Cybersecurity and cyber risk are evolving faster than most organizations can keep up with, and understanding the difference is critical for leaders today. John Riley speaks with Leopold “Lee” Lueddemann about how companies can analyze risk through the lens of AI threats and vulnerabilities, prioritize limited resources, and prepare for the “collision course” between privacy laws and artificial intelligence. Lee explains why CEOs must focus on compliance and liability reduction, shares emerging trends from AI-powered phishing to global IP concerns, and stresses the importance of advanced incident response planning. He also reflects on his career in privacy and IP law, his global travel adventures, and his latest project helping a museum protect its digital assets.
—
Watch the episode here
Listen to the podcast here
Cyber Risk Vs. Cybersecurity: Preparing For AI Threats With Leopold Lueddemann
We have an awesome guest who is a passionate traveler and enjoys exploring the world with his family. He’s achieved an impressive feat of visiting every continent on the globe. He returned from an exciting adventure in Rwanda. He embraces cultural experiences through cooking classes and volunteering during each trip.
Welcome to Lee Lueddemann, owner of Lueddemann Law.
Thanks. I’m happy to be here.
Cybersecurity Vs. Cyber Risk: The Three Little Pigs Analogy
We’re going to jump right in here. How would you explain the difference between what cybersecurity is and what cyber risk is?
I see cyber risk as an overall approach. The other is the actual aftermath of how that approach is implemented and put into action. Let’s break that down. I see cyber risk as an analysis of threat versus vulnerability, and therefore, you get the risk. With vulnerability, how much threat is there? That would give a risk. Cybersecurity is the way, once you know the risk, to mitigate the risk intelligently, especially if you have limited resources.
Maybe even evaluate the level of risk on each one, right?
Agreed.
Maybe there needs to be a formula for each company. We got something we can work on together to make that happen.
I have one. I used to teach privacy in law school, and I used to teach it with The Three Little Pigs. Everybody’s familiar with this story. The big bad wolf is the actual threat. With each little pig, you have straw, sticks, and bricks. That’s your vulnerability. If there’s no big bad wolf, it doesn’t matter if your house is made out of straw, sticks, or bricks. There’s zero threat. It’s not going to be blown down.
When you have the big bad wolf, you have the threat, and then you have a vulnerability of straw, which is very vulnerable. There’s a 100% risk. Sticks are very vulnerable. There’s a 100% risk. The threat is there with the brick house, but no matter how hard the wolf blows, there’s no vulnerability. He couldn’t blow the house down. Therefore, no risk. I see it as a matrice. Sorry for nerding out on you. You have the vulnerability, the threat, and therefore, the risk.
I don’t know if it’s nerding out using nursery rhymes. That might not be too much of a nerd thing. I get your point. I’m not sure it’s 100% on a stick house. At least it’s something to cover it. I agree. It’s still going to get blown down if the right person comes with the right force. It will fold like a cheap suit. It depends on the wolf and how they’re looking, but they’re getting better every day. What would you say is the most significant cybersecurity threat that’s facing companies?
The ones that are most relevant to my law practice are the emerging threat of AI and AI uses. We see this with a lot of the EU AI Act and what’s put into play in 2024 and over the next few years. Also, on July 23rd, 2025, I believe the White House officially released an AI action plan. We have a lot of people working on AI action plans and state patchwork of laws in the US, Brazil, and all sorts of other areas, including the EU.
Those regulations are going to get more and more as we move forward. It’s going to become more complicated. You also do some privacy work. There are privacy laws in all 50 states for the privacy of data, correct?
To some extent. There are a few stragglers, but it depends. There are also overall federal regulations in terms of privacy in certain aspects. What I’m seeing is that privacy laws are, in my opinion, on a collision course with Artificial Intelligence.
CEO’s Cyber Priority: Proactive Planning & Liability
That’s a great way of putting it. I can see that. How should a CEO prioritize their cyber risk? If you were in the CEO’s shoes of a medium to large corporation, where does that prioritization come from?
In Omnistruct, with regulatory compliance, you first look at identifying risk and then meeting regulations. Omnistruct can help with this. You can’t always avoid a breach, but you can certainly reduce your liability. In talking to a lawyer, it’s not just the action. Are you liable? Are there defenses to it, etc.? How does this all play out on the bottom line in terms of liability, both in the public for as well as financially and other aspects as well?
AI Cybersecurity: Privacy laws are on a collision course with artificial intelligence.
Do we have a leg to stand on? Did you track what you were doing to prevent this, or only every couple of years?
It’s certainly not something you can sweep under the rug. It’s something you need to keep up with because it’s changing rapidly, and it seems to speed up more and more. It’s not just speeding up, but changing, too. The threats change. The means change. The bad actors change. It’s something you constantly need to keep up with. It’s not something that you can chase around. The dog can’t chase the tail anymore. You need to anticipate it.
Prepare for it. Understand that it’s coming. There is no 100% security blanket that’s going to cover you, even if you have a brick house. I live in Florida, so I’ve seen brick houses underwater. It may not be a big bad wolf, but it can still go under.
That’s right. With your brick house, there are still glass windows.
That is correct. From your perspective, what emerging trends do you see that we’re going to have the most impact on cybersecurity in the near future?
Clearly, I tie it into AI. With the global marketplace and bad actors, you’ve got people using AI for all sorts of things. I look at not just cybersecurity, but also potentially liability. For example, patent infringement, trademark infringement, and copyright infringement. All these are liabilities for a company with untrained or novice AI users. This could be buying into voice phishing, phishing schemes, and all sorts of other things these people are coming up with. For example, chatbots are a cheap and low-tech way that bad actors are starting to exploit, I believe. You would know. I know you’re an expert in this as well. AI has opened up a lot more avenues and different amounts of money that people can spend to compromise a company.
When you’re talking about voice phishing and that type of thing, I’m getting concerned about having my voice on my recording for leaving a message. All they need is that little snippet for them to be able to create my voice and do voice authentications with my bank or something. A friend of mine had that happen. Be protective from a personal standpoint. You’ve got to try and figure out what level of risk you are personally taking, not just from a company standpoint.
It also works for the good. For example, when you look at the biometric acts like Illinois and in the EU, when they’re looking at such things, it’s not just voice, but voice inflections, facial recognition, and furrowing of eyebrows. Even the words you type, how you react, and how long it takes you to type could be used for bad to impersonate other people and lead to scams, but also to detect if that’s recorded in a bank if somebody is committing fraud, breaking into an account that isn’t the account owner. If it doesn’t match those biometrics, they can potentially shut that down. I believe that has occurred. It’s good and bad, but it’s certainly evolving and a little scary.
When Disaster Strikes: The Post-Hack Journey
If you were in those shoes, and somebody had hacked your business or your account, or if you were a CEO of a company, what does that journey look like? That feeling in the morning when you wake up and your data has been attacked by ransomware, and you got some message from somebody that says, “I hope you don’t pay,” but you’ve already released the data or whatever. Tell me what you think that feels like. I’m sure you’ve dealt with some of the people who have had that.
I know where you want to be and where you don’t want to be. This comes in with a little bit of advanced planning. An ounce of prevention is worth a pound of cure. If you have a plan set up, you know who to call, you spring into action, and you have a team ready to go. There are different departments and outside people to help you with that.
Certainly, if you wake up to that and find out that being the CEO, somebody has created a deep fake of your voice, made even your visual, and tried to commit a fraud, worst-case scenario, I suppose, but all sorts of other things as well, this is not the time to be calling people to figure out, “Who do I call?” and making introductions. This is the time you say, “This is what we’re ready for.”
You can put together an action plan, but the only thing that matters when it happens is the fact that you have planned for the event. Probably, it isn’t going to go 100% to the scenarios and the hypotheticals that you planned for, but at least you have a plan in effect, and you can act. You pretty much know what to do. You can wake up and try, or you could wake up and say, “Here we go. This is what I’ve been preparing for.”
“This is how we practiced it.” There was a Marvel show or something where he goes, “Prepare the plan, write the plan, and then throw the plan out because it doesn’t matter anymore. You’ve got to go with what’s going on.” I don’t remember exactly what the thing was, but it was similar. When you get in that emergency situation where your bells and whistles are going off, then you make things go. It does help to have that contact, the PR company, the lawyer, and all the deposits paid and ready to go, because if you don’t, then they don’t take your call.
You have a 24 or 48-hour deadline to act.
Tell me a little bit about yourself. How did you get here? You like privacy. You like AI. You’re doing trademarks. How did you end up in that situation of being a lawyer?
One of my first gigs out of law school was general counsel of a pharmaceutical company. That was in 2000. That was my introduction to privacy law. I don’t even know if it was called privacy law back then or not. I’m a registered patent attorney. I’ve always had one foot in science and technology. Part of my practice is patents, trademarks, copyrights, and license agreements.
We had clinical trials all over the world. We were dealing with patient data, both with oncology and drugs, as well as medical devices, which our company had a few. That was my introduction to privacy when HIPAA was three years old. Regardless of whether I’ve worked for the state, the federal government, or various law firms, I’ve always dealt with privacy in one sense or another.
In 2012, I started this practice with those two areas of law and focused. AI has become a big part of my practice, as you’ve probably already gathered. It’s very fun for me, unintentionally. Those two continue to merge closer and closer. Those two, intellectual property privacy and the merger of AI, are just one way they’re merging into one.
It is going to be an interesting intersection of how those are going to come together because AI is sucking in any data that it can, whether it’s privacy data or not. We’re coming into some changes that may need to be looked at. How’s that?
Amen.
Evolution Of Law: Adapting To The AI Frontier
Tell me, and this could be life advice. What changes would you make?
Not a lot of changes, to be honest. One of my strengths is to be open and try to listen to what’s going on around me. I would’ve never guessed many years ago when I was introduced to privacy and I started my legal career that AI would be as it is now, and that privacy would be in its own right and area of law. Clearly, patents are the first specialty in law set up in the Constitution of the United States, so that was not an awakening.
Where this has taken me is certainly interesting. I’m glad that I am open to it and try to look around for what changes. I see many good companies that get complacent and rest on their laurels. They, unfortunately, may not meet their demise but become less relevant than they once were. It’s good to stay out of your comfort zone.
That’s where growth happens. In life, you have to be challenged. Steel doesn’t become steel just by sitting there. It has to be worked and heated to become steel. Tell me about your passions. What do you do outside of work? We talked about travel, volunteering, and such. What else do you do? Where’s your next trip to?
We got back from gorilla trekking in the mountains of Rwanda, which was a bucket list item for us. It was very rewarding and surprising. We were probably within five yards of a silverback and a whole gorilla family. Getting out there and marching around in the elevations of the mountains of Rwanda was fun. We went through Tanzania with some safaris and ended up on the beach in Zanzibar. We are off next to the fjords of Norway, specifically because 2025, I am pretty sure, is the last year that you can take an emissions vehicle into the UNESCO World Heritage Sites of Norway. After 2025, it’ll be non-emissions only. We are going to go see Iceland, the fjords of Norway, and a few other countries.
That’s beautiful. I love it. What else do you like to do besides travel?
I like to garden. I love my fruit trees and berry bushes.
I love it. I’ve got two apple trees, a cherry tree, a pomegranate tree, and a couple of citrus trees. I may probably not have nearly as big a garden as you have, but I’m working on it. I’m working my way up to it.
It’s enjoyable to get outside and deal with something that can be very non-technical, rewarding, and simple. These events with almost immediate gratification are rare in life. If I’m out mowing the lawn, I’m picking an apple or some cherries and enjoying that right away.
That’s excellent. I bought a tractor. I’ve been playing with that. I’ve been digging holes and that kind of stuff.
I’ll be right over. That sounds like a great time.
Protecting Digital Assets: A Museum’s IP Challenge
Come on over. I’ve been digging holes, moving dirt around the property, and playing. Don’t get me wrong. I’ve also hit the house once or twice with the excavator. That’s another episode that we might have to do on that one. What are you working on that you’re most excited about?
This is new for me, and it’s exciting for me. I am helping a nonprofit museum to create an online presence. I’ve been going through and working with their engineers to protect their intellectual property through what can be somewhat novel means, given the technology of scraping and using their images, their text, etc., besides the normal legal protections. I’ve been working with their engineering, creating novel ways to protect it. That is a lot of fun for me because it’s something I’ve not done before.
That would be interesting for a lot of people. You’re playing with some new technologies. You’re exploring education. There are lots of good features coming out of that one. How can people reach you? Would you like it to be an email or LinkedIn? What’s the best way?
Send me an email.
I appreciate your time on this one and your insight into all the privacy stuff. It’s not very often that we get a privacy expert who understands this, as well as the learning of AI and how that’s intersecting. I appreciate you being on and taking the time to be on here.
It is my pleasure. It’s always great to speak with you.
We have fun when we’re together. Maybe we’ll start traveling together. I like your plans. Everybody, thank you to our audience for tuning in. I hope you’ve learned something. Pass this on to a friend. We’re always looking to find more people on the show. It’s been another great episode of the show. We’ll see you next time.
Important Links
About Leopold “Lee” Lueddemann
Lee has explored every continent with his family, blending travel with cultural immersion and service.
From hands-on cooking classes to volunteer work, each journey deepens his connection to global communities and shared human experiences.
