As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Christopher Hart, partner and co-chair of Foley Hoag’s Privacy & Data Security practice.
Christopher Hart is a litigation partner at Foley Hoag, LLP, where he co-chairs the firm’s Privacy and Data Security practice and is a member of the Cybersecurity Incident Response Team. A certified privacy professional, Chris counsels a wide variety of different clients — from tech and life sciences start-ups to Fortune 500 companies — on regulatory compliance, breach response, government investigations, and domestic and international litigation relating to data privacy. In addition to his substantial practice as a privacy lawyer, Chris is active as a member of the International Association of Privacy Professionals (IAPP) privacy bar board of advisors and a member of the American Bar Association’s privacy and security steering committee. Chris also writes and speaks extensively on privacy and security issues and has been quoted in publications such as the Wall Street Journal, Washington Post, and Politico.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born and raised in San Diego, California, as the son and grandson of Mexican immigrants. I moved to the east coast for college, where I studied social and political theory. After working for a startup consulting firm, I received a master’s degree in liberal arts and then moved on to law school. I’ve been a practicing lawyer since 2016, following a judicial clerkship.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I came to the field by chance. I had worked in a law firm in Washington D.C. for several years before lateraling to my current firm, Foley Hoag, LLP, which had a growing privacy and security practice. When I expressed interest, I was given early assignments that provided me with expertise I have been building for about a decade.
Can you share the most interesting story that happened to you since you began this fascinating career?
I can’t, because my stories involve representations of clients, and much of that work is privileged and confidential! But I have been fortunate to work on a variety of different kinds of matters, which include compliance, incident response, government investigations, litigation, and policy-related work.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
My colleague and partner Colin Zick, who has chaired Foley Hoag’s privacy and security practice for over a decade, has been a great source of guidance. He has taught me a great deal about data privacy and cybersecurity and has helped me grow my practice.
Are you working on any exciting new projects now? How do you think that will help people?
Again, much of my work is privileged and confidential. But, that being said, I do teach data privacy courses at Northeastern law school in Boston, Massachusetts, which I hope has been helpful to students interested in learning more about the space.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
You need to determine what’s important to you and appropriately balance your life according to those priorities. Work isn’t everything!
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
First, technology and its uses are fluid and dynamic. Every day, new uses for technology — data-driven technology in particular, since that’s why the industry matters — create new dangers and opportunities.
Second, the law itself is also fluid and dynamic, creating a great deal of complexity and novelty in how we think about privacy and security, and what the parameters ought to be around the uses of personal data.
Third, how we think about privacy and security in terms of rights, obligations, and privileges is shifting and evolving, informed by and informing uses of technologies and developments in the law.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
I worry about the ubiquity of nation-state threats against ordinary data use; recent history suggests that the threat landscape extends to every institution and individual — all data is valuable, and nation-state actors are willing to deploy resources to attack vulnerable information.
I also worry about artificial intelligence being used to create increasingly sophisticated models that can predict and infer behaviors tied to specific identities, and what it will mean for corporate and government surveillance and power over individuals.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Unfortunately, I can’t share specific information because of privilege and confidentiality. But as a general matter, as a privacy lawyer advising organizations on incident response, I cannot stress enough how important it is to think carefully before an incident occurs about how an incident might occur and how the organization will respond. Organizations suffering breaches that are the most hard-hit are the ones that have been caught flat-footed in their response capabilities, which often signals lax security procedures creating larger problems when an incident occurs.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
I am a lawyer and not a technical expert, so I rely on strong forensics firms to investigate and remediate. But as a lawyer, what is important to me is making sure an organization knows what its data map looks like — the who, what, where, when, how, and why of its data flows. Once organizations are able to map their data, it then becomes easier to map appropriate policies and practices, train employees, and outline contractual obligations.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Again, the mapping exercise is important. The interview process that I engage in is critical to understanding what organizations understand about their own data. Many organizations need to outsource their security work; whether that is appropriate, or hiring an internal team is better, depends on their data flow, risk profile, and resource restrictions.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
I defer to technical experts on technical signals. But I will say that certain practices, or lack thereof, will heighten someone’s risk of an attack. For example, not updating privacy policies and not regularly training employees will greatly increase the risk of a harmful incident.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Hopefully, the organization has already developed an incident response plan that they can follow. If there is an incident, the organization should contact counsel and a forensics firm to run an investigation and determine compliance obligations. Every incident is different, but counsel will be able to help identify and minimize liability risk and develop a compliance plan, while a forensics firm will have the expertise to identify the security vulnerability and remediate it.
Most of my compliance work involves the CCPA and the GDPR. These are enormously important laws that have changed the industry and forced resource-intensive compliance efforts.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
There has certainly been an increase in attacks, and social engineering attacks in particular. I have seen an increase in successful phishing attacks in part because people are working in remote environments using personal devices and are not necessarily vigilant about what they are clicking on.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
I would summarize the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” as follows:
- Think of data privacy and security as issues of core enterprise-wide risk management, not as something belonging in a technical silo.
- Remember that minimizing risk, including compliance risk, is not a question of having a well-written policy, but a question of having well-thought-out procedures, well implemented.
- Train, train, train, and train some more. Train employees about social engineering attacks, train your employees responsible for incident response on how to respond, train your organization to think about privacy and security as core components of the business.
- Attacks are not going away, they are only increasing, and every organization is a target.
- The law is changing — compliance is only going to become more stringent.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Are we still talking about privacy? If so, then I represent a diversity of clients with different needs and will leave policy to the policymakers.
How can our readers further follow your work online?
If interested in following my work, I am co-editor of and frequent contributor to Foley Hoag’s Security, Privacy and the Law blog, which focuses on the security and privacy issues encountered by businesses that often require immediate and discreet solutions. Visit www.securityprivacyandthelaw.com to discover more.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!