From Prevention to Litigation: A Cybersecurity Expert's Legal Perspective
A conversation with Joseph Steinberg, a globally recognized cybersecurity and AI expert with over 25 years of industry leadership experience.
Q: What kind of cybersecurity issues do you typically help businesses with, and how can your expertise help them win legal cases?
Many of the cases in which I am involved are ones in which there is a dispute over who should incur the financial loss resulting from a cybercrime; such situations are, unfortunately, quite common, because, in the vast majority of financial cybercrimes, whatever was stolen cannot be recovered from the crime’s perpetrators.
Often, for example, I am able to help parties recover money in situations in which financial institutions (or other parties with fiduciary responsibilities) refuse to reimburse accountholders after thefts – when such firms seek to ascribe blame for the thefts to accountholder negligence. In many such scenarios, for example, I am able to guide lawyers into obtaining evidence that I then use to demonstrate conclusively that legally-mandated security systems – systems that are required to account for the fact that human behavior and other factors regularly undermine the efficacy of authentication systems – should have stopped the fraud despite any alleged user negligence.
Other cases that I see involve the theft of data – or the alleged misappropriation of trade secrets. And, of course, there are many cases that are not specific to cybersecurity, but, because electronic information is the lifeblood of today’s economy, and the veracity of digital evidence can be easily challenged, such cases often require the testimony of a cybersecurity expert witness if a party is to be able to prove the merits of a case.
I am also brought in when parties suspect that an adversary may be attempting to cover up evidence – something that seems to happen far more often than a person outside of the cybersecurity field might have guessed; I have helped multiple aggrieved parties obtain punitive damages by demonstrating that their adversary manipulated log files ex post facto and/or hid evidence.
Part of my role is to strategize with the legal team that has retained me to help it determine for what evidence to search/request, and upon which collected materials to focus. Cases often settle after I write a detailed report explaining why the relevant evidence supports a particular ruling by a judge or jury.
Furthermore, I have had many cases in which one party presented all sorts of evidence related to a particular security failure and pointed to that failure as the cause of significant data leaks and financial losses – but, when I reviewed the relevant evidence, I was able to show that those factors were not the proximate cause of any of the actual damage and, in fact, could not possibly have had any real-world impact unless other, much more serious security failures had already occurred.
Q: How do you explain complex cyber issues to lawyers, judges, or business leaders who may not have a technical background?
There is no “one-size-fits-all” when it comes to communication – decades of experience guide me on a case-by-case basis. I have been simplifying the understanding of complex technical concepts and evidence for lawyers, arbitrators, judges, and juries for many years – I was able to gain a level of experience in this regard that is extremely rare in my field. Additionally, over the past 30 years I have been delivering public keynotes to business audiences about cybersecurity, have written hundreds of cybersecurity-focused articles for general-audience publications such as Newsweek, Forbes, Inc., and Fortune, and have authored multiple editions of the best-selling book on the field for non-techies, Cybersecurity For Dummies. Additionally, I teach students who are not from security backgrounds in the School of Professional Studies graduate program at Columbia University. While some aspects of communication may be talent, the reality is that all of the aforementioned roles have played a big part in helping me hone the oral, written, and visual communication skills that I employ to help win cases as an expert witness.
I leverage that experience to guide those involved in the process of justice in various regards including understanding important elements of cybercrime-related cases, the consequences of various factors as they relate to both ascribing liability and recognizing the extent of the damage suffered by victims, and understanding why extraneous cyber-related evidence introduced by adversaries is often a red herring that is both irrelevant and misleading.
Q: What common mistakes do businesses make when dealing with cyber incidents that could hurt their legal case, and how do you help prevent that?
Probably the biggest mistake is not having their attorneys engage a cybersecurity expert witness early enough in the process.
If you were diagnosed with a particular, dangerous form of cancer you would quickly seek the advice of a physician with relevant expertise.
If you were being charged with a crime, you would quickly seek the advice of an attorney with relevant expertise.
Yet, somehow, when it comes to cyber incidents, many smaller firms fail to have their attorneys quickly engage a cybersecurity expert witness – and the delays sometimes severely undermine the firm’s chances of later fully recovering by prevailing at trial – as relevant digital evidence is often quickly lost, destroyed, modified, or rendered inadmissible.
Q: For businesses concerned about cybersecurity risks, what proactive steps can they take to avoid legal complications down the road?
First of all, when it comes to cybersecurity, an ounce of prevention is often worth many tons of cure.
Once data goes out the door, there is no going back – and the consequences of even a single serious cybersecurity incident can be nothing short of catastrophic for a smaller business or family office.
So, first and foremost, be proactive.
And don’t skimp when your security advisors tell you not to: Over the past 30 years, I have encountered numerous businesses that have severely regretted not having invested adequately in cybersecurity, but have never met even one that similarly regretted overspending. Keep in mind that if you think investing in cybersecurity is expensive, just wait until you see what a significant breach actually costs.
One specific point that I should raise – make sure that you have board members or advisors who have experience specifically overseeing the management of cyber-risk. Many smaller businesses and family offices have engaged CISOs or other cybersecurity professionals who lack such expertise, and, as a result, do not adequately address important risks – a problem that can lead (and, in some cases, has led) to catastrophic losses.
I also suggest taking a look at the article Three Tips to Achieve Great Cybersecurity Without Spending a Fortune.
Joseph Steinberg is a globally recognized cybersecurity and AI expert with over 25 years of industry leadership experience. He currently serves as a cybersecurity expert witness and advisor to businesses and governments worldwide, while holding a Lecturer position at Columbia University and key roles at organizations including the Global Foundation for Cyber Studies and Research. His widely-read column reaches millions monthly, and he has authored several authoritative books including Cybersecurity for Dummies.
As one of only a few dozen professionals worldwide to hold the complete suite of advanced information security certifications (CISSP, ISSAP, ISSMP, and CSSLP), Steinberg has founded multiple successful cybersecurity firms and holds innovations cited in over 550 US patent filings. He is an alumnus of NYU's Courant Institute of Mathematical Sciences and frequently contributes his expertise to high-profile publications, legal proceedings, and global technology initiatives. To connect with Joseph, please visit his website.