Aaron Tantleff, left, and Mark Krotoski, right. (Courtesy photos)

In this feature, we talk to two lawyers to help us unpack major regulatory action in Washington — including at least one who’s served as a federal regulator or prosecutor. This month, reporter Joel Stashenko moderated a three-way conversation between lawyers Mark Krotoski and Aaron Tantleff.

Krotoski, a former federal prosecutor, is a cybersecurity/privacy partner at Morgan, Lewis & Bockius in Palo Alto and Washington; Tantleff is a partner and intellectual property lawyer at Foley & Lardner in Chicago.

Along with cybersecurity challenges that threaten the companies and organizations they represent, the lawyers discussed the Trump administration’s likely approach toward cybersecurity, and regulatory conflicts that may emerge between federal agencies and states as they grab pieces of cybercrime deterrence. Krotoski and Tantleff also criticized Yahoo Inc.’s recent handling of its massive data breach, which ended with the resignation of its general counsel, Ron Bell.

The National Law Journal: Mark, you’ve been in a regulatory seat at the DOJ’s antitrust and criminal divisions. What is going on now with people who are in the same position that you were in at the DOJ?

Krotoski: People are waiting to see who will be selected by the new administration as leaders. From that we’ll get further guidance on the policies. Some of the questions will be, whether or not there will be legislative changes. One area that I believe will be important is amending the Computer Fraud and Abuse Act. There are also regulatory issues: Will some of the agencies be seeking more specific cybersecurity rules? For example, the Federal Trade Commission has been seeking legislation … to pre-empt state data breach notification [laws] and also with regulatory authority to modify rules in that area.

NLJ: Will the Trump administration be all that different on these issues than the Obama administration?

Tantleff: One of the problems, when you [are] talking about what the current administration is going to do versus the prior administration, is [that] you have to go back a step and realize we are talking about the difference between the Republican and a Democrat.

From a Democratic perspective, we are talking centralized regulation, and from a Republican administration we are talking about a state’s rights issue. … We are also seeing states taking things into their own hands. … We have New York regulations. We have California and Illinois looking at doing something as they relate to privacy and security that would be applicable and would interplay with any type of federal regulation on security. So it’s unclear.

NLJ: Mark, how do regulators proceed in an area like cybersecurity when it is really not clear in what direction the regulations may end up going?

Krotoski: We are finding multiple regulators at the federal level, the state level and then we also have activity at the international level. One of the themes that is emerging is uniformity and harmonization. When we assist clients, we often see that they are subjected to multiple cybersecurity standards and requirements and many, many clients want to comply with the law, but are finding that it is difficult to navigate these different standards when they are conflicting or disparate.

So one emerging theme that all regulators should be taking into account is, what is the landscape for cybersecurity right now? If you are going to impose new standards, is there a reason to impose novel standards or harmonize any new standards with existing ones?

NLJ: How do you keep up with the latest developments in what is, at best, the unclear regulatory environment currently surrounding cybersecurity?

Tantleff: One thing is scouting out, to see what’s out there. We have our own research and information services, an internal group. We have a government relations and lobbying group. They prepare reports and they do research on those things. We work with other firms, lobbying firms. I know people at various levels of government.

Krotoski: Our approach is very similar … We have our practice groups, and within those groups we have dedicated associates — but also partners — who actively monitor this area. We keep up with our contacts in government.

NLJ: Yahoo is still wrestling with the fallout of a 2013 hack and subsequent hacks of the company’s network that they said in December 2016 may have compromised more than 1 billion user accounts, the largest in history. In addition to reducing the company’s sale price by hundreds of millions of dollars in its planned acquisition by Verizon Communications, Yahoo said on March 1 that its general counsel Ron Bell has resigned amid company contentions that its legal staff did not do enough to respond to the security breach. Was that a fair outcome?

Tantleff: I believe that [Yahoo CEO] Marissa [Mayer] should have taken more responsibility. Granted, there was docking of [her] pay and loss of bonus, but I believe the difference with what the CEO and the general counsel ended up with, I don’t believe that’s the correct implementation of the remedy for what happened in this case. Ultimately, it is the CEO’s position to make the call as to whether that information had gotten released or not and we are aware from public statements that the CEO had access to that information long ago. There is nothing to indicate that the CEO said, ‘Yes, we should release this’ and the general counsel said, ‘No, we shouldn’t.’

Krotoski: Given the significance of what happened in that case, it escalated to the top and would have been much more of a signal to the public and to other companies of what’s right and what’s wrong.

Aaron K. Tantleff

Age: 40

Firm: Foley & Lardner, Chicago

Position: Partner

Practice Specialities: Privacy, security and information management; state, federal and international restrictions on the use of information; big data, technology and internet of things.

Past Career Experience: Ungaretti & Harris (now Nixon Peabody); SSA Global Technologies Inc. (acquired by Infor Business Solutions).

Law School: Chicago-Kent College of Law.

Favorite Cybercrime Movie/TV Show: “Sneakers,” 1992, starring Robert Redford and Sidney Poitier; and “The Americans,” currently on FX Networks, starring Keri Russell and Matthew Rhys.

Mark Krotoski

Age: 58

Firm: Morgan, Lewis & Bockius, Palo Alto, California, and Washington, D.C.

Position: Partner

Practice Specialties: Cybersecurity and privacy, economic espionage and government investigations.

Past Career Experience: Federal prosecutor, U.S. Department of Justice, Washington and U.S. Attorney’s Office, Northern District of California. Senior counsel and coordinator, National Computer Hacking and Intellectual Property (CHIP).

Law School: Georgetown University Law Center

Favorite Cybercrime Novel: “Intrusion,” by Reece Hirsch (a partner at Morgan Lewis).
