In this ground-breaking interview with Tony McFarland, we discuss how companies and regulators interpret and understand current legislation on how to monitor and manage the risks that companies face that can potentially harm the business, and even affect shareholders. We discuss the concept of a material breach and how to define corporate obligations to material breach and disclosure.
I loved my discussion with Tony McFarland. Tony is an attorney and one of the best in the United States at understanding the fast moving and ever evolving Data Security and Privacy Law landscape. Tony has a very unique perspective from the top (CEO and Board) as it relates to the CIO’s requirement to answer questions from the top that have not been asked before.
We also discuss how current decisions and precedents on the Safe Harbor rule will affect the way companies across the Atlantic will have to justify the protections used, and required for data transfers.
Tony is a partner at Bass Berry and Sims PLC, with more than 30 years of experience working with leaders at public and private companies, particularly those in the financial services and healthcare industries, in complex individual and class action business litigation and situations. He has experience in Data Security and Privacy matters including electronic information security best practices, data retention and data management. He is also the Chairman of the firm’s Technology Committee and chair-elect of the Lex Mundi Knowledge Management Subcommittee. He is a co-author of Bloomberg BNA Banking Practice Portfolio Series No. 401, Securities Law for Banks.
We discussed legal impacts of the following:
- The Rise of the CISCO – the Chief Information Security and Compliance Officer (my favorite)
- The SEC and what are the considerations of disclosing an IT Security Breach.
- Safe Harbor and the EU – If you have offices in Europe you will find the discussion very, very interesting
- Trends in Privacy – “the right to be forgotten vs the public’s right to know”. The First Amendment vs Europe’s perspectiv We had a fascinating conversation about Data Privacy. Here is a link to the Spokeo Supreme Court case that is highly relevant and important in the US privacy debate.
- The Top Questions a Board and CEO need to ask a CIO or CISO
- “Do we have a data breach response plan?”
- They need to ask themselves, “Do we have someone capable of handling this area?”
- “Is this person getting the support they need?”
- Top 4 elements of a Board presentation
Tony’s Published Work and Articles
Top CIOs and CISOs can learn a good deal by reading Tony’s published work in the following areas:
- EU and Safe Harbor –Doing Business in Europe and the EU-US Safe Harbor
- A Board’s Governance responsibility – Cybersecurity Top Supervisory Priority Data Security: A Board Responsibility?
- Board responsibility to Cyber Security
- What are best questions a Board or CEO can ask about cyber security?
- Data Security Wellness: Breach prep, diagnosis and treatment
- Outsourced Third Parties – Not forgotten
- Tony’s SEC comments here regarding Cyber Breach Disclosure – The Morning Risk Report: Cybersecurity Disclosures are Risky – WSJ
- Top 10 Questions Banking Leaders Should Be Asking About Cybersecurity
- FCC enters data security arena, ups the ante in federal enforcement
- Doing business in Europe and the invalidation of the EU-U.S. Safe Harbor: is your business impacted?
- Data Breaches Drive Retailers To Update Payment Systems
Summarized Show Notes:
- The ability and knowledge to understand and follow the developments in the entire field which runs across many regulatory fields and to understand the way the technology works so you can provide counsel to the CEO, CISO, CIO to the risk and what is an acceptable level of risk, particularly taking into the potential risk of a company. You have to make judgement calls. [06:25]
- SEC said all filings – have to disclose if companies knew of a breach or had knowledge of a breach. What do public companies have to be aware of with the SEC moving forward [09:10]
- Breach disclosure of large corporations seemed to be catastrophic. But number of breaches have increased. [10:20]
- Judgement call area. Guidance: try to stay within the range of what other companies do. There is a range of acceptable disclosures. You don’t want to be outside the norm [11:19]
- Meaning of Material in material breach – meaning, e.g. if you have company that has 200-300 employees and member of management is on a flight and loses a laptop with sensitive information and that could use material. [12:10]
- Inconsistency in responses of various regulators.[13:23]
- Concerned with brand impact and relationship with client than the dollars you are out of pocket to remedy the breach and especially difficulty with public companies because they are under obligations to material advance and disclosure. This could affect the share price. [15:55]
- Is the dialogue about IF you get breached, or WHEN you get breached? [17:20]
- You have to always plan as if you are going to be breached. From technology, process, procedure standpoint, the convention of wisdom, there are only two types of companies, those who have been breached and know it, and those who have been breached and who don’t know it. [17:38]
- Insurance cover – what do you see happening in insurance arena on cyber security? [18:41]
- Now insurance companies are more sophisticated with cyber liability insurance and more being purchased now, especially for amount of retention of deductable for catastrophic losses [20:22]
- European Court of Justice – case decided – brought issue the safe harbor framework relied on by UK and US companies to pass confidential information from EU to US. [21:26]
- Safe Harbor rule – get out of jail free card – a mechanism whereby if companies show they were operating within in the safe harbor compliance framework [22:00]
- Scope of personal data in EU is much broader than in the US covers medical history and data. [23:00]
- EU has adopted some rules which have ‘The Right to be Forgotten’. European citizens can apply through Google to remove URLs to remove those pages and Google balances this with the individuals rights to privacy with the public right to know and there is also an appeal process through a local data protection agency on this. This does NOT happen in the US. Due to privacy according to the 1st Amendment – the public’s right to know clashes with the right to be forgotten – clashes due to guiding principles. [31:37]
- The right to be that invasive in privacy didn’t exist 200 hundred years ago – from a lawyer’s perspective, how do you balance the right of the individual to privacy with the public’s right to know. [33:23]
- Do you rely on precedence for law decisions? Ideally, but practically NO. State laws and provincial laws, and either can apply. Lawyers say there is no guiding law. Try to best guide someone through the absence of rules or conflicting rules. Advise clients to act consistently. [36:18]
- Clear communication with the Board – Boards can’t deflect issues on Cyber Security. What you’re your observations with IT leader’s communication with Board and vice versa? [38:06]
- 10 years ago CIO, CISO positions were rare except in larger companies. Prefers the term Data security rather than cyber security. Predecessors of CIO or CISO were more of an IT manager. [38:33]
- Not much history for CIO or CISO to know how best to present technical information to the Board and for the Board to know how to receive the information. [40:01]
- Extremely difficult situation – the communication needed is inadequate. It needs to be clear, concise, succinct, understandable and memorable. [40:50]
- The CIO/CISO needs to convey to the board the different high level points that company has prepared and has planned its security and knows how to respond to a breach [41:54]
- Board is capable of asking the right questions that are valid and useful for the business. But how are they being trained to ask questions in an area that are highly undefined? [42:20]
- The SEC wants to see that the breach response is documented [44:15]
- Top questions for a Board to ask their CIO/CISO [45:55]
- Are Boards suffering from Ivory Tower Syndrome (ITS)? [48:40]
- From the viewpoint of the SEC, someone needs to check if the information was right. If the Board are not capable of assessing the answer, then it’s more of a pro forma exercise, than check on adequacy of the company’s coverage of it’s Cyber Security issues. [51:00]
- Being an Eagle Scout – what has this given to Tony’s career. Trustworthy, loyal, helpful, friendly, courteous, kind, obedient, cheerful, thrifty, brave and reverent. The merit badge requirement for an Eagle Scout covered a large number of areas and had to know enough about those areas to be a well-rounded person and achieve those badges. As a Business Litigation lawyer, it’s similar – we’re known for knowing a little about a lot of things, but not much about anything [51:28]
- Can’t think of data security without thinking of compliance and can’t focus on compliance aspects of a company without taking into account the commitment to data security. These two positions might eventually merge. Suggesting the term CISCO. [53:33]
Love this episode? Leave a Review
If you haven’t already, please make sure you leave us a review on iTunes.
About Bill Murphy
Bill Murphy is a world-renowned IT Security Expert dedicated to your success as an IT business leader.
Connect With Us On Social Media
Join The CIO Innovation Mastermind Community
We invite the top 20% of Business IT Leaders for my CIO Innovation Mastermind Events group to participate in monthly discussions on things like VR, AI, and other disruptive & emerging technologies. If you want to become a member, email Chief of Staff, Jamie Luber Jluber@redzonetech.net for more information.