The following article originally appeared in Legaltech News and was written by Rhys Dipshan.
As cybersecurity issues make their way into every aspect of the modern economy, it is becoming increasingly common for legal professionals to find themselves advising on issues of information security and risk assessment. While these issues may be far from ones taught in law school, they are oftentimes picked up and mastered throughout a career serving high-risk industries.
John T. Araneo, for example, honed his cybersecurity expertise over a long legal career in the financial services industry. And recently, he used such experience to move into the cybersecurity space altogether, becoming general counsel and managing director of managed services at IT infrastructure and cybersecurity services company Align.
Legaltech News caught up with Araneo to discuss his interest in cybersecurity issues, where he will focus on steering Align’s legal departments in the years to come, and what impending cybersecurity regulations will most impact the corporate world.
Early on in my legal career I was drawn to the overarching theme of data privacy and data protection in the information era. My interest stemmed from an underlying belief that the new digital reality of the information economy would present a new medium through which age-old concepts of creating valuable assets and protecting them would emerge. I wrote articles and counseled clients on email privacy and on both understanding and protecting their “information assets.” These concepts eventually gave rise to the modern phenomenon of “cybersecurity.”
The answer is twofold:
First, an underestimated risk: We, as a society, underestimate the increasing dependence on connectivity in everyday life. This is the concept of the “internet of things”—that everything is connected, you to your computer, to your mobile device, to your car, to your router, to your thermostat and to your refrigerators.
Second, and most pressing: The rising sophistication of cyberattacks. One reported case overseas reads like a Hollywood script: A company’s entire staff was evacuated from its headquarters by a remote hack that blew the thermostat, and then the hacker coordinated a drone to enter the premises and take photos of its core, industrial trade secret IP. Once the story broke, the company experienced an enormous decrease in valuation. Soon thereafter, the company was purchased at a discount … shortly before it was revealed the purchaser coordinated the attack ahead of its plans to purchase the company at a favorable but false valuation. Yes, this is happening.
Both the U.S. and the EU are in the process of overhauling and reconciling their respective legal frameworks for cybersecurity. Here in the U.S., we are forced to contend with a crazy quilt patchwork of federal, state, local and industry-specific laws, rules and regulations that are difficult to navigate. For example, the state of New York is enacting a new state law that will take effect on March 1, 2017; this law has gone through numerous objections, comment periods and iterations before being passed by the legislature. This is symptomatic of how confounding the issue of cybersecurity is to both lawmakers and regulators.
There are many we focus on. We have global clients in many jurisdictions and industries, so we need to understand the substance and application of a myriad of laws and regulations. My particular focus and depth of expertise lies in financial services and, more specifically, the investment management industries, so the federal, state and industry-specific laws are my bailiwick. In particular, the guidance and enforcement actions of the Securities and Exchange Commission are things I follow closely and am continually analyzing.
Internally, we will address the typical spectrum of corporate, IP, employment and other issues of a global enterprise such as Align. Externally, we are assisting our clients with developing cybersecurity programs, and this has a legal element—dealing with understanding the various laws and regulators’ expectations, as well as implementing these programs within the organization.
Yes. In some respects, the role becomes narrower in nature, as you can focus on just one client yet, paradoxically, the role itself becomes much broader, substantively.