WEBVTT

1
00:00:00.210 --> 00:00:03.030
Anna Delaney: Hello, welcome to the ISMG Editors' Panel. I'm

2
00:00:03.030 --> 00:00:06.090
Anna Delaney and we have a rather special episode for you

3
00:00:06.090 --> 00:00:10.230
this week as we explore the top legal and regulatory trends in

4
00:00:10.230 --> 00:00:13.980
data, privacy, and cybersecurity. To do that, we

5
00:00:13.980 --> 00:00:17.790
are joined by the star in the legal world. That is, of course,

6
00:00:17.820 --> 00:00:21.090
our good friend Lisa Sotto, partner and chair, global

7
00:00:21.090 --> 00:00:24.600
privacy and cybersecurity practice, Hunton Andrews Kurth

8
00:00:24.600 --> 00:00:27.960
LLP, and, of course, Tom Field, senior vice president of

9
00:00:27.960 --> 00:00:30.960
Editorial, and Mathew Schwartz, executive editor of

10
00:00:30.960 --> 00:00:34.350
DataBreachToday and Europe. Good to see you all. And Lisa, so

11
00:00:34.350 --> 00:00:36.000
great to have you back with us.

12
00:00:36.660 --> 00:00:38.220
Lisa Sotto: Thank you, Anna. I'm delighted to be here.

13
00:00:38.960 --> 00:00:41.540
Anna Delaney: And Lisa, where are you today? Is that an office

14
00:00:41.540 --> 00:00:42.080
I see?

15
00:00:42.740 --> 00:00:45.500
Lisa Sotto: It is. I'm on the 51st floor of the MetLife

16
00:00:45.500 --> 00:00:48.200
building in Manhattan and the view is glorious.

17
00:00:48.450 --> 00:00:52.680
Anna Delaney: We'd like to see that next time. Mathew?

18
00:00:53.560 --> 00:00:56.160
Mathew Schwartz: Yes, coming at you once again, live from

19
00:00:56.226 --> 00:01:00.257
Scotland. I'm just in Tentsmuir forest on the east coast here.

20
00:01:00.322 --> 00:01:04.354
Beautiful, lovely place to get away when I have a few moments,

21
00:01:04.419 --> 00:01:06.760
and what a walk along the North Sea.

22
00:01:06.000 --> 00:01:10.140
Anna Delaney: He surprised me that that's Scotland. I thought

23
00:01:10.140 --> 00:01:12.900
we were going to see sunny California. So, that's great.

24
00:01:14.550 --> 00:01:17.580
Tom, back at that place?

25
00:01:17.000 --> 00:01:20.630
Tom Field: It is where Chicago office separates ever further

26
00:01:20.630 --> 00:01:23.480
with a Billy Goat Tavern in the lower Michigan. I had a chance

27
00:01:23.480 --> 00:01:25.580
to return last week for the first time since COVID.

28
00:01:26.240 --> 00:01:28.700
Anna Delaney: Very good. Glad to hear that. And I am at the

29
00:01:28.700 --> 00:01:32.480
seaside, the South of France, thinking happy thoughts. Summer,

30
00:01:32.480 --> 00:01:35.840
after all. So Lisa, I know we all have a few questions for

31
00:01:35.840 --> 00:01:38.840
you. And I'm going to pass the baton over to Tom. Why don't you

32
00:01:38.840 --> 00:01:39.260
start off?

33
00:01:39.960 --> 00:01:41.790
Tom Field: Excellent. Lisa, glad to have you here. Today, I want

34
00:01:41.790 --> 00:01:44.430
to talk about - I know something you're deeply involved with is

35
00:01:44.430 --> 00:01:48.990
breach preparedness. I hear more organizations today that are

36
00:01:48.990 --> 00:01:52.560
involved in their senior management in boards in tabletop

37
00:01:52.560 --> 00:01:56.130
exercises upfront. To what degree do you find this is

38
00:01:56.130 --> 00:01:59.730
leading to better prepared organizations when the breach

39
00:01:59.730 --> 00:02:02.430
does strike, and what gaps do you continue to see?

40
00:02:03.500 --> 00:02:06.140
Lisa Sotto: Thank you for the question, Tom. Doing tabletop

41
00:02:06.140 --> 00:02:11.000
exercises is music to my ears. I love it. When executives talk

42
00:02:11.000 --> 00:02:14.450
about the most recent tabletop they've done, I think it really

43
00:02:14.450 --> 00:02:18.020
helps them become more conversant in how to manage

44
00:02:18.050 --> 00:02:22.190
these events.
They understand from doing tabletops the fast

45
00:02:22.190 --> 00:02:26.150
pace of these events, the types of decisions that they're going

46
00:02:26.150 --> 00:02:29.390
to be called upon to make, and the fact patterns because the

47
00:02:29.390 --> 00:02:33.350
fact patterns, while they change from incident to incident, they

48
00:02:33.350 --> 00:02:36.590
don't change so dramatically that you can't

49
00:02:36.590 --> 00:02:39.950
become sort of accustomed to the kind of framework that we're

50
00:02:39.950 --> 00:02:45.080
going to have to be operating in should a real event happen. It's

51
00:02:45.080 --> 00:02:49.370
also very important to identify gaps in the process because

52
00:02:49.370 --> 00:02:53.270
there are always gaps in the incident response process that

53
00:02:53.270 --> 00:02:58.550
can be fixed in advance. And those gaps change over time, as

54
00:02:58.610 --> 00:03:01.820
the threat landscape changes over time. And so, the important

55
00:03:01.820 --> 00:03:05.450
thing in doing tabletop exercises for executive teams is

56
00:03:05.450 --> 00:03:09.380
not to think of this as a one-and-done exercise. They have

57
00:03:09.380 --> 00:03:14.450
to be done continuously and you can exercise different aspects

58
00:03:14.720 --> 00:03:18.290
of the organization like you can exercise the executives and then

59
00:03:18.290 --> 00:03:22.340
you can start to think about comps and legal and how they all

60
00:03:22.340 --> 00:03:25.760
play in, and marketing and HR. So, there are many different

61
00:03:25.760 --> 00:03:29.840
types of tabletop exercises that can be done over the course

62
00:03:29.840 --> 00:03:32.570
of the year. And I would encourage the more the merrier.

63
00:03:33.920 --> 00:03:35.780
Tom Field: This is shifting gears a bit.
I want to revisit a

64
00:03:35.780 --> 00:03:39.770
topic we discussed in the past, which is the disparate privacy

65
00:03:39.770 --> 00:03:42.980
laws that are bursting throughout the United States. I

66
00:03:42.980 --> 00:03:46.580
believe we have six states now. Help me out here.

67
00:03:46.560 --> 00:03:49.776
Lisa Sotto: It's five states. It's California, Virginia,

68
00:03:49.849 --> 00:03:54.528
Colorado, Utah, and Connecticut. But you know, to say six is not

69
00:03:54.601 --> 00:03:58.987
- it's prognosticating in a very sensible way. Because there

70
00:03:59.061 --> 00:04:03.081
certainly will be more states to follow. And we're

71
00:04:03.154 --> 00:04:07.395
watching the landscape very closely. How do we manage this

72
00:04:07.468 --> 00:04:11.781
real mess, I mean, it is a hodgepodge right now of laws and

73
00:04:11.854 --> 00:04:15.729
very fragmented and hard to manage for companies that

74
00:04:15.802 --> 00:04:20.261
operate in multiple environments and in the United States and

75
00:04:20.334 --> 00:04:24.721
overseas as well. So, we have this real cacophony of privacy

76
00:04:24.794 --> 00:04:29.326
laws. Now, the key is to think about the basic principles, the

77
00:04:29.399 --> 00:04:33.639
framework, what underlies all of these data protection and

78
00:04:33.712 --> 00:04:37.953
privacy laws, whether in the United States or overseas, we

79
00:04:35.320 --> 00:04:59.561
Anna Delaney: What a lovely time to be a privacy professional.

80
00:04:38.026 --> 00:04:42.558
have to think about transparency and privacy notices. We think

81
00:04:42.631 --> 00:04:46.433
about the choices that we want to offer to users, to

82
00:04:46.506 --> 00:04:51.185
individuals, we think about the rights that they're now entitled

83
00:04:51.258 --> 00:04:55.571
to under all of these laws, access rights, deletion rights,

84
00:04:55.644 --> 00:05:00.323
the right to say no to marketing communications.
So, there are a

85
00:05:00.066 --> 00:05:26.834
Lisa, I appreciate your insights. I'm gonna pass this

86
00:05:00.396 --> 00:05:04.855
number of rights that are now embedded in really all of these

87
00:05:04.928 --> 00:05:09.461
laws. How do we manage service providers? Do we need contracts

88
00:05:09.534 --> 00:05:13.628
to restrict how service providers will use the data that

89
00:05:13.701 --> 00:05:18.234
they're entrusted with? How do we think about security issues?

90
00:05:18.307 --> 00:05:22.766
And then, of course, enforcement at the end of the day? Do we

91
00:05:22.839 --> 00:05:26.714
have a good internal audit mechanism? Do we have good

92
00:05:26.787 --> 00:05:31.320
checks and balances to make sure that our program is enforced?

93
00:05:27.339 --> 00:05:39.460
off now to Mathew. Matt?

94
00:05:39.000 --> 00:05:42.030
Mathew Schwartz: Great. I love the discussion of tabletop

95
00:05:42.030 --> 00:05:47.460
exercises and what organizations can do to get better. Great to

96
00:05:47.460 --> 00:05:50.130
have you back, Lisa. Last time we were here we were talking

97
00:05:50.130 --> 00:05:53.700
about preparedness and what organizations can be doing. So

98
00:05:53.700 --> 00:05:57.810
again, tabletop, love to hear it. Ransomware, however,

99
00:05:57.840 --> 00:06:02.820
continues to be a huge threat targeting organizations. Love

100
00:06:02.820 --> 00:06:06.060
that ransomware groups have gone by the wayside, but some of them

101
00:06:06.060 --> 00:06:10.410
have stuck around, such as LockBit. I think it's one of the

102
00:06:10.410 --> 00:06:14.400
more aggressive, making the most profit type of organizations,

103
00:06:14.610 --> 00:06:17.250
usually does health promotion, as we've seen, and they've

104
00:06:17.250 --> 00:06:22.620
recently gone from LockBit 2.0 to LockBit 3.0. I know you're

105
00:06:22.620 --> 00:06:25.920
tracking this. What does this portend for you?

106
00:06:25.000 --> 00:06:29.018
Lisa Sotto: LockBit is certainly one of the more active groups

107
00:06:29.098 --> 00:06:34.081
now and, yes, they have gotten more sophisticated and they are

108
00:06:34.161 --> 00:06:38.983
announcing to the world that they have achieved a different,

109
00:06:39.063 --> 00:06:43.242
a new, and a higher level of sophistication in their

110
00:06:43.323 --> 00:06:47.984
exploits. So, they and other groups are now charging more.

111
00:06:48.064 --> 00:06:52.163
They have an upcharge for Bitcoin over Monero, for

112
00:06:52.243 --> 00:06:56.905
example. They're charging separate fees for a delay in the

113
00:06:56.985 --> 00:07:01.646
timer, they're charging a fee for not deleting data or not

114
00:07:01.727 --> 00:07:06.227
posting the company's logo, and then another one for the

115
00:07:06.307 --> 00:07:11.370
decrypter. So, in case you don't need the decrypter, but you're

116
00:07:11.451 --> 00:07:16.032
sensitive about your data being posted or your logo being

117
00:07:16.112 --> 00:07:21.014
posted, that's okay. There's a cure for that, and you can pay

118
00:07:21.095 --> 00:07:26.318
to have the logo not posted. So, we are seeing real evolution and

119
00:07:26.399 --> 00:07:31.140
tactics. Of course, the war in Ukraine has also changed the

120
00:07:31.221 --> 00:07:35.802
landscape. Some we're seeing less from Ukraine, more from

121
00:07:35.882 --> 00:07:40.543
Russia. And the threat actor groups really have not slowed

122
00:07:40.623 --> 00:07:45.686
down their game very much. There are some that have folded, but

123
00:07:45.767 --> 00:07:50.589
we're also seeing some of the same malware being used by the

124
00:07:50.669 --> 00:07:55.652
new groups. So, they're really folding and then reconstituting

125
00:07:55.732 --> 00:07:57.340
as different groups.

126
00:07:58.500 --> 00:08:00.750
Mathew Schwartz: I know tracking all of this activity is

127
00:08:00.750 --> 00:08:04.890
something that is of increasing importance across the legal

128
00:08:04.890 --> 00:08:07.170
community to cybersecurity community, and the US government

129
00:08:07.170 --> 00:08:13.080
has really been making a move here. The FBI, among others, has

130
00:08:13.080 --> 00:08:17.580
said that knowing what event, when business pays a ransom,

131
00:08:17.610 --> 00:08:21.210
would be extremely useful information for it. They said

132
00:08:21.210 --> 00:08:24.030
sometimes we can help you recover this. Also, it helps

133
00:08:24.030 --> 00:08:28.980
them trace the flow of Bitcoin ransom payments, identify some

134
00:08:28.980 --> 00:08:31.530
of these threat actor groups, maybe identify some of the

135
00:08:31.530 --> 00:08:35.490
individuals involved. So, on that front, I know the Cyber

136
00:08:35.490 --> 00:08:39.270
Incident Reporting for Critical Infrastructure Act - always a

137
00:08:39.270 --> 00:08:44.790
mouthful - of 2022 was looking at critical infrastructure

138
00:08:44.820 --> 00:08:50.010
sectors having a mandatory reporting requirement, if they

139
00:08:50.010 --> 00:08:52.920
pay a ransom. I think I've gotten that nuance right. But

140
00:08:52.980 --> 00:08:55.260
what do we know so far about this? How do you think this

141
00:08:55.260 --> 00:08:57.780
might shake out? Is this what we've been waiting for?

142
00:08:58.860 --> 00:09:01.020
Lisa Sotto: I am wondering what the acronym is going to be. Are

143
00:09:01.020 --> 00:09:05.880
we going to be calling it CIRCIA? I'm not sure. Look, it

144
00:09:05.880 --> 00:09:10.410
is critical for the government to have visibility.
If they

145
00:09:10.410 --> 00:09:15.180
don't have visibility, there's no ability for law enforcement

146
00:09:15.180 --> 00:09:20.010
in the United States to connect the dots and to understand the

147
00:09:20.040 --> 00:09:24.000
modus operandi of the various threat actor groups. The FBI is

148
00:09:24.000 --> 00:09:28.620
extremely sophisticated now in tracking these groups, and they

149
00:09:29.340 --> 00:09:34.410
share information rapidly with the private sector. And that's

150
00:09:34.410 --> 00:09:39.690
been extremely helpful. And I do see a real uptick in private

151
00:09:39.690 --> 00:09:43.440
sector sharing with the government. Now, some of that is

152
00:09:43.440 --> 00:09:48.180
mandated, but in many cases, it's not. And it's voluntary and

153
00:09:48.300 --> 00:09:51.360
the fear of sharing data with the government has really

154
00:09:51.360 --> 00:09:54.510
diminished very significantly. So I think that that's

155
00:09:54.510 --> 00:09:59.370
important. And that kind of transparency is critical to, you

156
00:09:59.370 --> 00:10:02.370
know, hopefully - well, eradicating is too strong a word

157
00:10:02.370 --> 00:10:08.040
- but minimizing the negative impact of these groups. We do

158
00:10:08.040 --> 00:10:12.990
have a long way to go before the reporting obligations kick in in

159
00:10:13.020 --> 00:10:17.430
the Cyber Incident Reporting for Critical Infrastructure Act.

160
00:10:18.000 --> 00:10:21.330
There will be reporting obligations, but there are

161
00:10:21.360 --> 00:10:24.390
regulations that need to be issued prior to those reporting

162
00:10:24.390 --> 00:10:29.460
obligations coming into play, so we have a number of months to go

163
00:10:29.460 --> 00:10:33.750
before we see real information sharing as a result of that law.

164
00:10:34.830 --> 00:10:37.052
Mathew Schwartz: Lots of efforts and initiatives to disrupt

165
00:10:37.105 --> 00:10:40.069
ransomware. Excellent.
Well, thank you so much for that,

166
00:10:40.122 --> 00:10:43.669
Lisa. I'm going to hand you over to the correspondent on the beach.

167
00:10:43.000 --> 00:10:45.946
Anna Delaney: Yes, here I am. Thank you so much. I really

168
00:10:46.015 --> 00:10:50.058
enjoyed listening to all these answers and insights, Lisa. So,

169
00:10:50.126 --> 00:10:54.580
when we spoke at the end of last year, ironically, I think it was

170
00:10:54.649 --> 00:10:58.555
a snow scene I used. Thinking back, it was us, it was our

171
00:10:58.624 --> 00:11:02.941
winter special. And you said it was going to be a busy year for

172
00:11:03.009 --> 00:11:07.326
the FTC. What activity has been of most interest to you in this

173
00:11:07.395 --> 00:11:09.040
first-half of this year?

174
00:11:10.620 --> 00:11:12.750
Lisa Sotto: Well, the FTC has been extremely active. We've

175
00:11:12.750 --> 00:11:17.670
talked about this. And it is fascinating to watch what the

176
00:11:17.670 --> 00:11:21.930
commission is doing. There is, I would say, three themes that I

177
00:11:21.930 --> 00:11:26.700
would just bring to the fore today. First, there's a focus on

178
00:11:26.700 --> 00:11:31.620
strengthening kids' privacy. That is true both at the FTC and

179
00:11:31.620 --> 00:11:38.310
in Congress. It's a reasonably non-controversial point. So,

180
00:11:38.310 --> 00:11:43.710
it's somewhat easier than other types of data protection to

181
00:11:43.710 --> 00:11:46.950
protect kids' privacy. So, we're certainly going to see a

182
00:11:46.950 --> 00:11:51.030
continued focus on strengthening the privacy of children's data.

183
00:11:52.260 --> 00:11:55.590
I'll also note that the FTC recently came out with a

184
00:11:55.590 --> 00:11:59.580
statement indicating that they are essentially putting in place

185
00:11:59.610 --> 00:12:04.350
a de facto data breach reporting obligation at the federal level,

186
00:12:04.590 --> 00:12:11.190
that is a real sea change.
There are no general data breach

187
00:12:11.190 --> 00:12:14.910
reporting obligations at the federal level there. There are,

188
00:12:14.940 --> 00:12:17.340
of course, at the state level, there are 54 data breach

189
00:12:17.340 --> 00:12:20.790
notification laws in the United States, which is the 50 states

190
00:12:20.790 --> 00:12:25.200
plus Guam, US Virgin Islands, Puerto Rico and DC. But at the

191
00:12:25.200 --> 00:12:29.670
federal level, we have industry-sector-specific

192
00:12:29.670 --> 00:12:33.720
reporting obligations, like under HIPAA, under the

193
00:12:33.720 --> 00:12:38.190
Gramm-Leach-Bliley Act, but not a generalized breach reporting

194
00:12:38.190 --> 00:12:42.780
obligation. The FTC recently brought an enforcement action

195
00:12:42.780 --> 00:12:46.320
and then also came out with a blog post to say that in some

196
00:12:46.320 --> 00:12:51.570
cases, there would be a de facto breach reporting obligation. So,

197
00:12:51.570 --> 00:12:55.140
that is going to be also interesting to watch to see

198
00:12:55.140 --> 00:12:58.980
whether they use their section five authority with respect to

199
00:12:59.430 --> 00:13:03.690
breach notification, where it may not be required at the state

200
00:13:03.690 --> 00:13:08.400
or other federal level. And then, I would say the other, the

201
00:13:08.400 --> 00:13:13.770
third area to watch is that the FTC is considering a rulemaking.

202
00:13:14.520 --> 00:13:19.440
They would like to curb lax security practices. They also

203
00:13:19.440 --> 00:13:25.200
want to focus on not allowing algorithmic decision making for

204
00:13:26.400 --> 00:13:30.960
where it may result in unlawful discrimination. And then also

205
00:13:31.500 --> 00:13:36.660
focus on curbing privacy abuses. So I think those are three areas

206
00:13:36.660 --> 00:13:39.480
to watch and a number of others coming from the FTC now.

207
00:13:40.350 --> 00:13:42.570
Anna Delaney: And in general, in the field, are you watching

208
00:13:42.570 --> 00:13:44.310
anything else the rest of this year?

209
00:13:45.590 --> 00:13:49.970
Lisa Sotto: Oh, boy, what a busy time. Both the cyber and the

210
00:13:49.970 --> 00:13:56.090
privacy landscapes are active on the privacy front. Not only are

211
00:13:56.090 --> 00:14:00.530
we watching for additional state laws, but we're also watching

212
00:14:00.530 --> 00:14:04.610
closely to see what Congress does. There has been quite a bit

213
00:14:04.610 --> 00:14:08.780
of activity at the federal level. And, you know, we're

214
00:14:08.780 --> 00:14:12.860
hopeful that we can get a federal privacy law preemptive,

215
00:14:13.010 --> 00:14:17.960
I'm hoping, privacy law in place this year. On the cyber front,

216
00:14:18.410 --> 00:14:23.060
you know, more of the same, I would say, but stepped up

217
00:14:23.060 --> 00:14:27.200
activity, so it's more of the same on steroids. The ransomware

218
00:14:27.200 --> 00:14:31.580
is rampant, DDoS attacks also, cyber extortion without

219
00:14:31.580 --> 00:14:36.350
ransomware, Daxin. So we're seeing quite a number of

220
00:14:36.350 --> 00:14:42.380
exploits now. And the federal government also is stepping up

221
00:14:42.380 --> 00:14:48.320
its game in responding to these exploits. So, quite a landscape

222
00:14:48.320 --> 00:14:48.950
to watch.

223
00:14:49.370 --> 00:14:51.830
Anna Delaney: For sure, as Tom said, fun times to be in the

224
00:14:51.830 --> 00:14:56.750
field. But final quick question, at least we'll give you a pause

225
00:14:56.750 --> 00:15:02.930
for a moment. What has been a gain for privacy in 2022? Matt?

226
00:15:06.410 --> 00:15:09.315
Tom Field: I think Lisa nailed it that we have Congress now

227
00:15:07.580 --> 00:15:30.740
Tom Field: I think Lisa nailed it...I'm sorry. Go ahead.

228
00:15:09.376 --> 00:15:12.645
talking about a broad-based privacy law for the United

229
00:15:12.706 --> 00:15:16.399
States and there seems to be bipartisan support. As you know,

230
00:15:16.459 --> 00:15:19.971
I just came from our government cybersecurity summit in DC

231
00:15:20.031 --> 00:15:23.966
yesterday and the one theme that came through was the belief that

232
00:15:24.027 --> 00:15:27.175
cybersecurity and privacy legislation are bipartisan

233
00:15:27.236 --> 00:15:30.626
interest and are going to survive what might happen, you

234
00:15:30.686 --> 00:15:34.379
know, whether it's a Republican or Democratic Congress, going

235
00:15:30.770 --> 00:15:35.960
Mathew Schwartz: No, no. Go ahead, Tom. I'll follow.

236
00:15:34.440 --> 00:15:36.620
forward. So I find that encouraging.

237
00:15:35.000 --> 00:15:39.950
Mathew Schwartz: And I'll amplify what Tom said. When I

238
00:15:39.950 --> 00:15:43.340
started covering data breaches back when California brought in

239
00:15:43.340 --> 00:15:49.640
its pioneering state data breach notification law around 2003, I

240
00:15:49.640 --> 00:15:52.100
expected something to follow on the federal level relatively

241
00:15:52.100 --> 00:15:52.640
quickly.

242
00:15:53.190 --> 00:15:55.767
Mathew Schwartz: My expectations have been broken so many times

243
00:15:55.823 --> 00:15:59.186
since then, and it probably will continue to be broken going

244
00:15:59.242 --> 00:16:02.660
forward somewhat. I mean, but it's good, it's heartening that

245
00:16:02.716 --> 00:16:06.134
we've got Congress talking about it. Does this mean we'll get

246
00:16:03.710 --> 00:16:20.510
Tom Field: Twenty years later...

247
00:16:06.191 --> 00:16:09.273
much further, who knows?
But the fact that we're having

248
00:16:09.329 --> 00:16:12.691
discussions at the level we're having, the number of people,

249
00:16:12.747 --> 00:16:15.885
different kinds of privacy legislation, it is profoundly

250
00:16:15.941 --> 00:16:19.023
different than it was two decades ago when I was young,

251
00:16:19.079 --> 00:16:22.050
naive and full of hope. So possibly, we'll get there.

252
00:16:22.049 --> 00:16:25.066
Anna Delaney: Don't lose that hope. I was going to mention

253
00:16:25.134 --> 00:16:28.632
Apple's new security feature Lockdown Mode, because

254
00:16:28.700 --> 00:16:32.883
obviously, it's not intended for the average user. But in the

255
00:16:32.952 --> 00:16:37.135
wake of state-sponsored attacks, it's been a positive move to

256
00:16:37.203 --> 00:16:41.112
protect against Pegasus and other spyware. So early days,

257
00:16:41.181 --> 00:16:44.952
but I know it's been well received by the community. So

258
00:16:45.021 --> 00:16:49.272
hat tip to Apple - don't usually say that. There you go. Lisa,

259
00:16:49.341 --> 00:16:51.330
what's the highlight for you?

260
00:16:52.680 --> 00:16:56.262
Lisa Sotto: I will add that I testified before Congress in

261
00:16:56.340 --> 00:17:00.780
2006. And I told members of Congress that the cataclysmic

262
00:17:00.858 --> 00:17:05.765
data breach event at the federal level had occurred, that would

263
00:17:05.843 --> 00:17:10.204
be the tipping point to federal data breach notification

264
00:17:10.282 --> 00:17:15.345
legislation. My crystal ball was very murky and wrong. So, no, we

265
00:17:15.423 --> 00:17:20.252
have not had - despite events that have hit billions of people

266
00:17:20.330 --> 00:17:25.003
worldwide - we have not had whatever cataclysmic event needs

267
00:17:25.081 --> 00:17:29.676
to happen to have to get a federal data breach notification

268
00:17:29.754 --> 00:17:34.661
law.
But I am equally encouraged as my colleagues with respect

269
00:17:34.739 --> 00:17:39.802
to a data protection law. We are really out of step with the rest

270
00:17:39.880 --> 00:17:44.631
of the world and we're the only first-world country that does

271
00:17:44.709 --> 00:17:49.616
not have a comprehensive omnibus data protection law. So, if we

272
00:17:49.694 --> 00:17:54.289
can get there this year in Congress, that would really be a

273
00:17:54.367 --> 00:17:55.380
step forward.

274
00:17:55.000 --> 00:17:58.360
Anna Delaney: Right. Well, Lisa, this has been a great pleasure

275
00:17:58.428 --> 00:18:02.680
to have you join us again, and hope we can do this again soon.

276
00:18:02.680 --> 00:18:03.730
Lisa Sotto: Thank you very much.

277
00:18:04.660 --> 00:18:06.430
Anna Delaney: And thank you so much for watching. Until next

278
00:18:06.430 --> 00:18:06.760
time.