Legally Bond

An Interview with Amber Lawyer, Cybersecurity & Data Privacy

Bond, Schoeneck & King PLLC

In this episode of Legally Bond, Kim speaks with Bond attorney and co-chair of the firm’s cybersecurity and data privacy practice group Amber Lawyer. Amber discusses the distinction between data privacy and cybersecurity, provides updates on global and US privacy laws, and the new challenges that are arising from artificial intelligence.

For information on the Honda settlement discussed in this episode, click here.

Speaker 1:

Hello and welcome to Legally Bond, a podcast presented by the law firm Bond, Schoeneck & King. I'm your host, Kim Wolf-Price. In this episode we're speaking with Amber Lawyer. Amber is a member in the business department of Bond, focusing on data privacy. She's also the co-chair of our data privacy and cybersecurity practice group. She works out of our Syracuse office and that's the first time I got to introduce her as a member at the firm, which is pretty cool. So welcome back, Amber. Thanks for having me, Kim. Always great to talk to you. Well, for today I was hoping we could talk about the landscape of law governing data privacy. I know that there's lots of state laws, no federal law, many international laws, so give people a little overview and maybe talk about some of the recent decisions, trends or issues that are surrounding data privacy. Does that work for you?

Speaker 2:

That sounds great.

Speaker 1:

All right, terrific. Well, as you know, but it's been a couple of years, before we start talking about the law stuff, I like to talk about you a little bit, and especially before you start talking, and I feel the need to change all of my passwords and make sure all of my personal data privacy is up to date. So do you mind spending a few minutes talking about your background for the listeners? Whatever you'd like to talk about: where you grew up, law school, undergrad, things like that, your family.

Speaker 2:

Sure. So I grew up in Tupper Lake, New York, in the Adirondacks. I went to undergrad at St. Lawrence University where I studied government and economics with a public speaking minor. I went to law school at the Syracuse College of Law, which is where I met Kim. I also met my husband at the Syracuse College of Law, my husband Wes, who's also an attorney in Syracuse. We were lucky enough to welcome our son, Owen, last year. So I'm back into my first full year back after maternity leave, which has been fantastic. I got to Bond as a summer associate, so I started at the firm in 2016. I was lucky enough to get an offer to come back and I did the full Bond rotation and ended up in the business department and then slowly started to specialize in data privacy, cybersecurity and technology transactions.

Speaker 1:

Well, that's great. You know I'm a big fan of those two-lawyer families, particularly when they're two Syracuse law attorneys in the family. So thanks so much for sharing that, Amber. I think people just like to know that lawyers are real people, and on Legally Bond we hope that we're making sure everybody knows that a little bit. So, well, I'm sure that by now people listening have some sense of what the terms data privacy and cybersecurity mean generally. But do you mind giving us sort of a high-level overview or definitions of both and maybe what the difference is?

Speaker 2:

Sure. So data privacy and cybersecurity are obviously related. We hear them combined quite often, but they are distinct in that data privacy is really focused on the protection of a certain subset of information. So when we think about privacy laws, most people think of something like HIPAA that's focused on protecting health information, right, and so privacy laws really drill down on the type of information we're talking about and what standards need to be put in place to collect, use and process that information.

Speaker 2:

Cybersecurity is a little bit different. It also aims to protect information, but a cybersecurity law can focus on the actual security safeguards needed to protect a subset of information. So we may have a state cybersecurity law that requires the protection of all information and businesses have to comply with that law, and we may have a cybersecurity law that sets specific standards for protection of things like sensitive data. So when you think about your bank processing your financial information or health information or the data of children, we require certain firewalls, encryption methods, certain technology to ensure that that information is protected. So that's a little bit of the distinction between the two.

Speaker 1:

I think that's important. It's okay for the layperson probably to get them wound up a little bit, but it is good to know the difference between the two. So I also think it's important to remind people especially businesses think oftentimes that smaller businesses forget that these things may also apply to them. These are there's very broad application. Is it safe to say that if you're a small business in a small town but you sell online or otherwise have customer data or employee data, these laws apply to you?

Speaker 2:

Yeah, it is safe to say, and unfortunately, the way most of our clients learn about this is the hard way, where they're reacting to a legal issue instead of being proactive. Cybersecurity and data privacy laws can apply to entities all across the board: nonprofits, small businesses, large tech companies. They're designed to fold in everyone because, when you think about it, those entities all can process personal information. They can all be subject to a cyber attack. We've seen that in the manufacturing world, in the hospitality industry. Really runs the gamut there, so it does affect everyone. There are some laws that require de minimis thresholds, so we could have some small business exemptions, but it's really important for businesses to do an assessment before they're hit with a cybersecurity incident or before they're subject to a data privacy law, so that they can get compliant and make sure they're processing information appropriately, because the risk on the other side is really much greater when you're responding to an event instead of being proactive.

Speaker 1:

Yeah, that makes perfect sense, and it's one of those situations that we're assuming it doesn't apply to you is a really bad idea.

Speaker 2:

That's right. That's right. Especially because in the privacy world we see privacy laws that really can focus on sector-specific information. So you really want to ensure that you understand what you're subject to, what may be excluded or exempt, and have a good process moving forward.

Speaker 1:

And you actually, besides you know, successfully passing the bar exam and all of that, you have special credentials in this field, don't you?

Speaker 2:

Yes, I do. So I have passed two additional exams. I always tell people I never thought I would take another exam after walking out of the bar exam, but I have a specialty in European data privacy law and US privacy law, so I have passed those exams through the International Association of Privacy Professionals. So I am credentialed as a privacy professional under both European data privacy law and US privacy law.

Speaker 1:

That's great and that's why you hang out with those IP lawyers, because you guys like to have those extra tests that you take.

Speaker 2:

That's right. You know, anything to just set us apart.

Speaker 1:

Well, you mentioned that you also have the European and I really appreciate you talking about that. Four years ago, believe it or not, when you were on the podcast, we were talking about GDPR and things that have just I know things have evolved from there on the legal landscape. But will you remind the listeners like how did we get started? What's GDPR?

Speaker 2:

Yeah, sure. So when I started at the firm, GDPR was a thought that had come out of the European Union and some issued guidance had come out, and then in 2018, the regulation was passed, so it's the General Data Protection Regulation and it is subject to all members in the European Union and then any entity that processes personal information of individuals located in the European Union. And we've seen that the GDPR is extraterritorial in scope and it really kind of kicked off this data privacy wave, where countries were establishing data privacy laws that applied not only internally but to any business that was processing the personal information of individuals located within the regulated territory, and so GDPR affected US businesses, and that's how I got involved and we had to work with companies on compliance efforts, and then that really kicked off a global effort in data privacy, and now we see data privacy laws in China, Australia, Brazil. Many, many countries now have general consumer data privacy laws that are extraterritorial in scope, and that was a big transition in the last seven years and has governed a lot of my privacy practice.

Speaker 1:

Yeah, absolutely Like our higher ed clients, right? If you are getting candidates, potential students, from any of these countries, that means you're subject to all these laws.

Speaker 2:

Yeah, that's right, and a lot of higher ed institutions have partner programs located in these international jurisdictions. They're getting applicants from those pools and they're conducting research in foreign jurisdictions. So it's become kind of part of everyday life for several higher ed institutions and for businesses.

Speaker 1:

Absolutely, and so you know, there's a lot in China in the GDPR for the European Union, other countries, but right now in the US we don't have a federal law, do we? We do not.

Speaker 2:

We do not, and I think our clients are starting to get frustrated with that, because we have 20 US state laws now that have general consumer privacy laws and, just to make that clear, that's a general law that applies to the processing of personal data of any consumer located within the state. These states also have sector-specific, industry-specific and data-specific privacy laws. So we have 20 consumer privacy laws, and on top of that we also have biometric privacy laws, children's data privacy laws, health privacy laws, financial privacy laws. So the industry has exploded, but we do not have any kind of federal law to kind of set the standard for everyone, and so a lot of entities have to comply with this very piecemeal approach.

Speaker 1:

Yeah, it's sort of almost like a quilt instead of an omnibus thing that we see in the law, where finally everything gets pulled together and there's, you know, one thing that we can follow. Have there been any other legal developments recently that you'd want to update folks on?

Speaker 2:

Yeah. So California, which was the first state to enact a consumer privacy law, has just come down with one of its first enforcement actions, and they just had a settlement in the last two weeks with Honda, which was surprising in a few ways. Expected right, it wasn't an entity that was processing a ton of consumer information, but more than that. The settlement was for over $600,000 and it related to 153 consumer data privacy requests, so quite a hefty fine for a small amount of consumer requests. And what the California Privacy Agency found really in this settlement was that Honda was not affording consumers the proper avenue to opt out of sale or sharing of their information, so they were requesting too many data points for verification from a consumer and it was difficult for the consumer to opt out of the sale or sharing of their data.

Speaker 2:

This is a big trend right now in privacy law and something called dark patterns, which is that it's much easier for an entity to collect your information than for you to opt out of the use of that information. There's supposed to be a symmetry in choice, and what the privacy agency found was that there was not a symmetry in choice coming out of the Honda selection and the way that the consumers were submitting those requests and they were requiring too much information from the consumers to submit those requests. Really interesting in the settlement was the strict reading of that symmetry. So Honda required a consumer to accept all cookies with one click and it took two clicks to opt out of advertising cookies and the California Privacy Agency deemed that asymmetrical, so two clicks pulled them into noncompliance under the law. It was technically a violation of the law, of course accompanying other issues. So it wasn't just that they zeroed in on that, but a really interesting strict read of the law that's going to affect any entity that's subject to the California privacy law. We've all seen those cookie pop-ups.

Speaker 1:

They all say yeah, exactly.

Speaker 2:

And so you're used to that collection method and that's going to be really interesting how that impacts all of our clients that use a cookie manager tool, consent tool and advertising. The other really interesting thing we're seeing, and it's also coming out of California, they're really kind of the new wave, is an increase in privacy litigation relating to technology tracking tools that you're leveraging on your website. So these are wiretapping claims coming from the California Invasion of Privacy Act and they're very interesting. They're very interesting legal claims about technology tracking you as you click through a website or input things into a chatbot. So that's been a pretty big spark out of California as well.

Speaker 1:

Every time you say wiretapping it reminds me of almost every fact pattern in law school moot court.

Speaker 2:

That's right, that's right.

Speaker 1:

But there are some states is it Massachusetts? Some states are saying you're not going to be able to use, they don't think wiretapping works.

Speaker 2:

Yeah, it's really interesting because the law was clearly not written to encompass this advanced technology, and so these are really interesting claims. We'll see if any of them end up holding up. But the point there is that sometimes you can rely on consent as the right to use the technology on the website, and so it goes right back to the cookie consent managers. Do you have a pop-up informing consumers of the technologies you're using? And there are several states that say that's fine. You don't need all party consent. But of course, out of California, we're seeing these very interesting claims around wiretapping and the use of tracking technologies.

Speaker 1:

Yeah, and for the listeners it's because those wiretapping all went back to literally your old landline being wiretapped in a criminal investigation for a divorce or otherwise. How do you get consent to have the wiretapped and then how can it be used? And because of that consent, with the click some lawyers somewhere said we can hook into that same law. So that's kind of interesting.

Speaker 2:

It is interesting. I'll be curious to see how it unfolds in the next year or two, because it doesn't seem like the underlying law really marries with the data that we're talking about, especially because the technology is continuing to develop, and so I'll be curious to see how that comes out.

Speaker 1:

Yeah, they try to use it in cell phone cases and other things as well by using the geo-tracking. So we'll see where it goes. That's very interesting. Yeah, I imagine AI is part of the interesting world here as well. Oh yeah.

Speaker 2:

It's the buzzword for everyone right now. Everyone knows about new AI technology coming out, but it does affect data privacy and cybersecurity pretty substantially. As you can imagine, it's evolving technology, especially generative AI. Clients need to consider if you're allowing your AI technology to train off of personal information, and is that information subject to a privacy law. Many privacy laws have rules regarding using automated technologies to make decisions, and so that ties into AI as well, so it's really the hot topic that everyone's keying in on, for good reason. It's going to change the industry, for sure.

Speaker 1:

Well, it's the same in our day jobs, right, just as lawyers, we have ethical obligations, and AI can't train. We can't let other people, we can't break our ethical rules. It can't learn in ways that other people could take that information, and it's a very fast-paced and interesting development constantly.

Speaker 2:

It's so interesting. I think we're seeing more and more proposed AI regulation coming out, but the technology is developing at the same time or even faster, so I think we're still playing catch up. And it's funny because I felt the same way about data privacy about seven years ago, that the legal landscape, the marketplace, had exploded for profiting off of data and the legal landscape hadn't caught up. We're slowly catching up there. I think it's going to be the same thing with AI that the legal landscape will catch up eventually, but our clients can leverage kind of that gray area right now, which has been very interesting.

Speaker 1:

Absolutely. So, we'll have to have four years again. We'll update and see, we'll see what the next big trend is, for sure. So you know, I think it might be important for people to understand. Besides, like, compliance with laws, like in a broad view, like why do you call your data privacy and cybersecurity lawyer? It's not just if there's a breach, right, there's a hopefully way before.

Speaker 2:

Yeah, yeah, so we talked about it a little bit. You want to be proactive in setting up and managing your business, and that includes how you collect information. Most clients, when I first talked to them, don't understand that the information they're collecting off their website is probably governed by some form of a privacy law and they think, even if it's a business that has nothing to do they sell car parts, right, but they're collecting information on their website they could be subject to a privacy law. But you need to get your safeguards in place. Make sure that you have a good data hygiene for your business, make sure that you're compliant in every way and that you have appropriate disclosures on your website.

Speaker 2:

The best way for our clients to mitigate risk on the employee side for consumers is that you're properly disclosing the information you're collecting, how you're using it, what technology you're leveraging, if you're sharing it with anyone. That's a fantastic risk mitigation strategy that will afford you the ability to be compliant with privacy laws as they evolve. So really important there. And then the other place we're seeing a lot of new cybersecurity risk is in vendor contracts. So if your vendors are holding your data or processing your data in any way, making sure that you're addressing that risk with contractual terms and handling any flow down liability obligations for the processing of that information.

Speaker 1:

So you sort of mentioned that you know, you, you know as a counselor at law developed in this field. It like developed alongside of these laws, right, and it wasn't something when you were in law school that you thought about. But if you were giving advice now to a law student who's interested, what are some things that you would recommend they do?

Speaker 2:

marketplace has changed. Data privacy is a very valuable knowledge set to have. It impacts every industry. So in our practice group we have attorneys from every department at the firm: labor attorneys, litigators, intellectual property attorneys. We have folks that dabble in data privacy and cybersecurity, and then folks that specialize in data privacy and cybersecurity.

Speaker 1:

With those special accreditations that you have.

Speaker 2:

Exactly, and so the advice I would give to law students is get involved now. I know that many law schools are offering privacy courses. Now, if you are interested in it and cybersecurity, start taking those courses. I would always recommend getting the IAPP accreditations if you can. You're highly marketable if you have a specialty in this area and that you can say you have a specialty in this area, and those accreditations focus on not just US law and European law, but also Asian law. You can be certified as a privacy manager, and so you can get good, comprehensive background information before you even are a practicing attorney.

Speaker 1:

Yeah, and that those aren't like. That has nothing to do with the bar exam and having the law license and separately, where we can't use words like specialized. So it's it's. Those are two separate things. One is really working in an industry and that's the industry of data privacy and cybersecurity.

Speaker 2:

Yeah, that's exactly right.

Speaker 1:

That's important, and it's an important way for our clients to know that you know it's a. This is not something that we dabble in.

Speaker 2:

That's right. That's right. We, we work hard to stay up to date and to remain the experts in the field, if we can.

Speaker 1:

Yeah, that's fantastic. All right, well, thank you, Amber. Thanks for joining us and updating us on these issues. Of course, we'll have to bring you back in to see what kind of AI is making in the world on these topics of data privacy and cybersecurity, and we hope you'll come back again soon.

Speaker 2:

I will see you in four years, Kim.

Speaker 1:

You better see me before that, Amber. I will. Thanks for having me on. Yeah, thanks so much. Thank you for tuning into this episode of Legally Bond. If you're listening and have any questions for me, want to hear from someone at the firm or have a suggestion for a future topic, please email us at legallybond@bsk.com. Also, don't forget to rate, review and subscribe to Legally Bond wherever podcasts are downloaded. Until our next talk, be well.

Speaker 3:

Bond, Schoeneck & King has prepared this communication to present only general information. This is not intended as legal advice, nor should you consider it as such. You should not act or decline to act based upon the contents. While we try to make sure that the information is complete and accurate, laws can change quickly. You should always formally engage a lawyer of your choosing before taking actions which have legal consequences. For information about our communication, firm practice areas and attorneys, visit our website bsk.com. This is Attorney Advertising.