
A GC's Guide To Cyber Risk: Understanding The Questions To Ask And How To Evaluate The Answers

Level: Advanced
Runtime: 63 minutes
Recorded Date: April 26, 2021


• Helping General Counsel ask 5 key questions in assessing Cyber Risk
        - Using the PPT Framework to help answer key questions
        - "What do we have to protect?"
                • Identify the data and systems that need protection
        - "Who holds our data?"
                • Identifying and protecting against third-party risks
        - "Can we identify a problem early?"
                • Reviewing internal detection processes and IR protocols
        - "Are our risks properly managed?"
                • Ensuring that risk is properly assigned to responsible parties in the business
        - "Is help lined up?"
                • Do we have in place resources needed in the event of an incident?
• Overview of Cyber Regulatory risks



Cyber risk management is a difficult issue for most attorneys who advise businesses. It seems to be a technical risk, yet it will be the lawyer defending the firm's actions to regulators, in third-party lawsuits, and to internal constituencies. With cyber threats increasing in volume and sophistication and a stricter regulatory framework around data privacy worldwide, cyber risk is a key concern for legal and risk leaders.

This presentation will cover the cyber risk landscape in 2021, including the highest-impact threats, the most commonly targeted assets, and the methods used by threat actors (whether external or internal). The program seeks to help advisory counsel ask the right questions to understand a client's cyber risk and provides guidance on how to evaluate and verify the answers they receive.

This program was recorded on April 26th, 2021.

Provided By

American Bar Association

Jonathan Fairtlough

Managing Director, Cyber Risk

Jonathan Fairtlough is a managing director with Kroll's Cyber Risk practice, based in the Los Angeles office, from where he also leads client cyber engagements in Canada and throughout the Asia Pacific region. Jonathan joined Kroll after a distinguished career with the Los Angeles County District Attorney’s Office, where he served as both a prosecutor and Co-Founder of the Office’s High Technology Division. At Kroll, Jonathan leads teams that provide comprehensive investigative services for digital forensics, data breach response, and complex cyber-crimes.

Prior to joining Kroll, Jonathan was the Deputy in Charge of the Eastlake (Central) Juvenile Office. Earlier, he served as the Assistant Head Deputy and Co-Founder of the High Technology Division of the Los Angeles County District Attorney’s Office. During his career, Jonathan held a number of positions within the District Attorney’s Office and was involved in many high-profile cases, including the first major data breach filed in Los Angeles County for which he received the International Association of Financial Crimes Investigators (Southern California Chapter) award for Prosecutor of the Year in 2006.

Jonathan is an instructor for the National Computer Forensic Institute on the subject of cyber investigations, advanced digital evidence and computer forensics.


Terry Willis

Associate Managing Director, Cyber Risk

Terry Willis is an associate managing director in the Cyber Risk practice of Kroll, based in the Los Angeles office. He leverages over 24 years of experience as an expert incident handler, computer forensics practitioner, investigator, expert witness, author, instructor and speaker. In his current role, Terry helps clients resolve myriad computer-related concerns—from malicious intrusions to theft of intellectual property—through a wide range of complex technical and investigative activities.

Prior to Kroll, Terry worked with the Los Angeles Police Department (LAPD) for 21 years, serving most of his career as a detective investigating white-collar crimes. For five years, his investigations focused on corporate and financial fraud, including internal thefts, embezzlements, bank fraud and identity theft. In 1996, he was promoted to Detective III - Officer-in-Charge Computer Crimes Unit, where he established and designed the LAPD’s computer forensic function to address the full lifecycle of digital evidence for all criminal, administrative and internal investigations. He also managed LAPD’s resources and investigations as a supervisor in the U.S. Secret Service Electronic Crimes Task Force and the Southern California High Technology Crime Task Force.

In his court experience, Terry has been associated with the following cases: Robert Blake Civil Trial, Burbank Superior Court; People v. Robert Blake and Earle Caldwell, Los Angeles Superior Court; People v. Henry Hayes, Los Angeles Superior Court; and People v. Chance Webberman, Los Angeles Superior Court.

He has been involved in teaching and giving presentations on various topics, which include “Computer Forensics and Digital Evidence in the Courtroom” at the Los Angeles County District Attorneys Training Day; “Computer Forensics and Digital Evidence” at the California Department of Justice; “Managing an Intrusion Investigation” at the U.S. Secret Service, Los Angeles Electronic Crimes Task Force; “Computer Forensics and Digital Evidence” at the Southwest Law College, Los Angeles; “Cybercrime Investigations” at the Southern California Regional High Technology Crimes Task Force; and “Unix as a Forensic Platform” at the Internet Crimes Against Children Task Force Training Seminar.

Terry’s article titled, “Criminal Liability in Cyberspace” has been published in GPSolo Magazine (a publication of the American Bar Association), and his article titled, “Starting a Computer Crime Unit” has appeared in The Informant (a publication of the National White Collar Crime Center).

Terry is a PCI Forensic Investigator (PFI) and an EnCase Certified Examiner (EnCE). Additionally, he holds the following certifications: SANS Global Information Assurance Certification – GIAC Certified Incident Handler (GCIH) Incident Handling; UNIX Systems Certification; and Computer Crime Certification, California Peace Officer Standards of Training (POST). Recently, he also completed training in SANS Advanced Incident Response, Threat Hunting and Digital Forensics.


Chris Ballod

Associate Managing Director, Cyber Risk

Christopher Ballod is an associate managing director in the Cyber Risk practice of Kroll, based in Philadelphia. He leverages over 15 years of experience in data privacy and cyber security, counseling clients in the preparation for a cyber incident, and during the response and notification process after an incident occurs. Chris’ expertise negotiating and drafting agreements, counseling clients during the assessment of risk and placement of cyber liability coverage, coordinating breach response services and supporting clients in litigation can greatly reduce legal, financial, and reputational risks in the event of a cyber incident.

At Kroll, Chris leverages his expertise to provide clients appropriate response protection in the event of a data breach incident, and he will also assist clients preparing for, or going through, CFIUS audits. He brings years of experience in digital forensics and incident response, particularly as it relates to PII/PHI exposure. He also helps clients identify trends and actors that may impact their systems and assess potential exposure post-incident to avoid data leaking via dark web forums.

Having guided hundreds of clients through complex cyber security incidents, Chris brings extensive experience in conducting tabletop exercises practicing breach response procedures, and multi-day stakeholder "boot camps" training key personnel in all aspects of risk management and response.

Before joining Kroll, Chris was a partner and vice chair of the Data Privacy & Cybersecurity practice at Lewis Brisbois Bisgaard & Smith LLP, which received the Advisen Cyber Risk Award for Best Legal Practice in 2019 and 2020. He also served as a member of the firm’s Corporate and Complex Business and Commercial Litigation practices. His experience included leading the coordination of over 500 breach responses for clients across multiple sectors, including defense, construction, energy generation, financial services, healthcare, hospitality, school districts, universities and retail.

He has spearheaded compliance and security programs for publicly traded traditional market companies and cutting-edge companies, including cryptocurrency exchanges and machine-learning data analytics firms. He has conducted a risk assessment analysis for a nuclear and traditional fuel energy generation company in the acquisition of new generation assets. Christopher has also coordinated breach response services for clients of all sizes and across varied sectors including construction, energy generation, financial services, healthcare, hospitality, municipal government, and retail.

Christopher’s regulatory compliance counseling experience includes compliance with CCPA, HIPAA, payment card industry standards (PCI-DSS), NYS Department of Financial Services compliance and GDPR. In addition to litigating the first "virtual property" case in the U.S., Bragg vs. Linden Labs, he counseled multi-national vendors of goods and services in a virtual world game about their participation in virtual currency exchange, and the legality of their gaming businesses under state and federal gambling laws.

He is frequently invited to speak on data privacy and cyber security, and he has been featured in various publications. During his previous legal practice, he won the Pennsylvania Super Lawyers Rising Star awards in 2016 and 2008.

Christopher holds a Juris Doctor from the Delaware Law School. Additionally, he is a Certified Information Privacy Professional/U.S. (CIPP/U.S.) and Certified Information Privacy Professional/Europe (CIPP/E).


Justine Phillips

Sheppard Mullin

Justine Phillips is a partner in both Data Privacy & Security and Labor and Employment Practice Groups in the firm's San Diego office.

Justine focuses her practice on cybersecurity, data privacy, employment litigation and counseling, and commercial litigation. Her representations involve every aspect of cybersecurity from information governance, diligence in acquisitions/investments, incident preparedness and response, drafting incident response plans and conducting breach simulations, to advising on California Consumer Privacy Act, responding to regulators, and defending companies in litigation relating to cyber events. Justine takes a practical and thoughtful approach to assist multi-national and emerging companies on everyday issues related to electronically stored information including: privacy/security by design, cyber risk management and mitigation; eWorkforce policies; compliance with data regulations; retention/destruction policies and protocols; information-security and data privacy; crisis management and forensic investigations for data breaches; business email compromises; developing policies/protocols/trainings within an organization to create a culture of cyber-awareness; electronic discovery; and social-media issues. Justine also founded Women in eDiscovery-San Diego, Mother Attorney Mentoring Association-San Diego, and frequently publishes and speaks on cyber-related issues.

As an employment attorney, Justine handles commercial litigation for clients in the following public and private industries: cybersecurity and technology, healthcare, tribal, sporting enterprise, insurance, medical device, education, defense, cybersecurity, manufacturing, retail, non-profit and for-profit industries. Justine also regularly advises clients on issues relating to: classification; leave policies; defense of ADA and FEHA disability discrimination claims; interactive process and reasonable accommodation; wage and hour matters; information management; social media; employment agreements; and employee handbooks. Justine has defended companies in both state and federal court against claims of discrimination, harassment, retaliation, and wrongful dismissals.


Similar Courses

64 minutes
"I Am Not a Cat" Proceedings in a Virtual World
Besides becoming a pop-culture catchphrase, how has the shift to a virtual environment impacted proceedings over the last year, and what changes do you believe are here to stay? Our panel of experts will examine some of the greatest challenges, faux pas, and successes in virtual proceedings over the course of this transformative time.

Women, Influence & Power in Law Conference


63 minutes
2021: The Year of the ELM
Panelists will clarify what constitutes an ELM platform, examine its unique and compelling capabilities, and discuss its strategic and tactical advantages, particularly those stemming from data-driven insights and machine-driven decision making. Attendees will gain a clear understanding of the significance of the emergence of ELM solutions, what firms and law departments can achieve with ELM platform, and practical and ethical considerations related to adopting an ELM solution.



97 minutes
26 Words that Created the Internet - Basics of the Communications Decency Act Section 230 Safe Harbor
This program will examine the basics of CDA 230 and its day-to-day effect for those who advise internet businesses as well as those who litigate against them. It will give practical guidance as to what extent internet companies can or should edit or censor the information their users contribute to their sites and to what extent those users will actually be liable.

New Media Rights


63 minutes
360-Degree View on How to Navigate a Crisis
During this session, our panel of experts will explore the following topics to arm you with a plan to protect the company and minimize long-term problems:
- Building a crisis management team and understanding each person’s unique role
- Preparedness – advance planning and assessing potential risk areas
- First Response – responding in the critical first hours and days to minimize the long-term impact
- Resolution Strategy – managing various actions stemming from the crisis to enable the best resolution for the company

Women, Influence & Power in Law Conference

