SHEAR: The law hasn’t and never will keep up with technology, and many lawyers have a hard time understanding the nuts and bolts of various
data privacy and security
issues. For example,
when I found out that
most public schools
are saving students’ r
communities, data management experts, public relations experts and many others in order to successfully respond to cybersecurity incidents. The coordination of all of these teams, in addition to working with the affected clients, presents organizational, communications and leadership challenges that can be very satisfying and rewarding to manage in the midst of a crisis.
It is rewarding when we can help
the client in response to an unfortunate event in their business. Additionally, the technology and threats are constantly evolving, and staying on top of these developments can be challenging. Staying one step ahead of the attackers requires constant vigilance and support from
the growing field of white-hat security researchers, who sound the alarm when critical vulnerabilities are identified that could adversely impact the market. SHAFER: A fair amount of companies remain defiant about their risk exposure
SHEAR: Absolutely. The Federal Trade Commission (FTC) and our state and federal regulators first need to use the laws we have in place to break up some companies (e.g., separate Facebook, Instagram and WhatsApp). Our government has had the fortitude to break up monopolies such as Standard Oil and AT&T, and this spurred competition. If we can do that we can surely stand up to Mark Zuckerberg and his “friends.”
In regards to data privacy, the FTC needs to utilize its power to hold Facebook accountable for violating its 2011 consent decree regarding its misleading privacy practices arising from the Cambridge Analytica data scandal and other intentionally misleading activities. Any FTC fine under $50 billion is a huge win for
Facebook. Stronger digital privacy laws are also needed on both the state and federal level that have real enforcement teeth. KATZ: Not touching this one.
SHAFER: This is difficult to say, as there are several interrelated aspects of successful tech companies. For start-up companies, increased regulations could cause the
company to become insolvent or to become so risk-averse that they choose not to do research and development, which may have ultimately benefitted us all as customers.
Ultimately, I think the federal government should pass cybersecurity legislation that standardizes certain breach thresholds in order to create consistency among the states, while creating a privacy regulation similar to the European Union’s General Data Protection Regulation. The federal government should also do more to investigate infractions and enforce current regulations. There is a growing body of case law from the FTC regarding cybersecurity that should continue to be developed.
      personal digital
schoolwork and online f
interactions indefinitely,
I was troubled, because r
colleges and employers
will use this data to
discriminate against i
them in the future.
Therefore, I started
National Student Data
Deletion Day, which
requires K-12 schools to automatically delete unneeded digital data (e.g. student internet search history, biometric data, student emails, etc.) that they are collecting on our kids on a regular basis.
All of this information is a honey
pot for hackers, because it’s a major cybersecurity and privacy nightmare waiting to happen. Kids shouldn’t have to worry that their schoolwork and other superfluous data that schools and their vendors are collecting will be utilized against them later by colleges and employers.
KATZ: In many cases we have to rely
on technical experts such as forensic investigators, members of the United
States intelligence and law enforcement
ort
“
f ce
“
S
S
o
t
t
a
ay
m
t
yi
i
n
n
n
ng
th
h
g
o
s
s
sc
e
e
e
e
e
g
o
co
n
n
on
r
e
e
s
ns
ro
st
ow
s
t
wi
t
te
a
ep
an
in
pa
nt
ng
tv
g fifi
a
vi
h
he
ig
fiel
g
e
i
il
ld
a
a
la
d o
d
d
o
an
of
nc
a
f
w
o
f
t
h
t
hi
h
h
an
it
e
ea
n
te
e
d
at
ds
-
-h
tt
ta
su
ha
ac
up
at
p
t s
c
k
k
p
po
e
e
r
rs
s
   re
t
e
q
qu
ui
ir
re
es
s
   f re
r
ro
se
e
c
u
ur
ri
t
 ea
ar
rc
c
c
c
h
he
er
rs
s,
,w
w
h
ho
o
s
so
ou
u
n
n
d
d
t
t
h
h
e
e
a
a
l
la
ar
r
m
m
w
wh
h
e
e
n
nc
t
t
y
cr
r
r
y
   es
se
ri
it
ti
ic
ca
al
l
    vu
ul
ln
nera
a
a
a
ab
b
i
li
i
t
tie
es
are
ei
id
de
e
n
nt
ti
ifi
fie
ed
dt
tha
at
t co
ou
ul
ld
da
ad
d
dv
ve
er
rs
se
ely
y
  mp
h
pa
a
ct th
e
e m
m
ar
r
ke
et
t.”
                           | 22 | Baltimore Law
and refuse to see the benefit of maintaining a compliant cybersecurity posture. They very much have a reactive mentality, and accordingly tend to only
call when things have gone wrong. Additionally, because there is no preemptive federal regulation as it relates to cybersecurity breach notifications, practitioners are left to monitor the legislatures of each state to stay up-to-date with new cybersecurity requirements.
Similarly, when there is a data breach, you have to review each state’s statutes and regulations to ensure compliance, as attorneys general and state legislatures have been making material changes to their statutes and policies in recent years.
SHAFER: The constant learning, whether it is technical or legal. The technology is rapidly changing and the regulations are changing just as quickly, trying to keep up. The pace of change has kept the practice of law in cybersecurity and data privacy rewarding, and it’s so interesting to see how views and policies change over time.
For example, not that long ago the definition of personally identifiable information in most states was limited to Social Security number or name,
in combination with address or other simple information. Now, however, the definition in most states is broad enough to cover biometric information and insurance policy numbers.
What are some of the most challenging aspects of working in this field?
 Do you believe that the government should regulate
tech companies such as Facebook and Google?