A GC's Guide To Cyber Risk: Understanding The Questions To Ask And How To Evaluate The Answers

Level: Advanced
Runtime: 63 minutes
Recorded Date: April 26, 2021


• Helping General Counsel ask 5 key questions in assessing Cyber Risk
        - Using the PPT Framework to help answer key questions
        - "What do we have to protect?"
                • Identify the data and systems that need protection
        - "Who holds our data?"
                • Identifying and protecting against third-party risks
        - "Can we identify a problem early?"
                • Reviewing internal detection processes and IR protocols
        - "Are our risks properly managed?"
                • Ensuring that risk is properly assigned to responsible parties in the business
        - "Is help lined up?"
                • Do we have in place resources needed in the event of an incident?
• Overview of Cyber Regulatory risks



Cyber risk management is a difficult issue for most attorneys who advise businesses. It seems to be a technical risk, yet it will be the lawyer defending the firm's actions to regulators, in third party lawsuits, and to internal constituencies. With cyber threats increasing in volume and sophistication and a stricter regulatory framework around data privacy worldwide, cyber risk is a key concern for legal and risk leaders.

This presentation will cover the cyber risk landscape in 2021, including highest-impact threats, most commonly targeted assets, and the methods used by threat actors (whether external or internal). The program seeks to help advisory counsel ask the right questions to understand a client's cyber risk and provides guidance on how to evaluate and verify the answers they receive.

This program was recorded on April 26th, 2021.

Provided By

American Bar Association


Jonathan Fairtlough

Managing Director, Cyber Risk

Jonathan Fairtlough is a managing director with Kroll's Cyber Risk practice, based in the Los Angeles office, from where he also leads client cyber engagements in Canada and throughout the Asia Pacific region. Jonathan joined Kroll after a distinguished career with the Los Angeles County District Attorney’s Office, where he served as both a prosecutor and Co-Founder of the Office’s High Technology Division. At Kroll, Jonathan leads teams that provide comprehensive investigative services for digital forensics, data breach response, and complex cyber-crimes.

Prior to joining Kroll, Jonathan was the Deputy in Charge of the Eastlake (Central) Juvenile Office. Earlier, he served as the Assistant Head Deputy and Co-Founder of the High Technology Division of the Los Angeles County District Attorney’s Office. During his career, Jonathan held a number of positions within the District Attorney’s Office and was involved in many high-profile cases, including the first major data breach filed in Los Angeles County for which he received the International Association of Financial Crimes Investigators (Southern California Chapter) award for Prosecutor of the Year in 2006.

Jonathan is an instructor for the National Computer Forensic Institute on the subject of cyber investigations, advanced digital evidence and computer forensics.

Terry Willis

Associate Managing Director, Cyber Risk

Terry Willis is an associate managing director in the Cyber Risk practice of Kroll, based in the Los Angeles office. He leverages over 24 years of experience as an expert incident handler, computer forensics practitioner, investigator, expert witness, author, instructor and speaker. In his current role, Terry helps clients resolve myriad computer-related concerns—from malicious intrusions to theft of intellectual property—through a wide range of complex technical and investigative activities.

Prior to Kroll, Terry worked with the Los Angeles Police Department (LAPD) for 21 years, serving most of his career as a detective investigating white-collar crimes. For five years, his investigations focused on corporate and financial fraud, including internal thefts, embezzlements, bank fraud and identity theft. In 1996, he was promoted to Detective III - Officer-in-Charge Computer Crimes Unit, where he established and designed the LAPD’s computer forensic function to address the full lifecycle of digital evidence for all criminal, administrative and internal investigations. He also managed LAPD’s resources and investigations as a supervisor in the U.S. Secret Service Electronic Crimes Task Force and the Southern California High Technology Crime Task Force.

In his court experience, Terry has been associated with the following cases: Robert Blake Civil Trial, Burbank Superior Court; People v. Robert Blake and Earle Caldwell, Los Angeles Superior Court; People v. Henry Hayes, Los Angeles Superior Court; and People v. Chance Webberman, Los Angeles Superior Court.

He has been involved in teaching and giving presentations on various topics, which include “Computer Forensics and Digital Evidence in the Courtroom” at the Los Angeles County District Attorneys Training Day; “Computer Forensics and Digital Evidence” at the California Department of Justice; “Managing an Intrusion Investigation” at the U.S. Secret Service, Los Angeles Electronic Crimes Task Force; “Computer Forensics and Digital Evidence” at the Southwest Law College, Los Angeles; “Cybercrime Investigations” at the Southern California Regional High Technology Crimes Task Force; and “Unix as a Forensic Platform” at the Internet Crimes Against Children Task Force Training Seminar.

Terry’s article titled, “Criminal Liability in Cyberspace” has been published in GPSolo Magazine (a publication of the American Bar Association), and his article titled, “Starting a Computer Crime Unit” has appeared in The Informant (a publication of the National White Collar Crime Center).

Terry is a PCI Forensic Investigator (PFI) and an EnCase Certified Examiner (EnCE). Additionally, he holds the following certifications: SANS Global Information Assurance Certification – GIAC Certified Incident Handler (GCIH) Incident Handling; UNIX Systems Certification; and Computer Crime Certification, California Peace Officer Standards of Training (POST). Recently, he also completed training in SANS Advanced Incident Response, Threat Hunting and Digital Forensics.

Chris Ballod

Associate Managing Director, Cyber Risk

Christopher Ballod is an associate managing director in the Cyber Risk practice of Kroll, based in Philadelphia. He leverages over 15 years of experience in data privacy and cyber security, counseling clients in the preparation for a cyber incident, and during the response and notification process after an incident occurs. Chris’ expertise negotiating and drafting agreements, counseling clients during the assessment of risk and placement of cyber liability coverage, coordinating breach response services and supporting clients in litigation can greatly reduce legal, financial, and reputational risks in the event of a cyber incident.

At Kroll, Chris leverages his expertise to provide clients appropriate response protection in the event of a data breach incident, and he will also assist clients preparing for, or going through, CFIUS audits. He brings years of experience in digital forensics and incident response, particularly as it relates to PII/PHI exposure. He also helps clients identify trends and actors that may impact their systems and assess potential exposure post-incident to avoid data leaking via dark web forums.

Having guided hundreds of clients through complex cyber security incidents, Chris brings extensive experience in conducting tabletop exercises practicing breach response procedures, and multi-day stakeholder "boot camps" training key personnel in all aspects of risk management and response.

Before joining Kroll, Chris was a partner and vice chair of the Data Privacy & Cybersecurity practice at Lewis Brisbois Bisgaard & Smith LLP, which received the Advisen Cyber Risk Award for Best Legal Practice in 2019 and 2020. He also served as a member of the firm’s Corporate and Complex Business and Commercial Litigation practices. His experience included leading the coordination of over 500 breach responses for clients across multiple sectors, including defense, construction, energy generation, financial services, healthcare, hospitality, school districts, universities and retail.

He has spearheaded compliance and security programs for publicly traded traditional market companies and cutting-edge companies, including cryptocurrency exchanges and machine-learning data analytics firms. He has conducted a risk assessment analysis for a nuclear and traditional fuel energy generation company in the acquisition of new generation assets. Christopher has also coordinated breach response services for clients of all sizes and across varied sectors including construction, energy generation, financial services, healthcare, hospitality, municipal government, and retail.

Christopher’s regulatory compliance counseling experience includes compliance with CCPA, HIPAA, payment card industry standards (PCI-DSS), NYS Department of Financial Services compliance and GDPR. In addition to litigating the first "virtual property" case in the U.S., Bragg vs. Linden Labs, he counseled multi-national vendors of goods and services in a virtual world game about their participation in virtual currency exchange, and the legality of their gaming businesses under state and federal gambling laws.

He is frequently invited to speak on data privacy and cyber security, and he has been featured in various publications. During his previous legal practice, he won the Pennsylvania Super Lawyers Rising Star awards in 2016 and 2008.

Christopher holds a Juris Doctor from the Delaware Law School. Additionally, he is a Certified Information Privacy Professional/U.S. (CIPP/U.S.) and Certified Information Privacy Professional/Europe (CIPP/E).

Justine Phillips

Sheppard Mullin

Justine Phillips is a partner in both Data Privacy & Security and Labor and Employment Practice Groups in the firm's San Diego office.

Justine focuses her practice on cybersecurity, data privacy, employment litigation and counseling, and commercial litigation. Her representations involve every aspect of cybersecurity from information governance, diligence in acquisitions/investments, incident preparedness and response, drafting incident response plans and conducting breach simulations, to advising on California Consumer Privacy Act, responding to regulators, and defending companies in litigation relating to cyber events. Justine takes a practical and thoughtful approach to assist multi-national and emerging companies on everyday issues related to electronically stored information including: privacy/security by design, cyber risk management and mitigation; eWorkforce policies; compliance with data regulations; retention/destruction policies and protocols; information-security and data privacy; crisis management and forensic investigations for data breaches; business email compromises; developing policies/protocols/trainings within an organization to create a culture of cyber-awareness; electronic discovery; and social-media issues. Justine also founded Women in eDiscovery-San Diego, Mother Attorney Mentoring Association-San Diego, and frequently publishes and speaks on cyber-related issues.

As an employment attorney, Justine handles commercial litigation for clients in the following public and private industries: cybersecurity and technology, healthcare, tribal, sporting enterprise, insurance, medical device, education, defense, cybersecurity, manufacturing, retail, non-profit and for-profit industries. Justine also regularly advises clients on issues relating to: classification; leave policies; defense of ADA and FEHA disability discrimination claims; interactive process and reasonable accommodation; wage and hour matters; information management; social media; employment agreements; and employee handbooks. Justine has defended companies in both state and federal court against claims of discrimination, harassment, retaliation, and wrongful dismissals.
