With cybersecurity risks and incidents rising yearly, businesses increasingly take active steps in their cyber risk management and institute a chief information security officer (CISO). CISOs or equivalent positions have been shown to decrease the probability of information security breaches when included in top management and with board access. Yet, in the face of an inevitable data breach or ransomware attack, businesses face consumer class actions and regulatory investigations that may put CISOs and their employers in conflicting legal positions. Today, most regulators and company boards understand that during a cybersecurity incident, CISOs operate with incomplete and rapidly developing information. However, as recent examples have shown, in some cases CISOs may be found to have acted independently from their organization and face civil and criminal liability for their actions. CISOs, boards, and their counsel will find it essential to understand the boundaries of the CISO role, the legal implications of CISOs’ actions, and how organizations can work together to prevent CISO liability arising from those actions.
- Attorneys will find this seminar essential in their practice of advising businesses to understand the potential liability CISOs face and the risks their behavior poses to an organization.
- Technologists will find this seminar a helpful primer on the potential liability they may face, the regulatory frameworks that govern their actions in the cybersecurity risk management of their organizations, and best practices for limiting liability.
In this seminar, our expert panelists begin by reviewing the primary characteristics and responsibilities of the CISO role, highlighting their importance for organizations’ cybersecurity and risk management. Our speakers then discuss the potential criminal issues that CISOs face, specifically for ransomware payments under OFAC, for fraud claims under the False Claims Act, and when facing regulatory inquiries. Our expert panelists conclude by reviewing a recent example of CISO criminal liability, US v. Joseph Sullivan (N.D. Cal. No. 20-cr-00337-WHO), and key takeaways for what it means for CISOs, their employers, and their counsel.
Topics covered in this webinar:
- CISOs’ Role in Cybersecurity and Data Privacy
- Potential Criminal Issues CISOs Face
- Case Study
Daniel B. Garrie, Esq. – Founder, Law & Forensics; Neutral, JAMS; Faculty, Harvard
Andrew Moss – Reed Smith LLP; Chicago, IL
Andrew Pak – Senior Counsel, Perkins Coie LLP