On February 23, 2016, Nyemaster held its 2016 cybersecurity update. The presenters included Nyemaster attorneys Matthew Eslick, Kevin Collins, Ben Roach, and Tom Walton, as well as Mark Lanterman, the chief technology officer for Computer Forensic Services (“CFS”) in Minnetonka, Minnesota. The seminar was held at the conference center at the Des Moines Golf and Country Club.
Mr. Eslick, a shareholder in the firm's Litigation Department, began the morning by presenting on director and officer liability for data theft losses. He outlined the seminal cases on the subject and discussed the parameters of the board’s duty of oversight regarding cybersecurity matters. He also highlighted several regulatory schemes affecting the board, as set forth by the SEC, FINRA, and the FCC. Finally, Mr. Eslick left the attendees with a helpful checklist to assist a board with managing cybersecurity matters. Some important items include: (1) viewing risk as an enterprise-wide (not just IT) problem; (2) requiring management-level employees to establish a risk management framework to ensure the adequate allocation of human and financial resources; (3) frequently addressing cybersecurity matters at board meetings; (4) giving the board access to individuals with the necessary technical expertise to troubleshoot, run internal tests, and rapidly respond to a cybersecurity events; (4) reviewing internal policies with individuals possessing technical expertise; (5) considering specialized insurance to insure against data theft and incidents; and (6) identifying director exculpation clauses and director indemnity agreements to minimize personal exposure.
Mr. Collins, Mr. Roach, Mr. Walton, and Mr. Lanterman then held a panel discussion on the best practices for preparing for and responding to a cybersecurity event. While there were many excellent takeaways from their discussion, one critical point included differentiating between a “security incident” and a “data breach,” as the classification will significantly impact the company’s response and legal consequences. The group discussed the importance of understanding and complying with each state’s data breach notification requirements, responding to the intrusion, and assuming normal business operations after the event.
Finally, Mark Lanterman presented on his experiences in successfully leading forensic investigations, and collaborating with and supporting companies to manage and respond to cybersecurity events. Prior to becoming the chief technology officer for CFS, Mr. Lanterman was a criminal investigator with over 11 years of law enforcement experience that included the Secret Service. Mr. Lanterman’s “real life” stories highlighted the importance of preparation and planning, forensic analysis, and proper management of each cybersecurity event. Mr. Lanterman emphasized these points by highlighting the dangers and unknowns present in the “dark web,” the “internet of things,” and advanced and ever-evolving malware. Mr. Lanterman’s expertise and humor were a highlight at the morning seminar.