data directly, you're still responsible for any data in your possession or that you use a service provider for. So cybersecurity is important across industries. Thank you.

Speaker 1:

Well, that's sorry. Thanks for that Submarine. You're right, every industry has to be paying attention because there's no hiding from it, which I think a lot of people may have tried to do at the beginning, thinking it didn't have anything to do with them. So, while we'll have to have you back soon, mario, to talk about some of the new cases and developments, Definitely Looking forward to it.

Speaker 4:

Thank you for having me back on.

Speaker 1:

Thank you, hello, victoria. How are you? You're well, how are you Very good, all right. So, Victoria, will you tell us your name and your role at the firm?

Speaker 7:

So my name is Victoria Okazewski and I am an associate trainee.

Speaker 1:

Terrific. So you're an associate trainee. That means that you graduated just a few months ago from law school. Right yeah, in May, in May from.

Speaker 7:

University at Buffalo. No, I actually went to New York Law School in the city, oh you went to New York Law, all right, great.

Speaker 1:

So New York Law is down not to like off Fifth Avenue.

Speaker 7:

No, it's in Tribeca, it's off of Chambers and it's on West Broadway. So it's Chambers and West Broadway.

Speaker 1:

Oh, chambers and West Broadway Very good. So it's a little bit different to be back in Buffalo then.

Speaker 7:

I mean, I've never been here before. I moved here and this was my first glimpse because I went apartment funding during bar prep, so I didn't actually make it down to Buffalo up to Buffalo actually so my moving day was my first step.

Speaker 1:

Very good. Well, it's a good town and it's a good time of year to be there, because it's lively and everyone's got a lot to say about Josh Allen and the Buffalo Bills. Oh yeah, I've heard all about him. Well, very good. Well, welcome to Upstate Western New York. We're glad you're here. So, as I mentioned, you're a new law graduate and you just joined the firm a few weeks ago. What drew you to the practice of cyber security law?

Speaker 7:

So one thing that really drew me to it was the unknown. So I feel like people haven't really paid attention to privacy or cyber security since the GDPR came out in the EU in 2018. So it's still relatively new and emerging, and it was kind of like all of us are in this together, we're all interpreting it together. We're all just in the world of unknown and every day it's changing. Every day New laws are being enacted or new policies and new decisions, so it's really interesting.

Speaker 1:

Yeah, it's kind of a fun emerging area of law. Are you enjoying the work so far?

Speaker 7:

Yes, a lot of it has been researched because, like I said, there's just so many things happening. So I recently just worked on the FTC a law close of the FTC decision imposing individual liability on the CEO of Drizly, which was something that's never been heard of other than I believe it was Uber CEO had a criminal conviction for his role in a breach that they had a couple of years ago. So it's been really interesting and the FTC is starting to crack down on even AI, so starting to get into that and it's really interesting so far, Very good, all right.

Speaker 1:

Well, thanks for joining us on the podcast to celebrate Cybersecurity Awareness Month, and we'll have to have you back again soon. Thank you so much. Hey Shannon, how are you Good? How are you? I'm good. Thanks for joining us back on the podcast. Will you tell us your name and your role at the firm, to remind, everybody.

Speaker 6:

Yeah, my name is Shannon Knapp. I am now a fourth year associate at the firm and I am part I know it's not wild I'm part of the cybersecurity and data privacy practice group.

Speaker 1:

I'm sorry I'm still pausing on that fourth year associate moment I like oh my gosh, last, I knew you were a second year last student. What happened all these years? So well, it's great. I'm glad that you're here with us as a fourth year. Well, I wanted to talk to you today about all the certifications. So you had this law degree and you then, you know, you took the bar exam and you have a law license. But there are a lot of certifications on top of the law, certifications that are really helpful to clients in areas of cybersecurity and data privacy. So, do you mind, can you talk a little bit about that? And then the certifications that you and some members of the team have.

Speaker 6:

Yeah, absolutely so. As the cybersecurity and data privacy area of the laws developed, there's these additional certifications that are becoming increasingly useful, and I keep kind of comparing it to how intellectual property attorneys kind of have to go through additional training and things like that to have the technical knowledge for what they're doing. It's kind of a similar idea, although not quite as intense as what the IP attorneys have to go through with the patent bar. So there's these additional certifications that we can obtain through the International Association of Privacy Professionals, or IEPP, and they're usually on various privacy laws throughout the world. And so, for example, myself, jessica and Amber all have a certification in the United States Privacy Landscape, and so what we do is we take like a course and study for this exam, and then we take an exam and if you pass you obtain the certification and you have to do kind of like CLEs, but they're equivalent of that, so like continuing education type credits to stay on top of things. And then other jurisdictions have the certifications as well. So I have the CIP Asia, so I'm certified in various Asian privacy law, and I just obtained that a couple months ago. And Amber is certified in the EU, so she has a certification for the European Union's privacy law. And then there's also Canada, and it sounds like IEPP is also developing some new ones as well, like maybe something with AI and some other things, kind of keeping up with the various changes in cybersecurity and data privacy that are occurring, I think that just shows how broad this field is and how many different laws come into play at any given time in cybersecurity and data privacy. Oh yeah definitely.

Speaker 1:

It's just like you have to. There's so much Victoria talked about how it's an emerging field and you have to sort of stay on top of everything. These certifications must be a good way to sort of help you keep your arms around it, because you do have those continuing ed credits as well as having intensely studied for the exam.

Speaker 6:

Yeah, absolutely, it's really cool. It's a really cool opportunity to expand knowledge and help our clients. I got a really good in depth view of privacy law in Asia, and particularly like in India and Hong Kong and Singapore, that I wouldn't have gotten otherwise, which is really cool, especially some of those areas growing in the tech industry and our clients interacting with them more, whether it's higher ed clients through international students or companies working with people in those areas. It's definitely helpful knowledge to have, because privacy laws get implicated a lot more than I think people realize, especially internationally.

Speaker 1:

Yeah, I'm sure. So these must be important to the practice group, not only to sort of promote and sell the group, but also for you all to share that knowledge with each other.

Speaker 6:

Yeah, it's definitely very helpful. It's nice that we all have like a very solid baseline knowledge of kind of all the things to issue spot, but then we all have some what varying levels of experience with different laws that we can help each other out.

Speaker 1:

That's great. Well, I think that I didn't know I was going to see you take so many tests when I first met you.

Speaker 6:

I know already have taken two more. And then there's also these other certifications that you can obtain. One is very IT specific, so it's usually for people who are actually in the IT field a little bit more, and not a lot of attorneys take it. But then there's also the SIP management, which has to do with managing, like, cyber security and data privacy, relationships with clients and how to manage things like an incident response and things like that, and that is one that I think we're also looking at taking, because the ABA and IEPP have partnered and if you obtain the SIP US and the SIP M, you can then receive this credential where you're a certified information attorney.

Speaker 1:

So there's always more. You're going to be taking more tests, Shannon?

Speaker 6:

Yeah, at least one more Right Go from there.

Speaker 1:

Very good. I think we go to lunch usually after. Somehow. You're always like, yeah, and then there's a lunch we're supposed to be at, so let's plan that for next time. I like it All right. Thanks so much. Thank you, jessica. I want to give you the final word for the podcast today on issues relating to cybersecurity because, I'm going to say it again, it's Cybersecurity Awareness Month and there's so much that your team is putting together for the month. What are some final thoughts as we wind up this podcast?

Speaker 5:

Well as it relates to cybersecurity. I will repeat the same mantra I have been professing since I started in this area of law over 10 years ago Stay vigilant and train your workforce to remain vigilant. We can learn tough lessons from highly publicized data breaches and most recently, the MGM Caesar's Breach can inform us. So I'm not sure if you're familiar with that, kim, but most recently there has been a new cyber crime outfit, if you will, or family, referred to as Scattered Spider, and there means of infiltrating organizations is social engineering. They are mimicking the help desk or support desk of organizations, contacting employees and trying to obtain their access point into the network and as a result of that, they have their significant monetary loss and operational loss for MGM, and that same cyber crime outfit is likely responsible for the Clorox breach which is just now hitting the news, and it was a similar scenario, and they're still operationally not back to 100% and they're looking at revenue loss of over 28% over the last month because of the breach.

Speaker 1:

It seems like we should do a special episode on social engineering and that sort of entry point, and I think that your message of stay vigilant there's never a point where any business can let their guard down.

Speaker 5:

Absolutely so. If companies are looking to focus just one training in cybersecurity this month, it would be on recognizing phishing emails, phishing phone calls that are from cordially legitimate IT professionals within your organization that turn out to be trying to compromise your credentials.

Speaker 1:

All right, everyone. So be careful out there, be vigilant. Thanks again, jessica, for joining the podcast. Thank you again to all of the attorneys who joined us today. We wish them and all of you a wonderful national cybersecurity awareness month and that your data is all safe and secure. It's a good reminder to listeners to pay attention to how we act and interact in the cyber world, both for our businesses and for ourselves personally. Thank you, kim. Thank you for tuning into this episode of Legally Bond. If you're listening and have any questions for me, want to hear from someone at the firm or have a suggestion for a future topic, please email us at LegallyBondbskcom. Also, don't forget to rate, review and subscribe to Legally Bond wherever podcasts are downloaded. Until our next talk, be well.

Speaker 8:

Bond, seneca and King has prepared this communication to present only general information. This is not intended as legal advice, nor should you consider it as such. You should not act or decline to act based upon the contents. While we try to make sure that the information is complete and accurate, laws can change quickly. You should always formally engage a lawyer of your choosing before taking actions which have legal consequences. For information about our communication, firm practice areas and attorneys, visit our website legallybondcom. This is Attorney Advertising.

Cybersecurity Awareness Month and Bond's Plans
Data Privacy and Cybersecurity
Cybersecurity Certifications and Importance
Legally Bond