Punishing the Victim: What’s Broken in Cybersecurity Law with Andy Lunsford, CEO of BreachRx
Summary
Cyber incidents are no longer rare; they’re inevitable. In Episode 105, Andy Lunsford, CEO of BreachRx, breaks down why most legal response systems fail and what in-house legal teams can do about it. From global breach laws to privilege pitfalls, this episode is a must-listen for GCs preparing for the next wave of risk.
Key Insights
1. The System Punishes Victims
Early on, Andy noticed something fundamentally unfair — companies attacked by hackers were being treated like criminals.
“If your house gets broken into, the police don’t fine you for having a good lock that someone picked. But in cybersecurity, that’s exactly what we do.”
He argues the law must evolve from a punitive model to a resilience model — rewarding preparation and transparency rather than punishing breach victims.
2. Automation Is the New Legal Infrastructure
With 200+ global breach laws that change constantly, manual compliance is impossible.
Andy and his co-founder Matt built BreachRx to be the “TurboTax for breach response” — automating notifications, tracking actions, and creating an immutable record of responsible behavior.
“You shouldn’t have to memorize the world’s privacy laws to do the right thing.”
3. Transparency > Silence
Traditional legal advice was “don’t write anything down.” Andy calls that a mistake. Without records, companies look irresponsible.
“If you don’t document your response, you can’t prove you acted responsibly.”
He advocates for a dual-track approach: keep a clear factual record of response actions, and segregate privileged legal communications in a separate system.
4. Defend the Defenders
Recent cases targeting CISOs and privacy officers for breach handling have chilled the profession.
“We can’t expect people to protect our economy if doing their job might land them in jail.”
BreachRx’s mission — “defend the defenders” — is about giving security leaders the tools and records to show due diligence and avoid personal liability.
5. Preparation Beats Reaction
Most companies still treat incident response as a fire drill. Andy believes it should be a muscle memory exercise.
He urges GCs to build cross-functional response teams, practice regularly, and establish a system of record for every incident — not just a PDF plan on a shelf.
6. Is Legal Training in Disguise
Leaving a successful consulting business to start BreachRx was a bet on timing. He launched in 2018 — just as GDPR went into effect. It took years of grind and “punching through brick walls” before customers caught up to his vision — but now the market’s ready.
7. Closing Insight
“If we want the best minds in cybersecurity, we have to stop treating them like criminals.”
Andy Lunsford’s mission is simple — turn breach response from chaos into confidence and make sure the law finally catches up to reality.
In this podcast, we cover
00:00 Introduction
02:07 Andy’s path into privacy law: From philosophy to shaping early FTC breach cases
06:19 The shift from rare black swan breaches to everyday business risk
08:54 How GDPR’s 72-hour rule changed incident response expectations
13:53 Founding Beacon Group: bridging litigation, incident response, and expert testimony
16:53 The law punishes victims: why breach response is legally broken
21:00 Defending the defenders: Mental toll and leadership under breach pressure
22:48 Personal risk in cybersecurity: why CISOs and legal leaders need protection too
27:28 How GCs can prepare for breaches: building systems, not just plans
32:23 Rising executive accountability: how GCs can protect their teams and companies
34:49 From legal consultant to tech CEO: building BreachRx as a category-defining platform
40:52 The challenge of early-market education and building industry standards
42:35 Rapid-fire Questions