Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Online Extra: The Evolving Nature of Cyber Law

By Gabrielle Orum Hernández
June 01, 2018

As a law student, Anne Toomey McKenna worked as a research assistant for a professor who happened to be working on a treatise on wiretapping. McKenna thought she was headed for a career as a civil litigator and took the opportunity as kind of a one-off thought exercise, something that was unlikely to shape much of her career.

Quickly, she realized she was wrong. McKenna found the knowledge base she'd developed while working on this system was a far bigger question for the organizations she was working with than she'd expected. Questions about phone call retention quickly evolved into data retention, and before she knew it, she was a cyber law expert.

“If you think back to the 1990s, there was really a sea change about how business was run. For lawyers, the fact that everything went to electronic record radically changed law and evidence. These electronic evidence issues kept becoming more and more a part of my practice,” she said.

McKenna recently joined Penn State's Dickinson Law and Penn State Institute for CyberScience as a distinguished scholar of cyber law and policy and professor in practice. She'll be heading up interdisciplinary research and learning with students looking at the cyber and data privacy space. Cybersecurity Law & Strategy's ALM sibling, Legaltech News, recently caught up with McKenna for a Q&A:.

How do you think recent technological transformations have translated into law school training?

When people graduated from law school in 2010, they could get away with just taking the basic law school classes like civil procedure and common law. You didn't have to have a component of, “How did this change in terms of privacy? How does this change now that everything is online?” Now, if a student graduated and they just had evidence without exposure to electronically searchable information and ESI, they're not prepared to practice law today. It's almost a disservice.

That's what really exciting what's really exciting about [Penn State's] Institute for Cyberscience and Dickinson [Law School]. Their focus is that we're preparing for this from the development of technology. They're doing so many cool things with internet of things; they're doing so many cool things with virtual reality and augmented reality. It's so neat to be someone large enough where all the engineers and the software people want to work with lawyers, and they want to do it right. You don't see that many places, maybe because they don't have a law school, but maybe because they're just busy engineering.

Do you get the sense that engineering will continue to work faster than lawyers, or that engineers and lawyers will start to work a little more closely in the future?

In U.S. law, we tend to be more reactionary to technological development, but I think what's changing that is the EU. With this [General Data Protection Regulation], everybody who wants to do business on a global scale that in any way touches Europeans is required to come into compliance.

Have you noticed that every single app is sending you privacy notices?

Yeah, my inbox is totally full. Isn't it so annoying? But at the same time it's so good, because they're trying to be proactive. In the U.S., we tend to regulate in a technology-specific way, meaning that like, cellphones come out and then we create some new legislation, so again, a reactionary response. But with GDPR, by treating data just as data that requires protection in and of itself regardless of platform, it's not technology-specific, it's privacy-specific, data protection specifically.

I think that the law, particularly in the U.S., we have just been responding and trying to keep abreast of things. Think of how behind the Supreme Court is in addressing technology. In United States v. Jones, they were just trying to decide GPS tracking, and we're so beyond that with things like IoT. All of our devices are tracking us at all times, communicating with each other.

That's one of the cool things about cyber law, is keeping abreast of the technology. We're moving towards U.S. lawyers in particular necessarily being required to understand global approaches to this from a legal standpoint. Any client that wants to have a presence—the positive side of GDPR is that U.S. legislation is going to file on top of that, because our businesses have to comply with it, particularly larger businesses.

The differences are also so fascinating in the U.S. about the way we treat data. Medical data—that was HIPAA. Everyone in the legal space was familiar with HIPAA, but they weren't familiar with financial sector law, because it wasn't their space. Now all this information is being defined as personally identifying information, and instead of siloing data as we do in the U.S., it's really much more comprehensive in scope about data itself as opposed to breaking into medical versus financial.

What kind of technical background do you think law students need at this point to be competent attorneys?

I think that's critical. I think law students should be educated hand-and-hand with information technology students.

When I was visiting at Penn State Law earlier this year, I worked with [Information Services and Technology] faculty, and we did a cyber hack simulation where we did a phishing email. We showed the IST students and my law students how a hack goes down, what it looks like from a technical standpoint. We sat there and typed in the breach, showed how the breach occurred, showed how we mimicked and obtained all the passwords for the system. Then what laws come into play?

That's how we have to educate people, or we're just not going to develop and educate lawyers who are prepared for what the legal market and the business world and individuals need right now. Lawyers can no longer be just like, “I specialize in law and cyber.” Everyone has to have engaged knowledge.

It seems like a lot of these issues have broad implications outside of business compliance, in cases like public security and surveillance. How do some of these legal frameworks apply here?

We have such different concepts of individual privacy in the U.S., this notion that our home is our castle, that type of personality. That right of privacy from surveillance in the U.S., we've really seen this gradual erosion of these concepts because we are moving towards a surveillance state, and I don't say that in like in a “1984″ way, because that's inevitable.

I've worked with the [U.S. Department of Justice] and the Police Foundation on things like the use of drones in community policing. And that sounds really creepy, but if you think about the use of unmanned aerial vehicles for law enforcement, it's helpful provided the community is aware and on notice — it can help in search and rescue, it can help in all kinds of things. But it poses all of these problems because our courts haven't framed laws, or at least guidelines under common law to figure out how this works. Again, we're reactionary.

[At the same time], we all are walking around now with recorders ourselves in our phone, police stopping people from recording them when they're engaged in the course of public duty, and every circuit court has addressed it and is like, “Nope, the public has the right to record the police at all times.”

We're all in a more heightened surveillance state. It's a two-way street. But the U.S. is much more; that's where we are. We tend to be a little stronger than the Europeans, in that we still perceive the right to electronic privacy. There's a problem, though, because there's such a disconnect between how government is regulated and law enforcement is regulated and what they can lawfully obtain, and what we willingly give over to private industry. We give everything to private industry, and then with the third-party drop trend, if we share it with the app, the app just gives it to the government.

Right now the third-party doctrine is a big problem in protecting citizens' privacy. Just by nature, these platforms necessarily require exposure of all our data to third parties, so if we keep the third-party doctrine, we've eviscerated our right to protect from the government seizing information on us.

*****

Gabrielle Orum Hernández is a reporter with Legaltech News, an ALM sibling of Cybersecurity Law & Strategy, covering legal technology startups and vendors. She can be reached by email at [email protected], or on Twitter at @GMOrumHernandez.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.