>> Narrator: From Miami Beach, Florida, it's theCUBE, covering Acronis Global Cyber Summit 2019. Brought to you by Acronis. >> Okay, welcome back everyone. It's theCUBE's two day coverage of Acronis' Global Cyber Summit 2019, here in Miami Beach, at the Fontainebleau Hotel. I'm John Furrier, host of theCUBE. We're with Katya Fisher, Partner Chief and Chief Privacy Officer at Greenspoon Marder. Legal advice is right here on theCUBE, ask her anything. We're going to do a session here. Thanks for coming on, appreciate it. >> Thank you very much, I'm going to have to do the little disclaimer that all lawyers do, which is, nothing here is to be construed as advice. It's just opinions and information only. >> I didn't mean to set you up like that. All kidding aside, you closed for the panel here for Acronis' conference. Obviously, cyber protection's their gig. Data protection, cyber protection. Makes sense, I think that category is evolving from a niche, typical enterprise niche, to a much more holistic view as data becomes you know, critical in the security piece of it. What was on the, what were you guys talking about in the panel? >> Well, so, the first issue that you have to understand is that cyber protection is something that has now become critical for pretty much every individual on the planet, as well as governments. So something that we talked about on the panel today was how governments are actually dealing with incoming cyber threats. Because now, they have to take a look at it from the perspective of, first of all, how they themselves are going to become technologically savvy enough to protect themselves, and to protect their data, but also, in terms of regulation and how to protect citizens. So, that was what the panel discussion was about today. >> On the regulatory front, we've been covering on SiliconANGLE, our journalism site, the innovation balance, is regulatory action helpful or hurtful to innovation? Where is the balance? What is the education needed? What's your thoughts on this, where are we? I mean early stages, where's the progress? What needs to get done? What's your view on the current situation? >> So, I'm an attorney, so my views are perhaps a bit more conservative than some of the technologists you might speak with and some of my clients as well. I think that regulation is, as a general matter, it can be a good thing. And it can be quite necessary. The issues that we see right now, with regard to regulation, I think one of the hottest issues today is with respect to data laws and data privacy laws. And that's obviously something that I think everyone is familiar with. I mean take a look at, in the United States alone. We've seen the city of Baltimore dealing with breaches. We've seen other parts of the government, from the Federal level all the way down to municipalities, dealing with breaches in cyber attacks. We've seen data breaches from banks, Capital One, right? I believe Dunkin' Donuts suffered a breach. Equifax, and then at the same time we've also seen individuals up in arms over companies like 23andMe and Facebook, and how data is used and processed. So data seems to be a very very hot button issue today across the board. So something that we're really thinking about now is, first of all, with respect to the regulatory climate, how to deal with it, not only in the United States, but on a global level, because, when we talk about technology and the internet right, we're in an era of globalization. We're in an era where a lot of these things go across boarders and therefore we have to be mindful of the regulatory regimes in other places. So, I'll give you an example. You might be familiar with the GDPR. So the GDPR is in the European Union. It's been in effect now for the last year and a half, but it affects all my U.S. clients. We still have to take a look at the GDPR because at the end of the day my clients, my firm, might be dealing with foreign companies, foreign individuals, companies that have some sort of nexus in the European Union, et cetera. So because of that, even though the GDPR is a set of regulations specific to the European Union, it becomes extremely important in the context of the United States and globally. At the same time, the GDPR has certain issues that then end up conflicting often times with some of the regulations that we have here in the United States. So, for example, the right to be forgotten is perhaps the most famous clause or part of the GDPR and the right to be forgotten is this concept in the GDPR that an individual can have information erased about him or her in order to protect his or her privacy. The problem is that from a technical's perspective, first of all, it's an issue because it becomes very very difficult to figure out where data is stored, if you're using third-party processors, et cetera. But from a regulatory perspective, the conflict comes in when you take a look at certain U.S. laws. So take a look for example at banking regulations in the United States. Banks have to hold some types of data for seven years and other types of data they can never delete. Right? Lawyers. I am licensed by the New York State Bar Association. Lawyers have their own rules and regulations with regard to how they store data and how they store information. HIPAA, medical records. So, you see these conflicts and there are ways to deal with them appropriately, but it becomes some food for thought. >> So it's complicated. >> It's really complicated >> There's a lot of conflicts. >> Yeah. >> First of all, I talked to a storage guy. He's like data? I don't even know which drive that's on. Storage is not elevated up to the level of state-of-the-art, from a tracking standpoint. So, it's just on the business logic is complicated. I can't imagine that. So, I guess my question to you is that, are you finding that the jurisdictional issue, is it the biggest problem, in terms of crossport and the business side or is the technical underpinnings, that with GDPR's the problem or both? What's your-- >> I mean it's both, right? They're a lot of issues. You're right, it's very complicated. I mean, in the United States we don't have some sort of overarching federal law. There's no cyber protection law in the United States. There's no overarching data protection law. So, even in the U.S. alone, because of federalism, we have HIPAA and we have COPPA which protects children and we have other types of acts, but then we also have state regulations. So, in California you have the California Privacy Act. In New York you have certain regulations with regard to cyber security and you have to deal with this patchwork. So, that becomes something that adds a new layer of complexity and a new layer of issues, as we take a look, even within the U.S. alone, as to how to deal with all of this. And then we start looking at the GDPR and all of this. From a technical perspective. I'm not a technologist, but. >> Katya, let me ask you a question on the (mumbles) and business front. (mumbles) I think one of the things. I'm saying it might or may not be an issue, but I want to get your legal weigh-in on this. >> Katya: Sure. >> It used to be when you started a company, you go to Delaware, very friendly, domicile in Delaware, do some formation there, whether you're a C corp or whatever, that's where we tend to go, raise some money, get some preferred stock, you're in business. >> Is there a shift in where companies with domicile, their entity, or restructure their companies around this complexity? Because, there's two schools of thought. This brute force act, everything coming at you, or you restructure your corporate formation to handle some of the nuances, whether it's I have a Cayman or a Bermuda... whatever's going on in the regulatory regime, whether it's innovative or not. Are people thinking like that? Or, what's your take on it? What's some of the data you're seeing from the field around, restructuring around the problem? >> So, with respect to restructuring, specifically around data laws and data protection laws, I'm not seeing too much of that, simple because of the fact that regulations like the GDPR are just so all-encompassing. With respect to companies setting up in Delaware as opposed to other jurisdictions, those are usually based on two issues, right, two core ones, if I can condense it. One has to do with the court system and how favorable a court system is to the corporation, and the second is taxes. So, a lot of times when you see companies that are doing all of this restructuring, where they're setting up in offshore zones, or et cetera, it's usually because of some sort of a tax benefit. It might be because of the fact that, I don't know, for example, intellectual property. If you have a company that's been licensing IP to the United States, there's a 30% withholding tax when royalties are paid back overseas. So a lot of times when you're looking at an international structuring, you're trying to figure out a jurisdiction that might have a tax treaty with the United States, that will create some sort of an opportunity to get rid of that 30% withholding. So, that's where things usually come into play with regard to taxes and IP. I haven't seen yet, on the side of looking for courts that are more favorable to companies, with respect to data privacy and data protection. I just haven't seen that happen yet because I think that it's too soon. >> How do companies defend themselves against claims that come out of these new relations? I mean GDPR, I've called it the shitstorm when it came out. I never was a big fan of it. It just didn't. I mean, I get the concept, but I kind of understood the technical issues, but let's just say that you're a small growing business and you don't have the army of lawyers or if someone makes a claim on you, I have to defend it. How are companies defending themselves? Do they just shut down? Do they hire you guys? I mean, obviously lawyers need to be involved. But, at some point there's a line of where having a U.S. company and someone consumes my media in Germany and it says, hey I'm a German citizen. You American company, delete my records. How does that work? Do I have to be responsible for that? I mean, what's? >> So, it's really case-by-case basis. First of all, obviously, with regard to what I was talking about earlier, with respect to the fact that there are certain regulations in the U.S. that conflict with GDPR and the right to be forgotten. If you can actually assert a defense and sort of a good reason for why you have to maintain that information, that's step one. Step two is, if it's some complaint that you received, is to delete the person's information. There's an easier way to do it. >> Yeah, just do what they want. >> Just comply with what they want. If somebody wants to be off of a mailing list, take them off the mailing list. The third is, putting in best practices. So, I'm sure a lot of things that people see online, it's always great to go ahead and obtain legal counsel, even if you're consulting with a lawyer just for an hour or two, just to really understand your particular situation. But, take a look at privacy policies online. Take a look at the fact that cookies now have a pop-up whenever you go to a website. I'm sure you've noticed this, right? >> John: Yeah. So, there are little things like this. Think about the fact that there are, what is known as clickwrap agreements. So, usually you have to consent. You have to check a box or uncheck a box with respect to reading privacy policies, being approved for having your email address and contact information somewhere. So, use some common sense. >> So, basically don't ignore the prompt. >> Don't ignore the problem. >> Don't ignore it. Don't stick your head in the sand. It'll bite you. >> Correct. And the thing is, to be honest, for most people, for most small companies, it's not that difficult to comply. When we start talking about mid-size and large businesses, the next level, the next step, obviously beyond hiring attorneys and the like, is try to comply with standards and certifications. For example, there's what is known as ISO standards. Your company can go through the ISO 27001 certification process. I think it costs around approximately $20,000. But, it's an opportunity to go ahead, go through that process, understand how compliant you are, and because you have the certification, you're then able to go to your customers and say, hey, we've been through this, we're certified. >> Yeah. Well, I want to get, Katya, your thoughts, as we wrap up on this segment, around Crypto and Blockchain. Obviously, we're bullish on Blockchain. We think this is a supply chain. (mumbles) Blockchain can be a good force, although some think there's some work needs to be done on the whole energy side of it, which is, we would agree. But, still. I'm not going to make that be a wet blanket of excitement. But cryptocurrency has been fraudulent. It's been. The SCC's been cracking down in the U.S., in the news. Lieber's falling apart, although, I called that separately, but, (laughing) it had nothing to do with that Lieber. It was more of Facebook, but. Telegram. We were talking about that, others. People are getting handcuffed on this stuff. They're really kind of clamping down. But, overseas in Asia, it's still an unregulated, seems to be (mumbles) kind of market. Your advice to clients was to shy away, be careful? >> My advice to clients is as follows. First of all, Blockchain and cryptocurrency are not the same thing. Right? Cryptocurrency is a use case coming out of Blockchain technology. I think that in the United States, the best way to think about it is to understand that the term cryptocurrency, from a regulatory perspective, is actually a misnomer. It's not a currency. It's property. Right? It's an asset. It's digital assets. So, if you think about it the same way that we think of shares in a company, it's actually much easier to become compliant, because, then you can understand that it's going to be subject to U.S. securities laws, just like other securities. It's going to be taxed, just like securities are taxed, which means that it's going to be subject to long and short-term capitol gain, and it's also going to be subject to the other regulatory restrictions that are adherent to securities, both on the federal and state level. >> It's interesting that you mentioned security. The word security. If you look back at the ICO craze, internet coin offerings, crypto offerings, whatever you call it, The people who got whacked the most were the ones that went out as a utility tokens. Not to get nerdy on this, but utility and security are two types of tokens. The ones that went out and raised money as the utility token had no product, raised money using the utility that doesn't exist. That's essentially a security. And, so, no wonder why they're getting slapped. >> They're securities. Look, Bitcoin, different story, because Bitcoin is the closest to being I guess, what we could consider to be truly decentralized, right? And the regulatory climate around Bitcoin is a little bit different from what I'm talking about, with respects to securities laws. Although, from a tax perspective, it's the same. It's taxed as property. It's not taxed the way that foreign currency is taxed. But ultimately, yeah. You had a lot of cowboys who went out, and made a lot of money, and were just breaking the law, and now everyone is shocked when they see what's going on with this cease-and-desist order from the SCC against Telegram, and these other issues. But, none of it is particularly surprising because at the end of the day we have regulations in place, we have a regulatory regime, and most people just chose to ignore it. >> It's interesting how fast the SCC modernized their thinking around this. They really. From a speed standpoint, all government agencies tend to be glacier speed kind of movement. They were pretty fast. I mean, they kind of huddled on this for a couple months and came out with direction. They've been proactive. I got to say. I was usually skeptical of most government organization. I don't think they well inform. In this case, I think the SCC did a good job. >> So, I think that the issue is as follows. You know, Crypto is a very very very small portion of what the SCC deals with, so, they actually paid an inordinate amount of attention to this, and, I think that they did it for a couple of reasons. One is because, you asked me in the beginning of this interview about regulations versus innovation. And, I don't think anyone wants to stifle innovation in America. It's a very interesting technology. It's very interesting ideas, right? No one wants that to go away and no one wants people to stop experimenting and stop dreaming bigger. At the same time, the other issue that we've seen now, especially, not only with the SCC, but with the IRS now getting involved, is the fact that even though this is something very very small, they are very concerned about where the technology could go in the future. The IRS is extremely concerned about erosion of the tax space. So, because of that, it makes a lot of sense for them to pay attention to this very very early on, nip this in the bud, and help guide it back into the right direction. >> I think that's a good balance. Great point. Innovation doesn't want to be stifled at all, absolutely. What's new and exciting for you? Share some personal or business updates in your world. What's going on? What's getting you excited these days, in the field? >> What's getting me excited these days? Well, I have to tell you that one thing that actually has gotten me excited these days is the fact that the Blockchain and cryptocurrency industries have grown up, substantially. And, now we're able to take a look at those industries in tandem with the tech industry at large, because they seem to sort of be going off in a different direction, and now we're taking a look at it, and now you can really see sort of where the areas that things are going to get exciting. I look at my clients and I see the things that they're doing and I'm always excited for them, and I'm always interested to see what new things that they'll innovate, because, again, I'm not a technologist. So, for me, that's a lot of fun. And, in addition to that, I think that other areas are extremely exciting as well. I'm a big fan of Acronis. I'm a big fan of cyber protection issues, data protection, data regulation. I think something that's really interesting in the world of data regulation, that actually has come out of the Blockchain community, in a way, is the notion of data as a personal right, as personal property. So, one of the big things is the idea that now that we've seen these massive data breaches with Facebook and 23andME, and the way that big government, big companies, are using individuals' datas, the idea that if data were to be personal property, it would be used very very differently. And technologists who are using Blockchain technology say that Blockchain technology might actually be able to make that happen. Because if you could have a decentralized Facebook, let's say, people could own their own data and then use that data as they want to and be compensated for it. So, that's really interesting, right-- Yeah, but, if you're just going to use the product, they might as well own their data, right? >> Katya: Exactly. >> Katya, thanks for coming on theCUBE. Thanks for the insight. Great, compelling narrative. Thanks for sharing. >> Sure, thank you very much. >> Appreciate it. I'm John Furrier here on theCUBE, Miami Beach, at the Fontainebleau hotel for Acronis' Global Cyber Summit 2019. We'll be back with more coverage after this short break.