It’s been a weird couple of weeks for security and stability on the internet, thanks to Elon Musk’s glitchy Twitter takeover and the implosion of cryptocurrency company FTX.
Pretty good time, then, for a lawyer like Joe Swanson to jump into action.
Swanson is vice president of CTRL, the new privacy and cybersecurity compliance consultancy at Tampa-based law firm Carlton Fields. CTRL aims to help businesses navigate the murky legal waters of digital commerce, from adhering to fast-changing laws to preparing for the consequences of a cyberattack.
“It was something we saw a need to fill,” said Swanson, 43. “To put it mildly, that law is pretty fluid.”
Before Carlton Fields, Swanson worked three years in the criminal division of the U.S. Attorney’s Office for the Middle District of Florida, where he served as the office’s computer hacking and intellectual property coordinator. As cybersecurity threats have evolved, he said, so have companies’ and customers’ understanding of how those threats can impact business.
“Consumers are interested in knowing: what data do you collect, with whom do you share it, is that data secure?” he said. “Where those questions have not been answered sufficiently, that tends to lead to disputes that find their way into the courts.”
Swanson spoke recently about the digital threats businesses now face, and how the law can (and cannot) protect consumers in the event of a data breach. (This conversation has been edited for length and clarity.)
From 2012 to today, what’s been the biggest way in which the law as it relates to the digital world has changed?
Just the constantly evolving nature of the cybersecurity threats that organizations and individuals face. That would have been true when I was at the government, and it’s certainly true in private practice. Look at the explosion of ransomware over the last couple of years. That was not nearly as prominent 10 years ago, for example, as it has been over the last couple of years.
And even within those last couple of years, the way in which ransomware is used has evolved. It used to be simply locking up a company’s systems and demanding a ransom payment. It now is quite often a multifaceted attack that involves taking sensitive data from the organization’s systems and then threatening to release that data unless the ransom is paid.
How do centuries-old concepts like negligence and breach of contract and things like that apply to modern fact patterns involving ransomware and stolen data? What might have seemed reasonable form a negligence standpoint five, six years ago is different today.
Small businesses, I imagine, could imagine be overwhelmed in an attack, if they don’t know what they’re doing.
Oh, yeah. They are in many ways a prime target for those attacks. Their cybersecurity defenses may not be as robust as a larger company’s would be. They may not have backup data that they can fall back to in the same way that a larger organization could. But in today’s economy, where data is important to companies of all shapes and sizes, they have all kinds of data that are interesting to threat actors and can be used to exert leverage. If they don’t get their business back up and running soon, their margins are so lean and their resources are stretched so thin that this will put them out of business.
Can the law keep up with the technology and tactics used by bad actors?
Probably not. The bad actors are tweaking their approaches daily, and so it is hard for the law to be truly up to date. There certainly have been enough cases filed alleging deficient cybersecurity, or noncompliance with privacy standards, that there is a growing body of decisions from the courts on what is reasonable security and what is sot of a minimum floor. But that may be driven by the facts in a particular case, and what that opinion might say today could be a lot different from what it might say six months or a year from now. They’re changing all the time in this space.
Are there cyber law issues looming that you think are going to become a much bigger deal for a much wider array of consumers and companies than is the case today?
Two things come to mind. One, will more states and/or the federal government pass cybersecurity-focused laws that do any of the following: Mandate specific security standards that need to be in place, and/or require certain steps to be taken in the wake of a data breach? Will there be a broader-based set of security requirements, like you must have multi-factor authentication, you must encrypt your data? And then on the privacy side, will other states or the federal government pass a sweeping privacy law that regulates what data is collected, what kinds of consents need to be obtained, and what kind of disclosures and rights need to be afforded to consumers in connection with that data?
Any idea what new identity and cybercrime issues might result from Elon Musk taking over Twitter? There have already been blue-check identity issues. Does that open Twitter up to any liability for failing to protect somebody whose identity is being usurped?
I suppose it could give rise to an allegation of some kind of damage, but this is a common theme in the litigation and cybersecurity space. What, in fact, are the damages? Are there monetary damages that stem from a loss of data or a failure to comply with a privacy obligation? Are the courts going to recognize a non-economic damage like reputational harm, or even a fear that your identity may become compromised in the future? The courts have answered that in different ways depending on the facts and the jurisdiction. That would be an issue to keep an eye on.
The FTX crash again seems to prompt questions about the role of oversight in the cryptocurrency industry. Is it possible that companies might jump into an industry like that without fully understanding the state of the law?
Much of it is unregulated, and so you’ve got the risks attendant to that. On the other hand, you’ve got businesses small and large that see this as the future, saying, “This is a way to differentiate myself. This is going to cause a splash when I’m the only coffeeshop in South Tampa that takes payment in Bitcoin.” Certainly, there’s some advertising upside and notoriety that comes from making that part of your business. But there are risks to it as well. – Tampa Bay Times/Tribune News Service