By SecureWorld News Team
Mon | Oct 16, 2017 | 10:33 AM PDT

You may have seen cybersecurity lawyer Shawn Tuma on TV or heard him on the radio.

He's been on the airwaves a lot lately, because those who can crystalize cybersecurity's legal issues into simple terms are in high demand. 

And we had a chance to interview him this week while he was prepping for his upcoming appearance at SecureWorld Dallas.

Legal angles InfoSec teams need to consider

Tuma says those in cybersecurity actually need to think of several things that fall into their area of responsibility.

"Infosec is directly impacted by three very distinct kinds of laws that must be understood: (1) 'hacking', or unauthorized access laws such as the Computer Fraud and Abuse Act; (2) 'security' laws that require companies to protect the data that resides on their networks; and (3) 'privacy' laws, such as the 48 states' data breach notification laws, that require companies to disclose and report when they have breaches that impact other people's information that they hold."

Cybersecurity leaders often learn to think legally after an incident

Since he works with companies before and after a breach, we asked him when the message to operate with legal ramifications in mind really resonates with InfoSec teams. You guessed it: they really pay attention after an incident.

"It is sad but true that even with all of the information we have about cybersecurity threats and what they can and do mean for businesses, we still have a huge challenge in getting companies to take action," he says.

"The best thing that can happen to any company is to have an incident occur that looks like it is going to be very bad, force them to go through the real incident response process and make the preparations to be ready to disclose it publicly, and at the very last minute learn that it was a false alarm. Then, they have experienced it firsthand but ultimately did not have the problem they thought they had and do not have to disclose."

And Tuma says an ounce of legal prevention is worth a pound of legal cure.

"One of the most effective things they can do, before an incident, is to implement a continuously maturing cyber risk management program that is uniquely tailored to the evolving needs and risks of their business, including the legal and regulatory risks that they face."

Risks that, just like business objectives, are always changing.