 From Miami Beach, Florida, it's theCUBE, covering Acronis Global Cyber Summit 2019. Brought to you by Acronis. Hey, welcome back, everyone. This is theCUBE's two-day coverage of Acronis's Global Cyber Summit 2019. Here in Miami Beach at the Fontainebleau Hotel, I'm John Furrier, your host of theCUBE. We are at Coptia Fisher Partner, Chief and Chief Privacy Officer at Greens Food Martyr. Legal advice is right here on theCUBE. Ask her anything. We're going to do a session here. Thanks for coming on. Appreciate it. Thank you very much. I'm going to have to do the little disclaimer that all lawyers do, which is nothing here as to be construed as in bias. It's just opinions and information only. I didn't mean to set you up like that. All kidding aside, we're close to the panel here for Acronis's conference. Obviously, cyber protection is their gig. Data protection is cyber protection. Makes sense. I think that category is evolving from a niche, typical enterprise niche, to a much more holistic view as data becomes critical in the security piece of it. What were you guys talking about on the panel? Well, so the first issue that you have to understand is that cyber protection is something that has now become critical for pretty much every individual on the planet, as well as governments. So something that we talked about on the panel today was how governments are actually dealing with incoming cyber threats. Because now they have to take a look at it from the perspective of, first of all, how they themselves are going to become technologically savvy enough to protect themselves and to protect their data, but also in terms of regulation and how to protect citizens. So that was what the panel discussion was about today. On the regulatory front, we've been covered on SiliconANGLE, our journalism site. The innovation balance is regulatory action, helpful or hurtful to innovation. Where is the balance? What is the education needed? What's your thoughts on this? Where are we? I mean, early stages, where's the progress? What needs to get done? What's your view of the current situation? So I'm an attorney, so my views are perhaps a bit more conservative than some of the technologists you might speak with and some of my clients as well. I think that regulation is, as a general matter, it can be a good thing. And it can be quite necessary. The issues that we see right now with regard to regulation, I think one of the hottest issues today is with respect to data laws and data privacy laws. And that's obviously something that I think everyone is familiar with. I mean, take a look at, in the United States alone, we've seen the city of Baltimore dealing with breaches. We've seen other parts of the government from the federal level all the way down to municipalities dealing with breaches and cyber attacks. We've seen data breaches from banks, Capital One, right? I believe Dunkin' Donuts suffered a breach, Equifax. And then at the same time, we've also seen individuals up in arms over companies like 23andMe and Facebook and how data is used and processed. So data seems to be a very, very hot button issue today across the board. So something that we're really thinking about now is, first of all, with respect to the regulatory climate, how to deal with it not only in the United States but on a global level. Because when we talk about technology and the internet, we're in an era of globalization. We're in an era where a lot of these things go across borders. And therefore, we have to be mindful of the regulatory regimes in other places. So I'll give you an example. You might be familiar with the GDPR. So the GDPR is in the European Union. It's been in effect now for the last year and a half. But it affects all my US clients. We still have to take a look at the GDPR because at the end of the day, my clients, my firm, might be dealing with foreign companies, foreign individuals, companies that have some sort of nexus in the European Union, et cetera. So because of that, even though the GDPR is a set of regulations that's specific to the European Union, it becomes extremely important in the context of the United States and globally. At the same time, the GDPR has certain issues that then end up conflicting oftentimes with some of the regulations that we have here in the United States. So for example, the right to be forgotten is perhaps the most famous clause or part of the GDPR. And the right to be forgotten is this concept in the GDPR that an individual can have information erased about him or her in order to protect his or her privacy. The problem is that from a technical perspective, first of all, it's an issue because it becomes very, very difficult to figure out where data is stored if you're using third party processors, et cetera. But from a regulatory perspective, the conflict comes in when you take a look at certain US laws. So take a look, for example, at banking regulations in the United States. Banks have to hold some types of data for seven years and other types of data they can never delete, right? Lawyers, I am licensed by the New York State Bar Association. Lawyers have their own rules and regulations with regard to how they store data and how they store information. HIPAA, medical records. So you see these conflicts, and there are ways to deal with them appropriately, but it becomes some food for thought. So it's complicated. It's really complicated. There's a lot of conflicts. First of all, I've talked to a storage guy who's like, data? I don't even know what strives that song. Storage has not elevated up to the level of state of the art from a tracking standpoint. So it's just, on the business logic, it's complicated. I can imagine that. So I guess my question to you is, are you finding that the jurisdictional issue is the biggest problem in terms of cross border on the business side, or is it the technical underpinnings that with GDPR is a problem? What's the, or both? What's your? I mean, it's both, right? There are a lot of issues. You're right, it's very complicated. I mean, in the United States, we don't have some sort of overarching federal law. There's no cyber protection law in the United States. There's no overarching data protection law. So even in the U.S. alone, because of federalism, we have HIPAA and we have COPPA, which protects children. And we have other types of acts, but then we also have state regulations. So in California, you have the California Privacy Act. In New York, you have certain regulations with regard to cybersecurity. And you have to deal with this patchwork. So that becomes something that adds a new layer of complexity and a new layer of issues as we take a look, even within the U.S. alone, as to how to deal with all of this. And then we start looking at the GDPR and all of this. From a technical perspective, I'm not a technologist. Coss, let me ask you a question on the entrepreneurial and business front, because I think one of the things that I'm seeing, it may or may not be an example, but I want to get your legal weigh-in on this. Sure. You know, it used to be when you started a company, you go to Delaware, very friendly, with Domicile and Delaware, do some formation there, whether you're a C Corp or whatever, that's where we tend to go, raise some money, get some preferred stock here in business. Is there a shift in where companies with Domicile, their entity, or restructure their companies around this complexity? Because there's two schools of thought. You just brute force at everything coming at you, or you restructure your corporate formation to handle some of the nuances, whether it's I have a Cayman or a Bermuda, whatever's going on in the regulatory regime, whether it's innovative or not, are people thinking like that, or what's your take on it, what's some of the data you're seeing from the field around, restructuring around the problem? So, with respect to restructuring, specifically around data laws and data protection laws, I'm not seeing too much of that, simply because of the fact that regulations like the GDPR are just so all-encompassing. With respect to companies setting up in Delaware as opposed to other jurisdictions, those are usually based on two issues, right? Two core ones, if I can condense it. One has to do with the court system and how favorable a court system is to the corporation, and the second is taxes. So, a lot of times when you see companies that are doing all of this restructuring where they're setting up in offshore zones or et cetera, it's usually because of some sort of a tax benefit. It might be because of the fact that, I don't know, for example, intellectual property. If you have a company that's then licensing IP to the United States, there's a 30% withholding tax when royalties are paid back over seats. So, a lot of times when you're looking at international structuring, you're trying to figure out a jurisdiction that might have a tax treaty with the United States that will create some sort of an opportunity to get rid of that 30% withholding. So, that's where things usually come into play with regard to taxes and IP. I haven't seen yet on the side of looking for courts that are more favorable to companies with respect to data privacy and data protection. I just haven't seen that happen yet because I think that it's too soon. How do companies defend themselves against claims that come out of these new regulations? I mean, GDPR, I've called it a shit storm when it came out and I never was a big fan of it. It just didn't, I mean, I'd get the concept, but I kind of understood the technical issues. But like, let's just say you're a small growing business and you don't have the army of lawyers or if someone makes a claim on you, I have to defend it. How are companies defending themselves? Do they just shut down? Do they hire you guys? I mean, obviously, lawyers need to be involved, but at some point, there's a line of where, I'm a U.S. company and someone consumes my media in Germany and then it says, hey, I'm a German citizen. You, American company, delete my records. How does that work? Do I have to be responsible for that? I mean, what's... So it's really case by case basis. First of all, obviously with regard to what I was talking about earlier, with respect to the fact that there are certain regulations in the U.S. that conflict with GDPR and the right to be forgotten, if you can actually assert a defense and sort of a good reason for why you have to maintain that information, that's step one. Step two is if it's, you know, some complaint that you receive to delete the person's information, right? There's an easier way to do it. Yeah, just do what they want. Just comply with what they want. If somebody wants to be off of a mailing list, take them off the mailing list. The third is putting in best practices. So I'm sure a lot of things that people see online, it's always great to go ahead and obtain legal counsel, even if you're consulting with a lawyer just for an hour or two, just to really understand your particular situation, take a look at privacy policies online. Take a look at the fact that cookies now have a pop-up whenever you go to a website. I'm sure you've noticed this, right? Yeah. So there are little things like this. Think about the fact that there are, what is known as click-rap agreements. So usually you have to consent, you have to check a box or uncheck a box with respect to, you know, reading privacy policy is being approved for having your email address and contact information somewhere. So use some common sense. So basically don't ignore the problem. Don't ignore the problem. Don't ignore it, don't stick your head in the sand. It'll bite you. Correct. And the thing is to be honest, for most people, for most small companies, it's not that difficult to comply. When you start talking about mid-size and large businesses, the next level and the next step, obviously beyond hiring attorneys and the like, is try to comply with standards and certifications. So for example, there's what is known as ISO standards. Your company can go through the ISO2701 certification process. I think it costs around approximately $20,000, but it's an opportunity to go ahead, go through that process, understand how compliant you are. And because you have the certification, you're then able to go to your customers and say, hey, we've been through this, we're certified. Yeah. Well I want to get caught to your thoughts as we wrap up on this segment. Around crypto and blockchain. Obviously, we're bullish on blockchain. We think this is a supply chain, the immutable blockchain can be a good force, although something that some work needs to be done on the whole energy side of it, which is we would agree, but still I'm not going to make that be a wet blanket of excitement. But cryptocurrency has been fraudulent. It's been the SEC's been cracking down in the US in the news, Libra's falling apart. Although I call that separate lead, but had nothing to do with that Libra. It was more of Facebook. But Telegram, we were talking about that. Others, people are getting handcuffed on this stuff. They're really kind of clamping down. But overseas in Asia, it's still an unregulated, seems to be rigged kind of market. Your advice to clients was to shy away, be careful. My advice to clients is as follows. First of all, blockchain cryptocurrency are not the same thing, right? Cryptocurrency is a use case coming out of blockchain technology. I think that in the United States, the best way to think about it is to understand that the term cryptocurrency from a regulatory perspective is actually a misnomer. It's not a currency, it's property. Right? It's an asset. It's digital assets. So if you think about it the same way that we think of shares in a company, it's actually much easier to become compliant because then you can understand that it's going to be subject to US securities laws just like other securities. It's going to be taxed just like securities are taxed, which means that it's going to be subject to long and short-term capital gains. And it's also going to be subject to the other regulatory restrictions that are inherent to securities both on the federal and state level. It's interesting that you mentioned security, word security, you know, if you look back at the ICO craze, internet coin offerings, crypto offerings, whatever you'll call it, the people who got whacked the most were the ones that went out as utility tokens. Not to get nerdy on this, but utility and security are two types of tokens, the ones that went out and raised money as a utility token, had no product, raised money using a utility that doesn't exist. That's essentially a security. And so no wonder why they're getting slapped. They're securities. Look, Bitcoin, different story because Bitcoin is the closest to being, I guess what we're going to consider to be truly decentralized, right? And the regulatory climate around Bitcoin is a little bit different from what I'm talking about with respect to securities laws. Although from a tax perspective it's the same. It's tax as property. It's not tax the way that foreign currency is taxed. But ultimately, yeah, you had a lot of cowboys who went out and made a lot of money and were just breaking the law. And now everyone is shocked when they see what's going on with this season to assist order from the SEC against Telegram and these other issues. But none of it is particularly surprising because at the end of the day we have regulations in place. We have a regulatory regime and most people just chose to ignore it. It's interesting how fast the SEC modernized their thinking around this. They really, from a speed standpoint, all government agencies tend to be glaciers, speed kind of movement. They were pretty fast. I mean, they kind of huddled on this for a couple months and came out with direction. They've been proactive and I got to say, it was usually skeptical of most government organizations. I don't think they're well informed. In this case, I think the SEC did a good job. So I think that the issue is as follows. Crypto is a very, very, very small portion of what the SEC deals with. So they actually paid an inordinate amount of attention to this. And I think that they did it for a couple of reasons. One is because you asked me at the beginning of this interview about regulation versus innovation. And I don't think anyone wants to stifle innovation in America. It's a very interesting technology. It's very interesting ideas, right? No one wants that to go away. No one wants people to stop experimenting and stop dreaming bigger. At the same time, the other issue that we've seen now, especially not only with the SEC but with the IRS now getting involved, is the fact that even though this is something very, very small, they're very concerned about where the technology could go in the future. The IRS is extremely concerned about erosion of the tax base. So because of that, it makes a lot of sense for them to pay attention to this very, very early on, nip this in the bud and help guide it back into the right direction. I think that's a good balance, a great point. Innovation doesn't want to be stifled at all, absolutely. What's new and exciting for you? Share some personal or business updates in your world. What's going on? What's getting you excited these days in the field? What's getting me excited these days? Well, I have to tell you that one thing that actually has gotten me excited these days is the fact that the blockchain and cryptocurrency industries have grown up substantially and now we're able to take a look at those industries in tandem with the tech industry at large because they seem to sort of be going off in a different direction and now we're taking a look at it and now you can really see sort of where the area is that things are going to get exciting. I look at my clients and I see the things that they're doing and I'm always excited for them and I'm always interested to see what new things that they'll innovate because again, I'm not a technologist so for me that's a lot of fun. And in addition to that, I think that other areas are extremely exciting as well. I'm a big fan of Acronis, I'm a big fan of cyber protection issues, data protection, data regulation. I think something that's really interesting in the world of data regulation that actually has come out of the blockchain community in a way is the notion of data as a personal right, as personal property. So one of the big things is the idea that now that we've seen these massive data ratios with Facebook and 23andMe and the way that big companies are using individual's data is the idea that if data were to be personal property, it would be used very, very differently and technologists who are using blockchain technology say that blockchain technology might actually be able to make that happen because if you could have decentralized Facebook, let's say, people could own their own data and then use that data as they want to and be compensated for it. So that's really interesting. If the user's going to be the product, they might as well own their data, right? Exactly. Thanks for coming on theCUBE. Thanks for the insight, great, compelling, narrative, thanks for sharing. It's all right, thank you very much. Appreciate it. I'm John Furrier here on theCUBE, Miami Beach at the Bundablue Hotel for Acronis' Global Cyber Summit 2019. We'll be back with more coverage after this short break.