
Cybersecurity Law Report: Former Twitter and eBay Counsel Talks Overblown Fears, Third-Party Data Management, and CDA Section 230

April 7, 2021

O’Melveny partner Tod Cohen, a former in-house counsel for big tech heavyweights, sat down with Cybersecurity Law Report to discuss a broad range of data security and privacy issues facing private companies today. 

Cohen told the publication that companies should monitor impending cybersecurity laws that could change the rules of the game. “[L]aws are becoming more prescriptive and moving, for example, towards the model of financial services’ anti-money laundering laws, where a company is required to have certain controls in place and is liable if it does not have them, as opposed to simply enforcement after the fact,” he said. “The European GDPR and the upcoming California Privacy Rights Act and the new Virginia data protection law have prescriptive notice requirements not historically found in privacy laws.”

While companies should take their cyber hygiene seriously, Cohen cautions that not all cyber laws require the same strict adherence. He recommends a disciplined “consequence assessment” to determine which laws correspond to a company’s business practices. “There are always risks – there are lots of lawyers who will tell me there is risk because the law says you cannot do X and we are doing that,” he stated. “But that is only part of the picture. What is the real liability? I worked for StubHub. Every jurisdiction in the world has a ticket anti-resale law of some sort. But does any jurisdiction enforce that, aside from perhaps during the Olympics?”

Cybersecurity Law Report subscribers can read the full interview here.