2025-10-07, Belvedere I / Security, Compliance & the Law
Open-source cryptographic libraries like OpenSSL are foundational to the internet’s security—but when misused or misconfigured, they don’t just open the door to cyber threats. They open the door to legal ones. This session explores the collision between technical missteps in cryptography and high-stakes legal exposure, examining how supply chain vulnerabilities, licensing misunderstandings, and implementation failures can escalate into breach reporting obligations, regulatory investigations, and contractual liability. We’ll also unpack how legal teams can support engineering in building stronger risk models and contract guardrails when deploying open-source cryptography.
Cryptographic failures aren’t just a technical problem—they’re a legal and compliance crisis waiting to happen.
This session will dissect how cryptographic implementation issues, like weak key management, improper OpenSSL usage, or outdated dependencies, have triggered legal responses ranging from data breach notifications to class-action lawsuits. Drawing from public incidents and private practice, we’ll walk through how seemingly small mistakes—like leaving a critical config file unchanged—can cascade into major liability under GDPR, HIPAA, and evolving state privacy laws.
But the legal fallout doesn’t stop at regulators. We’ll also dive into how open-source licensing issues and vendor contracts can create risk in the software supply chain—and what legal protections (or exposures) your indemnity clauses, SLAs, and warranties might actually offer.
The session will close with actionable strategies for building a cross-functional defense: helping legal and technical teams align on encryption expectations, OSS governance, and breach preparedness.
Whether you're a developer embedding encryption libraries or a counsel drafting indemnification clauses, this session is the API between code, legal, and compliance—and makes the case for treating cryptographic hygiene as a board-level concern.
Key Takeaways
1) Understand how cryptographic errors can trigger breach notification obligations under U.S. and international privacy laws
2) Learn from case studies involving OpenSSL misconfigurations, key reuse, and supply chain attacks
3) Spot common legal pitfalls in OSS usage, including license conflicts and lack of indemnification
4) Explore frameworks for aligning legal, engineering, and procurement on secure OSS adoption
5) Gain practical tools for integrating legal foresight into encryption-related threat modeling
Ashley Pusey is your favorite API—Ashley Pusey Interface—a New York-based attorney navigating the fault lines between AI, cybersecurity, and global data regulation. She advises companies across industries on cyber incident response, privacy compliance, and the legal guardrails around emerging technologies. Whether handling complex breaches across EMEA, LATAM, and APAC or engaging with regulators like the Office for Civil Rights on HIPAA and GLBA issues, Ashley brings clarity and strategy to moments of uncertainty.
But Ashley’s practice isn’t just about managing risk—it’s about building trust. She helps organizations operationalize responsible tech, guiding product launches, adapting to evolving AI regulations, and crafting data governance frameworks.
Her passion for law and innovation didn’t start in a courtroom—it started on the runway. Fascinated by smart textiles and wearable tech disrupting the fashion industry, Ashley found herself drawn to the legal, ethical, and cultural questions embedded in emerging technologies.
Ashley is credentialed with CIPP/US, CIPP/E, CIPM, and the IAPP’s Fellow of Information Privacy (FIP) designation. She holds certifications in Cybersecurity (MIT), Artificial Intelligence (Center for AI and Digital Policy), and Fashion Law (Fashion Law Institute)—a blend that reflects both her creative and regulatory DNA.
At the interface of law, code, and culture, Ashley champions a future where innovation is as ethical as it is exciting—and where every system, suit, or software release is built with integrity.