MMBJ’s Puplava communicates strong message on cyber security

It is no wonder that [Trivalent Board Member] Jennifer Puplava of Mika, Meyers, Beckett and Jones jumped at the chance to get involved when her client, Trivalent, talked with her about presenting at their “Solutions Expo.”

A dynamic and interesting speaker, she saw the opportunity to communicate both on her subject matter and about how she as an attorney, and others at MMBJ, can help.

Because Trivalent Group is “the leading provider of Managed IT [Information Technology] Solutions such as Cloud Computing, Managed Networks and Managed Services in Michigan,” and its expo caters to a clientele interested primarily in the IT world, Puplava, whose practice has an emphasis on technology law, focused this year on privacy policy and aspects of cybersecurity. These could have been very dry topics indeed, but she made them very real to her audience, primarily through the use of language that “popped.”

For example, in her presentation “Prepare for the Worst — Best Prac-

tices for Responding to Cybersecurity Breaches,” she referred to a list of private rights of action over which a company with a security breach can be sued as  “The Parade of Horribles.” Included were negligence, breach of contract, breach of fiduciary duty, unjust enrichment, and others.

When warning of the likelihood that some manner of breach will happen, Puplava said that the only way to avoid it with certainty was to “go caveman” and avoid all contact with any form of technology or the Internet.

What she advised instead was a lot of planning in advance on what to do in the event of such a breach.

“Breach” is defined by Michigan law as “the unauthorized access and acquisition of data that compromises the security or confidentiality of ‘Personal Information’ maintained by a covered entity as part of a database of ‘Personal Information’ regarding multiple individuals,” and Personal Information is defined as the first name, or first initial, and last name linked to one or more of the following: Social Security Number, drivers’ license or Michigan ID, and/or a financial account number or credit/debit card number in connection with any required code, or password, that would permit access to the accounts. (In response to an audience question, Puplava said mailing address are not considered that type of information.)

As another of her presentations advised, it is critical to do everything within a company’s power to avoid breaches, but because technology is ever-changing and there seems to be no lack of individuals wanting to access private information illegally for their own gain, she warned that two of the important areas for advance planning were public relations and messaging, and notification.

The law is fairly specific about the content of notices, though she referred to the timing requirement, “without delay,” as “squishy.” They must be “written in a clear and conspicuous manner,” advise specifically what information was accessed, and give a description of what the firm or department has done to prevent further breaches, including giving a phone number and warning potentially compromised individuals to be on the lookout for unauthorized uses and symptoms of identity theft.

“We lawyers like to over-complicate things — and sometimes it’s intentional,” she said with a smile, “but this is a case where we’ll advise you to be as clear and concise as possible.”

The rub may lie more in who and how to notify than with the content, which is one of the very good reasons to think about it in advance. For example, if a company’s customers are in a number of states, it is not impossible that notification requirements will differ, and it would be very difficult to figure all that out in a timely fashion after rather than before the breach.

However, Puplava noted, “Many of the states have similar rules.” She added that in most instances where there are differing federal and state regulations, the federal takes precedence.

Her other cybersecurity presentation covered how to protect a business from internet crime, but noted that the laws in this area are “a moving target.”

And her privacy policy presentation advised that even if no such policy is required, it is advisable to have one. She suggested first assessing the way data will be collected and used, and potentially shared, and then exploring what legal restrictions apply before drafting the policy statement. Borrowing wording from another company is ill-advised because none of these areas are “one-size-fits-all,” so an attorney’s advice is almost certainly going to be required.

Puplava is well-equipped to delivery such advice, and her practice also delves into technology where it overlaps with intellectual property law, another of her specialties. She represents clients in litigation and trademark proceedings, and counsels them on trade secret and copyright agreements and other documents;  and her technology law expertise spans domain names to information security, including the subjects of her presentations.

She graduated magna cum laude from Saint Mary’s College in Notre Dame, Indiana, and cum laude from Indiana University School of Law.

In addition to committee and section memberships with the Grand Rapids, State and American Bar Associations, Puplava is or has been a member of the Cascade Downtown Development Authority Board, the Humane Society of West Michigan board, the International Trademark Association, the American Intellectual Property Law Association, and the Grand Rapids Chamber of Commerce; she has also been very active in the Woman Lawyers Association of Michigan Western Region.