Today's speaker is actually a very interesting one that I've been waiting for as a cyber forensics researcher, but also from just an outside perspective. This is Todd McClelland. He is going to speak to us today about the legal fallout and legal issues of cybersecurity in corporate environments. So take it away. Thank you. Can you hear me? Can everybody hear me? First of all, with this? Fantastic. My name is Todd McClelland. I went to school here. I was a mechanical engineer. I came here with the idea I was going to build big power plants; that was kind of my goal when I first came here. And then I took this aptitude test which said I should be a lawyer. I didn't know how to take that. Lawyers are not known for their personalities exactly. And during this time I was a co-op and worked for some great companies designing industrial control systems. Then I graduated and went on to work for a subcontractor to Ford and Coca-Cola, and I traveled the country programming industrial control systems, PLCs specifically. And then it was law school. I started as a patent lawyer. That wasn't all that great. And then I moved into technology; around 2000 everything was dot-com something. And during this time we were doing the e-commerce deals, outsourcing tech deals, application service provider deals, which kind of led to cloud computing. And a component of these was privacy, but more specifically cybersecurity. We had laws out there. We had the EU data directive, which then led to the GDPR. We had HIPAA, GLBA and all these other laws that dealt with certain aspects of privacy and a little bit of security. We started having data breaches. And data breaches led to the proliferation of these breach notification laws and other obligations, certain standards for security. And slowly, bit by bit, cyber became a bigger part of the industry. At the time, CSOs, the people in charge of security, were kind of a part of the IT function. They were kind of siloed. 
Not many people thought about cybersecurity outside of the IT function; they were funded off a portion of the CIO's budget. But over time, as we've seen more and more breaches, we've seen the rise of ransomware. We had APTs, we've got attacks hitting all industries all the time, and they're starting to become very costly. We're starting to see cyber become an issue throughout the enterprise. Now, when I was a student at Tech, if you'd asked me how corporations run or did I know anything about corporations? No, not at all. I knew there were companies and I wanted to be hired by one to build my big power plants. That's about all I knew about companies. And what I want to share with you guys today is how cyber, the profession you guys are in, is starting to permeate throughout the corporate enterprise. It's a very big deal. It has legal consequences, and I'll walk through some of those today. But what you guys are getting into is the hottest area. You ask general counsel, CEOs, what's their biggest concern? Cybersecurity. It's a big deal. So I want to walk through that today. I want to share with you where cyber is starting to work through the enterprise, how laws are coming about, not just laws dictating that you've got to have cyber, but other areas of law like benefits. The last people in my law firm I thought I'd be working with are my benefits people, your 401(k) and health people, and I'm helping them think about cybersecurity issues. We're going to talk about where it is in the industry, or I'm sorry, in the corporate enterprise, and what laws are coming about that have cybersecurity implications or issues. Then I want to share with you two cases. One case is a criminal complaint filed against the former CSO for Uber. And then the second case is a lawsuit filed against the CEO, investors and the chief security architect of SolarWinds. Most of you are probably familiar with the SolarWinds breach. 
I'm not going to go into that for each of them, but you guys probably know it inside and out. But I'm going to tell you about some very serious consequences. The reason I'm going to talk about those two cases is that, as a security professional, there are civil and criminal issues you just want to be mindful of as you go forward. So a couple of headlines here just to give some context. Verizon bought Yahoo, and sometime between the signing and the close of the transaction, Yahoo came forward with a massive data breach. I don't remember how big it was, but there were fines, investigations, lawsuits. In the end, the investors who owned Yahoo had to write off $350 million in valuation of that company. This is in the mergers and acquisitions context. And here's a situation where a data breach led to a massive reduction in the value of a company. And then we've also seen, I mentioned benefits a second ago, we've seen a wave of data breaches. Part of what I do is help companies with responding to data breaches. And we've seen a number of breaches where bad actors get into a 401(k) account and drain it. They're usually targeting the senior executives who have a lot of money in their 401(k). They drain it, and most people don't even know until sometime later when they go check and see, hey, how's the balance on my 401(k)? We've seen the SEC, this is the organization that governs securities, stocks, bonds. For example, if you're a publicly held company, you have certain reporting obligations. The SEC is big time getting into the cybersecurity business. We've seen fines, we've seen investigations into companies' failure to disclose a cybersecurity risk or cybersecurity incidents. So here are three examples of recent headlines that we've seen from the SEC. Ransomware has led to a big uptick in insurance; last year the insurance industry took an absolute bath with all these ransomware attacks. 
When ransomware first started, I remember the first one I saw was like $20 thousand. And in fact, the bad actor said, if you pay the 20,000, we'll give you a full pen test report of exactly how we got in, and they actually provided it. Probably the cheapest pen test you could buy these days. But now it's in the ten million dollars, twenty million dollars. There are big ransoms, so we're seeing an uptick in insurance costs, but we're also seeing an uptick in the CFOs and chief risk officers within companies looking to buy this insurance, and it's going through the roof. We're also seeing a lot of stuff in the supply chain. Many of you may be aware of how Colonial Pipeline had a little incident not too long ago. It's alleged it lived in the IT environment; as a proactive matter, or at least as I understand it, they shut down the operations side of the business to make sure the ransomware didn't propagate through the enterprise. But here's an example of a supply chain attack that has wide-ranging downstream implications. So everyone in the whole critical infrastructure sector, everyone throughout operations, is actively looking at cybersecurity issues. We're seeing it in IoT products. This week NIST held a seminar to talk about the President's executive order where he wants to start branding IoT products with some kind of a bill of health, nutrition labels, the way I understand it, related to the cybersecurity of IoT products. For those of you who are familiar with IoT products, they're built fast and cheap, that's the deal. Now, if we've got to start baking in cybersecurity, it's going to change the landscape, the pricing, et cetera, for these IoT devices. So we're seeing it in M&A. It's routine that I get pulled into mergers and acquisitions and we pull in security people to help look at a target, the company that one wants to acquire. We're looking at their security, we're doing a deep dive. 
We may even deploy agents throughout the network, EDR, XDR or whatever, to see if there are any active infiltrations going on at the moment. So we're seeing cybersecurity professionals being pulled into mergers and acquisitions to help look at the companies. And see, is the value right? You may need to discount the price of the company because they've got major cybersecurity issues. Big deal: vendors and supply chain. We talked about Colonial Pipeline. We're seeing this throughout; SolarWinds was another big supply chain issue. So now people in procurement and other functions in the company are actively pulling in cybersecurity professionals to look at the vendors they're about to do business with, whether it's in the technology or any other space, for the company's risks and benefits. I mentioned the 401(k). Recently, the US Department of Labor in April came down with guidance that if you are a plan sponsor or a fiduciary, those are the people within the company who administer plans for our companies, the people who administer our 401(k)s and our health plans, you have an affirmative obligation to be looking at cybersecurity, and if you outsource it to somebody, you have to do due diligence on them and make sure your contract has certain minimum security requirements in place. We're seeing it in HR. We still see employees as being one of the weakest points when it comes to cybersecurity. There's a bit of a saying, which is the smartest, best cybersecurity system in the world is no match for the world's dumbest employee. There's a bit of truth to that. We're seeing it in just generic commercial contracts. If you remember the old Target breach, it's said that it came in through their HVAC vendor. Who would have thought about cybersecurity in a contract with an HVAC vendor? Nobody, but now we are. And privacy: there's a lot of overlap between GDPR and cybersecurity, and implications there. We're seeing it in products liability. 
I mentioned securities filings, even antitrust issues. We're seeing it in insurance, where people are trying to manage the cybersecurity risk. Other things, risk retention; this list could go on. This is just a representative list. But hopefully what you're seeing is that these are all different core functions within companies, and these are all examples where cybersecurity is a big issue there, and it's growing. Then come the laws. I mentioned at the beginning that laws are starting to come about dealing with cybersecurity. First, we had laws dealing with personal data; that seemed to be the focus. We had GLBA, HIPAA, and at the time we had the EU data directive, which has now given way to GDPR. That's expanding. We're starting to see laws dealing with IoT devices. California, for example, has a law that if you have an IoT device, you have to have reasonable security, whatever that means. I mentioned the Department of Labor guidance. If you sell products or services to the US Department of Defense or any kind of a defense contractor, there are specific requirements and certifications you may have to get to sell your product to the DOD. If you're a publicly held company, you've got to make certain kinds of filings. There was recently an action against a company because some kind of vulnerability was identified, and that vulnerability was not shared immediately with the people who make those filings to the SEC, because the company did not have adequate controls to escalate that vulnerability internally within the company to the people who make those filings. The SEC hit them with a big, massive fine. So here's where, once again, another function, the people who make your public filings, is where an interaction is starting to get formed between the security people and the people who make those filings. Common law: what we're seeing is negligence claims, you didn't protect my data, we're suing you. 
The FTC Act: the Federal Trade Commission governs consumers, or protects consumers, I should say. Or maybe I'm right, maybe they've gotten consent. But anyway, what they're doing now is they're starting to look at unfair and deceptive trade practices and saying that if you don't have reasonable security, well, that's an unfair business practice. So we have the FTC stepping into the fold. Other laws: I've mentioned the Computer Fraud and Abuse Act. We've seen pen testers where they did their pen testing, maybe they exceeded their authority, and a company sued them or they're criminally prosecuted for violating something called the Computer Fraud and Abuse Act. And the list goes on. So what we're starting to see is other sector laws are starting to address cybersecurity issues. And us, as cybersecurity professionals, are going to have to know these laws, or at least be familiar with them, or work with people who do, because they will implicate or address the day-to-day things you do for companies. But they don't just come up in the legal landscape through laws and regulations; we're increasingly seeing contracts between business parties where we're starting to see more granularity and importance given to cybersecurity issues. Insurance is a common requirement. Audit requirements: if you're my vendor, if you're like a cloud vendor who's going to be storing and hosting my data, I want the right to audit, which is a nightmare for security professionals who have to deal with that, because you've got every customer coming in saying, now I want to audit your systems. They're getting very detailed in their controls. So it used to be, hey, you're going to have reasonable security, we'll trust you. Now you get like a 50-page document listing out very detailed cybersecurity controls that you as a vendor have to comply with. And the list is growing. And of course there are different contracts. It's not just the technology contracts. 
I mentioned the HVAC vendor, but not everyone's thinking about it. You know, who would have thought, with a pipeline, that if I'm a petroleum company shipping through this pipeline, I've got to be thinking in my contract about cybersecurity issues? A lot of these are legacy contracts. They don't have it, I guarantee it. And in contracts going forward, they're thinking about cybersecurity issues. As I was mentioning, it used to be that we had this reasonable security. When people ask me what reasonable security is, I jokingly say, well, when you have an incident, it's whatever you did not do that you could have done and that, had you done it, would have prevented the breach. It's kind of the ultimate Monday morning quarterbacking or second-guessing that increasingly seems to be what we're seeing when it comes to lawsuits and government enforcement, where they can start to second-guess people's decision-making when it comes to what kind of cybersecurity controls were put in place. And of course, as I mentioned before, the trend is towards more granular laws. We're starting to see individual laws coming about with obligations to do risk assessments. I can't tell you how many companies we get in front of who have not done a basic cybersecurity risk assessment, who really don't know what their data is. They don't know what they're trying to protect or where it is, they don't know where they're vulnerable or have any sense of what their vulnerabilities might look like. And they sure don't know what threats they're even trying to defend against. This is commonplace, unfortunately. But we're seeing laws out there, and we're seeing lawsuits where companies are going after companies for failing to do basic cybersecurity risk assessments, or for even having any kind of a risk management program in place. That's going to change. 
I think we're going to see a big uptick in corporate America changing, where they are going to have more active and formal risk assessments and risk management programs. We're starting to see new laws dealing with the whole system or software development lifecycle. There are already metrics out there that if you address security early on in the software development process, the cost to deal with the security issue is exponentially lower than if you deal with it later on in the process. Partly true, we all know that. But now we're starting to see laws and regulations and expectations that companies do need to be addressing these things early throughout the SDLC. But even once you release a product, now we've got patching, and we're starting to see metrics. I'm seeing in contracts these days that we have service levels for how soon you need to be patching a vulnerability based upon its CVE score: critical, high, medium, or low. We're starting to see a lot of vendor oversight. We're starting to see different types of specific controls, like the use of MFA. And they're even dictating what kind of MFA, we're starting to see. And then of course, data mapping. This kind of goes back to my first point about risk assessments. Most companies don't know what they have when it comes to data. GDPR, CCPA, other laws coming about are saying, hey, you do need to know where your data is throughout the organization, who's processing it. Where is it? What do you use it for? What's the purpose for it? Data minimization: are you getting rid of it when you've fulfilled whatever purpose you collected that data for? These are all things that we're starting to see, and they're requirements that impact all of you. I also mentioned breach notification. In the early 2000s, I think it was, we saw California introduce the first breach notification law. Now we're at the point where all 50 states have breach notification laws. 
Most of these laws still apply to personal data, but they're starting to go broader. If the systems that process personal data are impacted, some laws would require some form of a disclosure. Outside the US, in other countries, even if personal data is not necessarily implicated, if there's a breach, you have to disclose it. Under SEC reporting obligations, if it's a material risk, whether it's personal data or not, if it's a material incident, you have to disclose it. So I think what we're going to see is the trend going forward, and what you guys are going to have to be mindful of, is that when a company has an incident, to be thinking about, is this notifiable? Who do I have to notify, whether it's internally or externally, about it? That kind of transparency is definitely the trend going forward. Let me pause there for a second. Any questions from anyone? Oops, I've thrown a lot at you. Any questions here or online? There is a question online. Let me pull it up. It was about an earlier comment you made. What sort of information would be on that tag? You mentioned the label, the cybersecurity label. And what would it take to get that approved through the industry? Yeah, we don't know, that was the point. So NIST, the National Institute of Standards and Technology, had a conference this week, a two-day event. And I think that's what they're looking to explore, what is going to be on there. First of all, we're going to have standards for IoT. NIST has already issued guidance when it comes to securing IoT devices, but I don't know that we know the answer to that. And that first meeting this week, I think, was to explore what this kind of thing might look like. You can certainly see this is the trend going forward: a cybersecurity nutrition label, where there are deficiencies, or maybe it's like that piece of paper you see when you walk into a restaurant where there's a score; you hope it's in the high 90s, but 95, 98. 
And it's about the cleanliness of that restaurant. Whether we have that going forward, I don't know. We very well could. Obviously there's going to be push-back. People don't want to have to do it. I mean, the competing interests when it comes to IoT devices: these things need to be cheap. They are consumer products. We want to drive down cost. And right now, I mean, they're even less sophisticated than a Raspberry Pi, right? I mean, they are bare minimal devices. But what we're seeing is a lot of these devices are being used by hackers, and we all heard about these Nest cams being compromised, and other IoT devices that are out there. But the question is, how much security do you have to bake into it? And what is that right point where it's got the right level of security? What is that middle? I don't know. But that's certainly the interest, and I've gone off on a tangent here, of course, but as for the label, we don't quite know yet. Folks, any other questions? Let's talk about a case. First, I want to talk about a criminal complaint. Uber had a breach in 2014. It got investigated by the Federal Trade Commission, and the person, I'm not mentioning his name today, but he was the chief security officer for the company. He was one among the executives for the company who was chosen to help prepare their written responses to the FTC, and then to provide testimony under oath before the FTC. So he did that, and this is back in 2016; these investigations go on for years sometimes. But in 2016, this gentleman testified before the FTC. Ten days later, he receives an email, and the email says, listen, we've stolen data from you. We stole 57 million records. Of those records, there were 600 thousand driver's licenses for Uber drivers that were apparently in that population. And we want money. You know, this is not uncommon. So it's alleged, and everything I'm saying right now is based upon what is in the complaint. 
As I said, my disclaimer, I want to go back and really emphasize that actually this guy is presumed innocent. We should always presume this guy's innocent. But everything I'm going to say right now is based upon what's in the complaint. It may not be true. I mean, there's probably a different story here. There almost always is. People who know this guy say he's a stand-up gentleman who was allegedly acting at the direction of legal counsel for the company. But let's just say it is true, because this is an important lesson nonetheless, whether it's true or not. So anyway, breach in 2014; 2016, second breach occurs. He went back, confirmed, yeah, these guys are telling the truth, they took this data, and he has an email communication with the guys and they work out some arrangement. He's going to pay them $100 thousand in Bitcoin and he's going to have them sign an NDA, a non-disclosure agreement. And in the NDA, there's a statement that apparently the CSO insisted get put into this NDA that says we didn't actually take any data, and this all falls under our bug bounty program; this was a legitimate thing. And so the government didn't see it this way. The government thinks you're trying to conceal this thing. You just testified before the FTC and said there's nothing going on here, things are great. Ten days later, there's another breach. And then he did not go back to the FTC to tell them what happened. No, this is all about 2014, we're going to ignore that, we're done with that, this is a new breach. The FTC didn't ask specifically about the 2016 event and he wasn't forthcoming about it, or at least so it's alleged. At the same time, there was new management at the company, and apparently, I think, he may have told them about this, but he didn't tell them everything, according to the government. So there's the question of what he shared with the new CEO and new management. But apparently not all of it. 
So yes, the US Attorney's Office for the Department of Justice filed a criminal complaint against this gentleman. The first charge was obstruction of justice. The gist of it is that he was actively trying to conceal it, or by his omission he was not being forthcoming in the course of a pending FTC investigation. There's also another thing he was charged with: misprision of a felony. The crime is largely summarized in this last bullet, but it's where, you know, someone else has committed a felony and you've taken affirmative steps to conceal it. But you didn't commit the felony yourself. You didn't hack the company. But by just doing the NDA and paying $100 thousand in Bitcoin, it's kind of alleged that he tried to help those people conceal it. Now, the good news is that in the course of doing these NDAs, somehow they got the names of these two guys and they're getting criminally prosecuted. But unfortunately, so does this gentleman get criminally prosecuted. But what I found interesting was not just the fact that this guy was getting criminally prosecuted for this, and who knows about the facts of the case and what's right or not. This is from the Department of Justice's press release that accompanied the filing of this criminal complaint. And I'll read it. We expect good corporate citizenship. Okay. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments. Wow. So what he's characterizing this breach as is not just this guy not telling the FTC; he's thinking this guy actively tried to cover it up, and that by paying a $100 thousand ransom, that was basically hush money. And the press release goes on: concealing information about a felony from law enforcement is a crime. Wow. Wow. 
This case is an extreme example of a prolonged attempt to subvert law enforcement. We hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people's personal data. Now, I deal a lot with data breaches, and what a lot of companies deal with when they're in the middle of a breach is, do they have to go forward with notifying people? And we look at these laws, we slice and dice them. Some laws are triggered if there's access to data, some on acquisition, and then it's only triggered if it's certain types of data. In the US, it's the combination of a person's name plus Social, date of birth, and in some states driver's license, health information, financial information, usernames and passwords. So, you know, if the data breach did not involve any of those, companies aren't notifying. For every breach we see reported, there are probably a half dozen that don't get reported that you've never heard about. I've been through numerous breaches where, you know, well, there's no actual evidence of access, or there's no actual evidence of exfiltration, or well, the information here really doesn't squarely fit within these categories. If companies don't feel like it, if they're not forced to notify, they won't. Here we have an example of the FBI, or sorry, the DOJ, saying we want you to tell us, and this is indicative of the trend we're seeing: these breach notification laws, the prosecutions we're seeing, the government is trying to get the private sector to be more transparent, more forthcoming about what's going on. And for good reason: they want to help. They want to know what's going on so they can use the tools at their disposal to ***** complaints, whatever, to go after the bad actors. They're in it for a good reason. But there's a competing interest with companies. I used to tell the story of the parable of the scorpion and the frog. 
The parable goes: a frog and a scorpion want to get across the river, and the scorpion knows the way, but the frog's the one who can swim across. And the frog says to the scorpion, I can't help you because you will sting me, you're a scorpion. But he says, oh, you silly Mr. Frog, I won't sting you, then I'll die too. So they trust each other. They get halfway across the river and sure enough, the scorpion stings the frog. The frog says, why did you do that? Well, I'm a scorpion, that's what I do, I sting people. The comparison here is that the government investigates, and if they find wrongdoing, they prosecute it. But a lot of companies are reluctant to want to work with the government nevertheless. Now, the government's gotten great to work with. When we deal with data breaches, it's one of our first considerations: do we work with the FBI? And most of the time we do, because they've been very helpful. They give us the IOCs, they give us other helpful information. There's still a reluctance to want to work with the government. And this is a good example: if I work with the government and I don't share everything with you, are you going to come around later and prosecute me? That's a lot of the concern a lot of people have right now: how much can I work with the government? How much can I trust them? If I don't tell them something, and maybe I don't want to tell them everything, am I going to end up criminally prosecuted? And that's one of the concerns this case really raised. Let me move on to the other one; that was a criminal case. This is a civil case. This is a lawsuit where certain investors sued SolarWinds after SolarWinds' breach. I put this slide up here because it's interesting to see who got sued. It's a lawsuit against the company, it's a lawsuit against the CEO, but it's also a lawsuit against the vice president of security architecture. I found this pretty interesting. 
And I'm going to go into why, and kind of what they said in the complaint as to why they thought this guy was someone they had to sue, and then of course they sued the private equity owners. Now here's the narrative of the complaint. This is a summary of the complaint. It said that the company falsely and misleadingly told investors, so it's basically a fraud case, that it had a robust cybersecurity program and adhered to specific data security practices set forth in a security statement, which I'll walk through to show what that looked like, prominently featured on its website. In reality, the company, which was primarily controlled by two private equity firms, sacrificed cybersecurity to generate short-term profits for its principal investors. Now, the private equity industry, they buy companies, they make them profitable, they sell them and try to reap the benefit from the increase in the price of the company. So it's alleged that these private equity companies got in, slashed budgets, drove profitability and so forth, and security was sacrificed in the process. Just as a quick timeline: these private equity firms bought SolarWinds back in 2016, IPO in 2018, secondary public offering in 2019. And then of course, as we all know, that big data breach that we all read about occurred at the end of 2021. Now, the complaint talks about how the chief security person made a lot of public statements about how great SolarWinds' cybersecurity was. There is a security statement on its website, which I'll walk through in a second, and they had this Trust Center where customers could go and find out what their security best practices were. There are similar trust sites for any other big company these days. There are numerous statements by this person, by the SVP. He's quoted on multiple occasions having said that the company has heavy-duty cybersecurity, and these guys were the model company. 
He had a blog, he did podcasts and interviews, and talked to numerous customers about how great security was at SolarWinds. The reality, according to the complaint, once again, this is the complaint, which may or may not be true, but according to the people who are suing this person and these others, what they said was, well, there was no CSO, no corporate security, there was no one coordinating security efforts. There was no process for ensuring that the products were secure. No awareness training, workstations were not protected, and the list goes on. This is a parade of horribles, and in addition to that, apparently at some point in 2017, a whistle-blower came forward and met with several of the executives of SolarWinds, saying, guys, things need to change here. He produced a PowerPoint and walked through a parade of issues with security at the company. He said, listen, we need a CSO, and he claimed the infrastructure and corporate systems existed in a precarious state. And when talking about improving the security: guys, we're just not there yet. And the list of things this person came forward with was quite long and detailed about what was going on. And he resigned in protest. Now, the security statement claims that they had a security team. This is what the VP set out; the SVP, he's apparently the one who's allegedly behind the security statement for the company. We've got a security team, we have an information security policy, we do training, we have a password policy, and all these other things we adhere to; I think it was the NIST Cybersecurity Framework, among other things. The complaint says, well, that's what your statement says, but none of these things exist. So I think that the thing to take away, first of all, just at a high level from the criminal complaint and the civil complaint, is you guys are going to have a lot of focus on you. 
What you say to customers, what you say to the press, what you say even internally within the company: there's going to be a lot of weight placed on it. It's going to be fodder for later civil actions or criminal complaints. You know, you've got to be very cautious about what you say or do. A lot of people think, well, if I'm careful about what I say publicly or what I write in articles, I'll be fine. Every little writing you do gets captured. When we do data breaches, there are litigation holds put in place that preserve records: email, Slack channels, text messages; all that gets preserved. And a lot of times when we have litigation, we have to comb through that. And there are a lot of things people say like, oh my gosh, we should have patched that a long time ago. I can't tell you how many breaches I've seen where those little words, little statements, turn up and that's Plaintiff's Exhibit A. So we've got to be very careful as cybersecurity professionals about anything we put in writing. The kind of wisdom passed on to me when I was a young associate was: imagine that anything you put in writing is on the front page of The Wall Street Journal and The New York Times. That's the approach you ought to have. And when it comes to cybersecurity, it's so true. We're in a very litigious society these days. There are criminal prosecutions. There's a breach; the victim is not the victim. The victim is the one who gets targeted. And just look at SolarWinds. We've got to be very careful about what we put in writing and what we say. If you're dealing with law enforcement, my guidance to you is go to your company's legal counsel. Work through legal counsel. You've got to be very cautious when we work with law enforcement. They can be a great tool; they can be very helpful to us. But at the same time, we've got to be cautious because they're also thinking about criminal prosecution. They're scorpions. They investigate people.
That's what they do. Just realize you're often the representative for your company. So, folks in Florida, do you have any questions? Or I'll resume whenever. There are two questions online which I'll read, and then anybody else who has questions here.

One is: with respect to data breaches, how would you characterize the comparative risk companies face of direct consumer or business lawsuits, for example class actions, compared to US and state governments taking regulatory actions? And, as part of that, do you believe there's adequate enforcement of existing laws?

Wow, fantastic question. So I would say there's an equal chance of breaches and an investigation. So let's talk about what those mean, so we're all on the same page. A class action is when a group of individuals sue together as a class of people who have experienced a similar harm. Now you read a lot, like in asbestos litigation or other types of litigation, where people who have experienced a similar injury come together. There's maybe one or two, just a couple of firms who represent the class. And there are certain efficiencies, and if you're a plaintiff's attorney, damages that are awardable as a part of a class action. What we have seen, I'd say there are a lot of bored asbestos litigators, because we've seen an uptick in, a growth in, the plaintiffs' bar, which are plaintiff's attorneys who bring these class actions. And any time there's a big breach, there's almost a rush to the courthouse to file a class action against the company who experienced the breach. Commonplace. Now, at the same time, when companies notify state attorneys general or other regulators about some kind of a breach they're experiencing, there's also commonly an investigation that follows. It's common when you notify certain state AGs, and certain states are more notorious than others, that you will receive a follow-up letter asking for more detail about the breach. Most of the time, these things go away.
If you give them a good answer. Usually the questions are: why did it take you so long to notify us? Why was this data vulnerable? What's going to be the impact on people? Did you provide free credit monitoring? But there's an equal likelihood, I would suggest. It's going to vary upon the nature of the incident as to whether or not there is a class action or any other kind of litigation. We're increasingly seeing, as with the SolarWinds one, a shareholder suit by the investors; we're increasingly seeing litigation. But we're also seeing enforcement actions now. And I think what we're also seeing is more and different regulatory agencies are starting to have that oversight. I mentioned, for example, when it came to benefits, how the US Department of Labor is starting to get into the cybersecurity game. And we're expecting that they and others will start investigating breaches that involve our benefits, like our 401(k) accounts. We're starting to see a lot of those. And I think the last part of your question was, is there a lack of enforcement? I think there's pretty good enforcement now. I would argue that, for example, in the EU we're seeing a lot of these data protection authorities have actively started to look into incidents. There is a letter written in India. India has got a very thorough breach notification law; it's a low threshold where we have to notify their regulator. And there's interest in India where they want to see their regulator more actively investigate breaches. Colombia, Brazil, Mexico are starting to get more aggressive. We're also seeing the South Koreans, the Chinese, are very aggressive when it comes to looking at incidents. So it's a global issue. So when we think about this, if you go into a global company: I've been primarily talking about US laws, but these issues apply on a global scale, including when it comes to regulators. I have one more question from the audience.
You touched on this and it'll be interesting to see your response here: your opinion on disclosing a breach to law enforcement, and the shareholder equity impact if publicly disclosed.

Wow, two great questions. So depending upon the nature of the breach, more often than not, usually, we will encourage the client to notify and work with law enforcement, mostly when it comes to ransomware attacks. We've seen different threat actors. I've had a lot of success reaching out to the FBI. They have different field offices that tackle different ransomware variants. And for example, we had one where the FBI field office up in upstate New York was focusing on this one. Actually, we helped them with the prosecution of the bad actors. It helped in many ways, reaching out to them. They gave us these IOCs, which were very helpful. When we get involved in a breach, we often reach out to external forensics firms to help us. And they often have a lot of threat intel, which is helpful. But all too often we see the FBI also has some valuable threat intel, which helps us know what kind of malware we should expect, you know, what's their kind of MO, do they use Cobalt Strike, or what kind of tool should we be looking for throughout the environment? The FBI can provide us a lot of very valuable threat intel when it comes to that. Gloria, I'm sorry, I forgot the second part of that question. The second part was: do we see the impact on shareholder equity if publicly disclosed? We actually had a breach, this was about 10 years ago, where I think the bad actors' ultimate game was to short the company, anticipating the drop in the share price. And we thought that was their profit motive in it, in addition to stealing a huge number of credit cards. You know, it's funny, because initially we saw a lot of drops. Consequently, companies, if they went forth with a public disclosure, brought it out on an afternoon before a holiday weekend, as always the best time to disclose bad news.
But I haven't seen a whole lot of it lately. I mean, you still see breaches where there is a drop, but it's not as common, I would say. But you have to anticipate there very well could be. It depends on the nature of the breach, really, and what the impact is. Colonial Pipeline, I mean, I think they took a hit temporarily perhaps, but it depends on the company and then the nature of the impact on it. If it's just, yeah, we lost a bunch of employee data, it was ransomed, that kind of thing is an everyday occurrence now. It's not quite the sensational event that it used to be.

Yes, sir. That 72-hour notification, I think for GDPR, that you noted, that was very quick. And in my experience, maybe before that was out there, it was more months and years. I want to get your impression of that. Is it just a bar set in hopes that it will be quicker? What's the reality?

You know, I was sitting at a conference in Brussels about seven years ago, eight years ago, when GDPR was still in its draft stage. And I sat at one of these lunch tables and the Irish commissioner of their DPA was sitting there, and we started engaging in that conversation. And then I kind of casually asked him, I said, the 72 hours, really? What do you expect me to tell you in 72 hours? They expect you to tell them what you can; the more forthcoming you can be. But the truth is, in 72 hours, sometimes you don't know if you have a reportable data breach. You may have a breach or a security incident; that's the better term. But whether the incident is a breach is something we can't necessarily diagnose in that short period of time. But what you do... There was legislation that was introduced about a month and a half ago now that, for critical infrastructure, would require notification to certain regulators in 24 hours. So we're going the wrong direction if you're in the power game. I think NERC and FERC have a notification requirement if it's going to affect power transmission.
So that is like almost a race to see how short of a time frame we can make. But as your question kind of alluded, it's not realistic, because all we know is something's happened. Yeah, well, we see some IOC, someone's coming over to this IP from this IP, it's not a well-known IP, or they accessed the system in the middle of the night from someplace far away from us that shouldn't have. So what do we know in 72 hours? Oftentimes, not a lot. We don't know. There is a certain recognition by a lot of regulators that, yeah, I just want to know you had an incident. The interest, when it comes to critical infrastructure, Jen Easterly, who's now in charge of CISA, their interest is to try to partner with critical infrastructure and work with them and to really facilitate kind of more knowledge sharing so government can help us. That's an admirable goal, but sometimes you get so many people working on it. It's chaotic when a breach occurs and the government comes into it asking questions. Now, years ago we had a breach, and a local US attorney, not local here but where the breach was, was starting to come in and walk away with servers. And we're like, please, we're in the middle of trying to recover, and now we've got you bringing down our backups, threatening to come in and walk away with servers. That's not helpful. But I think the government has been helpful. They've been taking a more proactive stance, a more helpful stance. So yes, 72 hours goes by quickly.

Yes, sir. What are your thoughts on Biden's executive order and its zero trust policy implications?

Well, I'm actually hosting an event with John Kindervag, the founder of zero trust. That's the way it's going, right? I mean, it's putting the controls around... That's definitely... we're seeing a lot of companies roll it out. I've even seen one offer... But it's certainly the way the regulation is heading: that companies implement based on zero trust. That's the way to go. I'm a fan of zero trust. I go way back with John Kindervag, and John was at Forrester, was at Palo Alto Networks, and just recently went to a company called ON2IT. That's how I know him; their CEO is a friend of mine. But it's where things are going, certainly.

Yes. A lot of the blame for these cyber attacks seems to be placed on the development of cryptocurrencies, Bitcoin and other, like, privacy ones. What do you see as kind of the future of the industry, or maybe in terms of regulations to deal with that? Or, if people are interested, especially because these cryptocurrencies don't have, like, a central authority who can be sued for facilitating this, if at all they are liable, where do you think that liability resides?

And what's the... I'm a huge fan of cryptocurrencies. A lot of people argue that cryptocurrency is what facilitated the Silk Road and all these other bad and evil things. On the other hand, we're seeing certain governments, I think it's El Salvador, adopted it as one of its currencies. So there's a lot of benefit, and because it's not controllable, it's not subject to a lot of the pumping of currency that we see some nation states do. You know, what will the US do? I have no idea. I think some in Congress have called for... I think Ted Cruz came out and was a huge advocate against trying to regulate it, or maybe they were on that. But anyways, I think people are trying to figure it out; people don't know what to do. You know, what the government is trying to do, and where cryptocurrency has been used in connection with cybercrime, is of course in ransomware payments. And the fact that they deal with the Office of Foreign Assets Control; they prohibit us from doing business with bad actors and bad countries. And there's this list of companies or individuals you can't do business with. That's called the sanctioned entity list. And OFAC came down with guidance.
I think it was earlier this year where they said, listen, if you pay a ransom to a person who is on the sanctioned entity list, if they're a sanctioned entity and you pay it, you are liable for violating OFAC. And there could be legal consequences if you make that ransom payment, whether you knew who you were paying or not. So when you pay a ransomware payment, you're kind of playing a little bit of Russian roulette from an OFAC compliance perspective, because you very well may be paying someone who's a sanctioned entity. Now, what has since become common practice? There are certain companies; there's a company called Coef, if any of you have heard of them, who help us negotiate and procure Bitcoin when we're making these ransomware payments. And they will issue... A lot of insurance companies are the ones who ultimately write these ransomware payment checks. They're the ones who usually finance this for companies that are affected. But they will demand a memo in advance that the entity we're about to pay is not on the OFAC sanctioned entity list. So, to answer your question, yeah, I don't know what's going to go on. Crypto: I love Bitcoin. I can't say I've gone so far as to adopt Dogecoin. But in terms of its use in connection with facilitating ransomware payments, there is some action by government to try to curtail people's anxiousness and our eagerness to pay these ransomware amounts. The real issue is going to be the insurance. If the insurance stops funding this... I think a lot of clients, in connection with a ransomware attack, are like, well, the insurance company will write the check, go ahead and pay it. That way we'll know they're not going to do a big data dump on the dark web with the data they took. If the insurance companies stop funding this and a company has got to come up with, cough up, the $10 to $20 million themselves, that may start reducing the amount of ransomware payments we see. I'm sorry. Yeah, please do. You'd like to add onto that?
There are a lot of companies operating in, like, the blockchain decentralized application space that do other things that aren't directly, like, writing the Bitcoin code, but they might offer services to help corporations or other applications do things in this decentralized space. Do you think that they could be seen as liable in the event that, like, they are a supply chain contributor? Because they do provide things like libraries or code to help manage supply chains and other things. But they don't directly offer any actual infrastructure or the actual services. They just write code that is used by people, but they don't really own anything.

I hadn't thought about that. Honestly, I haven't given it... It's an interesting question, because if you're in the chain of facilitating, the claim might be that you wrote something which facilitated these people doing the ransomware attacks, because you facilitated it. You created their getaway car. Yeah. There, right. Yeah. And so, you know, someone who wrote the code that's used in the blockchain, maybe you're doing the mining or whatever. I don't know if that's good. That's an interesting question. The SEC is trying to get into this game. And they threatened Coinbase, I think two weeks ago, when they were about to issue some kind of a loan program using cryptocurrency. And I think the SEC said, no, it's a regulated act, or we think that might be a regulated activity; we suggest you not do it. Do I know how this will evolve? I don't know. That's a great question. Anybody else? Before I go to our online questions?

One of the questions is: do you feel the complexities in regard to new cybersecurity laws are forcing the technology industry into more monopolies? And what can smaller companies do to remain competitive?

I don't know if they're forcing them into new monopolies. I mean, certainly one of the challenges with new companies in the cybersecurity space is you're up against the established big companies.
And if you're procuring technology, there's a certain safety, when it comes to protecting your position at the company, in going with a proven company. Let's say, hey, you're looking to buy some new EDR solution and your options are XYZ startup, a middle-of-the-road company, or Microsoft Defender. A lot of CIOs, CISOs, will go with the Defender product, because it's Microsoft, it's a trusted solution. Does that lead to some kind of, I don't want to say monopoly, but perhaps a bigger challenge for smaller companies to crack the market? Maybe. But on the other hand, there are some amazing emerging growth companies in the cyber space that come up with technologies that no one else does. And you know, their counterweight is going to be, of course, things like patent protection, trade secret protection. But it's a great question.

There's another one. In a lawsuit, discovery and certain privileges applied to forensic evidence can be important in controlling litigation. How important is it for companies' IT security departments to understand this issue and to ensure evidence is preserved in a manner that can afford legal protections?

So, the evidence itself... Let's break it down. The evidence: you cannot protect facts. So the attorney-client privilege is a privilege that exists between a lawyer and his or her client that allows communications to be free from being shared with the other party. In the US legal system, to go into civil law, the intent behind discovery: it's a process of trial. So if you file the complaint, there are some motions, and then you have this long phase before trial called discovery. During discovery, the parties share documents back and forth. And the US legal system places an emphasis on disclosure, almost an over-emphasis. If it's relevant, you've got to turn it over if the other side asks for it. When we have these class action lawsuits where a plaintiff sues a company that's had a breach,
a common issue is the plaintiff will try to get access to all communications, everything that happened before and after a breach. And one of the things that's common is we hire a forensics firm to come in and help us investigate the breach. So the issue is, when that forensics firm, yeah, CrowdStrike, whoever, when they do their work, what about what they do? Whether it comes to, like, the work product, communications during their investigation, or the final report where maybe they provide a whole: here's how it happened, here's what happened, here are the controls that you could put in to compensate against this risk going forward. Plaintiffs' attorneys want to get that; someone else doing their homework for them. So the issue is attorney-client privilege. What does that protect? Now, as a general principle, privilege does not protect facts. So that your firewall had a password configuration of solarwinds123, or so it's been alleged, that would not be a protectable fact under the attorney-client privilege. But when my forensics person sends an email, "Todd, hey, we found this and we think this is what happened," that's the communication we want to protect, and it very well might be protectable. There's all this litigation right now trying to penetrate the attorney-client privilege so that plaintiffs' attorneys can get access to those kinds of communications. And there have been some bad cases of late that are making it harder and harder to hold up the attorney-client privilege. The reason this is relevant to you is, when there is a breach, one of the things that we try to encourage our clients to do is think about the attorney-client privilege, engage legal counsel, and before you jump into this investigation, think about it, because you want to be able to have open and honest dialogue.
And if you have to watch everything you say, which you should do anyway, it's stressful, and it's hard to have an honest dialogue during a breach if that's what you're always having to think about. But like I say, you should think about it anyway; be careful about what you say anyway. In many ways it's very important. Talk with your legal counsel and they'll instruct you on how to structure these communications to preserve the attorney-client privilege.

I have another one. Does anyone else have one here? In the DC area, and this is from the audience: I'm Jason and knock Leah. Do you see a change in ransom methods with the discovery of the FBI's blockchain explorer method of tracking payments, as we saw in the Colonial Pipeline incident?

Yeah, that was one of the great things about Colonial Pipeline, if there's anything right about it: the ability that they were able to claw back some of the ransom. And we're certainly seeing that more and more. I haven't seen any changes yet. I mean, in terms of the ransomware model, it has evolved. I mean, it used to be they'd just encrypt systems and demand the ransom. Now they're stealing data, threatening to put it on the dark web, and sometimes they do. And even lately, I've seen them emailing customers of victims: we've got your data, we stole it from X; if X doesn't pay the ransom to us, your data is going to go on the dark web. So we've seen evolutions on the attack side, but I haven't seen changes on the ransom side yet.

This is a different one, and it's along the same lines, but it says: at what point did it become commonplace for companies to pay ransomware payments?

Wow, that's a great question. As I said, the first one I had was that one in the UK, which had a pen test report they actually wanted to provide. And since then we've seen a slow escalation, and it kind of came in jumps. Initially, ransoms were almost always $20 to $40 thousand, and it is up to a million.
And when it was $20 to $40 thousand, a lot of our clients paid that. It wasn't that much money if they got the key. When ransomware first started hitting, a lot of companies didn't have good backups. They couldn't quickly recover from these things. Sometimes it's just easier to pay the $20 thousand ransom and decrypt your systems. And I think over time, it's a theory, but you could argue that insurance companies, with the rise in insurance payments, that's led to more companies paying an amount, because it's the insurance company that winds up writing the check. I can't say exactly when it became common practice. It's a good question. Anyone else have any questions? Please write them.

Is there a specified time frame in which the company should report the breach, or does it, after they have any colored, and what is due soon or delete, you know, that you've hit?

That is such a great question, because it's a hard question to answer. There are certainly... The gentleman over here mentioned the 72-hour requirement under GDPR, and certain states have requirements. Some states say the most expedient period of time possible; that's how some states read, and some of them have a maximum not to exceed 30 days, 45 days, 60 days. And other countries, I think I saw one that was 15 days. When you have a breach, one of the first things, and this is something that we have charts and diagrams for; we have this stuff all mapped out. And so when a client of ours has a breach, we're able to say, okay, you're in these jurisdictions, that's the data, this is when we'll have to have the notices in. So it's a pretty methodical process, but there are different types of communications. And frankly, I think the biggest challenge during a breach is not the recovery or the forensics. That can be challenging. It's the communications. Communications, I think, is perhaps the most important part.
And all types of communications; I'm talking communications to the press, to your investors, to your employees, to your customers and consumers, and the list goes on. If done inappropriately, it can really hurt you. It's not the other things: you get fines, penalties, you pay those. It's your reputation that is hard to recover, and you just can't quantify the value you lose when it gets tarnished. And communications are the way you can so horribly devalue your reputation very quickly if not done right. But to answer your question, yeah, how do you decide to notify? That's done on an individual company basis. Do you trigger a notification obligation? Legally, you may also have contractual notification obligations. It's common in commercial contracts where you'll see a provision where it'll define what a security incident is and define some period of time within which the breaching party has to notify the other party. And in contracts where you're the one who wants to be notified, you put in "immediately, not to exceed 24 hours, 40 hours," whatever it is. It's going to be different on a case-by-case basis. But the question of when do we notify is one of the most important questions. We're constantly thinking about that as we go through the breach, and then how we notify, who notifies, and just how we manage the whole communications part of the breach.

All right. Well, thank you so very much for having me today. I hope this was helpful. I'd love any questions; if people have them, come up afterwards. I'll stick around for a few minutes if there are any questions people have. I hope I gave you a different perspective, my perspective, on how breaches are starting to expand throughout the enterprise. You guys are at an amazing school and in a career that's about to take off, that has taken off. And I'm kind of envious that we didn't have a cybersecurity program back when I was at Tech. I think this is the hottest profession in the future.
So congratulations, I'm going to Tech, and I'd love to take any questions you guys might have.