Articles Posted in Risk Evaluation and Management

Michael A. Gold, co-chair of JMBM’s Cybersecurity & Privacy Group, will host a panel of industry leading experts for the webinar, The Right Stuff: Validating Reasonable Information Security

Date: Thursday, June 18, 2020

Time: 10 AM – 11:15 AM PDT; 1 PM –  1:15 PM EDT

Register Now

Most organizations have never had to prove that they have reasonable information security. Business and legal pressures are changing this dramatically. The California Consumer Privacy Act exposes businesses that have been breached to serious financial liability when they do not have reasonable information security. With data breaches increasing in scope and damage regardless of the money spent on cybersecurity, businesses will need to validate – in effect prove – that they have reasonable information security in order to avoid financial, legal and reputational harm.

During this webinar, our panel of experts cover:

The meaning of reasonable information security: What is it? Why the established information security frameworks, such as NIST, ISO and CISO,  do not deliver reasonable information security; Why dynamic assessment of an organization’s information security posture is crucial; The impact of overlooked vulnerabilities in cloud and IoT environments.

The legal requirement for validating reasonable information security: The far-reaching impact of the California Consumer Privacy Act’s requirement for reasonable information security practices and procedures; Why the law is a precursor to similar requirements likely to be adopted by other states and the federal government; legal exposures arising from inability to validate reasonable information security.

The business and insurance imperatives for validating reasonable information security: Cyber insurance carriers will no longer take at face value an insured’s representations about its information security posture; Larger enterprises will decline to do business with companies that cannot validate the effectiveness of their information security measures; Regulated companies will no longer be permitted to self-certify their compliance with information security and privacy requirements. Continue reading

Robert E. Braun, chair of JMBM’s Cybersecurity & Privacy Group, will be the keynote speaker for the webinar, Privacy and Information Security – Best Practices and Imperatives.

Date: Wednesday, May 27, 2020

Time: 2:00 PM Pacific Time

Register Now Continue reading

Moving to the Cloud to Save Money

The Covid-19 pandemic has created profound challenges for almost every organization. As these challenges mount, companies are dramatically cutting their soft costs, including information security. Many companies are reducing their information security and privacy compliance spending by moving to the cloud. This is good, right? Maybe, and only if the move is managed in a well-informed way. Not asking the right questions up front can lead to serious consequences.

It is crucial to keep in mind that no information security or privacy law in existence today views being in the cloud, in and of itself, as constituting reasonable information security. Nor does any information security or privacy law view the cloud as a mitigating factor in the context of data breaches.

 Increasing Reliance on Cloud Computing

The use of cloud platforms has grown exponentially. One of the results of the work-at-home mandate, which will persist even as work restrictions are relaxed, is the continuing move to cloud computing, both because of the benefits of scalability and the dedicated IT and IS resources afforded by cloud vendors and also the need to conserve financial resources. It is difficult and expensive to maintain onsite information technology and information security operations and staff. Cloud computing reduces costs and increases accessibility.

Moving to the cloud, however, does not eliminate all risks – some hazards go away but others are introduced. Cloud environments are vulnerable if end-users fail to observe proper security hygiene – vulnerabilities at the end-user level will create vulnerabilities in the cloud environment. It is imperative as well that the cloud vendor has appropriate information security and privacy compliance measures in place. Many smaller cloud vendors and service providers who use the cloud have deficient information security and privacy compliance frameworks, assuming they have any in place at all. Many organizations, especially small and medium sized businesses, seldom evaluate whether their vendor’s cloud is a safe place to be.

Getting the move to a cloud environment right is crucial. The security and availability of an organization’s data is important for both operational and business continuity reasons. Moving to a cloud is no excuse for taking eyes off of information security or for lax privacy compliance. Continue reading

Leonard Lee of Thomson Reuters Legal Current interviewed Bob Braun, Co-chair of JMBM’s Cybersecurity & Privacy Group for a podcast titled, “Are You Practicing Social Media Hygiene?”

Listen to the podcast here.

In this brief podcast (18:28 minutes), Bob Braun discusses the risks that both companies and individuals face when posting information on social media.

Braun describes situations in which hackers spoof a company’s boss, based on real-time information posted on social media, resulting in unrecoverable monetary losses for the company.

“Posting information about yourself on social media can be used by a hacker to fool you or people you know,” he said.

Braun covers issues that individuals and employees should be aware of when using social media, including email.

“Sophisticated programs are easily available on the dark web. We are dealing with bad actors who are extremely skilled and creative,” he said.

“Habits on social media have to be consistent in business and personal lives.”

Listen to the podcast here. Continue reading

Robert E. Braun and Michael A. Gold, co-chairs of JMBM’s Cybersecurity & Privacy Group, will participate as panelists on the webinar, What is Reasonable Information Security?

Date:   Thursday, April 23, 2020
Time: 10:00 AM – 11:30 AM Pacific Time

Register Now

JMBM’s cybersecurity lawyers, along with a cybersecurity consultant, a Chief Information Security Officer, and a cyber compliance expert will address the following questions about reasonable information security:

  • What isn’t it?
  • What is it?
  • What does the legal landscape look like?
  • Is it a realistic goal?
  • How does it impact my 3rd party risk policies and practices?


Sean Weppner – Chief Strategy Officer, Nisos


Robert E. Braun – Partner and Co-chair of JMBM’s Cybersecurity & Privacy Group
Michael A Gold – Partner and Co-chair of JMBM’s Cybersecurity & Privacy Group
Art Ehuan – Vice President, Crypsis
Gerald Beuchelt – CISO, LogMeIn
Greg Kruck – Director, Sales Engineering, CyCognito

Register Now for This Informative Program


Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.

Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives, and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at or +1 310.201.3529.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Public Service Announcement: Social media use increases your cybersecurity exposure. Share appropriately.

If that were all it took.

In my earlier post, I described how casual use of social media (that is, failure to take into account its impact on privacy and security) can put your company’s information security profile at risk, and open your executives and employees to social engineering cyber scams. Additionally, social media accounts often contain sensitive personal data that can be accumulated, hacked, sold and resold. The most popular social media sites compound this problem when they release – unintentionally or not – personal information.  Facebook is a regular offender; just this month it confirmed that it “unintentionally uploaded” the email contacts of 1.5 million people without their consent. Business Insider reported that a security researcher noticed Facebook was asking some new users to provide their email passwords when they signed up — a move widely condemned by security experts.

While it’s unrealistic to enforce a policy banning the use of social media, companies can and should educate executives and employees on appropriate use as part of regular cybersecurity training. Social media “hygiene” should become as ubiquitous as the signs imploring that “employees must wash hands” in restrooms.

Look at Your Settings—Often

When apps or devices are updated, it’s common that privacy restrictions get reset to the baseline, which is often the most liberal sharing of data. As a result, even if you set your privacy preferences at an acceptable level recently, updating your operating system or applications – generally a good idea – may result in reestablishing the basic settings. Continue reading

It is difficult to overstate the current backlash against social media. Social media giants are under attack from virtually all sources, including both governments and individuals. The #humblebrag du jour is a social media addict publically stating the intent to close accounts, take social media sabbaticals, cull friend and follower lists, and boasting about how much better life has become after weaning themselves from the constant attention-drain – even if many do not follow through on the threat.

If you join the movement, you might be helping your company’s information security profile.

Social media accounts often contain sensitive personal data that can be accumulated, hacked, sold and resold in their own right.  But beyond that, they provide corporate hackers with enough information to guess passwords, whereabouts and interests, and provide enough data to craft sophisticated and effective spear-phishing emails – personalized missives that reflect the character and wording of the individuals they spoof, down to grammar, spelling and tone.

That’s why it’s so important to include a cybersecurity-focused review of your company’s social media policy and practices. If you aren’t going to set strict social media standards for C-level executives and consider conducting regular audits of their social accounts, then you at least need to educate them about the risk. Some of the key risks  – but only the most obvious ones – are below. Continue reading

Cybersecurity is a method to protect your data and systems. Cyber resiliency is a way of doing business in the face of the inevitable.

When Hurricane Michael struck the Florida Panhandle earlier this month, it wiped away wide swaths of Mexico Beach, a coastal town on the Gulf of Mexico. Left conspicuously standing was a house built just last year of reinforced concrete, specifically designed to withstand a Category 5 storm.

The house, elevated on pilings to survive the storm surge, lost its stairwell—by design. It was built to separate from the building without damaging the structure itself. Other than the missing stairs, the house suffered only minor water damage and a cracked shower window.

This story is an important lesson, and a metaphor for cyber resiliency, taking steps to weather a data or systems catastrophe while maintaining ongoing business operations. The adoption of cyber resiliency is an important mindset shift for those dealing with cybersecurity.

Cybersecurity is the approach that focuses on the methods and processes of protecting electronic data – the goal is to thwart an attack, and emphasizes training people and systems to recognize infiltration so it can be stopped. Cyber resilience, on the other hand, assumes an attack will occur. The underlying premise could be summed up this way: “What can go wrong, will. What are you going to do about it?”

Many companies have made meaningful improvements in protecting their data. They have implemented better firewalls, procedures and training to reduce the likelihood of an attack.  While these steps are essential, implementing a cyber resilience program focuses on how the enterprise can continue doing business in the midst of and in the wake of an attack. Cyber resiliency requires a different set of tools and, more importantly, a corporate culture more attuned with surviving natural disasters.  Continue reading

iheartcalifornia-300x138On June 28, 2018, Governor Brown signed the California Consumer Privacy Act of 2018, which goes into effect on January 1, 2020. But – because of certain look-back features in the new law – significant compliance will be required by January 1, 2019.

The Act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.

Observers estimate that about 500,000 companies nationwide will need to comply with the California Consumer Privacy Act. The California Attorney General is expected to aggressively enforce the Act – and it will have the budget to do so. Consumer watchdogs and plaintiffs class-action lawyers will also be on the hunt for violators.


This is a serious law and violations will have serious repercussions for your bottom line and your reputation.


The Act provides many of the same consumer privacy protections as the European Union’s General Data Protection Act (GDPR). JMBM’s Cybersecurity & Privacy Group has counseled dozens of companies on GDPR compliance and is now discussing California’s new law with clients; we are eager to help you assess your own compliance and protect your business from expensive liability and litigation.

Some key points:

What does the Act do?

The new act says that California residents, including minors, who give personal data of almost any kind to a for-profit business, have the right to know how the data is being used, have it deleted, know who the data is being sold to, and object to the sale of their data. In short, California consumers now own their personal information and have a significant measure of control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.

Who is subject to the Act?

The California Consumer Privacy Act applies to any for-profit business that:

  • Does business in the state of California;
  • Collects consumers’ personal information (or is the entity on whose behalf such information is collected) and determines how that information is collected and processed;
  • Meets one or more of the following thresholds: has annual gross revenues in excess of $25 million; buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices; or, derives 50% or more of its annual revenue from selling consumers’ personal information. The Act applies to small and mid-sized businesses, not just large companies.

What happens if a company does not comply?

The act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.

In the event of a data breach, California residents will have a private right of action to recover up to $750 per incident, or actual damages. The statute directs courts to consider the nature, seriousness, persistence and willfulness of an incident, the number of violations, the length of time over which the incident occurred, and the violating company’s assets, liabilities and net worth.

Because of the minimum recoverable amount, consumers do not have to prove actual damages, only that there was a violation of the act.

What do you need to do now?  

California businesses will need to take several steps to achieve compliance, including:

  1. Adopt a method for handling consumer requests for personal information.
  2. Develop templates and procedures for responding to consumer requests.
  3. Develop procedures for collecting and processing data.
  4. Identify and document the legal basis for collecting and processing personal information, in order to respond to the consumer’s right to have their information deleted.
  5. Make appropriate changes to public-facing website disclosures, including adding a description of consumers’ rights under the Act, listing the categories of data collected, and including a conspicuous way for consumers to indicate that they do not want their data sold.

 What should you do now?

Contact us to discuss whether this new act applies to you, and how you should prepare for it. This is a serious law and violations will have serious repercussions for your bottom line and your reputation.


Michael Gold
Partner and Co-Chair of the Cybersecurity & Privacy Group
Bob Braun Photo
Robert E. Braun
Partner and Co-Chair of the Cybersecurity & Privacy Group


Agreeing to ransom terms is a losing proposition; spend your time and energy preparing for an attack.

Ransomware attacks are on the rise, partly because of the ease and anonymity of crypto-currencies. In a typical ransomware attack, cyber criminals invade a computer system and encrypt key data, then threaten to destroy the data unless the victim pays the criminal a relatively minor sum (ranging from hundreds to thousands, or in rare cases, tens of thousands of dollars). Schemes go by the teasing names of CryptoLocker and WannaCry, but there’s nothing playful about finding that you are a target. Ransoms are priced at a level that encourage compliance with the criminal demand. Yet there’s nothing that ensures a payment will actually free up your data and the utility of your system – in many cases, it’s clear that the criminals never intended to unencrypt the data.  Moreover, once a system has been compromised, there can be little doubt that the hackers accessed sensitive data and left behind malware allowing them to create more mischief.

There is fierce debate over how to respond to attacks; even the FBI at one point seemed to advocate paying ransom to reclaim stolen data, though it clarified its position in 2016 and no longer recommends payment.  At the same time, for many firms, spending a relatively modest sum to recover mission-critical data sounds better than spending a far greater sum to recover only a portion of that data.  The latter approach is, however, a poor use of resources; rather than trying to determine whether to agree to ransom terms, spend your time and energy preparing for an attack. Companies should consider a ransomware attack as you would any other cybersecurity breach. That is, it is going to happen, the only question is when. Sound preparation boils down to several key considerations.

1. Back Up Data and Store It Properly

Any system is vulnerable when there is only one copy of data, or when backups are stored on tied or companion systems. If cyber criminals encrypt data on your main system, it’s important to be able to access the original data, and that means copying and storing it on a separate, secondary system that is untethered from the main system, and where it is possible to extract uninfected data. This is sound practice no matter what the threat; ransomware has only highlighted its importance. Whether its financial data, health records, or city citations, having multiple ways to access data is key. Moreover, simply having a backup is not sufficient; unless the backup is tested, one can never determine whether it is effective, how long it will take to implement, and other key issues. Continue reading