For small and medium-sized companies working to stay current with cybersecurity, it is important to remember that it can be an asset, not just a liability, according to Joe Dickinson, a member of the data privacy and security, intellectual property, commercial, and litigation practice groups at the Raleigh office of Kaufman & Canoles.
Dickinson has been in the game for over 30 years, since before the dawn of the World Wide Web. He was an applications programmer at Progressive Insurance before earning his Juris Doctor from Cleveland State University Cleveland-Marshall College of Law. As part of his data privacy and security practice, he served as the chief privacy officer and chief information security officer for a large academic medical center and health care provider in Ohio.
In a recent interview with Attorney at Law Magazine Executive Publisher Bob Friedman, Dickinson discussed appropriate cybersecurity risk levels for small and medium-sized companies.
JD: Data privacy and cybersecurity impact all businesses, large and small. Computers and information drive everything that we do from a business perspective. Data used to be your customer information, intellectual property, and financial information. Now, everything you do, all the information your business accesses and processes, is really data.
Data is like the new oil. It’s like the new gold in today’s world.
The most common impacts can be seen in the gaining and losing of business deals and the valuations placed on a business as a result of it either addressing or ignoring the privacy/cybersecurity issues. Many businesses mistakenly believe the primary risks are regulatory enforcement and related penalties. Those risks, and managing those risks, are important but not necessarily the most likely to have an impact.
AALM: What about the argument that “my company is too small to be targeted in a cyberattack?”
JD: We all see the blogs and the class action lawsuits when there are large data breaches. It’s a two-edged sword. From a positive aspect, it can be a really tremendous marketing tool, especially for small and medium-sized businesses. If you can tell your potential customers that you’ve already addressed those risks, that makes you a more attractive business partner. You need to think about data not only from the perspective of compliance but from the perspective of it being an asset. It’s asset management and risk management.
AALM: But isn’t cybersecurity a losing proposition because the bad actors will always outman and outgun the regulators?
JD: Cybercriminals have tremendous budgets. They’re sponsored in many cases by government or other state-backed entities. Think China and Russia. What small businesses need to remember is that this isn’t solely about perfecting compliance or eliminating all vulnerability; it’s also about what we refer to as “herd immunity.” What can you do given your resources, money, personnel, etc., to best position yourself to minimize and manage that risk, not to eliminate it, to not be the easy target.
So, we look at the common themes we see with data, who are the threat actors, what are the applicable security regulations and laws, and how small and medium-sized businesses with very limited budgets can identify the priorities and manage to the key priorities, not to perfection.
AALM: But the challenge is, they didn’t go into business to be computer techies.
JD: We’re dealing with a lot of smart folks, business founders, healthcare executives, or financial services executives. Sometimes, they’re overwhelmed with trying to run a business. They need help understanding what the risks are and how to prioritize and manage them.
We see a lot of business owners and lawyers burying their heads in the sand because technology is not the area they grew up in. But it’s critical for the legal community and the technology community to communicate. Technology advances at a much faster pace than the law, so it’s important to be able to coordinate the legal issues with real-world business and technical issues.
AALM: We don’t typically think of data security and privacy lawyers as being a company’s first line of cyber defense. Do you see yourself replacing a company’s in-house or outsourced IT tech support when it comes to data privacy and security?
JD: No. We can help engage and manage other resources, including tech experts. We can help spec software functional needs, but we do not program or configure. We often lead and manage the program but need the tech experts when assisting with CMMC compliance as well as HIPAA, GDPR, FTC Section 5, and various state laws.
Where we’ve been the most successful, and the most helpful, is when we are having frequent, sometimes daily, conversations with business owners and C-Suite executives who are losing sleep at night over the data privacy and security dilemma. We take that off their plate so they can focus on bigger issues.
We encourage them to get us involved with straightforward business transactions before there’s a problem. In today’s world, even the most basic business deals include due diligence, and everybody uses the same checklists. We can help them identify “good cybersecurity controls”, including the policies and procedures that they need to have in place. That tends to be much less expensive than when they first address these concerns after a breach or a ransomware attack.
Because of the technology background, I think our team can translate communications between the technology experts and the business experts and we can protect those communications with attorney-client privilege. We have been very successful in enabling businesses to identify their security gaps, and fix and resolve those issues while minimizing the unprotected communication.
AALM: AI was one of the core issues in the recently settled strikes by actors and writers. Many industries are also grappling with the role AI should play. To what extent should law firms depend on AI?
JD: AI enables the discovery and the revelation of information at a level we’ve never known before, but in addition, AI generates a lot of risk. AI is also imperfect. So, with artificial intelligence, we often see situations where the factual information is incomplete or inaccurate. If you think about how artificial intelligence works and data storage works, data storage is often not linear. If you think about how information is stored in a computer, and when AI is out gathering information, it’s very hungry and trying to get as much information as possible. AI will generate information that seems to be very thorough and very complete. Still, it may not be accurate, so managing the inaccuracies and the impression of artificial intelligence adds to the challenge of trying to understand, appreciate, and make use of its value.