Privacy Officer's Roadmap: Data Breach and Ransomware Defense – Speaking of Litigation Video Podcast

New episode of our video podcast, Speaking of Litigation:  As a privacy officer, what keeps you up at night?

Is it the ransomware boogeyman, or perhaps the data breach creeps?

Whatever it may be, Epstein Becker Green litigators J.T. Wilson III, Stuart Gerson, and Brian Cesaratto are here to shed light on the subject in this episode of Speaking of Litigation.

The growth of artificial intelligence, foreign state-sponsored cyberattacks, and labyrinthine compliance regulations have placed an unprecedented amount of importance on an organization's ability to bolster privacy and cybersecurity. Tune in as we outline critical safeguards and strategies to have in place before a breach and after one occurs.

Video: YouTube.

Podcast: Amazon Music / Audible, Apple Podcasts, Audacy, Deezer, Google Podcasts, iHeartRadio, Overcast, Pandora, PlayerFM, Spotify, YouTube.

Transcript

[00:00:00] J.T. Wilson III: Today on Speaking of Litigation, we're discussing data breaches, preventing them, recovering from them, and defending against class action lawsuits following them. We'll also cover ransomware, to pay or not to pay, and then we'll look at compliance. As data breaches become increasingly more sophisticated, often aided by artificial intelligence, privacy officers must focus on the intricacies of their vendor contracts and insurance policies.

[00:00:27] J.T. Wilson III: Hello everyone, I'm your host today, J.T. Wilson III III. And I'm a member in Epstein Becker Green's employment litigation practice, and I'm based out of our Chicago office. According to Gary Kovacs, privacy is not an option, and it shouldn't be the price we accept for just getting on the internet. Every recent poll of CEOs and corporate board members demonstrates that their most pervasive, keep me up at night issues are cybersecurity and data privacy.

[00:00:57] J.T. Wilson III: Most public conversations surrounding privacy issues tend to focus on the impacts of identity theft. But in reality, there are far more damaging and frightening privacy issues that companies should be wary of. Joining our discussion today is Stuart Gerson, former acting Attorney General of the United States and current EBG member in Washington, DC. Welcome Stuart.

[00:01:21] Stuart Gerson: Thank you.

[00:01:22] J.T. Wilson III: We're also joined by Brian Cesaratto, a member in our New York city office. Welcome Brian.

[00:01:26] Brian Cesaratto: Thank you.

[00:01:27] J.T. Wilson III: Let's start with talking about data breaches. So you've had a data breach. What do you do now? Who are you calling?

[00:01:39] Stuart Gerson: It's not Ghostbusters. Ideally, you could get back in a time machine, strengthen your compliance, and do a number of other things to anticipate it.

[00:01:50] Stuart Gerson: But let's assume that you haven't, and you have a data breach. You're faced with relevant law in all of the 50 states, in every United States territory, in many of the states, an increasing number of the states. And so you have issues of reporting, remediation, and of course, you have the fundamental issue related to your business, which is to protect its intellectual property.

[00:02:15] Stuart Gerson: It's intellectual capital and its customer base. And so there are a lot of things to do all at once. We can talk about some of the steps, but it starts with appointing a single individual to be the quarterback of the response, the remediation and the rehabilitation of your files.

[00:02:33] Brian Cesaratto: When you suffer a data breach, it's already too late, as Stuart says, to go back and prepare.

[00:02:43] Brian Cesaratto: What you want to be doing is, in advance of a data breach, you want to have in place policies, procedures and communication charts and tables, so that at the time the data breach occurs, you're already prepared to mitigate the damage. At the time you suffered a breach, it's already too late to do that.

[00:03:39] J.T. Wilson III: We realize that as businesses become more and more sophisticated and collaborative, we operate in a global economy.

[00:03:46] J.T. Wilson III: We realize that the areas of potential exposure are growing exponentially by the day. How important are contractual safeguards when it comes to companies’ vendors or suppliers? Brian, interested in your thoughts here?

[00:04:01] Brian Cesaratto: I would say that should be your focus in the first instance, because if you look at the major data breaches that occurred and have been newsworthy, most of them occur through some sort of what we call supply chain risk.

[00:04:19] Brian Cesaratto: So that's a vendor that you either entrust your protected data to, or who you give access to in your facilities to that data to perform work and services for you. So you want to select the right vendors. You want to make sure you have a process in place to ensure that the vendors’ safeguards and privacy controls are robust, you want those safeguards to float directly into your contracts with those vendors so that those vendors are obligated as a contractual matter to comply with those safeguards.

[00:05:07] Brian Cesaratto: You also want to have the right, which goes with that, the ability to audit them and to make sure they're complying with those safeguards in a way that's verifiable by you. And then ultimately you want to think about what happens if, even though they've taken steps, who's responsible for liability and the costs that are associated with a data breach.

[00:05:43] Brian Cesaratto: And keep in mind that the cost on average per breached record is $250 dollars per record, and that can add up to many millions of dollars, either through data breach damages to class action lawsuits and the like, but just also the forensic costs of remediating your network, making sure that the hackers are no longer there.

[00:06:11] Brian Cesaratto: Who pays for that? That's all a matter of contract and that should be thought about ahead of time.

[00:06:33] Stuart Gerson: I would just add a little to that. Indemnification certainly is an important element of vendor contracts. The stress point that I would make is that perhaps we've been discussing this as a voluntary effort. Less and less it's the case. Under emerging D.O.D. standards, for example, under the way the False Claims Act is applied, you as the primary entity involved in all of this are responsible for doing these things and you're no less liable than your vendor in many of these cases. Even if you have contractual provisions in place that might shift costs, and so the weak link is always your employees.

[00:07:30] Stuart Gerson: This idea of responsibility for vendor security is not just a good idea that you would pursue voluntarily. It's now one that increasingly by large government agencies and others in the private sector are being imposed upon you.

[00:08:14] Stuart Gerson: Understand, remember, that we talk about cyber security and data breaches in terms of the statutes that are on the books or regulations that increasingly are being promulgated at the federal and state level. Those talk to issues like breach notification, remediation and the like of that.

[00:08:34] Stuart Gerson: But remember that the whole common law still applies as well. And so when you're negotiating contracts with your vendors, with your other third parties, you want to have things like waivers of class action. You want to have as many protections as you can build into contracts, arbitration, for example, as opposed to litigation.

[00:09:17] Brian Cesaratto: Yeah, that's an excellent point, Stuart. Let me follow up on that in one instance. Of course, you have both federal and state statutes that talk about data breach notification. If you get a data breach, under those statutes, you have an obligation to notify individuals or regulators. There's increasingly, though, a body of regulation and statute that imposes safeguards and specific safeguards on the organizations that hold the data, and what we're seeing, particularly at a federal level, and in some select states, is increasingly there's mandated minimum safeguards, either by regulation or just by enforcement activity. For instance, many times now, when you see settlement decrees of data breaches by regulators, and you go through the settlement agreements, they talk to things like having a written plan.

[00:10:34] Brian Cesaratto: Doing a risk analysis or risk assessment, multi-factor authentication. And Stuart, as you pointed out quite aptly, because 80% of the breaches occurred through social engineering, which is employee error in some sense, that folks make a mistake, they click on a link or they take some other action, they're fooled: training.

[00:11:02] Brian Cesaratto: So when you're thinking about your contracts, you want your contracts to conform to those safeguards and you should think about language, not just like generic language, like the vendor will comply with reasonable safeguards, but specify those things that are most important, not only to protect your data, but are most important in the eyes of the regulators.

[00:11:30] Brian Cesaratto: So mandate that those vendors take certain steps and put that in the contract or an addendum. I think that's very important to, as we say, being prepared for that day, that horrible day where you may have a data breach. You want to be able to say that you acted reasonably with respect to your vendors.

[00:11:58] Stuart Gerson: Breaches are, generically, are a moving target. You can't just put a plan in place and leave it there. I've been involved in cybersecurity since the 1960s, since the days of the Pueblo being seized by North Korea when I was a counterintelligence officer in the Air Force. And I've always been conscious of what is kind of a shibboleth in the industry, which is you can build a bigger and better idiot-proof system, but as soon as you do, a bigger and better idiot comes along.

[00:12:19] Stuart Gerson: And so you're constantly needing to train your employees and to test what they do. Tabletop exercises are one example of that. But you've got to develop outcomes. And indeed, if you haven't developed outcomes with regard to your compliance program, and if you're not getting negative results, you don't have a compliance program.

[00:12:44] Stuart Gerson: Human beings are inherently fallible, even those who are the most astute and assiduous. And indeed, when you're negotiating with government agencies and you're suggesting that you ought not be held culpable because you have a compliance program in place, the first question that will be asked is, well, if you have such a good compliance program, why are we here talking?

[00:13:08] Stuart Gerson: And that is a material question that needs to be answered. Another thing is we can talk in abstract terms about good compliance and good testing. But the fact of the matter is that compliance programs are to agencies and the states what airlines were to third world countries.

[00:13:33] Stuart Gerson: Everybody's got to have one. And so you have varying standards in the area of data privacy and the sorts of things that a holder of data, that Brian was alluding to, have to deal with. The gold standard is not United States statute or regulation. It's the European Union's general data privacy law, which then has been mimicked by California and other states. Do these statutes and regulations prevent private causes of action?

[00:14:04] Stuart Gerson: In most places, they do not. Certainly under very few state laws are private causes of action prohibited. And there are many theories under which they can be brought under federal law. And so you need to deal with varying standards. Nobody gives you a certification of compliance and good behavior in advance, and nobody gives you thanks afterwards either,

[00:14:39] J.T. Wilson III: Brian, you and Stuart, a recurring theme I'm hearing from your comments so far is that a good offense is the best defense in this space. But Brian, you mentioned the exposure, the liability and the subsequent class action litigation that typically follows data breaches.

[00:14:57] J.T. Wilson III: How does one, and we understand that the contractual agreements, Stuart, you mentioned indemnification provisions within those agreements, are just one tool in the toolkit to prepare yourself for this unfortunate day. But how does one, what are some of the other tools that one can use to begin to lodge and prepare a defense when such a breach occurs?

[00:15:22] Brian Cesaratto: To my view, the most important thing is mitigation and mitigating damage and potential harm to those folks that have entrusted the organization with their data. As Stuart points out, the threat landscape is constantly changing and evolving. And there's this give and take between the defenders and the attackers that goes on as technology has evolved.

[00:15:55] Brian Cesaratto: So the fact of the matter is that any company, no matter what the size, can be breached, even if they take all the right steps ahead of time, they can suffer a data breach. The class action lawsuits are going to be brought on behalf of individuals who say that they've been damaged, that something's happened that's caused them some loss with respect to the breach of the data.

[00:16:31] Brian Cesaratto: And those are the facts that get litigated in those data breach litigations. You want to be able to defend against those actions by saying there hasn't been any damage in the first instance, and there are legal questions of standing that the courts have, that the courts have wrestled with.

[00:16:56] Brian Cesaratto: But you also want to be able to say, look, not only did we put in place preventative and detective measures ahead of time that were appropriate. But when the breach happened, we did everything reasonable to mitigate the harm and to protect the data that was entrusted to us.

[00:17:19] Stuart Gerson: That’s certainly true. And I wish we lived in a world where you always had to prove actual damages to get standing. There's a long standing split of the circuits on this issue. But I've often been involved in class action litigation where there's no demonstrable injury at all, except for fear that there's going to be identity theft or something like that.

[00:17:39] Stuart Gerson: And I think that somebody pointed out early on in this conversation that identity theft is a… while it's certainly serious and something to be given great consideration, is a minor problem compared to what state sponsored hackers and other organizations are trying to do. You've got a multiple level of things that you have to address upon a breach.

[00:18:03] Stuart Gerson: Notification applies under various statutory regimes. Some are very controversial, like the SEC's recent regulation on the subject. First, you have to find out that you've had a breach. Sometimes it takes time in order to do that. And agencies are putting great pressure on you to make notifications within 24 hours or 48 hours when it might take a week, actually, to verify what's happened. Situations have become greatly aggravated because, we're going to talk about ransomware in some detail a little later in this conversation, but the new wrinkle in ransomware or the newer wrinkle in ransomware has been the exfiltration of data.

[00:18:44] Stuart Gerson: And so not only are you locked out of your data, but competitors can get a hold of it or it can be sold. Your first order of business, of course, is to your customers and clients, but to the business itself. And you also have a public relations issue. Getting the right people in place is something that you can't do on the fly.

[00:19:06] Stuart Gerson: You've got to have a contingency plan. The most important thing that you've done along the way here, of course, is risk assessment, setting up a plan that meets that. That's, in a sense, easy to do. These plans are garden variety, NIST, CISA, every agency, even the Department of Health and Human Services Office of Civil Rights, will gladly provide you with plans.

[00:19:26] Stuart Gerson: it's easy to come up with a plan. It's harder to execute it. And you've got to do it on multiple fronts. As I suggested earlier, you've got to have a general in charge of the operation.

[00:19:44] Stuart Gerson: And then suitable lieutenants to deal with public relations, public notification, especially if you're a privately held company, because not only are you going to face breach litigation, you're going to face securities litigation. You're also going to face, if you're a government contractor, and that's everybody in the health care sector that's getting reimbursed under Medicare or Medicaid, you're also going to face the potentiality of third-party relators bringing False Claims Act cases seeking treble damages. That's much better than a class action in tort or under a breach law where you can only get single damages. And so the risks are very great. You've got to deal with them on multiple fronts. And you've got to be prepared for the fact that there's damage that's irremediable.

[00:20:31] Stuart Gerson: Also, you have to be prepared for the fact that you're a victim of crime. But you're not treated that way by most agencies of the government. You're treated more like the criminal than the victim. And as Brian pointed out, there's a lot of things that happen to companies over which they have no control.

[00:20:50] Stuart Gerson: We've seen a lot of recent penetrations of open-source software. Who creates that software? How well can it be tested? You have to do more and more, but there are a lot of things that are out of your control that you're still held responsible for. So sometimes you feel like a mouse on a treadmill. It's a tough road to hoe. You have to plan as best as you can, and we'll come back to some of those issues shortly.

[00:21:17] J.T. Wilson III: Brian, moments ago you mentioned the fact that every company is susceptible to a breach. That includes law firms, and statistics show that law firms have increasingly been the target of attempts for data breaches, and we've seen some very public instances where that occurred. Stuart, you mentioned the importance of a risk assessment. When a breach occurs, I mean, how screwed are you?

[00:21:45] Stuart Gerson: Let me back you up just a half a second and you pointing out that law firms are the frequent subject of breaches is a very interesting point. And the reason why this is true is the tempting targets of breaches, particularly in the financial sector, have much better security than law firms have.

[00:22:07] Stuart Gerson: And so rather than attempting to breach the walls, if you will, of a fortress, you're much better dealing with an outlier and law firms and accounting firms particularly are the subject of breaches because they're easier. They generally as a rule are easier targets than some of their clients.

Risk assessment is extremely important. But again, there are no time machines available. If you haven't done one, and you haven't assessed your risks very well, irrespective of the fact, whether the class has suffered demonstrable damages, and fear is enough in particular courts and it is in many, you're going to be screwed. And at that point you're negotiating a settlement.

[00:23:26] Brian Cesaratto: J.T, to go to law firms, law firms increasingly, as Stuart points out, hold valuable data and are targets, and are everyday targets of cyber attack.

[00:23:43] Brian Cesaratto: For instance, New York State CLE requirements now require lawyers as part of their annual CLE requirements to take cybersecurity or cybersecurity ethics training. And that training should include the types of attacks that lawyers face on an everyday basis, which are very sophisticated and will even become more sophisticated over the coming years as artificial intelligence makes phishing attacks much more difficult to detect and more persuasive. And you asked how screwed are you?

[00:25:13] Brian Cesaratto: I don't think it's just a question for law firms. It goes to any organization that is breached and yes, there are legal issues. So as Stuart points out, in some courts you might not be able to get a case dismissed on standing, but I like to think of it as a defense in depth, like a legal defense in depth.

[00:25:54] Brian Cesaratto: And I want to be in a position, if I'm advising a client about how to prepare for a data breach, that they want to be on the high ground. Whatever the results are and whatever the damages they want to say that they thought about these issues ahead of time, and they train their people and they put in place appropriate programs ahead of time.

[00:26:23] Brian Cesaratto: And the fact that they got breached occurred, no question about it, but they took the right steps ahead of time. I think that's just a very practical and sound way of being prepared for a data breach litigation, and whether it's actually litigating the case in the courts or working to resolve it, it's always helpful to say that you took the right steps ahead of time.

[00:26:56] Stuart Gerson: It’s helpful in some specific ways also. All too few statutes and regulations have safe harbors for good compliance. I'm on several working groups for the National Chamber of Commerce. We deal with ever increasing numbers of laws and regulations, and we're always lobbying for safe harbors as incentives for businesses to have good compliance programs.

[00:27:17] Stuart Gerson: But even if that's unavailable, private rights of action are available and there are no safe harbors. Nevertheless, when you're negotiating with the government, for example, you get substantial credit when you have decent compliance in place.

[00:27:37] Stuart Gerson: So that's something to attend to. Back to law firms. Law is a service business and other service businesses as well, another reason they're particularly vulnerable is they want to help. They want to develop business. Indeed, there are lots of incentives within law firms and other businesses to develop business. Up until a couple of years ago, the number one threat that businesses faced was ransomware attacks.

[00:28:04] Stuart Gerson: Ransomware has diminished in some cases because of good compliance. But what has been on the rise is what's called business email compromise, which is the largest issue today at least numerically. And of course, a lot of that leads into ransomware exploits and other zero-day exploits later on down the road.

[00:28:23] Stuart Gerson: But all too often it's employees who want to be helpful, and they don't pay attention to the URL designations on suspicious email. They respond to questions because they simply want to help, and social engineering, which is what business email compromise is about, is an amazing threat because of that fact.

[00:28:48] Stuart Gerson: And so any successful compliance program starts from the point of risk assessment, but then the vector for all risk is your employees. And you need to train them, you need to test them, and you need to hold them responsible.

[00:29:05] J.T. Wilson III: Stuart, you've touched upon this several times already, so, let's advance our conversation to this realm of ransomware.

[00:29:12] J.T. Wilson III: To pay or not to pay? What are your thoughts on that? Brian, let's start with you, and then Stuart, I'm interested in hearing your thoughts on it as well.

[00:29:19] Brian Cesaratto: My first thought is, it's a theme, is to think about whether you're going to pay or not to pay ahead of time. The decision whether to pay or not to pay shouldn't be made when you now receive a ransom note, because at that point you're under tremendous stress and it's difficult to make an informed decision.

[00:29:50] Brian Cesaratto: Number 1, you want to think about it ahead of time, and then you want to look at the data.

[00:30:23] Brian Cesaratto: you have a decision to make as an organization and you need to look at the factors that are involved. So, ransom gets negotiated. It's a cost. If you pay the ransom you're going to pay a certain cost and you want to, first off, have proof that if you do pay, at least that the hacking group has the decryption key.

[00:30:54] Brian Cesaratto: And has provided you proof. So that at least you can get some of your data back. You need to also consider the fact that even if you pay, you may not be able to get all your data back. In fact, the studies show that roughly, those organizations that pay get only about 65 to 70 percent of their data back. And tied in with all of this is how confident are you that if you don't pay, you can restore your data from independent sources and ensure that it's clean, that it's not subject to compromise. So that as a business executive you're confident that you can take a stronger position not to pay, because you've tested your backups from independent sources. You know that you're clean, and you know that you can restore the data.

[00:31:48] Brian Cesaratto: The decision whether to pay or not pay ransom is complex. It's tied in with not only business, but regulatory requirements. And the most important thing is to have that planned out ahead of time so that on the day that it happens, you're prepared and you have an action plan in place to address it appropriately.

[00:32:13] Stuart Gerson: Let me back up and make sure that all of our listeners and watchers know what ransomware is. Ransomware is an algorithm that's injected into one of your systems. It may be a zero-day exploit, which is activated at a particular time and place. But what it does is encrypt all of the data in your files.

[00:32:38] Stuart Gerson: And so when Brian mentioned the decryption key. That's what you're bargaining for. In other words, some code that will unlock the files and restore your access to them. The lay of the land in the ransomware universe has changed a lot. And it's changed a lot because of one important fact. 80 percent of the critical infrastructure of the United States is in private hands.

[00:33:04] Stuart Gerson: And so what has happened is, traditionally you would do a cost benefit analysis. The FBI and other government agencies with which you might have contact during an exploit will tell you, well, do that cost benefit analysis and if the costs of restoring your data, of resiliency, are less than what the ransomware demand is, well, go get the Bitcoin and pay the ransom.

[00:33:40] Stuart Gerson: That's changed tremendously. That's no longer the advice of any federal agency. It may be a reality, especially for smaller businesses, that if deprived of their data and their customers and clients' data for any period of time, are going to go out of business.

[00:33:57] Stuart Gerson: That kind of exigency is important. But for the major breaches the answer is, no longer do you have this presumption of payment under cost benefit analysis. You have to think it through and you need to work with agencies. Brian mentioned agencies like that in the Department of the Treasury, OFAC, the Office of Foreign Asset Control, which has a list of excluded organizations that are aligned with adverse foreign interests.

[00:34:25] Stuart Gerson: You now have a duty to check those rosters. You can't pay if you're able to determine after due diligence that you're dealing with an entity that is an attenuation of a banned foreign source. There are a lot more restrictions. You need to be able to work with InfraGard, for example, which is the FBI's division that deals cooperatively with the private sector with regard to data, and you need to come up with a plan.

[00:34:59] Stuart Gerson: National security has become a major issue with this. And there are a lot of instructive cases. The most instructive that I talk about is Colonial Pipeline. If you'll remember, a couple of years ago, the Colonial Pipeline, which is the distribution source of gas for automobiles, fuel for homes, on the east coast of the United States.

[00:35:24] Stuart Gerson: Its central facility was subject to a ransomware exploit. Through cooperation with the FBI, what in essence was a sting operation that was set up, the ransom was paid. It was a huge ransom, but the FBI was able to breach the blockchain. Again, there was a Bitcoin transaction, and was able to recover most of the money, trace it back to individuals, some of, all of which reside in foreign countries, but some of whom were caught.

[00:35:54] Stuart Gerson: It's the wave of the future because national security has become such an important issue. And as is the unfortunate truth, if you pick up your newspaper or its analog on the web, you see that we're in constructive disputes with a number of countries. We have substantial threats posed by four major countries, Iran, Iraq, North Korea, and the People's Republic of China, and to say nothing of Russia.

[00:36:27] Stuart Gerson: And these are things that have changed the nature of ransomware. There's one other thing that Brian mentioned. He talked about not getting all your data back. You may get it back but what ransomware bad guys increasingly are doing is exfiltrating data so that you may not get the benefit of the bargain, and your data may be out there in the world and sold in a secondary market.

[00:36:54] Stuart Gerson: That's another thing that inhibits ransomware payments. We're doing much better in terms of enforcement. But the fact of the matter is it's still a major league problem. And it's one that has evolved substantially.

[00:38:53] Brian Cesaratto: And another part of the equation is, as Stuart says, the legal landscape is rapidly changing. So the Critical Infrastructure Act which the Cybersecurity Infrastructure Security Agency will be promulgating rules in March for, requires reporting. If you do pay a ransom you have to report the incident within a very short period of time to CISA.

[00:39:44] Brian Cesaratto: So the decision to pay or not to pay is multifaceted and all of these elements that Stuart and I are talking about, it's just incomprehensible that you would try to factor in all of those elements under the stress of a ransomware attack and maybe having your entire business or significant parts of your business shut down.

[00:40:32] Stuart Gerson: I would just add to that fine narration, the issues that the cloud has presented. Oftentimes companies are not in possession of their data. They access it from a third-party source in the cloud someplace. And this increasingly is a problem. In addition, it isn't hard for somebody to get into the ransomware business. You don't need the technical capability. You can just buy it.

[00:41:16] Stuart Gerson: And so going back in our little time machine that we hoped we’d had at the beginning of this discussion. You need to assure your resilience. You need to have independent backup for data. You need to know where all your servers are and who's running them. And it's not just a question of the financial issues involved in it and indemnification and the like of that.

[00:41:41] Stuart Gerson: This is the lifeblood of your business, is data. We live in a data age. Not only that, it's data that you hold, but it isn't yours. It's your customers’, it's your clients’. And you've got a responsibility to keep it secure. I always recommend when you know that you're at a breach, it's best not to hide it.

[00:42:07] Stuart Gerson: First, you make your statutory disclosures, but then you develop, you should have an advanced, a relationship with law enforcement. You need to know who to call in the FBI, in NIST, in CISA, in OFAC, in any of the agencies that you have to deal with in this. And having that kind of strategic plan that also involves public relations is really important and you've got to test it. It's a huge expense but it's money well spent.

[00:42:40] J.T. Wilson III: Given the depth, the breadth, and the speed regarding the complexity of all the moving pieces that we're discussing in the space of ransomware, which experts can you leverage in addition to, Stuart, you mentioned the importance of engaging your contacts at NIST, at CISA, at OFAC, and in other similar agencies.

[00:43:05] J.T. Wilson III: What are some of the resources that you can leverage in terms of experts and when you engage counsel to assist companies in this space where they've experienced a breach or when they're dealing with ransomware?

[00:43:19] Stuart Gerson: You mentioned two elements which may cover the whole universe, and that's your lawyer and your insurer.

[00:43:24] Stuart Gerson: You as a business will have, likely have, if you're of any size, you're going to have an IT department with people who are experts in cybersecurity. But they know nothing about dealing with breaches and disputes and the like of that. So you should have counsel. It's self-serving for a member of a law firm to say this, but it's so.

[00:43:51] Stuart Gerson: We have on hand relationships with any number of vendors who deal with both security questions and breach questions, we have cooperative relations with a number of those people. In addition any program that one has on the client side has got to have an insurance element to it. Cyber insurance is an evolving and tricky market, where law firms and your law firm may play a role in negotiating wordings that make sure you get covered.

[00:44:20] Stuart Gerson: If you're hit with a business email compromise, and that leads to a ransomware situation. Is that a breach? You've been let in. Somebody's left the door open for you. Is that a breach? You better make sure, insurance companies often defend on that and deny coverage.

[00:44:41] Stuart Gerson: You have to make sure that your wordings encompass your risks. And then it's helpful to deal with a law firm, and not only because of access to vendors, but because during the investigation that you're undertaking and your remedial activity, you'd like to cloak as much of the discussion as you can under attorney client privilege.

[00:45:04] Stuart Gerson: And so again, that's another aspect of why doing it through a law firm as an intermediary to individual experts, the CrowdStrike’s and other companies of this world, is a helpful way to go.

[00:45:24] Brian Cesaratto: One thing to add on to that from a practical point of view is that you don't want to be flying blind on the day that you have an incident.

[00:45:37] Brian Cesaratto: And many folks are under the misapprehension that you can get a forensic expert into your system and visibility after the fact. And that's just not the case. It can take typically, at best, a week or longer to be able to get a forensic expert in to say what happened.

[00:46:05] Brian Cesaratto: And many times that's too late. For instance, in the ransomware circumstance, the attempt to extort you to pay is to pay immediately within 24 or 48 hours. So one of the things on the expert front that you want to think about is, you want to think about, and further to Stuart's point, through your attorneys, is to have a forensic provider already in place so that you have visibility from a technical perspective into your system at the time that the attack occurs. So that you can make informed decisions based on the forensic evidence about what's happening in real time.

[00:46:56] Brian Cesaratto: And in many cases, that's a very important piece when you think about your outside legal counsel or your experts.

[00:47:06] J.T. Wilson III: Let's shift gears a little bit. Stuart, you touched upon it moments ago, and it's been circulating. We talked about the emergence and the advancements that we're seeing in the space of artificial intelligence, and we talked about it on the… as it's used to increase phishing and attacks and business emails and the like.

[00:47:30] J.T. Wilson III: But I want you to discuss for a moment how companies can also leverage AI to assist in the detection or to decipher whether attack is present or imminent, or to help beef up its defenses to protect against some form of a breach.

[00:47:49] Stuart Gerson: You can use AI in the same way that the bad guys use AI.

[00:47:53] Stuart Gerson: Understanding what we call AI today is not anything that has independent identity or a self-conscious nature. What we're dealing with are algorithms that are predictive in nature, that know how words are strung together and then put together results that are based upon probabilities.

[00:48:13] Stuart Gerson: And a human could do that too, it would just take forever. And so the advantages that these AI systems provide is speed and depth. You start with security, but if AI, and this has been particularly true in the open source software area where AI has been a big weapon to penetrate the activities that are done with open source software, they're efficient.

[00:48:43] Stuart Gerson: And they can scour databases in a hurry, figure out what's there. And then focus exfiltration on those things, but you can do the reverse. You can protect yourself the same way using the same kinds of expert systems. Artificial intelligence works by being trained on a given database.

[00:49:04] Stuart Gerson: And again, it's on the defensive side. You want to make sure that your database is a closed one, not the whole internet, but something over which you have control. But AI, these AI algorithms are tools. And like a hammer or a screwdriver they can be used by anybody to further their particular means.

[00:49:30] Stuart Gerson: And what AI gives you is speed and you can, if you're on the bad guy’s side, you can look for targets of opportunity in a hurry and find them as you read through other people's systems. On the good guy's side, you can do the same thing and patch and secure.

[00:49:51] J.T. Wilson III: We also discussed the GDPR and other similar statutes that actually give a private cause of action.

[00:50:01] J.T. Wilson III: I know Illinois has one in the Illinois Biometric Information Privacy Act, or BIPA as it's frequently referred to as. What are some of the nuances that companies should consider and also implement when applying some of the issues that we see in litigation around automated biometric data technology?

[00:50:26] Stuart Gerson: What we're seeing are things that fit very well into traditional legal models, not necessarily new ones. BIPA is the classic example of a biometric privacy law that has a private right of action. And the number one element that you see, that informs cases, are susceptible to treatment under employment discrimination and other laws that deal with disparate treatment and disparate impact.

[00:50:59] Stuart Gerson: A lot has to do with how these systems are trained and formulated, that they do produce adverse results, oftentimes with minority populations, that things that are good identifiers for Caucasians might do a less good job, say, dealing with the images of African Americans, and so we see a great many cases that have to do with misidentification or other adverse impact, denial of benefits in the health care area, where a lot of biometric and other types of so-called AI are being used in the diagnostic sense.

[00:51:41] Stuart Gerson: Again, there is adverse impact often that has been seen as a result of poor training, by which I don't mean human training. Dealing with the quality of the database and the abilities of the system. And you don't need new law to deal with these things. And we're seeing causes of action that relate to that.

[00:52:04] Stuart Gerson: So biometrics, very significant.

[00:52:27] Brian Cesaratto: Yeah, to follow up on that biometric data. First off, you have to look at the legal definitions to ensure that what you're actually doing, whether it's some sort of facial recognition or fingerprinting, or palm printing, or whatever it is, is actually biometric data under the legal definitions. And J.T., further to your point, the GDPR and other statutes including California's privacy statute provide that biometric data, true biometric data, is sensitive data and requires express protections. And indeed, typically requires that the individual be notified ahead of time that there's use of biometric data. And I think what you're going to see increasingly, both through biometrics, use of AI in conjunction with biometrics, is increasingly you're going to have statutory rights and protections around biometric data because the loss of that data is so damaging to privacy, and to the extent that you're holding that data, you need to treat it differently than other data that may not present as high a level of of risk.

[00:54:10] Brian Cesaratto: And indeed, the statutes require that, that sensitive data be subject to enhanced protections. For example, under the GDPR, you actually have to do a mandated risk assessment if you collect that type of data.

[00:54:34] Stuart Gerson: Some biometric statutes exclude health care data, but most don't. And we speak a lot in Epstein Becker to health care providers and insurers and others in that sector. AI and biometric, the biometric subdivision thereof, is increasingly important in medical diagnosis and treatment options and is highly beneficial.

[00:55:04] Stuart Gerson: Again, these things work fast. They're able to compare and contrast a lot of data in a hurry. And they're very helpful and they're particularly helpful in places that don't have a lot of staff who's very well trained. One of the weaknesses in American medical care is the quality of diagnosis.

[00:55:22] Stuart Gerson: And these things help. But what they also do is access and retain a great deal of data. And they are as breachable as some of the data, types of databases that we were talking about earlier. And so there's a whole security issue, an external security issue that applies when we're talking about that kind of biometrics, and increasingly we're seeing them with regard to diagnosis, to remote treatment and telehealth, the whole area that goes along with it.

[00:56:00] Stuart Gerson: So it's a big risk. It's a big area of potential benefit, and it's a big area within the universe of health care.

[00:56:09] J.T. Wilson III: Yeah, and Stuart, to your point about health care, there was a recent case in Illinois finding that health care workers in the flow of providing care and treatment to a patient, is actually excluded from the purviews of BIPA from the perspective of biometric data or biometric information.

[00:56:28] J.T. Wilson III: But it's also important to your point, Brian, BIPA actually regulates the use of biometric information as well as biometric identifiers. And so that's information that's related to or tied to, derived from, a biometric identifier. And so it's a bit more challenging, a complex issue, a bit more nuanced that has been heavily litigated and the courts are still making decisions in that space.

[00:56:51] J.T. Wilson III: Let's take the time to wrap up here. We want to thank the audience for listening to this very engaging discussion on these topics and issues. Stuart, let's start with you. What's one key piece of advice you would give to an organization looking to safeguard themselves from looming threats like ransomware or data breach?

[00:57:14] Stuart Gerson: Prepare, assess risk, train, and test.

[00:57:21] J.T. Wilson III: Thank you. Brian, as artificial intelligence continues to rapidly evolve. What's one thing keeping you up at night that privacy officers and general counsel should be worried about more?

[00:57:31] Brian Cesaratto: I'm going to give two things because I think they're equally important.

[00:57:38] Brian Cesaratto: Number one is, one of the concerns I have for the next, for the immediate future, the next year or so, is I think that general counsel and that privacy officers should be thinking about how to handle deep fake technology that targets their executives and employees because that is increasingly a reality.

[00:58:12] Brian Cesaratto: It's not just hypothetical. It's actually occurring. And as we think of AI to be used for attacks, I would put that up there as something at the top of my list to prepare for and have a plan in place for if that occurs. The second thing is also related to AI, but it's related, as Stuart points out, AI is premised upon data, large volumes of data, and the structure of cloud resources and the Internet. In order for AI to work and work properly, and to do what it's supposed to do, and to help people, including in the health space, it has to be secure, and I think that projects like OWASP with the Open Web Application Security Project, which talks about security around AI, are very, very important.

[00:59:19] Brian Cesaratto: If you're a covered entity or a provider, a technology provider, that's using AI, you need to focus in on ensuring that the data sets that transmit over the Internet are secure and that they're not polluted or tainted or otherwise compromised, because otherwise you're not gonna get those valuable and reliable results that are gonna save people's lives.

[00:59:50] Brian Cesaratto: And you have to be confident that that data is secure. So I would put those two things right at the top of my list when it comes to AI in the immediate future.

[01:00:05] J.T. Wilson III: Stuart Gerson, Washington, DC, thank you so much.

[01:00:08] Stuart Gerson: Thanks for having me.

[01:00:09] J.T. Wilson III: Brian Cesaratto, New York, thank you so much.

[01:00:11] Brian Cesaratto: It was a pleasure. Thank you.

[01:00:13 J.T. Wilson III: And to our listening and watching audience, our time is up and we thank you for yours. Please remember to subscribe to Speaking of Litigation on YouTube or wherever you get your podcasts. Enjoy the rest of your day.