The Oklahoma Bar Journal September 2023

technical cybersecurity controls that decrease risk and can limit damage in the event of a breach include multi-factor authentication, firewalls and endpoint detec tion and response (EDR). Quality EDR programs utilize artificial intelligence to monitor networks and detect odd patterns that could indicate an infection within the system. This type of monitoring is crucial because viruses can live on networks for months before being detected or deployed. Still, no system is perfect, and a breach of some type may occur even with the most rigorous of cybersecurity programs. As a result, attorneys advising corporations on cyber-related events need to bear in mind two overarching concepts: First, the scope of attorney-client privilege during a cyber event is currently in debate. 31 Streamlining communications and controlling communications during a cyber event is therefore critical to pro vide the best shot at retaining the privilege in the event of litigation.

considered to be one of the most, if not the most , onerous of data privacy laws. LOOKOUT NO. 5: IT IS NOT IF YOU’LL BE HACKED BUT WHEN Every client will want to know what they can do to ensure they will not be hacked. The answer is, “Nothing.” There are, however, best practices. For example, cyber insurance and data privacy poli cies often limit access to data on a “need-to-know” basis. Limiting access to data can be accomplished in a myriad of ways, ranging from passwords to tokenization. 29 By limiting who can access what data, companies are able to lower the risk of unauthorized access. Technical controls, such as tokenization or encryption, 30 achieve both data privacy goals and cybersecurity goals. If data privacy policies are done well and actually operationalized, then if a breach occurs, the amount of data that could be gathered is ostensibly lowered as well. Other common

2) Does the company fall within the scope of the law? For example, in California, the company must gross a certain amount of money or possess data on a certain number of households or derive a certain percentage of its revenue from the buying and selling of data before the law applies. 27 Corporations gen erally disapprove of this patchwork regime; as a result, there has been a sincere push to federally regulate data privacy in recent months – if for no other reason than to reduce administrative costs to companies. What the federal law will look like and to whom it will apply is unclear. As a result, attorneys may be asked how to prepare for a federal law. At this stage, compli ance with California’s, Colorado’s and Virginia’s data privacy laws would likely be safe starting points for compliance with federal law. Alternatively, compliance with the European Union’s General Data Protection Regulation (GDPR) 28 would likely meet the bar of any federal law because the GDPR is

Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.

10 | SEPTEMBER 2023

THE OKLAHOMA BAR JOURNAL