Cybersecurity & Data Privacy Articles by Robert W. Anderson

Robert Anderson, a shareholder at Lindabury, McCormick, Estabrook & Cooper and a member of the firm’s Cybersecurity & Data Privacy practice group was recently questioned by Tom Hughes of ROI-NJ, regarding the reasons a business should consult an attorney to oversee cybersecurity planning and preparation.  In short; the answer is: attorney-client privilege.

If you have a breach and your company gets sued — and it will, Anderson said — having all of your preparation protected could result in huge savings of both money and reputation. Anderson, speaking at a recent ROI-NJ Thought Leadership Series panel, explained how. “When you’re first starting to put together a program to protect your company, one of the things that you will typically want to do is hire someone called an ethical hacker, who will try to get into your system,” he said. “The results of this kind of a penetration testing that determines the vulnerabilities and weaknesses in your system will be in a report that goes on for pages and pages of all the problems in your system. If you do end up with an attack and end up in litigation, Exhibit A in the litigation is going to be this detailed report that shows all the vulnerabilities of your system, and they’ll be able to see how you elected to prioritize the problems. “The litigants are then going to say you knew you had these vulnerabilities and spot the one you didn’t fix.” Having legal counsel order the penetration test would likely shield that document by virtue of attorney-client privilege, Anderson said.

You may visit ROI-NJ to read the full article or download a copy here.

Robert Anderson, Co-Chair of Lindabury’s Cybersecurity & Data Privacy practice group was recently interviewed by ROI-NJ’s Tom Bergeron in regards to the European Union’s May 25th institution of the General Data Protection Regulation (GDPR). Bob feels GDPR will have a huge impact in Europe where there is a different view of privacy.  “In the EU, they have taken the position that privacy is a fundamental human right and we certainly have not taken that position in the U.S., especially in terms of digital information.”

To read ROI-NJ’s full online article click here.

Cybersecurity & Data Privacy practice group co-chair, Robert Anderson’s recent interview has been included in New Jersey Business Magazine’s recent cover story ” The Digital Landscape Evolves”.  Regarding employees who work remotely, who may now pose a risk to their companies Bob says, ” I think everybody, every company, realistically, withing the constraints of what they can reasonably do, should devote significant attention to these kinds of remote access liability issues.”  Bob will be among a panel of Cybersecurity professionals at NJBIA’s upcoming “The Internet of Things – Transforming Your Business” Summit on April 20th in Newark, NJ.

To read the full article click here.

Bob Anderson, co-chair of Lindabury’s Cybersecurity and Data Privacy practice group, was recently interviewed by Karen Talley of FierceCEO, a publication that is considered a must-read source for running a business. Bob reports to Ms. Talley that “there is a tendency for businesses to not put the emphasis on employees, but they are the greatest vulnerability” and that “most cyberbreaches are caused by employees, inadvertently.”

To read the full article online click here.

On June 1, 2017, New Jersey Governor Chris Christie signed Executive Order 225 directing NJ’s Chief Technology Officer to set in motion actions to deliver a more secure, efficient, and reliable information technology platform and services across the Executive Branch.

Previously, each state department and agency oversaw its own information technology services, software and hardware integration. Under the new Executive Order, the Chief Technology Officer of the State of New Jersey is granted broad authority to oversee and integrate the hardware, software, and other information technologies used by departments and agencies within the Executive Branch. In speaking to the Chief Technology Officer at the signing of the Executive Order, Chris Christie stated:

“This is a big day in changing state government. To take away that authority and personnel from every one of the state departments and agencies and put it in your hands is a sea change in the way government is managed given how integral information technology is to the everyday operation of government. This is about a common-sense approach to taking us to a new level in terms of our information technology, and what we know is our customers, the 8.9 million people of the State of New Jersey are going to demand we do it.”

Lindabury’s Bob Anderson, shareholder and co-chair of the Cybersecurity and Data Privacy Group, was interviewed by NJBIZ‘s Tom Bergeron in response to the worldwide ransomware attack over the weekend. Bob said the attacks last weekend were not a surprise at all to the people in the industry.

“It was just a matter of time before something like this happened,” he said. “We’ve seen ransomware attacks pick up at an incredible level the past few years. It was just going to happen at some point that somebody was going to launch something that was going to travel from computer to computer and spread to every country in the world.”

Lindabury will be represented at the NJBIZ Cybersecurity panel discussion on May 18th at Raritan Valley Country Club in Bridgewater, where the Cybersecurity and Data Privacy Group’s co-chair Eric Levine is participating as a panelist.

Businesses have a major need to assess their own cybersecurity risks, and to openly exchange internal information within the company to effectively address and mitigate an actual breach situation. Yet a company’s internal assessments of its own weaknesses and the holes in its cybersecurity protections can, ironically, actually expose the company to even greater danger in future security breach litigation. A company’s good faith internal report of its cybersecurity weaknesses can potentially serve as almost an admission that it has found its cybersecurity protections for personal and confidential data to be inadequate.

Similarly it is of extreme importance that in the midst of dealing with a cyber breach event, that the company’s personnel freely exchange information related to the breach crisis situation quickly and without undue worries about how the disclosure of that information might look in a future litigation discovery proceeding.

The involvement of the company’s legal counsel in all important aspects of a cybersecurity risk assessment and breach response is crucial because of the protections that involvement can potentially provide the company under the doctrines of (i) attorney-client privilege, and (ii) work product protection.

The United States does not currently have a single comprehensive federal law regulating data privacy and cybersecurity matters. Instead, there is a patchwork of laws which at times overlap, and in other cases may even potentially contradict one another. This patchwork, together with the growth in interstate and international data flow, heightens the risk of privacy violations and can create significant compliance challenges. Failure to meet these challenges, however, can result in government imposed civil and criminal sanctions (including fines and penalties), private lawsuits and class actions, as well as damage to a company’s reputation and customer trust.

The following is a brief summary of some of the most significant Federal legislation impacting data privacy and cybersecurity matters.

Federal Trade Commission Act (the “FTC Act”)