The Legal 500


The Legal 500 and Steptoe & Johnson LLP Roundtable: Cyber In-Security

16th June 2015, New York

MR. DAVID BURGESS: I'd like to extend my thanks to Steptoe for hosting this evening's event. And for those of you who don't know, they do a weekly podcast on cybersecurity, which is available at It's an interesting weekly discussion, and well worth a listen for those of you who have to deal with this issue constantly. I'll put this evening into context. There are, as is often said, two types of companies, a company that's been breached and one that's been breached and doesn't know it. There was a report that came out very recently, it may have even been today, that says that the cost of a breach for an American company is, on average, about four million dollars. Now bear in mind, most of the companies around here aren't average. It's going to cost you a lot more than four million dollars.

Kroll suggest it's often about 270, 280 days before most companies realize they've actually been hacked. So, it really does bring us to the topic, which is not only preparing for it, but also living with it. But I think the best thing to do initially, is go around the table, and introduce ourselves.

MS. MARY KRAYESKE: Hi, my name is Mary Krayeske. I'm an attorney and work for Con Edison.

MR. MICHAEL VATIS: I'm Michael Vatis from Steptoe's New York Office.

MR. RICHARD NOHE: I'm Richard Nohe, general counsel for BT in the Americas.

MR. MARK SCHILDKRAUT: I'm Mark Schildkraut. I'm assistant general counsel IP for BD, Becton Dickinson and Company.

MR. DARREN BOWIE: Darren Bowie, Chief Privacy Officer and Associate General Counsel at AIG.

MR. ADAM RATNER: I'm Adam Ratner. I'm general counsel and chief compliance officer at New York and Company.

MR. JASON WEINSTEIN: I'm Jason Weinstein. I'm with Steptoe's D.C. office.

MR. DAVID HERMAN: I'm Dave Herman, in-house counsel, privacy and cybersecurity from Bloomberg.

MR. SHAI MEHANI: Hi, I'm Shai Mehani. I'm from Powa Technologies. I'm associate in-house counsel.

MR. GINO TONETTI: My name's Gino Tonetti. I'm also from Powa Technologies and I'm the VP of legal for North America.

MR. ALAN COHN: I'm Alan Cohn from Steptoe's Washington, D.C. office.

MR. ANTONIOUS PORCH: I'm Antonious Porch, Vice President and Senior Counsel at Viacom.

MS. SAMANTHA HIMELMAN: Samantha Himelman, Vice President, BNP Paribas covering cyber security and privacy.

MR. STEWART BAKER: And I'm Stewart Baker from Steptoe and Johnson.

MR. DAVID BEISTER: And I'm David Beister. I'm the general counsel at WTC Captive Insurance Company.

MR. BURGESS: The opening thing that we wanted to look at was the role of GC in dealing with cyber security issues. I think it would be interesting if a couple of you jump in and say within your organization, what the GC's role is. Some of the things we've mentioned are anticipating potential adversaries, planning the response to an incident, complying with the legal regimes, protecting privilege, reducing legal exposure. Richard first, within your organization, what are the issues that you are responsible for?

MR. NOHE: In BT, legal, governance, compliance and regulatory sit within the GC office. When you look at those individual items, certainly the legal piece is very relevant. It's about providing legal advice as to what our obligations are to disclose when a breach may happen. The laws around the world continue to evolve, especially in data privacy. Security and privacy have really come together quite a bit.

If you look at the governance aspect, the GC has a key role because, at least within BT, that is largely looking at how we set up the control mechanisms. What goes to the Board and whether it goes to the nominating in governance committee, whether it goes to the Board audit and risk committee, and so forth.

Then you go into the compliance area and, there again, the GC has a key role to play in helping set the rules and policies, but ultimately it's up to everybody in the corporation to comply. And then of course, regulatory, which I think is more particular to what industry you're in.

MR. BURGESS: Do you feel the same or is it different in your organization?

MR. RATNER: I think the other part is just ongoing education of board members, as they are more and more concerned every day about this. Every time there's an article that my head of audit sees, he sends it to me, did you see this? And so I think now it's reached that point where board members are seeing that there are lawsuits being brought against companies and there is personal liability to board members who aren't as attentive to these issues.

So, from my standpoint, a lot of what I do day to day is just making sure that I keep up to date on things that are developing. I'm communicating those, setting up board education sessions, so that even if it's not providing a lot more information than what they know, they feel like we're proactively in front of the issues. Enough so, that we're not viewed as being completely reactive to what's occurring in a negative way.

MR. BAKER: So, thinking about governance, I have a hobbyhorse here. You probably noticed that attribution of these attacks has gotten better or at least the government has gotten quicker to say that this one was North Korea and that one was China. That's because the tools for determining who is attacking you are much better than they used to be. The forensics people you hire will often tell you who they think it is and they're usually right.

Knowing who's behind these attacks changes the way you think about the attacks and the way you think about cyber security. And it changes our cybersecurit
