When Hunton & Williams partner Lisa Sotto first started studying cybersecurity and privacy law in 1999, someone gave her a small compendium of all the state and federal laws that had been passed on the topic.
On Thursday afternoon, Sotto held up her thumb and index finger to indicate the size of the compendium. “It took me an hour to read it, and then I was the expert,” she said.
Things have changed “dramatically,” according to Sotto: Now there are hundreds of cybersecurity and privacy laws at the federal and state levels, plus a number of laws passed in important foreign jurisdictions in recent years.
She delivered her remarks at the second annual Big Law Business Summit in midtown Manhattan, as part of a panel titled “Cybersecurity: New Business Realities.”
Speakers on the panel also included Harriet Pearson, a partner at Hogan Lovells; Bradley Gayton, GC at Ford Motor Company; and Buck de Wolf, GC of GE Global Research.
While panelists said a number of high-profile breaches have raised the business community’s consciousness, there’s still a lack of expertise, and a lack of communication across different functions within corporations.
“It’s probably one of the most cross-functional issues,” de Wolf said.
Sotto noted that interest in cybersecurity exploded in 2005, after TJX Companies, which owns retailer T.J. Maxx, fell victim to a breach which cost more than $170 million.
Interest jumped again a few years ago after the payment card account information of 40 million Target customers was compromised.
“That was the first time a CEO, at least in part, resigned as a result of a cybersecurity incident,” Sotto said of former Target head Gregg Steinhafel. “That was a sea change.”
Speakers on the panel also remarked on the need for law firms to beef up cybersecurity. “To the extent clients have a fortress, and there’s a bridge over that alligator-filled moat, we walk right across,” Sotto said.
De Wolf, nodding at Gayton, added that it’s important for law firms to confess quickly if an incident happens: “If there’s a breach, the most important thing is to tell the client immediately. You don’t want Ford reading about it in the news.”
At the end of the panel, the moderator asked panelists for their predictions for the next 30 years: Pearson and Gayton said they’d be keeping an eye on Europe, which has more robust cybersecurity and privacy laws than the U.S.
After noting that, by 2020, 50 billion devices will be connected to the internet, de Wolf argued that cybersecurity’s status as a novel topic for legal symposiums won’t last forever.
“There won’t be a panel on cybersecurity,” he said. “It’ll be like having a panel on the internet. It’ll just be what it is.”