White Hat Privilege: The Legal Landscape for a Cybersecurity Professional Seeking to Safeguard Sensitive Client Data

Presented at Black Hat USA 2017, July 26, 2017, 4 p.m. (50 minutes)

The law affords unique protections to communications between a lawyer and client, commonly referred to as the "attorney-client privilege." This tool is indispensable because a lawyer can best advocate for a client when the client is free to disclose both the good and the bad. The law affords similar protections to communications between a physician/therapist and patient.

Cybersecurity professionals have no equivalent. This is true despite the fact that cybersecurity professionals are regularly entrusted with more sensitive information (about an individual or a company) than what is entrusted to a lawyer or doctor. Security consultants can hold their clients' darkest secrets, or perhaps information that could "bring down" the company. These professionals are asked to find flaws, infiltrate networks, gather sensitive data, and document exactly how it happened, all the while contemplating how to use the information to the worst detriment of the target.

Although security consultants have no straightforward legal privilege for protecting client data, they may have the best mechanism of all: White Hat Privilege. By using this term, the speakers submit that a white hat professional can apply technical savvy to implement technological solutions to the problem of protecting client data while staying within the confines of the law.

In this talk, we will examine the legal landscape for cybersecurity professionals seeking to safeguard their clients' sensitive data. We will cover issues including contract formation, risk allocation, and other legal issues that arise during formation of services contracts. We will pivot to legal regimes for handling PII, cross-border data transfers, IP rights, and export-control issues. And because security professionals are not static beings, we will also examine border crossings, including the authority of TSA/Customs to search and seize devices that might hold client data. While examining these issues, where possible, we will discuss potential technological solutions to legal problems.


Presenters:

  • Karen Neuman - Partner, Goodwin
    Karen Neuman, a partner in Goodwin's Business Litigation Group and a member of its Privacy + Cybersecurity Practice, is an internationally recognized privacy lawyer and former Chief Privacy Officer with the U.S. Department of Homeland Security. A solution-oriented practitioner with highly specialized expertise in complex privacy law matters at the intersection of technology and innovation, Ms. Neuman advises organizations and management on a broad range of issues related to data privacy, cybersecurity, and regulatory compliance. Ms. Neuman's practice is particularly focused on counseling companies on commercial privacy matters, including the collection, use, monetization and protection of customer and employee data. She has deep expertise providing advice on sector-specific privacy laws and regulations, including the Children's Online Privacy Protection Act, and compliance with the European Union Data Protection Directive. Since joining Goodwin she has conducted sessions for corporate boards on their evolving obligations for addressing cybersecurity risk, assisted companies with self-certification under the EU-US Privacy Shield for cross-border data transfers, and provided strategic counseling to a wide range of companies on privacy compliance. Prior to joining Goodwin in 2016, Ms. Neuman was Chief Privacy Officer at the U.S. Department of Homeland Security, where she was the principal advisor to the DHS Secretary on privacy policy. As part of the DHS senior leadership team, Ms. Neuman oversaw, implemented and enforced the department's privacy and data security program, and provided advice to other senior leaders concerning relevant statutes, rules, presidential orders, policies and best practices. She also spearheaded the integration of innovative privacy protections into various DHS programs, and oversaw how those protections were operationalized, notably the department's big data analytics program, and White House initiatives for cybersecurity information sharing with commercial entities. She was a member of the U.S. delegation that negotiated an umbrella Data Privacy Protection Agreement with the EU and was part of the high-level U.S. team that supported negotiations for the new EU – U.S. Privacy Shield. She was also appointed to President Obama's recently formed Federal Privacy Council. Ms. Neuman was previously a founding partner of a Washington, D.C. law firm, where she led that firm's privacy practice and counseled clients on state and federal sector-specific privacy laws, FTC rules and guidelines, state data breach laws, and EU privacy laws. As the head of that practice, she regularly counseled companies in the life sciences, technology, retail, e-commerce, social media and consumer product sectors. She routinely provided advice on devising and operationalizing privacy and data security programs, drafted website privacy policies, FAQs, and terms of use, and performed privacy due diligence in connection with various commercial transactions.
  • Jacob Osborn - Counsel, Goodwin Procter LLP
    Jacob R. Osborn is a counsel in the firm's Litigation Group and a member of its National Security + Foreign Trade Regulation (NSFTR) Practice and Patent Litigation Practice. Mr. Osborn is an expert in computer software and encryption, and his legal practice focuses on advising clients with respect to software and encryption matters. He joined Goodwin Procter in 2008. Prior to becoming an attorney, Mr. Osborn was a software developer for a telecommunications company. Mr. Osborn holds bachelor's degrees in mathematics and computer science, and a master's degree in electrical and computer engineering. Mr. Osborn plays a prominent role in the firm's NSFTR practice, and has advised hundreds of clients regarding regulatory compliance with the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR) of the State Department, economic sanctions administered by the Office of Foreign Assets Control (OFAC), and the Committee on Foreign Investment in the United States (CFIUS), particularly with respect to electronics, telecommunications, software, and encryption items. In 2016 he was named as an "Associate to Watch" for his International Trade, Export Controls and Economic Sanctions practice by Chambers USA: America's Leading Lawyers for Business. Mr. Osborn has also provided patent litigation support in over a dozen cases involving computer and electrical technologies, with particular emphasis on computer hardware, software, encryption techniques and business methods. These cases include patent matters in jurisdictions throughout the country, as well as other litigation involving computer-related federal statutes (e.g., the Computer Fraud and Abuse Act and the Electronic Communications Privacy Act). From 2013 – 2016, Mr. Osborn was selected as a Washington D.C. SuperLawyers "Rising Star" for his patent litigation practice. Recently, Mr. Osborn successfully second-chaired a trademark case before the Supreme Court of the United States, B&B Hardware, Inc. v. Hargis Industries, Inc. (2015), an important decision on the intersection between agency decisions and IP litigation. He also successfully first-chaired a trademark opposition proceeding before the Trademark Trial and Appeal Board (TTAB). Mr. Osborn also provides patent prosecution support at all stages of prosecution, including appeals to the Patent Trial and Appeal Board, and AIA procedures such as Covered Business Method Reviews and Inter Partes Reviews. Mr. Osborn additionally assists the firm's Privacy + Cybersecurity Practice by providing technical and legal guidance during data privacy and breach investigations.
