Efforts to shield post-breach investigations through the attorney work-product and attorney-client privileges are bad for cybersecurity.
Randal Milch is a Distinguished Fellow at the Center on Law and Security at NYU School of Law and the NYU Center for Cybersecurity, focusing on cyber governance. He was most recently executive vice president and strategic policy adviser to Verizon’s chairman and CEO. He served as the company’s general counsel from 2008 to 2014, and before that was general counsel of several business divisions within Verizon. At Verizon, Milch chaired the Verizon Executive Security Council, which was responsible for information security across all Verizon entities. Milch was responsible for national security matters at Verizon beginning in 2006, and has served as the senior cleared executive at Verizon.
The FTC has opened the new decade with a quiet revolution in their data security orders. Reasonableness, a touchstone of FTC data security, has disappeared from their newest orders. What replaces it does not put the FTC's cybersecurity program on much better footing.
The FTC’s cybersecurity enforcement program has faced increasing judicial scrutiny because of the inherent vagueness of the "reasonable" cybersecurity it seeks to require. Meanwhile, the Cybersecurity and Infrastructure Security Agency has struggled to achieve robust private sector engagement. Linking these agencies’ programs and enforcement practices will help each solve the other’s problem.
Despite appearances, there is some important bipartisan work afoot on Capitol Hill. On Aug. 1, Sens. Mark Warner, Cory Gardner, Ron Wyden and Steve Daines dropped the Internet of Things (IoT) Cybersecurity Improvements Act of 2017. The bill seeks to use the federal government’s purchasing power to drive much-needed cybersecurity improvements in internet-connected devices.