It is important for small and medium-sized companies to stay current with cybersecurity. This can be a valuable asset and not a liability. Joe Dickinson is a member of Kaufman & Canoles’ Raleigh office, which has practice groups in intellectual property, commercial and litigation.
Dickinson is a veteran of over 30 years, dating back to the days before the World Wide Web. He worked as an applications programmer for Progressive Insurance, before earning his Juris Doctor at Cleveland State University Cleveland- Marshall College of Law. In his data privacy practice, he was the chief privacy officer as well as chief information security for a large academic health center in Ohio.
In an interview with Attorney at Law Magazine Executive Editor Bob Friedman recently, Dickinson spoke about the appropriate levels of cybersecurity risk for small- and medium-sized businesses.
JD Data security and privacy impact all businesses. Information and computers are the driving force behind everything we do in business. Data used to be information about your customers, intellectual property and financial data. All the information that your business processes and accesses is now data.
Data is the new oil. Data is the new oil in today’s society.
The most common impacts can be seen in the gaining and losing of business deals and the valuations placed on a business as a result of it either addressing or ignoring the privacy/cybersecurity issues. Many businesses believe that the main risks are the regulatory enforcement and penalties. These risks and how to manage them are important, but they may not have the greatest impact.
AALM What do you think about the argument “my company is not big enough to be targeted by a cyberattack?”
JDWe’ve all seen the blogs, and class action suits when there have been large data breaches. It’s like a double-edged blade. Positively, it’s a great marketing tool for small and mid-sized companies. You’ll be more attractive to potential clients if you tell them that you have already taken steps to mitigate those risks. Data is not just a compliance issue, but also an asset. Asset management is also risk management.
AALM But, isn’t cyber security a losing proposition since the bad actors always outmaneuver and outgun regulators?
JD : Cybercriminals are a very wealthy lot. In many cases, they’re funded by the government or other entities with state backing. Consider China and Russia. Think of China and Russia.
We look at what we can learn from the data and the threats we face, the security laws and regulations that apply, and the ways in which small and medium businesses with limited budgets are able to identify and prioritize their priorities, but not always to perfection.
AALM The challenge is that they did not go into business because they wanted to be computer experts.
JD Our clients are smart people, whether they’re business owners, healthcare executives or financial services executives. They can be overwhelmed by the demands of running a business. They need to know what risks they face and how to manage and prioritize them.
Many business owners and attorneys bury their heads in sand, because they are not familiar with technology. It’s important that the legal and technology communities communicate. The technology advances much more quickly than the law. It’s therefore important to coordinate legal issues and real-world technical and business issues.
AALM We don’t think of data privacy and security lawyers as the first line of defense for a company when it comes to cyber-attacks. When it comes to privacy and data security, do you think that you could replace a company’s own IT support or an outsourced one?
JD: No. We can assist in engaging and managing other resources including tech experts. We can assist in specifying software functionality needs, but do not program or install. We manage and lead the program, but we need tech experts to help with CMMC, HIPAA, GDPR and FTC Section 5 compliance, as well as various state laws.
We’ve found that we’re most effective and helpful when we have frequent, sometimes daily conversations with business owners or C-Suite executives, who are worried about data privacy and security. We remove that burden from their shoulders so they can concentrate on other issues.
We encourage our clients to involve us in simple business transactions, before there is a problem. Even the simplest business transactions include due diligence and everyone uses the same checklists. We can assist them in identifying “good cybersecurity controls” including policies and procedures they should have in place. This is usually much cheaper than addressing these concerns when a breach occurs or a ransomware attacks.
Our team has a technology background and I believe we can translate the communications between technology experts and business experts. We can also protect these communications using attorney-client privilege. We have had great success in helping businesses identify security issues, fix them and minimize unprotected communications.
AALM The recent settlement of the strikes by writers and actors was largely based on AI. AI is also a topic of debate in many industries. How much should law firms rely on AI?
JD AI allows us to discover and reveal information on a level that we have never experienced before. However, AI also generates many risks. AI is not perfect. Artificial intelligence is often imperfect. When you consider how data is stored and artificial intelligence functions, it’s not always linear. When you consider how data is stored on a computer and the AI’s desire to gather as much information as it can, this is what you will see. AI will produce information that appears to be thorough and complete. It may not be accurate. Managing the inaccuracies of artificial intelligence and its impression adds to the challenges of understanding, appreciating, and using its value.
The post Joe Dickinson – Managing Client Cybersecurity Risk first appeared on Attorney at Law Magazine.