Human Voices, Episode 5: Legislation’s Role in Cybersecurity

Hosted By Bastian Purrer

January 13, 2021

Welcome back to Human Voices, humanID’s podcast talking cybersecurity, privacy, and news in tech! This week, we are joined by Scott Watnik and Michael Contos, two lawyers from Wilk Auslander who focus on cybersecurity and privacy. They’re here to talk with us about legislation in the cybersecurity space and how it can affect companies, both big and small.

The transcript below has been edited for clarity and brevity by Scarlett Wang. The full podcast episode is available at the top of the article and on Anchor.

humanID: So, thank you everyone for listening in for the fifth episode of Human Voices. Today with us are Scott Watnik and Michael Contos, from Wilk Auslander, which is a full-service law firm based out of New York City, acting globally, and specifically one of their many focuses is cybersecurity law. And that’s what we’re here to talk about today. Thank you, Scott and Michael, for your time.

Scott and Michael: Thank you. Thank you for having us.

humanID: Cybersecurity law is certainly a very complicated and complex topic. Specifically, one that many entrepreneurs are probably more scared of when they hear about it. How is your firm connecting to that space?

Scott and Michael: As you have mentioned, we are at the Wilk Auslander Center based here in New York City, and we are a full-service firm on a commercial litigator case. We represent a broad range of clients. Our clientele ranges from business owners, partnerships, financial institutions, and hedge funds to governmental entities. We found ourselves having to counsel clients on putting together cybersecurity manuals, on how to respond to cybersecurity breaches, and on new legislation emerging in this realm, such as the SHIELD Act, which confers cybersecurity obligations on businesses. Our clients didn’t even know that this legislation passed, and that they have affirmative obligations under it. So, in everything that we’re doing for clients in the full service that we’re offering clients, cybersecurity is just becoming an inherent part of offering legal services. And we realized very quickly that we would really be doing our clients a disservice if we didn’t start a cybersecurity practice and build that into every facet of our practice, as Scott mentioned.

One value that we add sort of to our clients, oftentimes are even aware that they’re collecting data that they need to be thinking about. We’re collecting people’s data that is being stored electronically, right, so just making them aware that they’re doing it is important, and it’s got various legislation that has to be considered that we counsel clients on, but, you know, for people who aren’t in the tech space, you know, it’s sometimes the realization that you slip back up there collecting data. You know, if it’s your business and you employ somebody, you’re collecting their name, their address, Social Security number, and date of birth for tax purposes and otherwise. So just by virtue of employing somebody, you are collecting data, and we’ll get to this more in depth, but it’s personal identifying that we’re collecting that data is covered by the cybersecurity law process.

humanID: Is there a danger that privacy legislation in general helps the big tech firm because it puts up such big obstacles to enter the market that only big firms can really fulfill?

Scott and Michael: I think there is an element of that. But again, as Scott was saying earlier, these laws are generally designed to take into account vast differences in resources that businesses have. So, generally, as long as businesses are taking steps that are reasonable considering their resources, they are going to be okay under these laws. So I think that there are some elements where you have to have at least some baseline capability of addressing these issues in order to comply with the law, but generally the laws are going to be flexible enough to take into consideration the fact that this is stuff with different resources. But on the flip side, these laws and the obligations that they do refer to can certainly be a roadblock to entrepreneurship.

humanID: So at humanID we take the PII, personal identifiable information, we take the data we verified, but then we encrypt it in a non-reversible way, and basically don’t save any personal identifiable information. Where’s better than any no encryption is perfect, obviously, there’s just a limit of computer resources to get to it, basically, ultimately. Where is the specific standards defined for when something is so personal identifiable information when it is already an encrypted or a hash?

Scott and Michael: So, your personal identifiable information is generally considered to be any form of information that can be used to identify an actual person. So, of course, that includes common information, such as name, address, Social Security number, driver’s license number, etc. Legislation we see today in both the cybersecurity statutes and the private privacy statutes are extending the definition of personal identifying information to include things like biometric data. For example, facial recognition features, thermal imagery, electronic imagery, etc., geolocation data, that can all be considered PII. But what if the organization is encrypting data in a way that there’s simply no way to decipher who’s the identity of the person who is behind the data?

humanID: So we think we want bigger companies to be built on top of this, we want the next Facebook to be built on top of humanID, but I think only if it is a non-commercialized protocol that can be used by everyone, that is open source so it can be trusted to not change direction in the future. Only then will it ever have that status as a generally acceptable identity standard. As soon as we are for profit, nobody will trust us to build their future business on top of it, and the users have just been burned too often by too many businesses that made big promises and then later on changed direction, so that they have become very cynical about it. So I think we as a team, as well as our clients and our end users, can only really have the trust that this will stay protective of all user data if we are nonprofit, and that enables us. I mean, a lot of the infrastructure of the web, when you talk about protocols and coding languages and Wikipedia, sort of the Knowledge Graph, and even the internet itself, are public infrastructure, and that’s how we think about humanID.

Scott and Michael: Well, it seems to us, you know, humanID can be revolutionary. Because if humanID has the practical effect of removing PII collection and storage from the equation, then that removes virtually all of the evils that the statutes we’ve been talking about are designed to prevent. And in that sense, it would really revolutionize the internet. These evils, however, exist because there are companies out there that are seeking to profit and capitalize on this data. You know, it would be interesting to see how Facebook for example, which has openly admitted to Congress to gathering and collecting information that amounts to PII and not informing its users that it’s doing that.