Lisa Monaco, O'Melveny & Myers.

So what does one do as an encore to the role of Homeland Security Advisor with the Obama administration? For Lisa Monaco, the answer included becoming co-chair of the data security and privacy group at the firm of O'Melveny & Myers.

This isn't the first time that Monaco has had to follow up a prestigious gig. Other career highlights include 15 years at the Department of Justice and serving as counsel and chief of staff to Robert Mueller during his time as director of the FBI. She's no stranger to the startup scene either, having worked as an adviser to Lyft during her post-government career.

Legaltech News caught up with Monaco to discuss the challenges facing cyber enforcement, her views on ongoing privacy debates, and why companies should be paying more attention to the Internet of Things.

This conversation has been edited for length and clarity.

Legaltech News: How have you seen cyber enforcement change over the years?

Lisa Monaco: I think what you've seen, certainly at the federal level, has been a growing focus on enforcement in the area of cyber-enabled economic espionage and particularly a focus on intellectual property theft. And I think we've seen over the last several years a growing focus on the activity of nation-states in this area and an effort to try and vindicate the rights of victim companies who have been suffering under an onslaught of nation state attacks when it comes to intellectual property theft. …

[Also] I think what we've really seen is growing recognition across a number of industry sectors, in fact, that data security and cybersecurity needs to be considered an enterprise issue and an enterprise risk.

Do you feel like there's a cybersecurity concern or issue that people aren't paying enough attention to right now?

There are two things. One: the explosion of Internet of Things (IoT) devices, and what does that mean for vulnerability, for companies, their products? … We've seen a lot of activity when it comes to standards development in that space, so that's an area to be watched almost regardless of what industry sector you're in since IoT devices now just permeate our lives. The estimates are, at the low-end, that in the year 2020 there will be 20 billion IoT devices attached to the internet. …

Then the second area is supply vulnerability. Here again, the threat is agnostic as to the industry sector, and it's really incumbent upon companies and their general counsel to be thinking of vulnerabilities, the responsibilities, the legal exposure that they might have when it comes to supply chain vulnerability and the particular cybersecurity risks that that poses.

There's an ongoing debate over absolute encryption versus creating windows for law enforcement access. Where do you fall on this debate?

I think it's part of a broader privacy debate that you're seeing. … I mean, if you look at the California Consumer Privacy Act that goes into effect in 2020, that has really changed the conversation at the state level and has had an ensuing effect at the federal level. … So I think the encryption issue is one that nests within this growing focus on privacy, and what the legislative landscape is going to yield on that remains to be seen. But what is quite striking is how much the California law has really changed the dynamic and really accelerated the conversation both in the states and the federal level.

Is there value in having kind of a singular federal cyber standard, or is this something that's better handled at the state level?

The fact that California has put this statute in place going into effect in 2020 has really galvanized some momentum for other states to follow suit and at the federal level you're actually seeing calls, including some from industry, for a federal statute. … One singular federal law might be more easily complied with than a patchwork of different other statutes. So I think that's where you're going to see the debate move, which is what might be one coherent federal approach that could be something that industry could better comply with and more efficiently comply with rather than a patchwork of 50 different statues.

What are unique cybersecurity challenges facing today's startups?

I think all companies, regardless of their particular product, regardless almost of their size and scope, are having to confront new issues when it comes to data security, data governance. … You've seen the SEC now in the last couple years issue more guidance about cybersecurity disclosure, and these are things that companies of all types, if they are contemplating going public or obviously if they've already traded on the public market, need to be thinking about. What are the procedures, the policies that they need to put in place when it comes to data security? And this is again without regard to what type of customer service they provide.