Episode #95 - The Legal Side of Cyber Protection

welcome to the cyber rants podcast
where we're all about sharing the forbidden secrets
and slightly embellished truths
about corporate cyber security programs
we're ranting
we're raving
and we're telling you the stuff that nobody talks about
on their fancy website and trade show giveaways
all to protect you from cybercriminals
and now here's your hosts
mike ratando
zack fuller
and laura chavez
hello and welcome to the cyber ants podcast
this is your co host
zach fuller
joined today by mike ritano
but no laro chavez
he is out for the moment
so if you're tuning in for laro's corner
we apologize
you're gonna have to join us on the next one
but that being said
we have special guests here with us
john gray who is a
an attorney with louis rocha
that specializes in cyber security
and really has just a wealth of knowledge
in all the legal aspects of this field
so john it's pleasure to have you
looking forward to the conversation
yeah thanks zach
happy to be here
great great
well hey before we dive into that
mike why don't you kick us off with the news
will do hey
ferrari confirmed extortion attempt
the car maker refuses to pay ransom
ferrari confirmed monday that it was hit with a ransom
more extortion attempt by an unknown smart actor
and customer names
addresses email
and telephone numbers were exposed
in a letter to customers
the company was adamant that no payment details
and or bank account numbers
or other sensitive payment information
or details for i cars owned or ordered had been stolen
they also said the breach
had no impact on the company's operation
rory said in the statement
as a polity
priority will not
not be held to ransom
that tank has demands
fund criminal activity
enables threat actors to perpetrate
their attacks
for that i applaud them
the company said once it received a ransom demand
it immediately started a investigation
in collaboration with the leading global third party
security firm
not so on sector
and had confirmed their date as identification
they also informed the relevant authorities
and investigations
on their way
the reason they didn't use sound sectors
we couldn't decide what color ferraris we wanted
and fast enough
so that's i know what color i want so
well we'll just make that request after we jump off the
yeah yes i think it was laurie
in between red yellow
octa post exploitation method exposes the user password
a post exploitation attack method has been uncovered
that allows
adversaries to read clear text user passwords for octa
and gain access in corporate environment
before everybody panics
what it means is
after your optus server hasn't been exploited
they can do this
so if your optus server hasn't been exploited
this isn't going to happen yet
current actors
who have gained access to the company system
can then easily harvest users passwords
the privileges
and gain access
multiple enterprise assets
that use octa
this is possible because
occa saves user passwords to our blog
that the user actively types them
in the user name field
after audit
logs apply detailed information about user activity
including username
ip addresses
and login type staff
the logs also provided insights into successful
and unsuccessful login attempts
and whether they were performed by a web browser
or mobile app
hey look microsoft
in the news
sharepoint fishing scan
targets sixteen hundred across us and europe
a novel fishing scam
relying on legitimate servers from sharepoint
has been targeting users across europe
in the us and other countries
using a native notification mechanism
the first key security research
to describe the findings
in a new advisor published earlier today
adding cybercriminals use that can
to steal the credentials for various email accounts
including yahoo aol
outlook office
we five and others
the employee receives a standard of case
not someone sharing a file
upon clicking the link
victims are directed to a genuine sharepoint server
hosting a onenote file
that includes another link
this is the malicious one
the link is in turn open
link in turn
over the standard fictum site
that mimics the onedrive login page
which readily steals pretentials for yahoo
aol outlook
obviously fifty five and others
i didn't know aol is still a thing
but there you go
one of our favorite topics lately
rogue chat tbt extension
faith gbt hijack facebook accounts
cardio security scheme
hasn't covered
a new variant of a malicious chat tbt
chrome extension
that was already downloaded by thousands of days
a malicious extension is able to fill facebook session
cookies and compromise accounts in masses
the legitimate extension is named chad pbt for google
and allows the integration of chappie
gbt on search result
the version
employee and recent campaigns is based on legitimate
open source project
however but actors
added malicious code to steal faithful accounts
malicious chrome extension
has been distributed since march fourteenth
those sponsored google search result
and and has been uploaded
to the official crime store
chrome store
experts know
that it was first uploaded in the chrome store
in february
february fourteenth
lastly nexus
an emerging android choking
banking trojan
target four hundred and fifty financial apps
that was pretty
researchers
warren of an emerging android banking trojan
named nexus
that has avoided by multiple groups and attacks
as of this writing
against four hundred fifty
financial applications
nexus provides
all of the main features
to perform ato attacks
account takeover
against banking
portal and cryptocurrency
therapeutics
talkative credentials dealing
and fmf interception
it offer provides a built in list of injections
against financial applications
next is available via a mall
where as a service
subscription
has advertised on the ground forums
or through private channels
like telegram
since january
twenty twenty three
is available to rent
at a price of three thousand per month
so there was a lot in the news today
miter rolls out the by teen security prototype
just go fix the bunch of budget bugs
epidemic of insecure storage
backup devices
a windfall for cybercrim
so secure your stuff
in case you haven't heard
the TikTok ceo was
testifying before congress
that's interesting to watch
one of the few bipartisan things we've seen lately
uses a tool
detect hacking activity
in microsoft cloud services
one of the good place to start
right and then
there's more mean bugs
so definitely
check out the headlines
as well as just
listening to my adult
that i'm talking about the news
we're gonna miss
laurels corner he escaped
we'll get him locked back in
next week so
zach all right
mike well hey
thanks for all the
all the good
heartwarming news
i appreciate that
i guess i need your help
i guess our jobs are secure
is what you're saying
so at least this week
yeah i guess
that's the silver lining
so apparently
the criminals are still at it
well hey let's
dive in here
we got a lot to talk about
and some really interesting stuff
and extremely important stuff
around cyber
security liability
around the legalities
and what's going on
out there in the wild
so we're looking forward to
diving into that
after a quick
commercial break
want even more
cyber rants
be sure to subscribe
to the cyber
rants podcast
get your copy
of our best selling books
cyber rants
on amazon today
this podcast
is brought to you by
silent sector
the firm dedicated to building world class
cyber security programs
for bedmarket
and immersion companies
across the us
silent sector
also provides industry
leading penetration tests
and cyber risk assessments
visit silent sector
com and contact us
today we're back with the cyber ants podcast
and today we have attorney
john gray with us
from lewis roka
john great to have you
yeah thanks zach
really a pleasure to be here
great hey before we start
would you give us
the overview of
your background in law
and how you got into the cyber
security field
and really made that a focus
in your practice
yeah i'd be happy to
so my early background
was really in financial services
so i graduated from
arizona state university
here in phoenix
with degrees
in finance and economics
and then decided to go to law school
over at usc
in los angeles
and started
my legal career
out in los angeles
at a big firm
out there and did
a lot of work
for a lot of financial
services clients
including some of
the bigger folks
and of course
in that space
you're dealing with
the graham leech blili
act or glba
which you're probably
familiar with
and a lot of your listeners
may be familiar with
and so that law deals
with both privacy
aspects and
cybersecurity
aspects and so
i became familiar with that law
which was really
my first sort of
legal foray
into cybersecurity
and data privacy
and then just continued
down that path
and in twenty
seventeen joined
the arizona
attorney general's office
out here in arizona
where i became
the data privacy
team leader
because i had
some of that background
wanted to sort of
transition my practice
into that space
so that was a really great
opportunity for me
got to learn a lot about
data privacy
dealing with data breach notification laws
in fact we updated arizona's data breach notification
law while i was at the ags office here in arizona
and i was also invited to participate in the
twenty nineteen arizona cybersecurity team which was
an initiative led by governor doug ducey at the time
basically bringing together
the academic community here in arizona
the business community
and also the public sector
the government agencies
who deal with anything touching on cybersecurity
trying to get those communities together
to talk about cybersecurity
to prepare arizona's defenses
to make sure we're more resilient than
you know the next guy
to the extent that we can be
so you know
continued down that path of cybersecurity
and data privacy
and then joined lewis roka in twenty twenty
i'm now the co chair of our data privacy
and cybersecurity team
and we do a lot of work in this space
my particular practice is focused on litigation
and regulatory work
so i do a lot of data preach litigation
whether it's class actions or
some incident response matters
but i also do a fair amount of compliance work as well
so dealing with the california
consumer privacy act ccpa again
i'm sure a lot of your listeners are familiar with that
and some of the other state data breach
and privacy laws that have been popping up
whether it's virginia or connecticut or utah
and colorado for sure
is a big one
that's kind of a long winded summary of my background
and where i am right now in my practice
but i really enjoy talking about cyber security
and data privacy
so really happy to be here today
well i could just feel the listeners that aren't
yet proactive in their cyber risk management
kind of quivering right now
kind of shaking a little
getting a little nervous
because you're the guy that might be coming down on him
right if things don't go well for him
if the cybercriminals get to him
well i used to be that guy when i was at the ags office
now i try to
defend the companies that have data breaches
so most of my work is on the defense side
so if you do experience a data breach
give me a call
i'm happy to step in and try to help you out
good good you're the good guy then
well outstanding
want to make sure our listeners knew that
what do you see
if we start with the ten thousand foot overview
and kind of what's going on these days
what's happening
after today's breaches
you know what are you seeing out there in the wild
just the legal aftermath
what's going on
yeah so there's obviously a lot
um you know
unfortunately these days
anytime you do suffer a data breach
particularly if you have to notify the public about it
or a regulatory agency
the risk of you facing some sort of litigation
or class action or regulatory action is very very high
so the costs of any sort of
cyber security incident continue to increase
the amount of litigation continues to increase
so really when i'm talking about incident response
and the legal ramifications of that
i always try to talk about three categories
of four buckets
of risk that you're going to be dealing with
so if we're in a ransomware incident
for example
the first immediate bucket that you've got to deal with
is the ransomware itself
you've got to deal with
how do i get
my operations back up and running
how do i maintain my business during this immediate
period of time when the ransomware incident is hitting
now most of that is technical
that's you guys
that's the vendors
the cyber security experts
i'm not going to get in there and do the hard work
of the forensic investigation and that sort of thing
and i rely on folks like you
the experts
to make that happen
but you do want to get legal counsel involved
very early on
not only to manage those relationships with vendors
to potentially protect it
with attorney client privilege
or attorney work product privileges
so that's not going to be disclosed later on
in some further litigation
or regulatory matter
but also to assess some of those early legal risks
that come up
and i can talk about those in a second
so that's really
that first bucket
is dealing with the immediate aftermath
and again there are a lot of legal risks within that
but it's primarily technical
and then there's the second bucket
that i like to talk about
which is the notification requirements
or the disclosure requirements
that you're going to face
after you've had
a data breach
and again at that point
you've really got to involve legal counsel
because there's so many different disclosure
obligations nowadays
all fifty states
now have some sort of data breach notification log
there are federal laws that deal with this
in various industries
whether it's hipaa or
glba or other
industry specific laws
that require data breach notifications
and then you certainly got international
data breach notification
obligations as well
so that's really a significant
second bucket
of legal risk
it's primarily legal
because most of these obligations
arise from specific laws or regulations
that pertain to a particular business
so that's a big category
it's not quite
as immediate
as the ransomware incident itself
typically you've got a little bit of time
to make the notifications
sometimes you don't have a bunch of time
but you've usually got a little bit of time
to make sure
you're going through all of the appropriate steps
to notify the appropriate people
that you've had a data breach
or some sort of cyber security incident
and then the third bucket
comes later
again sometimes
it's much later
sometimes it's almost immediate
and that's really your litigation
and regulatory risk bucket
in other words
that's when you get sued
that's when
somebody comes and says
you didn't have the cyber security
you should have had
a regulator comes
and says the same thing
and tries to
extract some sort of money
out of you and again
that's a huge
category of legal risk
again as i think i said
the costs there just continue to increase
so those are really
the three buckets
that everybody faces
when you've got
a data breach or cybersecurity incident
that hasn't changed
a whole lot
over the last several years
but just within
each bucket
the risks have continued
to increase
the costs have continued
to increase
and if i could turn back to that first bucket
just for a minute
as an example
within that first bucket
you've got a bunch of
legal risks about
how do i respond
to this incident
because one of the big questions
obviously is
do i pay the ransom
if it's a ransomware of them
and you know
a big category of risk
that has been in the news recently
and something that we deal with constantly is ofac
sanctions risk
and ofac is the united states
treasury department's
office of foreign
asset control
and your listeners
may be familiar with
some of the sanctions that
they hear about in the news
whether it's russia
in connection with the war on ukraine
or some of the earlier sanctions
against iran
and north korea
and various
other countries
the united states doesn't really get along with
you know there are sanctions programs
in place that
generally speaking
prevent any united states citizen
from transacting
really in any way
with these foreign actors
that are on
any sort of
sanctions list
that ofac maintains
and so if you're making a ransomware payment
obviously in a typical scenario
you don't know who that payment's going to
it's going to
an anonymous
bitcoin wallet or
monero wallet
or whatever type of
cryptocurrency
the threat actors are using
and you don't really
know who you're paying
you might have a guess
as to who it is
you might be familiar
with the type
of ransomware that they're using
and that might
give you some indication
as to who you're
making a payment to
but as you know
a lot of these services now
are malware
as a service
basically um
so it really could be
anybody in the world
and making a payment to
to essentially
any organization
and even if you don't know who it is
even if you don't intend
to make a payment to
someone on the sanctions list
and even if you've done as much homework
as you can possibly
do there is
still some risk
on a strict
liability basis
that of fact
is going to say
well you made a payment to vladimir putin
and you really weren't supposed to do that
and so we're going to come down on you now
that hasn't happened
yet of fact
to my knowledge
has not ever
had a ransomware incident
which has led
to sanctions
enforcement
but they did issue
advisories in
twenty twenty
and twenty twenty
one i believe
that specifically
identified this risk
and said you really
need to be careful
if you're making a ransomware payment
so again even
when you're dealing with that super
early you know
ransomware response
it's very immediate
it's how do i get my data
back sometimes
the way you have to get your data back
is to make the ransomware payment
and even there
there's a lot
of legal risk
and of course
the last thing
i was going to say
is that these first
two buckets
whether it's the immediate
ransomware response
or the notification
obligations
which come pretty quickly after that
both of those
buckets of risk
are going to affect
the third bucket
which is litigation
so there are some things you can do
in the first
and second categories
that you're dealing with
to mitigate
the risks in
the third category
but they're never going to
eliminate them
you're almost always
going to have these
three categories
of risk and
that's what we see
over and over
again and just
most recently
it just seems
that the costs
have increased
i mean maybe
it's just inflation
but the costs
and the risks
in each of those buckets
continue to increase
over time i think
so that's what we're saying certainly
do you engage
at all with
any of the intermediate
intermediary companies
that do like
the negotiations
between the ransomware
pump ransom
where cybercriminal
and the company
have you ever dealt with
any of them
yes it seems
like it's a
cottage industry you know
all of a sudden
yeah and it's
really fascinating
actually so
for the listeners out there
who aren't familiar
there are companies out there
vendors for
incident response
matters who
specialize in
transacting with
these threat actors
and a lot of them
are very good
not only in
the negotiation
process itself
and trying to
bring the ransomware
number down
which they're often able
to do fairly
substantially
i mean sometimes
better than others
but one thing that they're really good at
is knowing who the ransomware actors are
to the extent that anybody can know that
they have kind of a bank of research
that i'm not sitting on personally
about you know
all of these different actors
whether it's
you know mespinosa type ransomware
or some other type of ransomware
that has popped up more recently than that
and trying to figure out
okay where is this payment going
can we make the payment without the sanctions risk
and so there is a constant back and forth there
between the legal council and those types of vendors
trying to figure out whether the payment's
you know able to be made
and they're pretty good about working with
the insurance companies too
because that's a huge consideration
and a lot of these ransomware incidents is
whether the insurance company is going to step up
and i don't know
if you want to facilitate the payment
but allow the payment to be made
in a way to get the data back or
to prevent the data from being released on the dark web
and so there are vendors who specialize
as you said
sort of in that negotiation process
and dealing with the threat actors
and a lot of them are pretty good at it
in my experience
so we've had some good luck in that regard
how do you reconcile the fact that the
federal government says
don't pay the ransom
but if you do
you can write it off
well i don't know if i can reconcile that
you know there's a lot that the federal government does
that i can't necessarily reconcile
yeah there you know
i will say that the feds
and an even state law enforcement
always try to walk this line of saying
we're not forbidding you from
making a ransomware payment
but we're strongly discouraging it
and you see that even in the ransomware advisories
that i mentioned from ofaq
um where they
they try to come down strong and say well
we can impose strict liability on you if you make a
end up making a payment to vladimir putin
even if you don't know it
and even if you didn't have any indication at the time
that you had some sort of risk in this regard
we could come down on you later
but for the most part as i said
they haven't really enforced that yet
to my knowledge
and i'm part of some
some groups that i think would be aware of that
if they did come down on anybody
so i don't think that
come down on anybody at this point
and honestly
in most ransomware incidents
i think a lot of the regulatory actors
and government agencies do understand that
the victim is a victim right
the company that gets breached
is itself a victim of ransomware
are there things that they could have done differently
yeah sure but if you're working with law enforcement
after the fact
you know telling them look
this breach occurred
you're reporting to the ic three system
which is the fbi's
online internet criminal
i can't remember what the three stand for
but whatever it is
it's their reporting system for
these types of incidents
you know as long as you're doing that
i think you know
the federal government or state governments
for the most part
understand that you've been victimized
just like anybody else has been victimized
and so they're not going to
try to come down too hard on you
so it is i mean
to me it is a legitimate business expense
if you do have to write it off
if you need to make the payment
then like any other expense
think also that there were some of the news about
the insurance companies are not allowing
in some cases
you to use it to pay ransom
to use the settlement to pay rent
correct yeah
so there insurance market right now
is seeing a lot of changes
within the cyber security space
and i know you had an expert on recently
in the insurance space
i really enjoyed that podcast that you had
on that topic
but i mean this is the huge thing
that we're dealing with all the time
i personally don't specialize in this
but we have a lot of folks in my firm
who do a lot of insurance work
deal with the insurance companies
and i know the insurance companies
are struggling with it right now
because there have just been so many incidents
that have been so expensive
and i don't think they properly anticipated that
five or six years ago
when a lot of them jumped into the market
i don't think the underwriting standards were really
where they probably should have been in a lot of cases
and so the insurance companies now
are trying to deal with it
in a lot of ways
obviously one of those is raising premiums
but as you said
one of the other ways is trying to exclude
whether it's ransomware payments at all
like completely or
some of them are trying to exclude ransomware payments
to nation state actors
so you know
if you know that it's a payment to china
even if china itself is not on a sanctions list
some of these insurance companies are basically saying
that's kind of like an act of war right
because they have war exclusions
they tried to use the war exclusions
and i think for the most part
in litigation
the courts have said well no
that's not really an act of war
so you've got to come up with some other
exclusion from your insurance policy to make clear that
you're not going to cover a ransomware payment
so insurance companies have done that
and then they've tried to come up with some other
creative solutions that you know
i think beasley
for example
which is one of the big insurance carriers recently
came up with
i think they were called
cybersecurity catastrophe bonds
which is essentially a way of
ensuring themselves
in the event of a truly catastrophic
cybersecurity incident
that you know
it's the industry wide
it affects the entire nation
if it's a billion dollar event
which certainly could happen
seems that they're trying to prepare for that
sort of thing
so the insurance industry is going through
a lot of changes
i'm not necessarily an expert on all of those
but that's a really interesting market
and actually
the last thing i would note on that is
i think just a couple weeks ago
the white house
and the biden administration came out with some updated
i don't think it was sort of
any sort of formal regulation
but it was a policy recommendation
about where we're headed with cybersecurity
and one of the things that they want to try to address
is ensuring the insurers
in other words
giving the insurers the opportunity to
be able to handle a catastrophic event
because i think that's what the insurers are really
worried about
i mean if it's a
one million dollar event or two million dollar event
they deal with those all the time
but if it's a billion dollar event with a b
that's going to be a lot more difficult to deal with
and so they have dealt with those
in a lot of different ways this far
they were referring to it as a digital pearl harbor
right yeah yeah that's
it's a scary thought
and i mean you know
we'll get there eventually
if we haven't already had maybe a couple of those
yeah that just continues to feed the cybercriminals too
you know and physical terrorism
of course we've talked about it on the shows and
you know these
on our episodes in the past
that this is coming from various agencies
not not from us
but a lot of this ransomware money is going to fund
to fund physical terrorism around the world
so yeah it's unfortunate
i almost wish there's
i don't think there's a good answer to any of this
but i almost wish that we would not do so much to
try to back up the idea of giving more dollars
to the enemy
you know it just
it just continuing to empower them
and they you know these
these companies
and i know it's not just me thinking of it
but these these
so you know
kind of escrow companies right
dealing with
helping organizations make the ransomware payment
i mean i think that's it
that's kind of a
evil service offering
in my opinion
i mean it should be difficult
first what we saw is cybercriminals making it easier
the cyber crime rings having good customer service
and getting back to you promptly
and helping you set up your bitcoin account
and all that kind of stuff
and now they
or somebody not
maybe not they
maybe that's harsh
but now has set up
essentially
escrow companies
to be able to help facilitate these transactions
so it's kind of a
kind of a you know
we're in a very weird spot here
a lot of gray area
it really is
and i mean there are certainly
you know considerations on both sides of that
i mean there has been a lot of discussion
among legislators and policy
makers sorry
my lights coming out here in the room
but there's been a lot of discussion among legislators
and policy makers about
you know how do we stop this
can we forbid companies from making ransomware payments
and there have been some laws that haven't forbidden
companies from making ransomware payments
but state agencies
so if a state agency gets breached
i believe there's a law in new york
or perhaps it was a proposed law
but the idea was that if a state agency gets breached
that state agency can't make a ransomware payment
just flat out can't do it
it's illegal
um but of course
then we've seen with
for example
i think it was baltimore
the city of baltimore
refused to make a ransomware payment several years ago
and they ended up spending
i think it was over fifty million dollars
at the end of the day
restoring their systems
you know bringing everything back online
getting back up to speed
and so there's always that consideration
if you could have paid five hundred thousand dollars
yeah maybe that goes to fund terrorism
but does it save taxpayers
fifty million dollars on the back end and
and with a city or a state agency
you could easily be really
truly saving people's lives right
i mean if you're
if you're a city or
a local government that deals with hospitals
or police departments or fire departments
and you're not able to operate
even for half an hour or an hour
you could have people's lives at risk
and so forbidding a ransomware payment that would allow
that city or entity or whatever it is
to get back up and running and save lives
as they usually do
i think it's a pretty strong
countervailing consideration
um and it i mean
it's always gonna be a balancing act right
like with everything in
in law and legislation
you've got cost
you've got benefits
and somebody's got to weigh those and it's
it's a really
really difficult thing to weigh and
and like you said
you know you've got these companies that are out there
facilitating these payments
seems kind of evil
seems wrong
and i absolutely understand that i get that
and it does send money to bad actors
there's no question about that
these actors
that we're sending money to our criminals
but at the same time
if those companies don't exist
to help victims of ransomware
then the victims of ransomware themselves are
probably going to have to be dealing with the threat
actors themselves
so as you said like
okay it's right
actor you tell me how to set up a bitcoin account
you tell me how to get you the payment
and so you're
forcing the victim to go through more steps
and deal more directly with
the ransomware actors themselves
and so you know
a ton of considerations here
a lot of countervailing interests on both sides
it's just a really difficult
thing to deal with
and certainly
that's something that we had a lot of struggles with
at the arizona attorney general's office
trying to craft solutions to these types of incidents
i mean one thing
that i think a lot of regulators are looking for is
you know did the entity that got breached have
inappropriate disclosures to consumers
were they telling consumers
we've got the best cyber security in the world
we're never going to get breached
or are they more reasonable than that
are they taking steps
to try to prevent these sorts of things
but as i said earlier
i mean they're not truly preventable
the most you can do is
try to prevent them
try to delay them
try to minimize their impact
but as the old cybersecurity cliche says
it's not if you get breached
it's when you get breach
so some really
really difficult considerations
in this area
for sure yeah
that's a good point
yeah especially
municipal services and hospitals and things
when lives are on the line
that's a whole different equation
and a lot more to think through
but yeah it's a very complex topic
and i think it's one that's going to be around for
as long as we're all alive
i don't know that
there's a right answer to any of this stuff
but what if we switch gears a little bit
and talk about
on the preventative side
from a legal perspective
so we're all about proactive cyber
risk management
and a key piece of that is protecting yourself legally
early on ideally
before a breach occurs
just like we want to protect our systems
before a breach occurs
what's your advice for people that are
maybe developing their risk management program
for the first time
what should they be doing
from a legal perspective
to be prepared in the event of a breach
yeah so i mean
being proactive
i think is the number one thing
as you said
be proactive with your technical
aspects of your cybersecurity
but also be proactive on the legal side
and obviously
that looks different for every organization
so i'll give the old legal cliche
that it depends
it depends on
you know what resources you have
what type of data you have
but really the first step is being proactive
trying to understand
what your risks are
trying to understand
what data you have
and what the costs are
and what you can spend
on trying to prevent some sort of risk
and obviously
dealing with your in house council
if you have
some sort of general counsel in house
or dealing with your outside council
if you have
that is always helpful
you know we can advise on some of these risks
we can advise on
what it is that's best for your organization
and what may be required of your organization
right because in a lot of cases
you are going to have affirmative legal obligations
if you're in particular industries
maybe you've got to comply with some nist
standards or
maybe you have insurance requirements
that sort of thing
but just looking at it sort of in the abstract
what can you do
well insurance is a big one
we've talked a little bit about that
that's not purely legal but again
your legal team should probably be involved in
helping you get the insurance
making sure that your insurance contracts look correct
in terms of what protections you actually have
you don't want to have an exclusion for ransomware
if that's something that you really
really need
and then other
you know legal things that you can do
you can get your legal accounts
your legal counsel
involved in preparing your incident response plan
for example
and that can be super basic
i mean if you've got a company that's even just three
four five employees
as long as you're thinking about okay
what would i do in the event of a ransomware incident
or a cyber security incident
and even if you're just writing down a couple pages
of material about okay
here's who i would call
i would call my legal counsel
and they'll help me
or i would call
you know silent sector
and they'll help me
those sorts of things
and again your legal counsel can help
in terms of putting together the incident response plan
if you're more sophisticated than that
you've got a bigger it team
you've got cybersecurity personnel
certainly you can be doing tabletop exercises
working with your board members
working with your executives
getting them involved
being proactive
and again a lot of that doesn't sound legal
but there's always a legal aspect to that
trying to protect a lot of that with
attorney client privilege
or attorney work product
like i said earlier
so that you're not having to reveal that down the road
if something goes wrong
those sorts of things
and a lot of the other stuff
is probably more truly legal
so privacy statements
like i said
disclosures to consumers
regulators want to see again
that you're not making promises that you can't keep
you're not trying to fool consumers
about what it is that you're doing with their data
you're making appropriate disclosures in that regard
and then contracts
obviously you've got
any organization has a large number of contracts
whether it's with vendors
which have come into play a lot recently
because we've seen so many supply chain breaches
so it's not
your company itself that gets breached
it's your vendor that gets breached
and then their system comes into your system
or vice versa
and so that's always an issue
and what do your contracts provide does your
does your vendor
need to inform you that they've had a breach
do they not need to inform
you that they've had a breach
and do you want your legal counsel
to try to protect you by
revising those contracts in a way that
gives you the maximum protection from your vendors
same thing with customers
if you're dealing with individual consumers
it's a bit harder to sort of
protect yourself on the front end
because you know
a consumer who's out there in the
in the wild
you know you can only limit your liability so much
with respect to them
but if you're a b to b type entity
business to business
and you're dealing with other companies as your clients
there's a lot that you can do in your contracts
to try to parse that risk
you know what risks am i going to accept
on my side of the transaction
and what risks are my business client going to accept
on their side of the transaction
so there's a lot of contractual work
that can be done on the front end
and of course
also contracts with employees
so you can have confidentiality agreements
you can have other contracts with your employees
to try to build into your own firm or organization
the types of practices and policies
and confidentiality agreements
that you want to have in place to protect yourself
because so many of these breaches arise
as you know
from internal company issues
whether it's employees affirmatively
stealing data themselves
which happens all the time
or just employee mistakes
clicking on a fishing link
that sort of thing
so many of these issues are caused by
the people within organizations
and so trying to deal legally
with those risks
can save you some headaches down the road
compliance audits
some of that's legal
some of that's technical
but you can certainly do
compliance audits on the front end
to make sure that you are complying with your legal
obligations
just as much as you're complying with your technical
obligations
so those are some of the things you can do
on the front end
and then the last thing i was gonna say is
just employee training
and again it doesn't really sound legal
it sounds maybe more technical
or even hr related
but there are so many things within
the legal space that are going to affect your employees
and your employee training
that i think is really important
to get your gc involved
if you have one
or even your outside council
to try to say okay
i'm going to be training my employees on cybersecurity
and privacy
for that matter
what do they need to know
what do we need to do
and i'm always a huge fan
in employee trainings
of the carrot approach versus the stick
i mean you want your employees
to have to feel like there's a culture of
positivity around cyber security
we're being proactive
i don't want to be ashamed
of clicking on a fishing link
because then i'm not going to report it
right so instead
if we can create a proactive
positive culture around cyber security
everybody understands the legal risks
everybody understands the financial risks
of these sorts of events
you're gonna be better off
because your employees are gonna care about that
they're gonna understand more
about what it is that's going on
so there's again
a lot of stuff that companies can do
again it depends on
what size you are
what your operations look like
what type of data you have
but i think every company
in general can try to be proactive about
putting some protections in place
for these types of events
if we switch gears a bit
and a company was not prepared and was not proactive
and an attack occurs
what should they immediately do
to help protect themselves legally at that point
or is it too late
yeah you're a little bit too late at that point
but immediately
pick up the phone and call your legal counsel
call me if you want
i'm available
but you know call your legal counsel
get them involved
call somebody like you
silent sector
get somebody
get an expert involved
and if they call you first
i assume you're gonna call legal counsel
and if they call me first i'm gonna call an expert
i'm gonna call you guys
i'm gonna call a vendor
to help make sure that all of the risks
not just the legal risks but all of the risks
are being mitigated to the extent that we can
now again like i said
you may be too late
there's only so much you can do after the fact
if you haven't put protections in place beforehand
trying to put them in place afterwards
is not going to be much of a band aid on the wound
but there are some things that you can do
again you can work with law enforcement
that helps particularly if you have
a regulated entity that you're dealing with
the regulators want to see that
you're working with law enforcement
you're working with regulators
you're trying to
solve this issue that has been created so
even if you haven't done all the work on the front end
there are some things you can do on the back end
to try to protect yourself
but the immediate call needs to be get
get your experts involved
legal cyber security
technical experts
get them involved
because they're the ones that are going to know how to
solve these types of issues
yeah i mean
that's to me
that's the scariest side of it all
is the legal side
much more so than the cybercriminals
or the technology piece
i mean that can go very very deep
and so i couldn't agree more
and i know in previous episodes
we've always encouraged people
hey make sure you get your legal counsel involved
and have them engage the
whatever you want to call it
act as your breach coach
and engage the forensics company
and handle it that way
because otherwise you could be in a world of hurt later
as we've seen with certain breach cases
that have made the news and such in the past
well hey that's been tremendously helpful
before we jump off
any other recommendations
any guidance or words of wisdom you might share
that we haven't covered already
no this has been a fantastic conversation
i really enjoyed talking with you and sharing
you know what little i know about cyber security
but again i think the number one thing for any company
is just to be proactive
in whatever way makes sense for your company
or even individually
right i mean
we can talk about individuals being proactive as well
because i do think a lot of this comes down to
individual actors
and if you've got
you know your home internet
and you've got your own personal email account
and your own bank accounts that you use online
go with two factor authentication
i mean i know it's kind of a pain in the butt
it takes an extra couple seconds every time you log in
but do those sorts of things
try to care about the data in a way that
will allow you to be proactive
because i think a lot of people
just don't really understand
that these incidents do happen all the time
and i think some of the notification obligations
are leading to people understanding
how often they happen
but just be proactive
be proactive in your own individual lives
be proactive at an entity or organizational level
and just keep on that journey
because cybersecurity is not an end state
as far as i can tell
there's no perfect cybersecurity
that you're going to arrive at
and then you can stop being proactive about it
it's just like the security
with the rest of your life
just try to be proactive about it
and that's i think
the best we can all do
hey mike any final thoughts questions words of wisdom
no i mean that is a great interview or a great podcast
and i appreciate your input junk
but you have to echo what you're saying
you'll be prepared
this is a continual forever machine and
yeah we do counsel
i just the deca what you said earlier
we do counsel people
get a lawyer
get a lawyer get a lawyer so they can review
you know make sure that they're covered and protected
because there's only so much we can do
for my cyber security side
once you get breached
you really get into a realm
it's way above our bay grades were like
with better word
so definitely appreciate you
appreciate you being on it
yeah thanks
john hey john
if people need help or they want to know more
they want us to explore whether they are set up
correctly from a legal standpoint
can they reach out to you
and if so what's the best way to do that
yeah absolutely
so my firm again is lewis roka
we're at lewisroka com
that's easy
enough you know
we have a physical presence throughout the
southwest united states
but we have attorneys that are licensed across
the nation in various different states
so we can at least try to get you the help you need
or if we need to involve somebody in europe
because you've got significant gdpr issues
we can do that as well
but if you want to reach me individually
it's j gray
and that's gr ay at lewisroca com for email
and my phone number is six o
two two six two
five three three one
and again really appreciate the conversation today
outstanding
well hey thank you so much john
and for those of you listening
we'll be sure to put john's info
in the show notes at cyber rants podcast com
so go there
check out the podcast
share the episodes with people that you
think might be able to use this information
so we can spread this knowledge
also be sure to rate the podcasts
as well on your favorite podcast platform
and help us get the word out
we all have a lot to do together to help secure
our nation from cyberattacks
a lot more work ahead of us
so help us do that by getting the word out
and help us
put the information out that you want to hear
by reaching out at cyberrants podcast com
submitting your questions
your requests for future topics
all that good stuff
and we will see you on the next episode
pick up your copy
of the cyber ants book on amazon today
and if you're looking to take your cyber security
program to the next level
visit us online at
silentsector com
join us next time
for another edition of the cyber rants podcast