Redefining Society Podcast

Book | Cybersecurity Law Fundamentals | Defining 'Reasonable Cybersecurity': A Legal Perspective | A Conversation with Author, Jim Dempsey | Redefining CyberSecurity and Society with Sean Martin and Marco Ciappelli

Episode Summary

In this engaging episode, Sean Martin, Marco Ciappelli, and Jim Dempsey explore the evolving landscape of cybersecurity law, discussing pivotal topics such as the concept of 'reasonable cybersecurity' and the shifting legal liabilities for software developers. Jim Dempsey, with his vast experience in teaching and advising on technology policy, provides valuable insights into how historical legal principles are adapting to modern challenges, making this a must-listen for anyone interested in the intersection of law and technology.

Episode Notes

Guest: Jim Dempsey, Senior Policy Advisor, Stanford Program on Geopolitics, Technology and Governance [@FSIStanford]; Lecturer, UC Berkeley Law School [@BerkeleyLaw]

On LinkedIn | https://www.linkedin.com/in/james-dempsey-8a10a623/

____________________________

Hosts: 

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

Host: Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli


___________________________


Join Sean Martin and Marco Ciappelli for a dynamic discussion with Jim Dempsey as they unearth critical insights into the rapidly evolving field of cybersecurity law. Jim Dempsey, who teaches cybersecurity law at UC California Berkeley Law School and serves as Senior Policy Advisor to the Stanford Program on Geopolitics, Technology, and Governance, shares his extensive knowledge and experience on the subject, providing a wealth of information on the intricacies and developments within this legal domain.

Cybersecurity law is a relatively new but increasingly important area of the legal landscape. As Dempsey pointed out, the field is continually evolving, with significant strides made over the past few years in response to the growing complexity and frequency of cyber threats. One key aspect highlighted was the concept of 'reasonable cybersecurity'—a standard that demands organizations implement adequate security measures, not necessarily perfect ones, to protect against breaches and other cyber incidents. This concept parallels other industries where safety standards are continually refined and enforced.

The conversation also delved into the historical context of cybersecurity law, referencing the Computer Fraud and Abuse Act of 1986, which initially aimed to combat unauthorized access and exploitation of computer systems. Dempsey provided an enlightening historical perspective on how traditional laws have been adapted to the digital age, emphasizing the role of common law and the evolution of legal principles to meet the challenges posed by technology.

One of the pivotal points of discussion was the shift in liability for cybersecurity failures. The Biden administration's National Cybersecurity Strategy of 2023 marks a significant departure from previous policies by advocating for holding software developers accountable for the security of their products, rather than placing the entire burden on end-users. This approach aims to incentivize higher standards of software development and greater accountability within the industry.

The discussion also touched on the importance of corporate governance in cybersecurity. With new regulations from bodies like the Securities and Exchange Commission (SEC), companies are now required to disclose material cybersecurity incidents, thus emphasizing the need for collaboration between cybersecurity teams and legal departments to navigate these requirements effectively.

Overall, the episode underscored the multifaceted nature of cybersecurity law, implicating not just legal frameworks but also technological standards, corporate policies, and international relations. Dempsey's insights elucidated how cybersecurity law is becoming ever more integral to various aspects of society and governance, marking its transition from a peripheral concern to a central pillar in protecting digital infrastructure and information integrity. This ongoing evolution makes it clear that cybersecurity law will continue to be a critical area of focus for legal professionals, policymakers, and businesses alike.


About the Book

First published in 2021, Cybersecurity Law Fundamentals has been completely revised and updated.

U.S. cybersecurity law is rapidly changing. Since 2021, there have been major Supreme Court decisions interpreting the federal computer crime law and deeply affecting the principles of standing in data breach cases. The Securities and Exchange Commission has adopted new rules for publicly traded companies on cyber incident disclosure. The Federal Trade Commission revised its cybersecurity rules under the Gramm-Leach-Bliley Act and set out new expectations for all businesses collecting personal information. Sector-by-sector, federal regulators have issued binding cybersecurity rules for critical infrastructure, while a majority of states have adopted their own laws requiring reasonable cybersecurity controls. Executive orders have set in motion new requirements for federal contractors.

All these changes and many more are addressed in the second edition of Cybersecurity Law Fundamentals, published April, 2024. The second edition is co-authored by John P. Carlin, partner at Paul Weiss and former long-time senior official of the U.S. Justice Department, where he was one of the architects of current U.S. cybersecurity policy.

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine


___________________________

Resources

Cybersecurity Law Fundamentals (Book): https://cybersecuritylawfundamentals.com/

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast


Episode Transcription

Book | Cybersecurity Law Fundamentals | Defining 'Reasonable Cybersecurity': A Legal Perspective | A Conversation with Author, Jim Dempsey | Redefining CyberSecurity and Society with Sean Martin and Marco Ciappelli

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Marco.  
 

Marco Ciappelli: Sean.  
 

Sean Martin: When, uh, when was the last time you reviewed some law materials?  
 

Marco Ciappelli: Well, let's see. So I'm a doctor in political science. I study a little bit of basic law, and I don't remember at the time any cyber security law. And the time was like in the early 90s. So no, the answer is no. And I don't remember the last time. 
 

Sean Martin: Right. And I think a lot of things, even in a few short years, a lot has happened.  
 

Marco Ciappelli: Big things, a lot of  
 

Sean Martin: small things, a lot of overlapping things, a lot of conflicting things. A lot of things.  
 

Marco Ciappelli: A lot of things happening.  
 

Sean Martin: A lot of things, and of course if you want to do the right thing, you should probably abide by the laws that, uh, that have surfaced over the past few years. 
 

Um, so we're going to talk a bit about that, looking at, uh, law and, and cybersecurity, a bit of privacy as well, because [00:01:00] I think a lot of the most well known laws kind of revolve around privacy. And, uh, there's more to it than that. And I think we're going to get into some of those details today with our guest, Jim Dempsey. 
 

Jim, good to see you again.  
 

Jim Dempsey: Sean, Marco, great to be back with you.  
 

Sean Martin: And, uh, for those that don't know, we had a, we had a brief chat, uh, out of the RSA conference, uh, Jim presented there and, and, uh, we enjoyed the conversation with him. We wanted to get in, into more details. We invited you back and we're thrilled to have you back, Jim. 
 

Maybe a few words just to refresh folks about who you are, what you're up to, and then we'll get into it.  
 

Jim Dempsey: Well, I'm a, I'm a lawyer. Um, I always say I, I don't do technology, I do technology policy. Um, I, uh, teach cybersecurity law at UC California Berkeley Law School, which I've been doing now for, I don't know, six or seven years. 
 

Um, I'm also Senior Policy Advisor to [00:02:00] the Stanford Program on Geopolitics, Technology, and Governance. And, uh, I am the proud co author of the second edition of Cybersecurity Law Fundamentals, which was just, uh, published about a month ago, just in time for RSA, by the International Association of Privacy Professionals. 
 

Sean Martin: That's fantastic. And congratulations on that. I know it's, uh, a lot of, a lot of blood, sweat, and tears goes into a project like that. I don't know personally, but every story I hear from folks, there's a lot, a lot that goes in there. So, maybe, can you, can you give us an overview of What prompted you to pull this material together? 
 

Was there a need that you saw or?  
 

Jim Dempsey: Well, yeah, it's a funny story, quote unquote, funny story. Um, like I say, about six or seven years ago, I was at UC Berkeley, uh, running the Berkeley Center, uh, for Law and Technology, uh, [00:03:00] within the law school. And after I was in that position for about a year, the assistant dean approached me and asked if I would put together a course on cyber security law for the LLM program, Master of Law program, which is mainly foreign students who are already bar admitted in their home country and come to the U.S. for a year or so to get an additional degree focused on U.S. law. 
 

Anyhow, uh, they asked me would I teach a course on cyber security and up until then, I had been mainly focused on the privacy side of things. Thank you very much. Government surveillance issues as well as consumer privacy issues. But I had sort of seen this very beginning emergence, particularly around breach notification laws, of something that you could call cyber security laws. 
 

So I said, sure, I'll teach the course. The first year honestly wasn't very good. I was still pulling together, still trying to understand it, still trying to define it. [00:04:00] But I think it did get better as I went along. And after about two or three, four years, I, I had a whole set of PowerPoints, I had an outline, I had a structure, I had a, my own conceptualization of the issue, and I said, Oh, this will be easy. 
 

Let me just take all my class notes, all my PowerPoints, uh, each topic that I cover, I covered about 12 topics, uh, 12 chapters, you got yourself a book. Well, two years later, I had a book. Um, so, partly because, one, the more I got into it, the more in depth I got, of course, and it wasn't just a matter of what I could fit on a PowerPoint. 
 

There was a lot more depth. Plus, I don't think there has ever been an area of the law, literally in the history of mankind, that has ever evolved and developed and progressed so rapidly as cybersecurity law. And [00:05:00]  
 

Sean Martin: Yes, go slowly. 
 

Jim Dempsey: So putting this together in the book was fascinating. And then what I started doing was maintaining a website because I had to publish the updates to the book because literally the minute I sent the book off to be printed, new things kept happening. 
 

So I maintain a website, cybersecuritylawfundamentals.com, where I post regular updates. I did just one this morning. Yesterday, the SEC, Securities and Exchange Commission, issued a notification rule for broker dealers and investment companies who actually had not previously been under an SEC rule on breach notice. 
 

Strangely, since most other sectors long since had been under such a rule. So I, I've been following the issue and now You know, the first edition came out in 2021. Immediately new things were happening. I was tracking [00:06:00] them on the website and it became time, uh, to do edition two. I added as a co author John Carlin, who's an attorney now partner at the Paul Weiss law firm. 
 

But John has a long and distinguished and varied career at the Department of Justice and in prior administrations really helped, including at the beginning of the Biden administration, helped lay the foundation for the current Department of Justice cyber security strategy. So adding John, who has tremendous on the ground experience. 
 

I mean, I'm sort of looking at this from an academic perspective. John brings in the hands-on day in and day out advising of companies and his perspective and then his DOJ experience. So I'm very proud of the way it's gone. Um, it's at some level an incoherent body of law. We can talk about that more. It's a crazy [00:07:00] quilt. 
 

Um, but what I try to do is try to make sense of it and put it into sort of a framework.  
 

Marco Ciappelli: So, can I? 
 

Jim Dempsey: Yeah, Marco. Thank you. I'm just, you don't have to raise your hand. No, no. I know I normally don't do 
 

Marco Ciappelli: that, but because I, I'm thinking I'm in class with you. I, I had to raise my hand, so thank you. Uh, so I wanna go back a little bit more. 
 

How do you apply laws when something is so new that there are no laws, right? Yeah. So you, you get a car, there is no car. You're the first one in the car. Somebody yell at you and say, Hey, follow the laws, and you're like. Well, I do what I want. It's the car.  
 

Jim Dempsey: Yeah, that's that's that's  
 

Marco Ciappelli: getting back into the beginning even way before you wrote the book when cyber security became a thing. 
 

Jim Dempsey: So, you know, in the United States, at least, we have the common law, which is the law that we inherited literally from, uh, [00:08:00] England when we broke away as a colony and became an independent nation. We carried with us all of the existing common law of England at the time, and then our courts continue to take it forward and you have, uh, tort law, you have contract law, you have law around fiduciaries, uh, trust relationships, um, so you had this common law and one of the principles of the common law is it applies without limitation. 
 

So artificial intelligence, we have no law of artificial intelligence in the United States, but the law of negligence applies. The law of contract applies. And on top of that, we had, um, Federal Trade Commission Act going back to the beginning of the, um, of the 20th century, which in very broad terms made it illegal to engage in unfair [00:09:00] or deceptive trade practices. 
 

Now, deceptive, that's what we're talking about. The relatively easy half of it. If a company says, we collect your data, we're a merchant, we collect your credit card data, you give us your credit card data, and we protect your data, or with e commerce to privacy policies or the statements that companies were making, don't worry, give us your data, we will protect it. 
 

And then they don't protect it. Well, that starts looking like deception. So you take this concept from the beginning of the 20th century, And now you can apply it at the beginning of the 21st century. What is deception? And ultimately, the FTC got into the unfairness side. And they said, even if you don't make a promise, it is unfair to take somebody's data and not protect it. 
 

That is a,  
 

Marco Ciappelli: which is, which is what kind of happened to computer law, internet law from radio law, which came [00:10:00] from exactly outta law. Exactly right.  
 

Jim Dempsey: Intellectual property law. Mm-hmm. What is copyright? How does copyright apply to, uh, digital content? Right. So throughout the history of the internet, uh, we have taken the existing law. 
 

started with that. Now, then Congress will come along. The state legislatures will come along. The regulatory agencies will come along and they will add on top of that. And that's why I say you have this crazy quilt. You have some stuff that's 200 years old, 300 years old. Uh, and you have rules that were issued yesterday. 
 

Uh, and you have everything in between and that's how you put these pieces together and they don't fit perfectly. Absolutely. There are still gaps. Absolutely. That's how we've built up this law. We started with what we already had in the concept. Um, a [00:11:00] famous judge and law professor wrote an article a number of years ago, uh, called the law of the horse. 
 

It's not like we have one rule for horses and one rule for other types of property. We, we, we don't, it's, he said, it's better have good Underlying concepts, good rules of contract, good rules of tort liability, good rules of copyright. And then, if they're good enough, every time a new technology comes along, you do what lawyers do, you do what we all do, really, instinctively, which is you reason by analogy. 
 

You say, well, this is like something we saw before. Um, it happens to be ones and zeros. It happens to be non tangible, but we've had, you know, we've had, we've dealt with intangible, uh, harms, uh, for literally again, for centuries, reputation, uh, privacy, uh, privacy goes back, um, hundreds of years, uh, slander, [00:12:00] you know, taking somebody's data and using it to hurt them. 
 

Uh, that goes back hundreds of years.  
 

Sean Martin: So let me ask you this. I don't know how, uh, versed you are in it, but. Was it 19, late, mid 80s? 1986 or something like that? The, uh, Computer Fraud and Abuse Act came out. And, so, I don't know what that is built upon, but that basically says you're, you're not allowed to break into other people's systems and do, do harm. 
 

Um, it's a conversation that, um, we've had on ITSPmagazine many times because there are good hackers, right? Ethical hackers that do use their brain, right, and tools, yep, to explore and see what things are vulnerable and responsibly, hopefully responsibly, disclose. Yep. What's going on there? [00:13:00] Basically against that law in many cases. 
 

So how, how do individuals and organizations kind of navigate? Because I don't know that they're, what kind of, I think there are some lawsuits, but I don't even know convictions. Anyway, I'm speaking out of my own, well, realm here, but, yeah, with the state of that, and I guess the point I'm, or the question I'm trying to ask is how do people and individuals understand the real intent of the law, where the lines are drawn, what, what really could happen to them. 
 

Jim Dempsey: Yeah, Sean. No, that's exactly right on point. I have a whole, literally whole chapter in the book on the Computer Fraud and Abuse Act and other, other criminal laws, and as you say, it emerged in 1986, particularly 1984 originally, um, and, uh, it was based in a way on some traditional concepts of [00:14:00] theft, trespass. So it makes it a crime to steal our data, uh, from certain computers, to destroy data, to interfere with the operation of computer systems. 
 

Interestingly enough, it even applies to ransomware because it makes it a crime to extort, uh, to threaten to cause damage to a computer in order to extort money. And it was built up again over the years. Congress started with a relatively narrow focus on government computers and then financial institution computers, and then vastly expanded it when they adopted the term protected computer, which is now basically any computer connected to the internet. 
 

Any computer used in interstate commerce, which is the extent of the federal power over interstate commerce. Now you're 100 percent right, [00:15:00] Sean. You start out with terms like authorized, whoever accesses a computer without authorization or whoever exceeds authorized access to a computer and thereby causes damage or takes information, copies information, et cetera, shall be guilty of a crime. 
 

And there were some notorious cases, which I traced the history of in the book. There were some notorious cases early on where, um, people, ethical hackers, uh, were threatened with prosecution. Um, they were also threatened with prosecution under the, um, Digital Millennium Copyright Act because what they were doing, uh, it was alleged to violate, um, copyright. 
 

Now, there's a remarkable  
 

Sean Martin: Like with reverse engineering, right?  
 

Jim Dempsey: Exactly. Yeah, yeah. Exactly. And there [00:16:00] has been a remarkable evolution there. Um, partly through Department of Justice policy, partly through some lower court cases, and then finally, um, in 2021, um, 2021 22, um, the Supreme Court decision, yeah, 2021, Supreme Court decision in a case called Van Buren, where the Supreme Court narrowed some of the focus of that statute, um, Meanwhile, on the copyright side, the Copyright Office issued some interpretations that narrowed the focus. 
 

And the government came to embrace the concept of the bug bounty. And the bug bounty being, hack away at our system, with the understanding that if you [00:17:00] find a breach, you won't exploit it. You'll tell us, the system operator, that you found it. We may even pay you money for finding that flaw in our system. That's the bug bounty side, but the sort of responsible vulnerability disclosure is now government policy. 
 

Every government agency, the DoD, actually, interestingly, was first to adopt that. And now every single government agency says you are authorized to hack away at our system. Don't actually steal anything. Don't actually destroy anything. And if you find a breach, tell us. But if you meet those three conditions, you will not be prosecuted under this statute. 
 

That's a combination of both some of the courts being skeptical with these terms of service and basically some of the courts rejected the notion that terms of service can create criminal liability. Um, there may still be contract liability since the term of service is a contract. So fascinating [00:18:00] example though, Sean, you're a hundred percent right to single it out or pick it as one, one example of how you start sort of from some fundamental concepts of trespass, theft of property, destruction of property, interference with property, translate them to the digital world, and then it's not a direct one to one match, of course, and that's where the problems come in, that's where the questions come in, that's where the challenges come in. 
 

Marco Ciappelli: And that's where a question I have.  
 

Jim Dempsey: Yeah, Marco.  
 

Marco Ciappelli: Yeah, because everything before was And I, I have conversation about cyber bullying or other things that are cyber and people Nobody knows you are a dog on the Internet, right? Like the old joke from the New York Times. But we do now. And there is this difficulty, even in preaching [00:19:00] cyber security to FAA, MFA, and people like, Yeah, I don't get it. 
 

I get, uh, lock my door twice or lock my car, but Why do I want to lock my phone twice? It's a pain in the butt and so on. So I'm glad you went there because I was just going to the kind of like the psychological aspect of applying concrete, real stuff into a digital world. Like how is that working?  
 

Jim Dempsey: Yeah. 
 

So, you know, um, you referenced, uh, telecom law, you know, um, this is the whole question. You know, sort of the evolution of the Internet. The internet was never really a law free zone. The internet was built on top of telecommunications law. The initial internet service providers benefited from some rules that the Federal Communications Commission had laid down regulating AT&T, [00:20:00] which was the monopoly telco provider in the United States for decades and decades. 
 

And the FCC said, no, you've got to open up to interconnection and you've got to allow anybody to hook any device to your network so long as it doesn't damage it. That decision became very, very important when people came up with the modem. Um, and it became very important when people came up with the, um, uh, internet concept of a, of a, of an ISP. 
 

So we've always built internet law on top of the pre-existing law and in a way the telecom law was built on top of postal law, etc. Um, but it's, it's never a perfect fit. That gets us into these questions. We live, a lot of these harms are intangible. Although again, you go back, the concept of reputation always had [00:21:00] an intangible element to it. 
 

Um, the Supreme Court has an interesting decision on, on standing. They say that, um, in order to get into federal court, you must have a concrete injury, but they say in the very next sentence, an intangible injury can be concrete 
 

and a lot of what we're talking about  
 

Sean Martin: in the concrete is around your feet and exactly here in the  
 

Jim Dempsey: Now, one thing that's interesting about the evolution here is we've almost come full cycle now with the emphasis on OT. Everything used to be about IT, information technology, theft of data. Colonial Pipeline was a watershed moment because attacking the IT system, the attackers there had an impact on the physical world, leading the company to shut down the pipeline. 
 

[00:22:00] And that opened the eyes of a lot of policy makers. To the vulnerability of our physical systems, which, of course, are now increasingly Internet connected, you know, um, you know, those cranes that you see at the major ports, the things that look like huge dinosaurs with the long necks that take the, the, um, the shipping containers off of the, off of the boat, put them on the dock and vice versa. 
 

80 or 85% of those cranes at American ports were made in China. Probably now every single one of those cranes has some internet digital feature to it. And so suddenly the, the potential ability of the Chinese government to force the makers of those cranes to deliver a software upgrade, which actually bricks the crane, turns the crane off. 
 

Suddenly the digital [00:23:00] vulnerability comes back around to a physical world vulnerability. And that's one of the major, major changes in focus. It's not like we've forgotten about the data vulnerability. Uh, but now cybersecurity has expanded from its origins in privacy law into or back to a concern with the physical world. 
 

Sean Martin: And Marco and I had a conversation. We were talking about the international political, geopolitical, uh, impact. Your selection of technologies, be it a crane, be it a network switch or whatever, either put you at risk, put you in alliance with folks. It's very interesting. I want to, well, I have you here and of course you can come back for more conversations, but I'm, I want your thoughts on software liability because there, [00:24:00] I think pretty much any product that you can think of has some, some liability where the provider, the builder provider offers some level of warranty, right? 
 

And if the warranty fails, you have some recourse, either money back or, and if there's, if you're harmed, then you can, you have a case, right? Um, software, I think is one of the only, if not the only area where that's not. So what are your thoughts on that?  
 

Jim Dempsey: Well, I think it's. I mean, my own personal belief is it's time for the software industry to catch up with these other industries, as you suggest, and that's what the Biden administration called for in its national cyber security strategy of March, uh, 2023. 
 

The Biden strategy, uh, 80% of it was probably the same as what was in the Trump strategy, which was [00:25:00] 80% the same as what was in the Obama strategy, which was 80% the same of, you know, going back literally decades across administrations. But in one way, two ways, but one way in particular, the Biden administration strategy marked a radical departure from prior, uh, consensus. 
 

In calling for liability to be shifted from the users of software to the vendors, developers of software. And basically what the strategy pointed out was that the software developers have been able, partly as a result of their market power, but, um, partly just nothing has caught up. They've been able with terms in their contracts, they are now licenses. 
 

It's all licenses, to disavow liability. So if you look at any [00:26:00] software license, whether it's for personal use or more particularly, more importantly, even for enterprise use, all of the software licenses say we make no warranty about the performance of this, or very limited warranties, and we are not liable for any consequential damages. 
 

If the software crashes, you lose business, you lose your data, you suffer harm. We, the developer of the software, are not liable, even if that was caused by a flaw in our product, even if we knew that our product was vulnerable, even if we knew that damage like this might occur. Um, and those, those waivers, uh, disclaimers have, um, been the norm and have stuck now for 20, 30, 40 years, uh, in the software development, uh, and marketing, uh, field. 
 

And consequently, as we all know, we're, we're heavily dependent upon some pretty buggy software. [00:27:00] Um, software with flaws, and the developers do not bear the liability. The cost of those failures falls on the users. And the administration said it's time to change that, and the developers who put together, compile these, these complex software programs should do a better job and should be incentivized to do a better job of eliminating flaws. 
 

Not eliminating all flaws. Nobody is claiming, nobody is expecting that there will be perfection. We don't have perfect airplanes. We don't have perfect, uh, we don't expect perfection in any other field. But in all, as you say, I don't know if there's another field that quite enjoys the immunity that the software development field has been enjoying. 
 

And my argument is that may have made sense 50 years ago when the industry was in its infancy, may have made sense [00:28:00] 40 years ago, may have made sense 20 years ago or 10 years ago. But now the industry has matured to a point and has become so obviously. Absolutely everything we do. Personal lives, business, entrepreneurship, nation state relations, democracy itself, all dependent upon software. 
 

And now, getting there is not going to be easy, although, you know, Marco, again, my feeling is, let's go back to some of the concepts of tort law. Yeah, also known as common sense. 100 years, 100 years ago, plus now. 1916, Buick motor was brought into court, an early automobile, uh, the wheel blew out or collapsed or fell apart, the car crashed, injury occurred, [00:29:00] person sued, and Buick said, no, no, no, no, we're not liable. 
 

First of all, we didn't sell you the car. You bought the car from the dealer. We sold the car to the dealer. You bought the car, if you got a complaint, sue the dealer. The court said, no, no, no, no, you may, you, Buick, you made the car, you put it into commerce. You can't dodge liability. Secondly, and this is directly relevant to the way software is developed today, Buick Motor said, but we didn't make the tire. 
 

Someone else made the tire. And we went and just got the tire from the repository or the library or the warehouse. Um, but sounds like how software is done. Uh, we just took somebody else's tire. And so again, sue the tire maker. Justice Cardozo on the Supreme Court of New York: you, car maker. You're the final compiler and assembler of all of these components. 
 

The [00:30:00] burden is on you based on the amount of risk to do due diligence and to inspect those components that you put together.  
 

Marco Ciappelli: Otherwise you can sell the car without the tires. And you said you guys go and buy your own tires. And then you're responsible. Yeah, exactly. Can I ask you this? Because I know we're pulling, I'll pull you on the society and Sean is pulling you on other things. 
 

But there is the chapter that I'm looking at here, the topics, and it's related kind of to this. Because you say you talk about defining reasonable cyber security, which is reasonable. In air quote, actually it's in real quote in the book, I'm assuming, but can we talk about that?  
 

Jim Dempsey: So that, to me, that is one of the central questions of the evolution of this area of the law. 
 

Because as I said, whether you're the custodian of data, a bank, a credit card company, [00:31:00] a merchant, a hospital, um, or whether you are the maker of a product. The standard is not perfection. The standard is good enough. And in the law, we call that reasonableness and the automobile, the tire doesn't have to be perfect. 
 

The tire has to be reasonably safe. Now, what does reasonable mean? Traditionally, at the automobile, we define that case by case, jury by jury, tire by tire, carmaker gets their expert, the plaintiff gets his or her expert, uh, they say, well, what were the alternative ways to build the tire? Could you've used a better class of rubber or whatever? 
 

And, um, if you chose not to take the reasonable alternative, was the product [00:32:00] unreasonably dangerous or not reasonably safe? And we've sort of sorted that out with automobiles. It took a hundred years. Um, and by the way, we had the intervention in the 60s, 70s of the, uh, federal government. Highway Safety Transportation Administration, which started issuing federal motor vehicle safety standards, which are now, uh, there are hundreds of them, and they are very, very, very specific in defining what is a reasonably safe, um, component. 
 

One of my examples, um, there's a federal motor vehicle safety standard on the boiling point of brake fluid, your brake fluid in a passenger car cannot, uh, boil at a temperature less than X, whatever it is, 290 or 380 or 4 something degrees Fahrenheit. [00:33:00] Because if your brake fluid boils, it vaporizes, vapor is compressible, and your brakes start working if your brake fluid has vaporized. 
 

Very, very, very precise standards, which we've built up. And you look at building codes, and you look at all kinds of areas of human endeavor. We've built up these very precise definitions of what is reasonably secure, because by the way, if your brake fluid boils right above that limit, you're fine, even though it could be dangerous. 
 

Those little caps on the medicine containers, you know, we have a standard that says the caps on the medicine containers cannot be opened by more than 80 percent of a panel of four year olds in more than, in less than 10 minutes. Which says that 20 percent of four year olds can open them. We accept that because if no four year olds could ever open them, no adults could too. 
 

So no one would be able to take their medicine. So [00:34:00] we have these trade offs. We have these trade offs where we try to define what is reasonable. What we are trying to do right now in the law, whether it's the electrical power grid or those Chinese cranes or software, we are trying to draw that line and it's not easy. 
 

We're going ahead bit by bit, um, trying to define. What is reasonable, and that's going to be a challenge now for the next decade.  
 

Sean Martin: Yeah, and I think kind of back to Marco's point of what's we're talking about, safety and human life. It's easy to make the connection between that and physical things, a car or something blowing up or whatever. When we get in the world of cyber, it's a little less direct and harder to visualize. 
 

I think for a lot of people. And so if we can't connect it to physical harm, the other way to [00:35:00] look at it perhaps is through monetary harm, and I think we see that with some of the stuff the SEC is doing, and there is another air quote, material.  
 

Jim Dempsey: Exactly. 
 

Sean Martin: Incident. Exactly. So the impact to people who invest money. 
 

Right. To, uh, that for a company to experience a breach. So I could read the definition, but I'd like your, your view of what material means and it's just going to make an impact, do you think?  
 

Jim Dempsey: So, um, just to back up for the, um, 0.001 percent of your audience who isn't aware that the, uh, Securities and Exchange Commission has issued a rule requiring publicly traded companies to make public disclosure basically to the investing public through their filings with the SEC. 
 

If they have experienced a material cyber security incident, and this is [00:36:00] again taking law that has been around since the 1930s when the Securities and Exchange Commission was created and where our modern day structure of regulating the stock markets took effect, that whole legal system is based upon the premise that investors have a right to know what they're buying. 
 

They have a right to know about the financial condition of the company that they're putting their money into buying the stock of, which is why publicly traded companies are under this requirement annually to publish their financial, uh, data showing how well they're doing and, and if anything changes from that annual report, you must do quarterly updates. 
 

And then if anything material changes, [00:37:00] you must report within four days, uh, to the public because the older report is no longer reliable because something material, your financial condition, has materially changed and again material to the average person. Investors. We've got all these concepts. 
 

Reasonable, material, average. Um, but what we're doing again is we're taking them. And now what the SEC has basically said is if a hurricane or tornado hits your major warehouse, your major distribution point, and you're going to be shut down for weeks, that's material. So you have to tell the public we got a problem. 
 

The SEC's theory is if a ransomware attacker, another cyber attacker hits your computer system and shuts it down so you can't ship product for [00:38:00] days or weeks until you recover and restore, the investing public deserves to know that. So within four days of determining that a cyber incident has had a material impact, you must act. 
 

Let the public know. And then, as additional information becomes clear about how bad the incident was, you must continue to update through these, uh, uh, uh, uh, uh, periodic updated reports. Um, I think that makes sense. I think it, it, it, it created a lot of, uh, uh, FUD, fear, uncertainty, and doubt. Um, the SEC has tried to say, look, we're not going to try to play a game of gotcha here. 
 

Um, it's interesting. I think companies have, in a way, started over reporting. A number of companies have made filings in which they said, well, we don't think it's material, but we're publishing it anyhow. Okay, fine. I think that will settle out over time. Um, but again, [00:39:00] what is material? This is where, this is very interesting, you guys, because this is where for a company now suddenly your CISO and your cyber team is talking to your corporate law team, talking to the folks who handle all the relationships with investors and stockholders and the board and the SEC, because it's not up to the CISO solely to decide what is material. 
 

You've got to have your chief information security officer talking to the chief SEC lawyer, and they've got to be able to communicate with each other and they've got to be able to understand each other's language to make that determination: is this material, 
 

which means?  
 

Marco Ciappelli: We have our brain Cyber which  
 

Jim Dempsey: means, that's, yeah, exactly, which means suddenly you see how [00:40:00] cyber starts affecting a much wider scope of corporate governance. Um, you obviously, long since, for the past, at least five years, if not 10, it's been clear that cyber security must be a board level concern. 
 

And many boards, of course, have now created specific committees, subcommittees to address this. Cyber issues, uh, or else it's the audit committee, uh, who handles it. But, but certainly the board needs to pay attention to, needs to hear from the chief information security officer. Um, and the board is on the hook ultimately, um, for overseeing the cybersecurity operations of the company and asking the hard questions. 
 

Uh, so, so suddenly that this issue, which had been a relative niche issue, starts taking on [00:41:00] broader corporate wide implications.  
 

Marco Ciappelli: So we started wrapping here because we have to. Otherwise we're going to keep going forever. Yeah, you could get me going forever. And maybe we will ask you to do something with us so we can keep doing it forever. 
 

But, you know, I want to go back to a couple of things that was the beginning. Like you said, this book is already a book. It's a book that never ends being written. In a lot of ways, it's never ending, right? I mean, with new things, new technology, new situation, new relationship, international, whatever it is. 
 

But we also forget, and I remember, I'm reminded many times by practitioners that we expect a lot from cybersecurity, which is a very relatively young industry. Thank you. And we expect maybe too much from the [00:42:00] CISO. And that's why burnout. And that's and then I can go in a completely different story. But to maybe close with the beginning, what do you envision in coming up in the next few years? 
 

And is there a community of people involved like you that are I mean, I'm assuming you don't have this burden all on your own because that's, that would be, yeah, well,  
 

Jim Dempsey: yeah, no, no, no. Well, first of all, you know, cybersecurity law has emerged now as its own discipline, uh, still related in a way to privacy law, but in many ways, uh, different. 
 

And, um, that's a major change from when I first started teaching the course and first started working on the book. Um, secondly, we've now got, uh, clear, White House [00:43:00] and congressional attention to it. Obviously, Congress has problems with being gridlocked on so many issues. Uh, but the Biden administration, and I think this would continue even under a Trump two administration. 
 

Um, the, the, the executive branch is using the powers in the laws that it has, safety and reliability laws for telecom and railroads and pipelines and aviation, um, port security, uh, laws, again, dating back 50 or 100 years now being used to address the problem of, as I mentioned, of the Chinese cranes. So, you're going to see that whole process, uh, continue. 
 

Um, you both alluded to the nation state aspect of this, so we are obviously in competition, particularly with China. There is a huge cyber element to that competition. [00:44:00] We see TikTok is just the teeniest, tiniest tip of that iceberg, uh, of data and hardware, uh, and sort of a global, uh, scale. So in all of these areas, there will continue to be, um, development. 
 

Right now, Congress is considering a privacy law. I don't know if it'll pass, but it has a cybersecurity provision in it. We're now up to 18 states adopting comprehensive privacy laws, each one of which has a cybersecurity mandate in it. So it's going to be one of continuing, continuing evolution, a development. 
 

Um, and happy to come back at any time when you, when you see something hit your screen, a new development, um, maybe, maybe, uh, come on and try to contextualize it and explain it. Plus, I don't know, Sean,  
 

Marco Ciappelli: 45 minutes. We did a mess on AI. I mean, 
 

Sean Martin: there [00:45:00] you go. There you go. And we, and we, we didn't say GDPR either. 
 

Marco Ciappelli: Double drink. Oh, no, this was fascinating. I'm glad that, yeah, we had this conversation.  
 

Sean Martin: Yeah. And I think, I think, uh, updates from you would be great. So we can figure out what that looks like. I'm certain our audience would appreciate that as well.  
 

Marco Ciappelli: Audience, if you want this. Comment and ask. Yeah. We'll, we will, we will. 
 

maybe we will anyway, but we'd love to hear from you guys.  
 

Sean Martin: Well, I'm gonna put the a hundred questions in my head in a note. And, uh, we'll save them for future conversations,  
 

Marco Ciappelli: taking notes,  
 

Sean Martin: uh, loads of fun stuff here. And fun air quotes.  
 

Jim Dempsey: Yeah,  
 

exactly.  
 

Um,  
 

Marco Ciappelli: where,  
 

Jim Dempsey: where we are, Linda.  
 

Sean Martin: It's, it's, it's interesting though, and I think, uh, and fascinating so people,  
 

Jim Dempsey: well, and it's fascinating to see in real time [00:46:00] how. 
 

Our society as I was happy globally, but just the U. S. Society is developing a body of law in real time  
 

Marco Ciappelli: to me. The airplane is flying. 
 

Jim Dempsey: Exactly. Exactly. Exactly. We are building the airplane and modifying the airplane in mid flight. Yeah, which is kind of crazy. It's fascinating.  
 

Sean Martin: Yeah. I love it. It is fascinating. 
 

All right. Well, Jim, thanks for, uh, thanks for coming back and taking this time with us and letting us, uh, point you, I felt like we were spinning you. That's all right. And look over here now. No, good stuff. Yeah, I love it. I love it. Uh, super impressed with your, your, your level of understanding a lot of this stuff and hopefully our audience enjoys it. 
 

Audience, thanks for listening and watching. This episode and, uh, here on ITSP magazine, many more, please do subscribe, share with your friends and enemies. And, uh, Jim, we'll see you back. Marco. See you soon.  
 

Marco Ciappelli: Absolutely. Yep. For sure. [00:47:00] Take care, everybody.  
 

Jim Dempsey: Take care.