Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Northwestern State University's Fall Continuing Legal Education Conference on November 18, 2020.
Reimagine Your Company Operating Again After a Ransomware Attack -- The Lifec... - Shawn Tuma
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Dallas Baptist University Reimagine Technology Conference course in Dallas, Texas on November 18, 2020.
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, was a guest lecturer on this topic at Southern Methodist University Digital Branding Class on October 27, 2020.
The Role of Contracts in Privacy, Cybersecurity, and Data Breach - Shawn Tuma
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, presented on this topic at the 2020 Texas Bar CLE's Making and Breaking Iron-Clad Contracts course in Austin, Texas on March 6, 2020.
Using AWS to Meet Requirements for HIPAA, FERPA, and CJIS | AWS Public Sector... - Amazon Web Services
With rich controls, auditing, and broad security accreditations, AWS enables its customers to be in compliance with CJIS, FERPA, and HIPAA. Come hear customers and partners share their approaches to achieving compliance for those standards across many markets.
Ten Steps to Help Avoid a Major Privacy or Security Headache - Ryan Boyles
"Learn from others' mistakes to avoid making your own"
From the Privacy and Security session at Internet Summit 2010. This is the legal perspective of the three-part session. This presentation was given by Elizabeth Johnson of Poyner Spruill LLP in Raleigh, NC.
Cybersecurity Legal Issues: What You Really Need to Know - Shawn Tuma
Presentation delivered at the Cybersecurity for the Board & C-Suite "What You Need to Know" Cyber Security Summit, sponsored by the Tarleton State University School of Criminology, Criminal Justice, and Strategic Studies' Institute for Homeland Security, Cybercrime and International Criminal Justice. Presented by Shawn Tuma, Cybersecurity & Data Privacy lawyer at Scheef & Stone, LLP in Frisco and Dallas, Texas.
The presentation date was September 13, 2016.
As a cybersecurity and privacy attorney, Shawn Tuma spends much of his time helping clients proactively prepare for the legal aspects of cybersecurity incidents and respond to incidents when they occur. His work with management, legal, and technology departments, and his focus on the legal aspects of cybersecurity, give him unique insight into how the non-technical areas of companies understand and evaluate cybersecurity.
In his presentation, Tuma will explain how, in his experience, the traditional fear, uncertainty, and doubt (the FUD) that has been used to “sell” cybersecurity has now gone too far and has created a feeling of hopelessness in many companies that has led many to simply quit trying. Instead of always focusing on the fear, he will explain how cybersecurity professionals should help empower companies to do what they can, even if they can’t do everything, so that they can at least improve their cybersecurity posture even if they can’t become “secure.”
Tuma will explain how recent legal and regulatory compliance developments encourage companies to take this approach by doing what is reasonable and provide specific action items that virtually all companies can implement to better themselves in this regard – especially if they find themselves in an incident response situation.
After completing this session, you will:
• Understand why cybersecurity is as much a legal issue as it is a business or technology issue.
• Understand how most legal and regulatory compliance actions support a “take reasonable measures” approach instead of a “strict liability” approach to companies’ pre-breach activities.
• Understand the need to, and how to, focus on the basics of risk and preparation for mitigating such risk.
• Understand the 2 primary legal and regulatory compliance areas that pose the most risk to companies and key action items that can help mitigate that risk.
• Know the 3 pre-breach must-haves for every company to have in place.
• Understand the importance that cybersecurity- and privacy-focused contractual agreements have for companies and how such agreements can be negotiated.
• Understand why selling the FUD impedes all of these objectives and harms companies’ cybersecurity posture more than it helps.
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee... - Shawn Tuma
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to SecureWorld Expo Dallas on September 27, 2016.
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can help keep such a breach from becoming a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses face of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. It then addresses the need, created by this crisis environment, for leadership that keeps the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events, why legal counsel is the natural leader to fulfill this role, and how counsel can do so. It then discusses the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from the incident and from failing to respond to it properly. This section includes a discussion of the cybersecurity lawsuit landscape, the cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las Vegas - Shawn Tuma
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to ISACA CSXNA 2016 in Las Vegas on October 18, 2016.
https://www.isaca.org/cyber-conference/index.html
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can help keep such a breach from becoming a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses face of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. It then addresses the need, created by this crisis environment, for leadership that keeps the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events, why legal counsel is the natural leader to fulfill this role, and how counsel can do so. It then discusses the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from the incident and from failing to respond to it properly. This section includes a discussion of the cybersecurity lawsuit landscape, the cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Cybersecurity (and Privacy) Issues - Legal and Compliance Issues Everyone in ... - Shawn Tuma
This document provides information about Shawn Tuma, a cybersecurity partner at Scheef & Stone, L.L.P. It includes his contact information, areas of expertise, industry affiliations, and qualifications. The document highlights that Tuma serves on several boards and committees related to cybersecurity, data privacy, and technology law. It also lists some of the awards and recognitions he has received for his work in these fields.
Cyber Risk Presentation to Murphy Chamber of Commerce (5.28.15) - Shawn Tuma
Cybersecurity is a growing challenge as the odds of a company being hacked are very high. The document discusses cybersecurity best practices companies can implement to protect themselves, including having basic IT security, policies around data security, and assessing risks. It also covers responding to data breaches by notifying relevant parties, investigating the breach, and managing public relations impacts. The overall message is that while all companies will likely experience a breach, following basic security practices and having an incident response plan can help reduce liability and costs.
The document outlines terms and conditions for influencers using the Connex platform, including:
- Influencers agree to work exclusively through Connex for any new business opportunities and comply with content boundaries.
- Content boundaries prohibit adult, crude, violent, illegal, spam, malware or personally identifying content.
- Influencers must provide contact information and metrics like social media followers for their profile.
Cyber Security for Your Clients: Business Lawyers Advising Business Clients - Shawn Tuma
This presentation focused on cyber security protections for businesses and other law firm clients. Cybersecurity and data privacy attorney Shawn Tuma presented this continuing legal education session on March 10, 2017. It was delivered live at TexasBarCLE's 8th Annual Course, Essentials of Business Law: Four Modules for a Robust Practice, cosponsored by the Business Law Section of the State Bar of Texas.
This is my keynote speech at IPExpo 2018. In this talk I highlight how cybersecurity needs to take lessons learnt from the development of safety in the motor industry and apply them to the cybersecurity industry.
This document discusses ways for parents to protect their children from inappropriate or dangerous online content. It outlines six main risks children face, such as accessing pornography, being cyberbullied, or being contacted by predators. It then provides tips for a family game plan, including keeping open communication, supervising internet use, teaching children online safety skills, and using internet filters and parental controls. The overall message is for parents to take time to educate their children about online dangers and how to stay safe through teaching biblical values and maintaining oversight of children's online activities.
Online Trust and Safety, A New Dimension for Real-Time Engagement - Tiffany Xingyu Wang
How online trust and safety is rising to be a new dimension for real-time engagement. This was first published as part of Agora's RTE2020 Conference.
Presented by Tiffany Xingyu Wang, Chief Strategy Officer at Spectrum Labs and GM and Co-Founder at Oasis Consortium.
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss - Shawn Tuma
Shawn Tuma is a cybersecurity lawyer with expertise in data privacy law. He is a partner at Scheef & Stone LLP, a commercial law firm in Texas. Tuma has extensive experience advising businesses on cybersecurity issues and data breaches. He serves on several boards and committees related to cybersecurity law and policy. The document provides an overview of Tuma's background and experience in cybersecurity law.
Cybersecurity Issues All Lawyers Should Know -- Especially Litigators - Shawn Tuma
This document profiles Shawn Tuma, a cybersecurity lawyer and partner at Scheef & Stone, LLP. It lists his extensive experience in cybersecurity law, data privacy law, and information governance. The document also provides an overview of key issues at the intersection of law and cybersecurity, including unauthorized access laws, data breach notification laws, cybersecurity best practices, breach response processes, officer and director liability, cyber insurance, and developing a cybersecurity risk management program.
Cyber Liability Insurance Counseling and Breach Response - Shawn Tuma
This presentation focused on teaching attorneys how to counsel their clients on cyber insurance and guide them through the data breach incident response process. Cybersecurity and data privacy attorney Shawn Tuma presented this continuing legal education session on March 10, 2017. It was delivered live at TexasBarCLE's 8th Annual Course, Essentials of Business Law: Four Modules for a Robust Practice, cosponsored by the Business Law Section of the State Bar of Texas.
Designing for Trust – Presentation at Interact 2011, Lisbon, Portugal - Andreas Woelk
There is a discrepancy between actual and perceived risk. To tackle this perception issue, we created a design framework and defined design principles based on customer insights and expert knowledge to build a common understanding of how to develop a holistic and consistent approach towards trust and safety on eBay.
The Power of Benford's Law in Finding Fraud - FraudBusters
FRN combines the high quality, authoritative anti-fraud and audit content from the leading providers, AuditNet ® LLC and White-Collar Crime 101 LLC/FraudAware.
The two entities designed FRN as the “go-to”, easy-to-use source of “how-to” fraud prevention, detection, audit and investigation templates, guidelines, policies, training programs (recorded without CPE and live with CPE) and articles from leading subject matter experts.
FRN is a continuously expanding and improving resource, offering auditors, fraud examiners, controllers, investigators and accountants a content-rich source of cutting-edge anti-fraud tools and techniques they will want to refer to again and again.
White-Collar Crime Fighter Newsletter Subscribe Now at No Cost!
FraudResourceNet has made the premier anti-fraud newsletter, White-Collar Crime Fighter, freely available to all. All that is required is to complete the registration form with your work email address!
The widely read newsletter, White-Collar Crime Fighter brings you expert strategies and actionable advice from the most prominent experts in the fraud-fighting business. Every two months you'll learn about the latest frauds, scams and schemes... and the newest and most effective fraud-fighting tools, techniques and technologies to put to work immediately to protect your organization.
When it comes to fraud, knowledge of the countless schemes, how they work and red flags to look for will help keep you, your organization and your clients safe.
At FraudResourceNet we understand this and take great pride in providing our FREE White Collar Crime Fighter newsletter -- filled with exclusive articles and tips to provide the knowledge you need.
Make sure you stay informed. Sign up for White Collar Crime Fighter newsletter and we’ll keep you up-to-date on special promos, training opportunities, and other news and offers from FraudResourceNet!
Signing up is easy and FREE. If you have not already subscribed to our newsletter, please sign up to get started!
Sign up for the White Collar Crime Fighter Newsletter (a $99 value ... now completely FREE)
Developer’s silence raises concern about surespot encrypted messenger - AnonDownload
- The developer of the encrypted messaging app Surespot, Adam Patacchiola, stopped responding to questions about whether the app had received any government demands for information, raising concerns they may have been issued a gag order.
- Surespot is used by supporters of ISIS but also many others seeking private communication, and it would be inappropriate for governments to compromise the privacy of all users while investigating a few.
- The recent silence from Surespot developers and an outage of their server mirrors what happened to Lavabit, another encrypted email service, when they received a secret order to hand over encryption keys from the US government regarding Edward Snowden.
The document discusses security measures businesses can take to protect themselves from cyber threats like ransomware and hacking. It recommends training employees on security best practices to prevent phishing scams from infecting networks. It also suggests creating an acceptable use policy to regulate employee internet usage and requiring strong passwords. Other tips include keeping networks up-to-date with software patches, having excellent automated backups, using a firewall, and not allowing unauthorized software downloads. The overall message is that small businesses are frequently targets of cyberattacks and need to take security seriously to avoid losing data or funds to hackers.
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to... - Shawn Tuma
Shawn Tuma delivered this presentation on April 9, 2019, at the Oklahoma State University 4th Annual Cyber Security Conference in Oklahoma City, Oklahoma.
In twenty years of practicing cyber law, Shawn Tuma has seen a multitude of cybersecurity and data breach cases that have helped him understand the real-world risks companies face and the practical things they can do to prioritize their resources and effectively manage cyber risk. In this presentation, he will share his experience on issues such as:
· Why cybersecurity is an overall business risk issue that must be properly managed to comply with laws and regulations
· Why strategic leadership is critical in cybersecurity
· Why teams are critical for cybersecurity and how personalities and psychology can impact that team
· The most likely real-world risks that most companies face
· How to prioritize limited resources to effectively manage the most likely real-world risks
· What is reasonable cybersecurity
· How to develop, implement, and mature a cyber risk management program
· Why cyber insurance is a critical component of the cyber risk management process
Cybersecurity: Cyber Risk Management for Lawyers and Clients - Shawn Tuma
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled "Cybersecurity: Cyber Risk Management for Lawyers and Clients" at the Texas Bar CLE's 16th Annual Advanced Business Law Course on November 8, 2018.
The Legal Case for Cyber Risk Management Programs and What They Should Include - Shawn Tuma
Spencer Fane LLP Cybersecurity and Data Privacy attorney Shawn Tuma delivered "The Legal Case for Cyber Risk Management Programs and What They Should Include" at the Texas Society of Certified Public Accountants' TSCPA CPE 2018 CPE Expo Conference on November 30, 2018, in Addison, Texas.
Real World Cyber Risk. Understand it. Manage it. - Shawn Tuma
Renaissance Executive Forums 2019 CEO Summit presentation by Shawn E. Tuma, Co-Chair, Data Privacy & Cybersecurity Group, Spencer Fane, LLP
March 7, 2019
Dallas, Texas
Cybersecurity Legal Issues: What You Really Need to KnowShawn Tuma
Presentation delivered at the Cybersecurity for the Board & C-Suite "What You Need to Know" Cyber Security Summit Sponsored by the Tarleton State University School of Criminology, Criminal Justice, and Strategic Studies' Institute for Homeland Security, Cybercrime and International Criminal Justice. Shawn Tuma, Cybersecurity & Data Privacy lawyer at Scheef & Stone, LLP in Frisco and Dallas, Texas.
The presentation date was September 13, 2016.
As a cybersecurity and privacy attorney, Shawn Tuma spends much of his time assisting clients proactively prepare for the legal aspects of cybersecurity incidents and respond to incidents when they occur. His work with management, legal, as well as the technology departments, and focus on the legal aspects of cybersecurity, gives him unique insight into how the non-technical areas of companies understand and evaluate cybersecurity.
In his presentation, Tuma will explain how, in his experience, the traditional fear, uncertainty, and doubt – the fear -- that has been used to “sell” cybersecurity has now gone too far and has created a feeling of hopelessness in many companies that has led many to simply quit trying. Instead of always focusing on the fear, he will explain how cybersecurity professionals should help empower companies to do what they can, even if they can’t do everything, so that they can at least improve their cybersecurity posture even if they can’t become “secure.”
Tuma will explain how recent legal and regulatory compliance developments encourage companies to take this approach by doing what is reasonable and provide specific action items that virtually all companies can implement to better themselves in this regard – especially if they find themselves in an incident response situation.
After completing this session, you will:
• Understand why cybersecurity is as much a legal issue as it is a business or technology issue.
• Understand how most legal and regulatory compliance actions support a “take reasonable measures” approach instead of a “strict liability” approach to companies’ pre-breach activities.
• Understand the need to, and how to, focus on the basics of risk and preparation for mitigating such risk.
• Understand the 2 primary legal and regulatory compliance areas that pose the most risk to companies and key action items that can help mitigate that risk.
• Know the 3 pre-breach must-haves for every company to have in place.
• Understand the importance of cybersecurity and privacy focused contractual agreements have on companies and how such agreements can be negotiated.
• Understand why selling the FUD impedes all of these objectives and harms companies’ cybersecurity posture more than it helps.
SecureWorld Expo Dallas - Cybersecurity Law: What Business and IT Leaders Nee...Shawn Tuma
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to SecureWorld Expo Dallas on September 27, 2016.
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that all company will be breached, but preparation and diligence can help minimize the likelihood that such a breach from being a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk business have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. Then, because of this crisis environment, the need for leadership in helping keep the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Get the FUD out of Cybersecurity! ISACA CSXNA 2016 in Las VegasShawn Tuma
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to ISACA CSXNA 2016 in Las Vegas on October 18, 2016.
https://www.isaca.org/cyber-conference/index.html
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that all company will be breached, but preparation and diligence can help minimize the likelihood that such a breach from being a catastrophic event.
This presentation addresses the role of attorneys as the first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk business have of being the victim of a cybersecurity or data loss incident and examining the nature of such incidents and the crisis environment they create. Then, because of this crisis environment, the need for leadership in helping keep the parties calm, rational, and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
Cybersecurity (and Privacy) Issues - Legal and Compliance Issues Everyone in ...Shawn Tuma
This document provides information about Shawn Tuma, a cybersecurity partner at Scheef & Stone, L.L.P. It includes his contact information, areas of expertise, industry affiliations, and qualifications. The document highlights that Tuma serves on several boards and committees related to cybersecurity, data privacy, and technology law. It also lists some of the awards and recognitions he has received for his work in these fields.
Cyber Risk Presentation to Murphy Chamber of Commerce (5.28.15)Shawn Tuma
Cybersecurity is a growing challenge as the odds of a company being hacked are very high. The document discusses cybersecurity best practices companies can implement to protect themselves, including having basic IT security, policies around data security, and assessing risks. It also covers responding to data breaches by notifying relevant parties, investigating the breach, and managing public relations impacts. The overall message is that while all companies will likely experience a breach, following basic security practices and having an incident response plan can help reduce liability and costs.
The document outlines terms and conditions for influencers using the Connex platform, including:
- Influencers agree to work exclusively through Connex for any new business opportunities and comply with content boundaries.
- Content boundaries prohibit adult, crude, violent, illegal, spam, malware or personally identifying content.
- Influencers must provide contact information and metrics like social media followers for their profile.
Cyber Security for Your Clients: Business Lawyers Advising Business ClientsShawn Tuma
This presentation focused on cyber security protections for businesses and other law firm clients. Cybersecurity and data privacy attorney Shawn Tuma presented this continuing legal education session on March 10, 2017. It was delivered live at the TexasBarCLE 8th Annual Course, Essentials of Business Law: Four Modules for a Robust Practice, cosponsored by the Business Law Section of the State Bar of Texas.
This is my keynote speech at IPExpo 2018. In this talk I highlight how cybersecurity needs to take lessons learnt from the development of safety in the motor industry and apply them to the cybersecurity industry.
This document discusses ways for parents to protect their children from inappropriate or dangerous online content. It outlines six main risks children face, such as accessing pornography, being cyberbullied, or being contacted by predators. It then provides tips for a family game plan, including keeping open communication, supervising internet use, teaching children online safety skills, and using internet filters and parental controls. The overall message is for parents to take time to educate their children about online dangers and how to stay safe through teaching biblical values and maintaining oversight of children's online activities.
Online Trust and Safety, A New Dimension for Real-Time EngagementTiffany Xingyu Wang
How online trust and safety is rising to be a new dimension for real-time engagement. This was first published as part of Agora's RTE2020 Conference.
Presented by Tiffany Xingyu Wang, Chief Strategy Officer at Spectrum Labs and GM and Co-Founder at Oasis Consortium.
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data LossShawn Tuma
Shawn Tuma is a cybersecurity lawyer with expertise in data privacy law. He is a partner at Scheef & Stone LLP, a commercial law firm in Texas. Tuma has extensive experience advising businesses on cybersecurity issues and data breaches. He serves on several boards and committees related to cybersecurity law and policy. The document provides an overview of Tuma's background and experience in cybersecurity law.
Cybersecurity Issues All Lawyers Should Know -- Especially LitigatorsShawn Tuma
This document profiles Shawn Tuma, a cybersecurity lawyer and partner at Scheef & Stone, LLP. It lists his extensive experience in cybersecurity law, data privacy law, and information governance. The document also provides an overview of key issues at the intersection of law and cybersecurity, including unauthorized access laws, data breach notification laws, cybersecurity best practices, breach response processes, officer and director liability, cyber insurance, and developing a cybersecurity risk management program.
Cyber Liability Insurance Counseling and Breach ResponseShawn Tuma
This presentation focused on teaching attorneys how to counsel their clients on cyber insurance and guide them through the data breach incident response process. Cybersecurity and data privacy attorney Shawn Tuma presented this continuing legal education session on March 10, 2017. It was delivered live at the TexasBarCLE 8th Annual Course, Essentials of Business Law: Four Modules for a Robust Practice, cosponsored by the Business Law Section of the State Bar of Texas.
Designing for Trust – Presentation at Interact 2011, Lisbon, PortugalAndreas Woelk
There is a discrepancy between actual and perceived risk. To tackle this perception issue, we created a design framework and defined design principles based on customer insights and expert knowledge to build a common understanding of how to develop a holistic and consistent approach towards trust and safety on eBay.
The Power of Benford's Law in Finding FraudFraudBusters
FRN combines the high quality, authoritative anti-fraud and audit content from the leading providers, AuditNet ® LLC and White-Collar Crime 101 LLC/FraudAware.
The two entities designed FRN as the “go-to”, easy-to-use source of “how-to” fraud prevention, detection, audit and investigation templates, guidelines, policies, training programs (recorded, without CPE, and live, with CPE) and articles from leading subject matter experts.
FRN is a continuously expanding and improving resource, offering auditors, fraud examiners, controllers, investigators and accountants a content-rich source of cutting-edge anti-fraud tools and techniques they will want to refer to again and again.
White-Collar Crime Fighter Newsletter Subscribe Now at No Cost!
FraudResourceNet has made the premier anti-fraud newsletter, White-Collar Crime Fighter, freely available to all. All that is required is to complete the registration form with your work email address!
The widely read newsletter, White-Collar Crime Fighter brings you expert strategies and actionable advice from the most prominent experts in the fraud-fighting business. Every two months you'll learn about the latest frauds, scams and schemes... and the newest and most effective fraud-fighting tools, techniques and technologies to put to work immediately to protect your organization.
When it comes to fraud, knowledge of the countless schemes, how they work and red flags to look for will help keep you, your organization and your clients safe.
At FraudResourceNet we understand this and take great pride in providing our FREE White Collar Crime Fighter newsletter -- filled with exclusive articles and tips to provide the knowledge you need.
Make sure you stay informed. Sign up for White Collar Crime Fighter newsletter and we’ll keep you up-to-date on special promos, training opportunities, and other news and offers from FraudResourceNet!
Signing up is easy and FREE. If you have not already subscribed to our newsletter, please sign up to get started!
Sign up for the White Collar Crime Fighter Newsletter (a $99 value ... now completely FREE)
Developer’s silence raises concern about surespot encrypted messengerAnonDownload
- The developer of the encrypted messaging app Surespot, Adam Patacchiola, stopped responding to questions about whether the app had received any government demands for information, raising concerns they may have been issued a gag order.
- Surespot is used by supporters of ISIS but also many others seeking private communication, and it would be inappropriate for governments to compromise the privacy of all users while investigating a few.
- The recent silence from Surespot developers and an outage of their server mirrors what happened to Lavabit, another encrypted email service, when they received a secret order to hand over encryption keys from the US government regarding Edward Snowden.
The document discusses security measures businesses can take to protect themselves from cyber threats like ransomware and hacking. It recommends training employees on security best practices to prevent phishing scams from infecting networks. It also suggests creating an acceptable use policy to regulate employee internet usage and requiring strong passwords. Other tips include keeping networks up-to-date with software patches, having excellent automated backups, using a firewall, and not allowing unauthorized software downloads. The overall message is that small businesses are frequently targets of cyberattacks and need to take security seriously to avoid losing data or funds to hackers.
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to...Shawn Tuma
Shawn Tuma delivered this presentation on April 9, 2019, at the Oklahoma State University 4th Annual Cyber Security Conference in Oklahoma City, Oklahoma.
In twenty years of practicing cyber law, Shawn Tuma has seen a multitude of cybersecurity and data breach cases that have helped him understand the real-world risks companies face and the practical things they can do to prioritize their resources and effectively manage cyber risk. In this presentation, he will share his experience on issues such as:
· Why cybersecurity is an overall business risk issue that must be properly managed to comply with laws and regulations
· Why strategic leadership is critical in cybersecurity
· Why teams are critical for cybersecurity and how personalities and psychology can impact that team
· The most likely real-world risks that most companies face
· How to prioritize limited resources to effectively manage the most likely real-world risks
· What is reasonable cybersecurity
· How to develop, implement, and mature a cyber risk management program
· Why cyber insurance is a critical component of the cyber risk management process
Cybersecurity: Cyber Risk Management for Lawyers and ClientsShawn Tuma
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled "Cybersecurity: Cyber Risk Management for Lawyers and Clients" at the Texas Bar CLE's 16th Annual Advanced Business Law Course on November 8, 2018.
The Legal Case for Cyber Risk Management Programs and What They Should IncludeShawn Tuma
Spencer Fane LLP Cybersecurity and Data Privacy attorney Shawn Tuma delivered "The Legal Case for Cyber Risk Management Programs and What They Should Include" at the Texas Society of Certified Public Accountants' TSCPA CPE 2018 CPE Expo Conference on November 30, 2018, in Addison, Texas.
Real World Cyber Risk. Understand it. Manage it.Shawn Tuma
Renaissance Executive Forums 2019 CEO Summit presentation by Shawn E. Tuma, Co-Chair, Data Privacy & Cybersecurity Group, Spencer Fane, LLP
March 7, 2019
Dallas, Texas
Cybersecurity: Cyber Risk Management for Banks & Financial InstitutionsShawn Tuma
Everyone should now understand that no bank or financial institution is immune from cyber risk. Many are now ready to move forward with improving their cyber risk posture but do not know what to do next or how to prioritize their resources. Recognizing that cybersecurity is an overall business risk issue that must be properly managed to comply with many laws and regulations governing banks and financial institutions, this presentation will provide a strategy for how to better understand and manage such risks by:
(1) Providing an overview of the legal and regulatory framework;
(2) Examining the most likely real-world risks; and
(3) Providing strategies for how to manage such risks, including cyber insurance and the development and implementation of an appropriate cyber risk management program (which is not as difficult as it sounds).
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled "Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (and Attorneys Who Represent Them)" at the Southwest Association of Bank Counsel (formerly the Texas Association of Bank Counsel) 42nd Annual Convention on September 20, 2018.
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Shawn Tuma
Cybersecurity requires a strategic, team-based approach. Effective cybersecurity teams require an understanding of roles, personalities, and psychology. Strategic leadership is needed to develop both proactive security and reactive incident response teams. Tabletop exercises are important for assessing teams and allowing members to practice their roles. While cybersecurity lawyers cannot provide a "magic wand" of privilege, they can help by actively leading risk management programs and investigations to maximize potential privilege protections.
Why Your Organization Must Have a Cyber Risk Management Program and How to De...Shawn Tuma
Presentation to the Association of Continuity Professionals, North Texas Chapter, by Cybersecurity & Data Privacy Attorney Shawn Tuma, on October 19, 2017. For more information visit www.businesscyberrisk.com
The Legal Case for Cybersecurity - SecureWorld Dallas 2017 (Lunch Keynote)Shawn Tuma
Cybersecurity & Data Privacy Attorney Shawn Tuma presents the lunch keynote on the Legal Case for Cybersecurity at SecureWorld-Dallas in 2017.
Here is a link directly to the YouTube video of this presentation: https://youtu.be/3ZeJ86Ebas0
This document provides an overview of FRSecure LLC, a full-service information security consulting company. It describes FRSecure's services such as information security assessments, program development, management, penetration testing, and training. The document discusses the need for information security to protect organizations from risks. It also outlines FRSecure's approach to performing security assessments based on ISO 27002 standards and delivering actionable recommendations and implementation assistance. Presentation topics are provided to discuss the benefits of partnering with FRSecure.
Lifecycle: Responding to a Ransomware Attack - A Professional Breach Guide's ...Shawn Tuma
Shawn Tuma, a professional "breach guide" (aka, breach quarterback, coach, privacy counsel, etc), is an attorney who has practiced in cyber law since 1999. His day job as Co-Chair of Spencer Fane LLP's Data Privacy and Cybersecurity Practice is leading companies through the cyber incident response and recovery process. In this presentation, he provides a virtual tabletop exercise explaining the lifecycle of responding to a typical ransomware attack through a detailed timeline.
The audio for this presentation, in podcast form, is here: https://www.secureworldexpo.com/resources/podcast-ransomware-attack-lifecycle
2015 LOMA Conference - Third party risk management - Session 20Marc S. Sokol
The document discusses implementing an effective third party risk management program. It notes diverse challenges companies face including low interest rates, economic issues, and growing cyber threats. It highlights common issues in third party risk management like lack of due diligence and oversight. The document outlines 12 categories of third party risk and presents a framework for assessing risk. It notes how many breaches originate with third parties and examples of companies impacted. The framework involves validating the risk appetite, evaluating inherent risks, controls, and determining the residual risk.
This document discusses managing insider threats and building a successful audit program. It emphasizes the importance of educating users about insider threats, as employees are often the biggest security risk. It outlines the key components of an insider threat program, including policies, processes, access controls, risk management, and auditing. It also provides tips for tool selection, governance, documentation, and implementation. Throughout, it stresses that insider threats are difficult to detect but can be mitigated through visibility and understanding risky behaviors.
Keeping an Eye On Risk - Current Concerns and Supervisory OversightCBIZ, Inc.
In this presentation, you will:
- Gain an understanding of leading-edge risk management practices for Credit Unions.
- Gain insight on the Board and Supervisory Committees’ role in the internal control structure.
- Recognize areas of potential weakness in the organization.
- Gain an understanding of the regulatory environment and its impact on risk management.
How to Boost your Cyber Risk Management Program and Capabilities?PECB
The webinar explores how understanding your organization in crisis due to an exploitation of risk can develop the organization’s resilience and team in the drive for a stronger level of compliance maturity.
Main points covered:
• Information Security maturity
• ROPI
• Risk Management
• Incident Response
• Forensic Readiness
• Table Top Exercises
• Training
• Legislation
Presenter:
Our presenter for this webinar is Peter Jones, an experienced management professional, digital forensic analyst, cybersecurity professional, ISO 27001 and ISO 17025 auditor and University Lecturer. Peter has a wealth of experience and expertise which incorporates knowledge from being an academic and a practitioner in relation to best practice, data management, cyber security, digital system security and digital forensics, where he has conducted thousands of examinations on behalf of law enforcement and the private sector. Peter has extensive information technology and telecommunications experience which ranges from retail to enterprise environments including supporting the BBC with their hit drama series, ‘Silent Witness’.
Link to the YouTube video: https://youtu.be/aREo4l-pDgc
The Story of a Lean Law Firm: Escaping the Overhead Swamp, Surviving Disrupti...Gary Allen
The webinar will address the challenges of high overhead, legal industry disruption and ethical compliance in a time of dizzying technological change.
Attendees will learn:
- the fundamentals of lean practice,
- practical ways to reduce the cost of doing business,
- how to develop new business models, and
- how to ensure the confidentiality of client information in the Internet Age.
We’ll discuss revenue, operations and behavioral changes so that you’re well-positioned to compete in today’s changing marketplace.
You don’t have to be a tech expert.
Lean is a way of thinking.
Lean is a way of operating.
Lean is the future.
A lean practice puts you in the position where you’re not captive to your overhead.
LeanLaw, an Idaho-based legal software and services company, is conducting a 90-minute webinar that is in the process of being approved by the Idaho State Bar for 1.5 hours of CLE Ethics credit.
Enhancing Cyber threat hunting for your team | 2021KharimMchatta
At the ISACA annual meeting, our presentation delved into diverse strategies aimed at empowering cybersecurity teams to elevate their cyber threat hunting capabilities within their organizational systems. Through a comprehensive exploration of innovative techniques, best practices, and emerging trends, we aimed to equip attendees with actionable insights to proactively identify and mitigate potential threats. By highlighting the significance of continuous improvement in threat hunting methodologies, we sought to contribute to the advancement of effective cybersecurity practices in a rapidly evolving digital landscape.
Presented by Dr Sam De Silva, partner at Nabarro to over 100 CEOs and Executives in London.
Explains what leaders should do immediately after becoming aware of a cyber attack, from a legal perspective.
OSB50: Operational Security: State of the UnionIvanti
The document discusses operational security and the state of cyber threats. It provides an overview of key trends including less control over data and devices, more complex networks, the rise of insecure internet of things devices, and the need for security to balance risk mitigation and enable business opportunities. Survey results show that security tasks are often split between IT and security teams. The document argues that organizations need to take a risk-based approach to security centered around understanding inherent risks, how assets could be compromised, and ensuring effective controls are in place. It also discusses challenges to achieving effective security.
Incident Response Planning - Lifecycle of Responding to a Ransomware AttackShawn Tuma
Shawn Tuma, Co-Chair of Spencer Fane LLP's Data Privacy & Cybersecurity practice, was a guest lecturer on this topic at Columbia University for the Executive Masters of Technology Management Program on November 21, 2020.
The document provides a checklist of good cyber hygiene practices for companies. It recommends starting with a risk assessment and developing written cybersecurity policies covering data protection, monitoring, privacy, access limits, passwords, and BYOD. It also stresses training employees on policies, conducting phishing tests, using multi-factor authentication, antivirus software, access controls, updating software and backups. The checklist additionally includes recommendations for encrypting sensitive data, adequate logging, an incident response plan, third-party risk management, firewalls and cyber risk insurance.
This checklist outlines the steps a company should take in response to a cyber incident. It includes determining if the incident warrants escalation, documenting decisions, mitigating any ongoing compromise, engaging legal counsel, activating an incident response plan, notifying relevant parties such as insurers and business partners, investigating the scope of data compromised, assessing legal obligations, determining if law enforcement or public notification is required, and implementing measures to prevent future breaches. The checklist emphasizes having an incident response plan in place before a breach occurs to facilitate a coordinated response.
Something is Phishy: Cyber Scams and How to Avoid ThemShawn Tuma
Reginald A. Hirsch and Shawn E. Tuma presented this talk at the Annual Meeting of the State Bar of Texas for the Law Practice Management Section of the State Bar of Texas. The date of the talk was June 22, 2018, and the location was Houston, Texas.
Cybersecurity Fundamentals for Legal Professionals (and every other business)Shawn Tuma
Cybersecurity & Data Privacy attorney Shawn Tuma delivered this presentation to the Mid-Year Meeting of the State Bar of Oklahoma's Intellectual Property Law Section on June 2, 2018. For more information visit www.shawnetuma.com
NYDFS Cybersecurity Regulations - 23 NYCRR Part 500Shawn Tuma
The document summarizes New York's Department of Financial Services cybersecurity regulations. It provides an overview of key dates for covered entities to comply with various aspects of the regulations, describes which businesses are considered covered entities and subject to the rules. It also summarizes several of the main components required by covered entities, including maintaining a cybersecurity program, designating a chief information security officer, conducting risk assessments, implementing controls like multi-factor authentication, and reporting cybersecurity events.
Effective cybersecurity for small and midsize businessesShawn Tuma
This presentation was delivered at the Center for American & International Law's Second Annual Cybersecurity & Data Privacy Law Conference on April 13, 2018, by Shawn Tuma, Cybersecurity & Data Privacy Attorney at Scheef & Stone.
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitShawn Tuma
Cybersecurity & Data Privacy Attorney Shawn Tuma delivered this presentation at Misti's InfoSec World during the Privacy & Risk Summit on March 22, 2018, in Orlando, Florida.
The Legal Case for Cyber Risk Management Programs and What They Should IncludeShawn Tuma
Cybersecurity & Data Privacy Attorney Shawn Tuma presented this session to The American Institute of Architects' Large Firm Round Table on March 15, 2018. For more of Shawn Tuma's presentations please visit: https://shawnetuma.com/presentations/
"What Could Go Wrong?" - We're Glad You Asked!Shawn Tuma
Dallas cybersecurity and data privacy attorney Shawn Tuma delivered this presentation on social media law to Social Media Breakfast on February 22, 2018.
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...Shawn Tuma
This presentation was delivered as a webinar to the State Bar of Texas Women and the Law Section on February 15, 2018, by Shawn Tuma, Cybersecurity & Data Privacy Attorney at Scheef & Stone.
Cybersecurity: How to Protect Your Firm from a Cyber AttackShawn Tuma
Cybersecurity attorney Shawn Tuma discusses the importance of cybersecurity for law firms. He notes that cybersecurity and privacy issues impact all law firms as clients demand adequate security and firms store sensitive data for multiple clients. While most breaches are from simple issues like weak passwords, law firms remain an attractive target. Tuma outlines 15 common cybersecurity best practices that firms should implement, such as risk assessments, security policies, workforce training, access controls, backups, and incident response plans. He emphasizes adopting a comprehensive cyber risk management program to protect firms from threats.
Recovering from a Cyber Attack was delivered on February 7, 2018, at the Texas Bar CLE Cybersecurity Workshop course by Todd Hindman, Global Director, Data Breach Response Services of ID Experts Corp. and Shawn Tuma, Cybersecurity & Data Privacy Attorney at Scheef & Stone.
The document discusses best practices for managing cybersecurity and data privacy risks from third party vendors. It recommends (1) conducting due diligence on third parties' security practices before engaging them, (2) using contracts to obligate third parties to comply with security standards and notify clients of incidents, and (3) periodically assessing third parties' security based on risk. Following these practices can help companies minimize risks from third parties as required by laws and frameworks.
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory RealmShawn Tuma
The #CyberAvengers' Paul Ferrillo (a/k/a Director Fury) and Shawn Tuma (a/k/a Hulk) presented at the Practical Cybersecurity Risk Management Strategies program of the New Jersey State Bar Association (NJSBA) Cybersecurity Institute on November 17, 2017. In this presentation, Fury and Hulk focused on the core #CyberAvengers message of the real-life cybersecurity issues facing most companies -- the basics of good cyber hygiene -- and explained how artificial intelligence and machine learning will help companies do a better job of getting these right, along with how and why AI/ML play a critical role in the future of cybersecurity.
Cybersecurity Fundamentals for Legal ProfessionalsShawn Tuma
Cybersecurity & Data Privacy Attorney Shawn Tuma delivered this presentation at the 55th Annual Conference on Intellectual Property Law at The Center for American and International Law on November 13, 2017.
The Essentials of Cyber Insurance: A Panel of Industry ExpertsShawn Tuma
Patrick Florer (Risk Centric Security, Inc.), Mark Knepshield (McGriff, Seibels & Williams), and John Southrey (Texas Medical Liability Trust) are cyber insurance industry experts who have been working in the industry for longer than most of the newly-minted experts have even known about cyber insurance. In this panel presentation at the North Texas ISSA Conference, cybersecurity and data privacy attorney Shawn Tuma moderated their discussion and it was outstanding even though they did not make it through half of the slides due to the depth of their discussion. The presentation date was November 10, 2017.
Indonesian Manpower Regulation on Severance Pay for Retiring Private Sector E...AHRP Law Firm
Law Number 13 of 2003 on Manpower has been partially revoked and amended several times, with the latest amendment made through Law Number 6 of 2023. Attention is drawn to a specific part of the Manpower Law concerning severance pay. This aspect is undoubtedly one of the most crucial parts regulated by the Manpower Law. It is essential for both employers and employees to abide by the law, fulfill their obligations, and retain their rights regarding this matter.
Corporate Governance : Scope and Legal Frameworkdevaki57
CORPORATE GOVERNANCE
MEANING
Corporate Governance refers to the way in which companies are governed and to what purpose. It identifies who has power and accountability, and who makes decisions. It is, in essence, a toolkit that enables management and the board to deal more effectively with the challenges of running a company.
Cybersecurity is a Team Sport: How to Use Teams, Strategies, and Processes to Manage Cyber Risk
1. Spencer Fane LLP | spencerfane.com 1
CYBERSECURITY IS A TEAM SPORT
Why Teams, Strategies, and Processes are
Essential for Managing Cyber Risk
Shawn E. Tuma
Co-Chair, Data Privacy & Cybersecurity Practice
Spencer Fane LLP
2. Spencer Fane LLP | spencerfane.com 2
You must take the poll to get credit for the CLE!
4. Spencer Fane LLP | spencerfane.com 4
Cybersecurity is a legal issue
• Types
– Security
– Privacy
– Unauthorized Access
• International Laws
– GDPR
– Privacy Shield
– China’s Cybersecurity Law
• Federal Laws and Regs
– FTC, SEC, HIPAA
• State Laws
– All 50 States
– Privacy (50) + security (25+)
– CCPA, NYDFS, Colo FinServ
• Industry Groups
– PCI
– FINRA
• Contracts
– 3rd Party Bus. Assoc.
– Privacy / Data Security / Cybersecurity Addendum
5. Spencer Fane LLP | spencerfane.com 5
Common business objections
1. We have an “IT Guy”
2. We have an “IT Company”
3. We are “compliant”
4. We have cyber insurance
5. We are not a large company (or, “tech” company)
6. Our data is not that valuable
12. Spencer Fane LLP | spencerfane.com 12
Takeaway: Cybersecurity is no longer just an IT issue – it is an overall business risk issue – indeed, the ONE risk...
13. Spencer Fane LLP | spencerfane.com 13
Since cyber is an overall business risk issue, who is on the team?
14. Spencer Fane LLP | spencerfane.com 14
Who is on the cyber risk team, and when?
Internal team
• CISO
• IT
• Information Security
• Business
• Risk
• Legal
• Privacy
• CFO
• COO
• HR
• Audit
• Marketing
External team
• Legal
• MSP / MSSP
• Security Firm
• Forensics Firm
• Insurance
• Cyber, etc.
• Broker
• Carrier
• PR Firm
• Notification Vendor
• Law Enforcement
15. Spencer Fane LLP | spencerfane.com 15
Team considerations
Questions to consider
• Do you have a “cyber risk committee”?
• Who is the “head coach”?
• Who are the “coordinators”?
  – i.e., who takes the lead on and “owns”:
    • Proactive risk management
    • Incident response
    • Chain of command
• Have you considered the team members’ personalities, experience, and other intangibles vis-à-vis the role they play?
Planning considerations
• Who is on the field during which situation?
• Do the players know their role?
• Are the players eligible to play?
  – i.e., pre-approval of vendors, engagements executed
• Can they communicate?
  – Understand language
  – Logistics for communicating
• How often do they practice?
• Do you play scrimmages?
16. Spencer Fane LLP | spencerfane.com 16
Takeaway: It takes a team of many different stakeholders within and outside of the organization, working together as a team, to effectively manage cyber risk.
18. Spencer Fane LLP | spencerfane.com 18
Common cybersecurity best practices
1. Risk assessment.
2. Policies and procedures focused on cybersecurity.
   – Social engineering, password, security questions.
3. Training of all workforce on P&P, then security.
4. Phish all workforce (esp. leadership).
5. Multi-factor authentication.
6. Signature-based antivirus and malware detection.
7. Internal controls / access controls.
8. No outdated or unsupported software.
9. Security patch updates management policy.
10. Backups segmented offline, cloud, redundant.
11. Incident response plan.
12. Encrypt sensitive and air-gap hypersensitive data.
13. Adequate logging and retention.
14. Third-party security risk management program.
15. Firewall, intrusion detection and prevention systems.
16. Managed services provider (MSP) or managed security services provider (MSSP).
17. Really top-notch battle-tested CISO.
18. Cyber risk insurance.
Canary in the coal mine
• What is your role?
• How does your company (or others) handle:
– P&P + Training
– MFA
– Phishing
– Backups
– IRP & IR Team
– Cyber Insurance
How mature is the company’s cyber risk management program?
• “GMR Transcription Services, Inc. . . . shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
• “We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.” SEC Statement and Guidance (Feb. 21, 2018)
• “Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” NYDFS Cybersecurity Regulations § 500.02
• “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including …” GDPR, Art. 32
“A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.” – Ken Paxton
What is reasonable cybersecurity?
Too little – “just check the box”
Too much – “boiling the ocean”
Reasonable cybersecurity is a process, not a definition
Takeaway: Reasonable cybersecurity is a process, not a definition: it includes understanding your risks, prioritizing your efforts, and executing your priorities in a systematic manner.
Once you have your team in place and understand what your risks are that you’re trying to manage, what do you do?
What do you think?
What do you think is the most glaring thing missing when I look at substantial incidents and data breaches I have handled over the past 20 years?
1. Lack of hardware, services, gadgets, and gizmos?
2. Lack of support from management?
3. Lack of funding?
4. Lack of talent?
5. Lack of skills and knowledge?
6. Lack of strategy?
Strategic leadership and planning
“Strategy without tactics is the slowest route to victory, tactics without strategy is the noise before defeat.” – Sun Tzu
What does strategy consider?
• Risk analysis – present and future
• Resources – present and future
• Who is on your team?
• For different situations, understand team capabilities – internal and external
• How is your team executing?
• Don’t forget 3rd and Nth party risk!
• Prioritize and execute for evolving threats
• Objectives – what is a “win”?
Takeaway: Winning is withstanding the attacks so your company can stay focused on its primary mission. Winning comes from preparation, resilience, and continuously learning and adapting.
Shawn Tuma
Co-Chair, Cybersecurity & Data Privacy
Spencer Fane LLP
972.324.0317
stuma@spencerfane.com
• 20+ Years of Cyber Law Experience
• Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
• Council Member, Southern Methodist University Cybersecurity Advisory
• Board of Advisors, North Texas Cyber Forensics Lab
• Policy Council, National Technology Security Coalition
• Board of Advisors, Cyber Future Foundation
• Cybersecurity & Data Privacy Law Trailblazers, National Law Journal (2016)
• SuperLawyers Top 100 Lawyers in Dallas (2016)
• SuperLawyers 2015-20
• Best Lawyers in Dallas 2014-20, D Magazine
• Chair-Elect, Computer & Technology Section, State Bar of Texas
• Privacy and Data Security Committee of the State Bar of Texas
• College of the State Bar of Texas
• Board of Directors, Collin County Bench Bar Conference
• Past Chair, Civil Litigation & Appellate Section, Collin County Bar Association
• Information Security Committee of the Section on Science & Technology Committee of the American Bar Association
• North Texas Crime Commission, Cybercrime Committee & Infragard (FBI)
• International Association of Privacy Professionals (IAPP)