If there’s one thing that many of us need these days, it is a cybersecurity expert on retainer. Luckily, law professor Steve Black, visiting professor at the University of Houston, fills that need. Prof. Black talks with us on a number of issues, including what motivates hackers and cybercriminals (spoiler: it’s money), the dark web, how law firms and businesses approach information stored in the cloud, and what process automation means for data security.
Law firms might be a weak link in the eyes of cybercriminals when it comes to acquiring information. Professor Black discusses the different tactics cybercriminals use, the vulnerabilities found in law firms, and the actions that we need to take with our equipment, our network, our people, and our data. We guarantee that his discussion would be the highlight of any party.

Information Inspirations
While some still think of Millennials as the new kids in the workforce, that isn’t really true. In a recent white paper from Thomson Reuters titled “Becoming the firm where millennials want to work,” the authors discuss the needs of a generation which is now the largest percentage of the workforce. Greg ponders the idea of there actually being two subsets within the generation: those who were in the workforce through the Great Recession and those who entered after the downturn. There is almost a decade of lawyers who have never actually experienced what it’s like to work during a recession.

Everyone loves a good story. And we love learning about ways we can create better stories. Marlene discovered a great training site that helps teach you just that. Story Ready from Janece Shaffer offers workshops that deal with what makes details of a story stick in your mind. There are offerings on self-awareness and design thinking as well.
Listen, Subscribe, Comment
Special thanks to Joel Lytle, Security Expert from Jackson Walker, LLP for helping me prepare questions for Professor Black.
Please take the time to rate and review us on Apple Podcast. Contact us anytime by tweeting us at @gebauerm or @glambert. Or, you can call The Geek in Review hotline at 713-487-7270 and leave us a message. You can email us at geekinreviewpodcast@gmail.com. As always, the great music you hear on the podcast is from Jerry David DeCicca.

Transcript

[00:00:00] Greg Lambert: Any questions before we get started? Did we lose him? Steve, did we lose you?

[00:00:06] Marlene Gebauer: Oh, no. Welcome to The Geek in Review, the podcast focused on innovative and creative ideas in the legal industry. I’m Marlene Gebauer.

[00:00:22] Greg Lambert: And I’m Greg Lambert. In today’s episode, we talk with Professor Stephen Black, who is currently a visiting professor at the University of Houston School of Law, and is a renowned cybersecurity expert and consultant. And with everything going on over the past decade in cybersecurity issues, it’s good to have a consultant on retainer.

[00:00:45] Marlene Gebauer: Exactly, exactly. I was very happy when Professor Black reached out to me. We’ve been wanting to, you know, we’ve been wanting to get more episodes on cybersecurity and law, and here we are. Now we have one.

[00:00:57] Greg Lambert: So Marlene, I don’t know about you, but I’m entering that goofy time of year where lots of things are going on that involve travel.

[00:01:06] Marlene Gebauer: It’s like the first quarter that goes nuts.

[00:01:07] Greg Lambert: I don’t understand. So I’m off to Atlanta tomorrow for the 2020 Tiger Innovation Conference in Emory, and then next week we’re both off to Legal Week. So if you see us at Legal Week, we’ll probably say hi.

[00:01:20] Marlene Gebauer: Say hi.

[00:01:20] Greg Lambert: Yeah, say hi.

[00:01:20] Marlene Gebauer: We might have a microphone.

[00:01:21] Greg Lambert: We might have a microphone in our hands. But you’d think that the end of January, beginning of February would be kind of…

[00:01:29] Marlene Gebauer: Not the greatest time to travel, right?

[00:01:31] Greg Lambert: It is not. I mean, and especially to the Northeast, you know, hey, what could go wrong?

[00:01:37] Marlene Gebauer: Well, you know, I am a little biased.

[00:01:39] Greg Lambert: It’s one thing to live there. It’s another thing to travel there.

[00:01:42] Marlene Gebauer: Yeah, I’m actually off the rest of this week to our firm annual meeting. And I know we are going to be discussing innovation and how we can adapt to change.

[00:01:52] Marlene Gebauer: And I hope to take away some of the lessons I’ve learned from our guests on the podcast and be able to recount them for others.

[00:01:59] Greg Lambert: All right. Well, since we got a busy schedule, let’s go ahead and just jump into this week’s Information Inspirations. I read a white paper from Thomson Reuters Legal Insights called Becoming the Firm Where Millennials Want to Work. And there’s really a lot to digest in this one.

[00:02:22] Marlene Gebauer: I’m waiting to hear this.

[00:02:23] Greg Lambert: Yeah. So it covers some of the typical issues that you get regarding the personality of millennials, etc. But there’s a couple of things that I wanted to note that were in the report and a couple of things that I think they were missing in the report, or were just missing the point. Oh, okay. So the part that I think is a misrepresentation is that millennials are still viewed by this publication as the new generation of workers.

[00:02:49] Marlene Gebauer: No.

[00:02:49] Greg Lambert: No, they’re not. In fact, the oldest are now entering their 40s and have been lawyers for 15 plus years.

[00:02:58] Marlene Gebauer: They’re just kids.

[00:02:59] Greg Lambert: Yeah, they’re just babies. So for the older millennials, they’re starting to already assume leadership roles within the firm. They’re definitely in the partner ranks, so they’re no spring chickens anymore.

[00:03:13] Marlene Gebauer: Happens to the best of us millennials.

[00:03:15] Greg Lambert: Yeah. And on the younger side, there are those that - I mean, the youngest millennials now are either in their last year of law school or have already finished law school. So it’s - I mean, they’re not -

[00:03:28] Marlene Gebauer: We got an entirely new generation of workers that are already in the workforce.

[00:03:33] Greg Lambert: So in fact, millennials are already the biggest population in the workforce as of 2016. Now, perhaps they have a couple of years to catch up in the legal since you have to be a little bit older to be a lawyer. But I think they’re definitely right there. And I got to thinking as I was reading this, there’s really two sub-generations of millennials in my opinion. And there’s the group between 2004 and 2012, when the Great Recession was - as this lead up.

[00:04:05] Marlene Gebauer: Are you giving them a name?

[00:04:07] Greg Lambert: Oh, I don’t know. The Great Recession group? I don’t know. That sucked.

[00:04:14] Marlene Gebauer: We’ll go back and work on that.

[00:04:15] Greg Lambert: Yeah. We’ll come back and Marlene will have a name.

[00:04:19] Marlene Gebauer: An acronym.

[00:04:19] Greg Lambert: Yeah. So it’d be Gen Y1.

[00:04:24] Marlene Gebauer: Thank you. That’s even better.

[00:04:27] Greg Lambert: Or even worse. So there’s that group that were in the workforce going up and into and through the Great Recession. And then there’s the 2013 to present group, who actually have never worked during a recession. So in fact, I was talking with someone today that most of these associates still have never had a slow day, that work has been there for most of them, and they have definitely not been on this end where they’ve had to deal with major layoffs, economic downturns. Most law firms, especially if you’re in larger law firms like us, work’s been pretty steady.

[00:05:15] Marlene Gebauer: It’s interesting. I mean, this lends itself to a longer conversation because when you were talking about this, I immediately thought, well, maybe not just because, okay, while these guys haven’t had this sort of thing happen to them personally, what about relatives, family, they kind of experienced it maybe secondhand. And I think about the kids of parents who went through the Great Depression and sort of their characteristics and whether that will be more close to sort of this older section of the millennials or if it will differentiate them.

[00:05:53] Greg Lambert: Yeah, it’s interesting. But of course, by the time we figure this out, the new Gen Zs are going to be entering the workforce.

[00:05:59] Marlene Gebauer: By the time we figure this out, I don’t think I’ll be working anymore. Well, Greg, everyone likes a good story, right? Absolutely. And I don’t know about you, but I always admire those people that you hear on The Moth because they tell their stories so well and they’re so compelling. And we keep hearing that to get people on board with adoption of a new product or change management, that storytelling is key. And now there’s a new online education platform called Story Ready, which combines interactive online workshops and one-on-one coaching to make you a better communicator. Now, some of the workshops deal with what makes the details of a story stick in your mind, self-awareness, and design thinking. Janece Shaffer is the brains behind this new platform, and she teaches and coaches as well. Now, she has a very interesting backstory. I was reading her bio, and she’s worked with some Hollywood heavyweights like Robert Downey Jr. and Scarlett Johansson. And my favorite little factoid is she created a Grammy award-winning musical, Troubadour, with Kristian Bush from the group Sugarland.

[00:07:10] Greg Lambert: Interesting.

[00:07:12] Marlene Gebauer: And that wraps up our information inspirations.

[00:07:20] Greg Lambert: Well, I’m really excited about our guest today. So we talk about cybersecurity.

[00:07:24] Marlene Gebauer: I’m afraid.

[00:07:25] Greg Lambert: Yeah, I’m a little afraid too. We talk about cybersecurity and its role within the legal industry with University of Houston visiting Professor Steve Black. I’m not sure about your thoughts on what Professor Black is going to tell us, but I have a feeling that we may have to play some dark place music as we’re going along.

[00:07:43] Marlene Gebauer: Dark music for the dark web?

[00:07:45] Greg Lambert: Absolutely. We’d like to welcome Professor Steve Black to The Geek in Review. Professor Black, happy to have you on the show.

[00:07:58] Steve Black: My pleasure. Thanks for inviting me.

[00:08:00] Greg Lambert: Tell us a little bit about yourself and how you got into this, I’d say, very interesting line of both scholarship and consultancy. What was it about cybersecurity that drew you in?

[00:08:11] Steve Black: I am a total geek.

[00:08:14] Greg Lambert: Welcome.

[00:08:15] Steve Black: Well, thank you. I feel right at home.

[00:08:17] Marlene Gebauer: You’re in the right place.

[00:08:18] Steve Black: I started programming when I was 12. I majored in math in college. And I love tech. And my other areas of interest include tax and IP. And since cybersecurity involves IP and data and money, it’s a perfect combination. In fact, my wife loves to tell the story that when we were dating, we would go to parties and she would tell me afterwards, you have to stop telling people what you do for a living.

[00:08:46] Greg Lambert: Does it scare them?

[00:08:47] Steve Black: She said it stops the conversation. She came up with a solution too. She said, what you can do is you can either A, tell them that you are a circus performer, or B, that you’re a DJ and you can pick the radio station.

[00:09:00] Greg Lambert: There we go. Yeah.

[00:09:02] Marlene Gebauer: It’s a true story.

[00:09:03] Steve Black: So, you know, after that, every party it was… You know, am I a circus performer or a DJ today?

[00:09:09] Marlene Gebauer: I may have to borrow that.

[00:09:09] Greg Lambert: Yeah. Well, wait, I have to ask one more question. So when you were 12 and you were programming, what kind of computer did you have?

[00:09:18] Steve Black: Oh, yeah, this is a good question. So my neighbor had one of the very early Apple IIs. Okay. I know, right? And then I was able to use one of the Compaq, oh, what were they called? It was basically the lunchbox, which isn’t a lunchbox. It’s more the size of a, I was going to say a very large VHS, but that’s going to date me too. And the keyboard would double as the cover. It had a little green monitor that was about six inches in diameter.

[00:09:50] Greg Lambert: I remember those. Yeah, I remember those.

[00:09:53] Marlene Gebauer: Steve, it’s funny because you’re talking about it stops the conversation when you talk about what you do with other people. How can we really protect ourselves from cyber threats? I mean, aren’t some of the defenses really more like, you know, hiding under your desk during, you know, a bombing situation?

[00:10:11] Steve Black: Yes and no. You know, we hear a lot of scary stories in the news. And the truth is, most of us are not the target of a dedicated attack. If you are, then I think we need to have another discussion and, you know, we’ll talk about strategies for that. But I’d like to say, you know, if you put on your hacker who wants to get rich hat, which is one of my favorite hats to put on, right, it’s just a great thought process. And ask yourself, how do I make money? I think the answer for me is I would find places where data has not been protected well, or where it’s been forgotten. And then I just take it quick and easy. So some of the defenses that we discuss are really just the starting point. But it’s the way we make sure that we’re not the easy money for an amateur hacker.

[00:11:01] Greg Lambert: Other than money, why is it that people get into and become cyber criminals?

[00:11:07] Steve Black: Yeah, you know, money is always at the top of the list.

[00:11:10] Greg Lambert: It’s pretty much for everything.

[00:11:12] Steve Black: For everything. There’s a list that circulates about once a year that has the price list for things you can buy on the dark web. You know, info that I can use to recreate an identity or to get a credit card is always at the top. I always find it interesting that children’s information with a social security number is much more valuable. Those items sell individually for upwards of two or three hundred dollars. Grown-ups’ information, adults’ information, they bundle in packs of a hundred because our information isn’t as exciting because, you know, we check our credit scores and nobody checks a 12-year-old’s credit score. So you get years to play with that information and to make money on it. But other than money, I’ve seen blackmail or revenge crimes be a motivation for hacking. I’ve seen political gain. Some of those are really frightening. Business advantage. So that would be espionage and other types of things. And then, you know, I don’t like to forget the disgruntled former employee or ex-client who just decides to destroy stuff.

[00:12:20] Greg Lambert: So I can see why people don’t want to talk to you at parties, right?

[00:12:24] Steve Black: I don’t even get an invitation a lot of times.

[00:12:27] Marlene Gebauer: So for those of our listeners who might not know what the dark web is, can you give us a, you know, a 30-second definition?

[00:12:36] Steve Black: OK, 30 seconds. Maybe 45. So below the surface of where most of us are, Google and Yahoo and Bing take us on the web. Anybody who can get an IP address can pop up what we refer to as, you know, the dark web, a site that nobody knows how to get to unless you know how to get there. And it becomes a place where if you know how to get there, then you can buy and sell nearly everything and anything. So it’s a gathering place for criminal organizations, for those involved in human trafficking, for those involved in drug transactions, weapons transactions and all kinds of other seedy things that go on. And it’s deliberately designed not to be seen by the rest of the web that’s indexed and put into Google. So it’s kind of like the criminal underbelly of the web.

[00:13:35] Marlene Gebauer: Well, I mean, in terms of threats, are there specific geographies that they come from more often than not? And why?

[00:13:45] Steve Black: Yes. So we’re talking about Russia, China, North Korea and Iran topping the list today as far as nation state actors. They’ve invested in sophisticated arsenals and op centers that can launch very high level attacks. But the interesting thing is that hacker tools are sold and some of them are very easy to launch, which means, you know, anybody with a little bit of money and interest can launch all kinds of attacks because they’re sold as services. So it’s like criminal enterprises are us, you know, and you give them your money and they give you tools and you can launch attacks. Those types of attacks can come from geographically anywhere where somebody says, hey, you know, this is an easier way for me to make money and I don’t think I’m going to get caught. You know, why are they doing that? The short answer is that information is power.

[00:14:36] Greg Lambert: It’s true. It’s the librarian’s motto. That’s right. Let’s get this over into the legal industry. What are the risks that we have in the legal industry? And I’m thinking from law firms and in courts and government agencies, you know, what is it that we should be doing to protect ourselves?

[00:14:54] Steve Black: Yeah, I think the first answer that I always give when somebody asks me that is you need to ask yourself, what data do you have? What clients are you representing? What information have they entrusted to you? Who would want it and how at risk is that? You know, from there, I start asking, OK, so have you done a recent security assessment? Have you put that, you know, bad hacker hat on or had somebody else do that and go through your network and where you’re storing data and what you’re doing and who your employees are? Have you hired somebody to test your defenses? Those kind of people are fascinating to talk to because they wear those hats a lot.

[00:15:34] Marlene Gebauer: They see everything, I bet.

[00:15:36] Steve Black: They see it well. And it’s fun to follow them through because, you know, the old adage that if you have a clipboard, you can get in anywhere. And, you know, does your organization have an incident response plan? Are you planning for something bad and have you practiced it? If you have multiple offices, did they all respond the same and were the efforts coordinated? Frequently, if I were looking at taking down an organization, I would look for the weak link. So I’m looking for which of your offices is not as sophisticated or is there somebody there that I can develop a relationship with and get insider information without having to do a whole lot of effort? And do you have a crisis communication plan? Sometimes the worst thing is to have everybody on the evening news. You know, I definitely don’t want that. So for those of us who live where natural disasters can occur, we ask the same questions, right? Do you have anything prepared? Have you practiced? Does everyone know what to do? And does your team know what to look for? Sometimes when we tell people, OK, so if you see something, report it, you know, teams are like, OK, so what is it that I’m looking for exactly? What does a phishing email look like?

[00:16:46] Marlene Gebauer: And there’s got to be education programs in place to make people aware of, you know, like you said, what to look for.

[00:16:52] Steve Black: I think that’s really the case. So, you know, if my firm represents clients in mergers or in certain industries like health care that are sensitive, am I asking the right questions? There’s nothing worse than not knowing or, you know, asking a question but not getting the information back that I need to make a decision to help that client.

[00:17:12] Greg Lambert: Yeah.

[00:17:13] Marlene Gebauer: All right. So this is this is a pet question of mine, just because I think in all of our firms, we talk about this all the time and it just seems that we just go in circles all the time about it. There’s a debate about whether it is safer to put data in the cloud or behind the firewall at law firms. So what’s your take on it?

[00:17:34] Steve Black: So is this a question I can win by getting the right answer? Sure. Maybe.

[00:17:40] Greg Lambert: Depends on your answer.

[00:17:41] Steve Black: OK, so here’s my lawyer answer. It depends on the cloud provider and the firm. Law firms collect and store a lot of valuable information, and that makes them an attractive target, just like hospitals and schools and other types of businesses. So I would start by asking how secure is the law firm that we’re talking about? Because I have affiliations with red teams whose job it is to assess how easy it is to breach your firm. You know, have you hardened your defenses? Are your employees trained? Are your employees happy? Unhappy employees? That’s great. That’s a sandbox I love to play in.

[00:18:20] Marlene Gebauer: Right. Yeah.

[00:18:21] Steve Black: Theoretically, of course.

[00:18:24] Marlene Gebauer: Everything is theoretically here.

[00:18:26] Steve Black: But, you know, if some of those answers are not the good answers, then your firm network may not be a safe place at all. On the other hand, if we’re going to the cloud, you know, we have all kinds of issues. The GDPR and the California CPA have new rights about being forgotten, and it’s easier to delete information if I’ve got it here. If I’ve put it with somebody else in the cloud, I don’t know how many servers that information may be stored on or backed up on. And so working with a vendor to say, have you really deleted this in every location is a tough question.

[00:19:03] Marlene Gebauer: But whose responsibility is it then? I mean, is it the employer who has sort of gone through all of the necessary steps? Or is it, you know, the Internet provider that is responsible if they haven’t done it?

[00:19:19] Steve Black: Yeah. My short answer is that the person who’s the lawyer is always responsible, because that’s just how it is. I read all of those, you know, the disbarment and the discipline actions.

[00:19:32] Marlene Gebauer: If you’re a lawyer, it stops with you.

[00:19:35] Steve Black: So if you are the responsible party and, you know, if we take a look at what the ABA has been doing with the model rules of professional responsibility and dealing with tech competence, I think that’s the direction they’re going to. You can’t hope to shift responsibility to a vendor or a third party or a cloud provider. I think the answer that I’ve been hearing from everyone is no, it really is. If you are the person who’s being entrusted with data, you need to be cognizant of what everyone else is doing with that if you put it somewhere else, which can be tough because then, you know, I have to have conversations with vendors about, OK, so where are you storing that? And, you know, don’t go into too many details for me, but keep it simple. But tell me where this is located physically. And, you know, how are your defenses and are you compliant and are you sharing this with anybody or, you know, are your employees happy?

[00:20:35] Greg Lambert: Yeah. What are some of your best practices on preventing either accidental or intentional release of client information to, I guess, in this case, to the cloud provider?

[00:20:49] Steve Black: Yeah. I have a friend who tells a story about flying next to a professional and the professional had a smartphone. And during the flight, the professional drifted off to sleep but left the phone on the tray table.

[00:21:03] Greg Lambert: What could go wrong?

[00:21:04] Steve Black: What could go wrong? Right. And so my friend asked, how tempting would it be to lift or clone the information off that phone? And, you know, without disclosing the make of the phone, it was one of those that if you touch that phone to another phone of the same make, they pair like magic and suddenly you had all this information. You know, if you are a professional and you have contacts and you have documents or you have phone numbers or you have passwords on your phone or your device, and you just leave it out there for anyone to take, that’s kind of an interesting question if you start, you know, if you’re kind of security conscious. So if you’re serious about accidental disclosure of data, I think you really have to start thinking like a hacker. You know, again, do you know where your data is? I asked that question to a lot of people and they’re like, oh, yeah, I’m sure this is where it is. And I’m like, okay, but what about this? And they’re like, oh, did we have to worry about that, too?

[00:22:01] Greg Lambert: Well, not that data.

[00:22:02] Steve Black: Not that data. You know, where’s your financial data stored? Where’s your employee data stored? You know, if you’re an IP firm, where are, you know, all those discussion notes about what the technology was and as you were drafting the patent claims, you know, all that stuff. Where have you left that? Because, you know, again, as the evil hacker, if I’m looking at it, it may be harder for me to breach a research document. It may be easier for me to breach a research lab. It may be easier for me to breach a law firm. And I get the same information either way. So if I’m serious about it, am I tagging the data so that everybody knows that this data is special, this data is sensitive and needs to be handled with care? Because, again, negligence starts with a duty and, you know, somebody just has to ignore the duty once and then we’re in a world of hurt.

[00:22:55] Marlene Gebauer: So what do firms need to be aware of when entering into a contract with cloud providers, such as data portability and destruction in the event the contract is terminated?

[00:23:08] Steve Black: Yeah, I was thinking about the last part of that. You know, what happens when a vendor goes out of business or the contract is terminated or the vendor’s located in an area of the world that experiences political instability? I used to have that discussion a lot with IP firms that were dealing with international patents and copyrights and things. And they said, yeah, there’s no problem with, you know, putting our design information in this country. I said, until there’s a coup.

[00:23:36] Greg Lambert: There’s no problem until there is a problem.

[00:23:38] Marlene Gebauer: Right.

[00:23:39] Steve Black: Maybe that’s our T-shirt, right? No problem until there’s a coup.

[00:23:43] Marlene Gebauer: I like it.

[00:23:44] Steve Black: I would come back to what I said before. I think the first thing that you need to remember is that you are the responsible party. You just can’t expect to shift responsibility to a provider. And so you should plan on doing a security assessment of, if I’m moving or placing or storing data in the cloud, where is that actually? I mean, the cloud sounds nice, but when it comes right down to it, all you’re doing is just moving it to somebody else’s server located somewhere. And you’re having them manage it. And that can be a great thing to do, but you need to do your own internal due diligence before you say, yep, this is going to be a great idea for us. I work in higher ed, and so the Higher Ed InfoSec Council has put together a tool called the Higher Education Community Vendor Assessment Toolkit, or HECVAT. Basically, right, for acronym’s sake.

[00:24:37] Greg Lambert: They need to work on that one.

[00:24:38] Steve Black: Yeah, yeah. I’ll let them know. Basically, what it is, it’s a questionnaire like all the other questionnaires that they submit. And the nice thing about it is it’s been streamlined for all the higher ed providers. So, if I’m a vendor dealing with a higher ed client, I only need to answer that questionnaire once, go through that vetting process once. And part of the difficulty that the vendors are having right now is that every client has their own 150 question, you know, set of questions that they need to have answered. And it’s just, it’s taking them a lot of time to go through that to say, yes, we’re really compliant, and we understand California CPA, so we’re really doing our steps to make sure that your data is safe. But there are some vendors out there that are not, because, you know, when you’re dealing with technology, sometimes you’re dealing with startups, and, you know, sometimes corners are cut, and I would just want to know. So, if I were developing a new set of questionnaires for my firm or for my clients, I may take a look at some of the industry groups that have already cut through those paths and thought about that. And then the last thing I would say is, you know, I’d ask my vendors, and then I would test. Part of my security duties is testing whether or not that data is secure and whether it has been deleted or it has been handled properly. I just can’t, you know, set it and forget it. That’s a really bad thing to do with data.

[00:26:00] Marlene Gebauer: Yeah, it’s interesting because, you know, there are technology standards that, you know, are kind of across the board that, you know, firms want their vendors to satisfy, but it seems a lot of the requirements are also driven by clients, which, of course, can vary from firm to firm, right?

[00:26:18] Steve Black: Yes, yeah. And, you know, part of that makes it difficult if I don’t fully understand what my clients’ needs are, and then part of it is, you know, am I the broker then that’s trying to make sure that the data is handled properly in all cases? And in some cases, I would guess that would mean that I don’t use the normal place that I’m storing data. I may have a filing cabinet in my office for normal information, but if it’s really special, I may have a fireproof fire cabinet, or I may have off-site storage.

[00:26:51] Marlene Gebauer: So, what do you say to folks when they say, well, look, you know, our clients are all putting their data in the cloud. You know, why can’t we put data in the cloud?

[00:27:01] Steve Black: You know, it’s a great thought. I think the first part is because, you know, the short answer is you’re a fiduciary. And if you are entrusted with data right now, it is, you know, the law has this pendulum effect where we discover a new problem, and then everybody rushes in to fix the problem. The pendulum goes way up on one side. Sometimes the fixes are over the top, and I would say right now one of the complaints is that there’s so much regulation going on that business is finding it hard to keep up. And I have a lot of people who ask me, okay, let’s talk about California’s regulation. Do we need to be compliant today? Because we don’t know what that is, so what happens if we wait? And that happens when we get a lot of regulation. I think what we will see is that the pendulum will start to come down as we figure out what we really need to do with some of the data. And not all data is created equal. You know, some data I just really don’t care about. It’s not all that sensitive. But if I had a high-profile client that had sensitive skeletons in their closet, I would treat that with more care than I would the fact of what I had for lunch today.

[00:28:33] Greg Lambert: One of the things that I think has helped us is we’ve had clients that have come in and have done tests of our system, but also insurance companies are requiring a lot more action. Are there any types of regulations or actions from clients or insurance companies that are really helping move us forward?

[00:29:01] Steve Black: You know, the insurance companies, some of them jumped in really quite early. What I would say is right now it’s a moving target. The ones that jumped in early quickly discovered that the risks got much higher than their models predicted. And so recently I have seen insurers claiming war exclusion clauses when one of their insureds is targeted by a national actor. And now the government comes back really quickly and says, that was not an act of war. That’s for political reasons, I get that. But the insurance company is saying, listen, if it’s a national actor, we’re not responsible. And I’ve seen them do, there are all kinds of other issues that have been popping up with cyber insurance. Another interesting one is the choice of breach consultant. So some insurers have said, listen, we need to get a handle on this, so we’re going to require you to use our consultants. So you may have a firm or a company that has existing relationships with vendors or with an outside breach consultant. And then when they actually read the insurance document, they discover that they need to bring somebody new on board. And I’ve heard complaints that it’s taken weeks contacting and getting a new consultant up to speed in the middle of an ongoing breach. So insurance is just interesting. Whether or not you buy into the cyber insurance scheme right now, I think there are just some things that make sense for everybody. You know, if you’re maintaining and patching your software, if you’re keeping your hardware up to date, if you are diligent with your employee and vendor training, you know, some of the insurance policies, if the vendor causes or allows a breach, or an incident, then that can negate coverage. And again, that’s tough, because you have no direct control there. But, you know, being on top of what the vendors do or don’t do can help in maintaining that insurance coverage. And then just developing and maintaining a culture of security. It’s a different way of thinking about it.

[00:31:22] Marlene Gebauer: Yeah, and it’s hard. Again, change is hard. To get people to say, okay, you know, we have to do these extra things. But if there is a data breach, you know, what sort of liability and damage numbers are we really looking at?

[00:31:45] Steve Black: That’s a great question. I was just thinking about the email and DLA Piper, their security team in the UK caught the breach within 20 minutes. And still, it took them 150 or 15,000 hours of overtime to start restoring their email servers, which meant that email was down for a week. Now, I don’t know how to quantify, I mean, I guess I could write, but how do you quantify, for a 4,000-person law firm, that email is gone for a week?

[00:32:28] Marlene Gebauer: High numbers, yes.

[00:32:29] Steve Black: High numbers, but the interesting thing is, you know, liability and damages come in a lot of forms. And sometimes we’re so focused on litigation awards or penalties that, you know, we forget that a drop in stock value, or bad publicity, or, you know, if I have forced resignations, that that’s going to disrupt business operations, or the loss of public trust, are all consequences related to a breach. And we really don’t quantify a lot of times the cost of doing something like that. Cyber forensics, or shoring up incident response plans, or doing new threat detection, or just the fact that my employees now have bad morale because we’ve been breached, you know, those are all costs, too. But everyone likes to hear about numbers. So, you know, you could start with some of the fines coming out of the EU. So, Marriott had a 123 million euro fine for its Starwood merger breach. Also in the UK, British Airways had a 204 million euro penalty due to their exposing client information. And then France fined Google 50 million euros. Those are all big numbers that are penalties. If you turn to settlements, everyone likes to point to Equifax, where the agreement was that they would initially pay $575 million, 300 million of which would go into a fund, but it could go all the way up to 700 million. Those are not small numbers. And it’s interesting because as you start looking at those, the fines go all the way down to about 1,000 euros, depending on, I just read one today about a company who had put one of their employees’ Facebook pictures up. And that employee complained, and so it was a $1,000 penalty. So you get this wide range of what can happen, but there are a lot of costs that can be associated with that.

[00:34:23] Marlene Gebauer: Some of these might be small, but it’s interesting, I mean, if they’re a reoccurring thing, like if they were putting a bunch of people’s pictures on Facebook, it’s kind of like Monopoly when you’re going around and you land on somebody’s space over and over and over again that has got a station on it. And you’re getting hit for a lot of money each time, each time, and it really adds up.

[00:34:45] Steve Black: I hate that. I really hate that in Monopoly.

[00:34:49] Greg Lambert: I just hate Monopoly.

[00:34:51] Steve Black: And I think that’s the worry with the California CPA is that final regulations have not come out and they’re expected in June. But in other regulatory matters, the AG has said, we’re not looking in the aggregate. We can look at every individual record as a separate breach. And so those penalties can really hit big numbers quickly.

[00:35:13] Marlene Gebauer: OK, so I want to wrap it up and bring it back to an area that Greg and I work a lot in, and that’s automation of process. That seems to be something that the legal industry is quite enamored with lately. But are we putting ourselves more at a risk for attack if we do this? Are we going to even know that it happened or it happens too quickly for us to even notice? How would it happen and what could we do to prevent it?

[00:35:47] Steve Black: So there was a survey that crossed my desk recently. There were 120 security professionals, and they were asked if they knew how to deal with a breach from beginning to end. And zero of them said yes. So the authors went on to say that maybe we need automation and AI to help us deal with threats, which I think is a wonderful suggestion. But again, rule 1.1 requires us to maintain competency, including technical competency. And so if we automate something, whether that’s document assembly or contract review or threat processing or even driving my car, somebody has to know what’s going on. And if somebody doesn’t know what’s going on, then that automation can itself become a point of attack. So if I only have one person in my firm or one person in my organization that knows how to automate and runs the automation and there’s no accountability, then that person becomes a very weak link if they decide to turn the automation into a weapon or start siphoning off data or doing any of those other types of things. So in terms of having somebody know what’s going on, you know, that could be like, you know, somebody like me and my team come out and we do assessments about the automation and what it exposes, and then lots of training and lots of questions. I talk with banks about this and governments and schools and law firms. It may involve a round of hiring tech-savvy lawyers or law librarians because, you know, as a group, these are the tech-savvy, interesting people. But then again, you know, if you’re looking at breaches and fraud, you look for, okay, so have I separated the job duties out? If we’re automating something and nobody’s watching what’s happening, you know, that’s just like money leaving the building.

[00:37:44] Greg Lambert: Well, Steve, I can, again, see why your wife tells you not to talk about your job at these things. But hey, I will tell you what, the next party I have, I’m definitely bringing you along. But we’re going to have to work on a story. So do you have any type of story of an interesting cybersecurity breach that you can share with us?

[00:38:08] Steve Black: Absolutely. Well, let’s see. So, I had looked at the DLA Piper one. I think one of my favorites – that’s an awful way to phrase that, right? Here’s my favorite breach.

[00:38:20] Greg Lambert: That’s how you tell it at the party.

[00:38:22] Steve Black: In 2009, the FBI came to Coca-Cola. And Coca-Cola had been trying to acquire a Chinese beverage company for $2.4 billion, that’s a billion with a B. But their deputy president of the Pacific Group had clicked on a link in a spear phishing email. So this wasn’t just a phishing email. He was targeted. And the FBI came back later and said, you know, these are not amateur hackers that have done this. The link loaded malware, including a keylogger, which recorded all of his keystrokes. And it was just basically a recorder. And the hackers got access to everything this deputy president had. So that’s documents, emails, internal communications, timelines, schedules, travel information. The $2.4 billion deal went away. And the interesting thing about this one is that it wasn’t – there’s money involved, but the thing that was stolen was not the information to be sold. It was that the Chinese government did not want this acquisition to happen. And so people ask me, why would they take this route? And I’m like, well, you know, I’m not a member of the Communist Party, so I’m not on the inside, so I can tell you. But there’s an interesting thing about if you stop a merger with an incident versus coming out in public and saying we’re opposed to this, you get to save face. Right. And it’s an interesting thing. It’s an interesting reminder that hackers have a lot of motivations. And there’s political actors that like to discredit people or cause them to stop running or, you know, all kinds of things can happen there. There’s revenge. And so, you know, these breaches can occur for a lot of different reasons. And if we think that, hey, I just need to protect my data because, you know, it’s valuable, I may miss the strategic reasons that I’d like my business to continue in existence.

[00:40:28] Greg Lambert: Well, Professor Black, thank you very much for talking with us today. It’s been really interesting.

[00:40:34] Marlene Gebauer: This is really eye-opening. So thank you very much, Steve.

[00:40:37] Greg Lambert: And again, I’ll take you to a party if you want.

[00:40:39] Steve Black: It’s been a lot of fun. Thank you both.

[00:40:42] Greg Lambert: All right. All right, I’m telling you, I’m taking you to the next party. What could be more interesting than listening about cybersecurity?

[00:40:54] Marlene Gebauer: You know, and if we take him to the parties that we go to, people are going to actually love what he has to say. And they’re going to ask him all kinds of questions. He’s just going to be in his element. And I mean, he was, you know, he won me over immediately when he was like, yeah, you know, the librarians, you know, they’re kind of the tech-savvy people. And I’m like, yeah. Yeah, he knows his audience. Yeah, they are. He knows, he knows, he knows. So, you know, I was actually surprised where he was saying actually automation would make us more safe. I was really expecting him to say it would make us less safe. I mean, obviously we have to know.

[00:41:24] Greg Lambert: I was ready for you to pounce.

[00:41:27] Marlene Gebauer: That was nice. But that surprised me because I, you know, I would say, but I mean, he clarified it in that if you don’t know the process or what’s going on, it can be very dangerous. And I do think that firms are really in a position where they have to pay attention to that because, I mean, you know, you don’t have like a giant team of people that’s dedicated to this. You usually have a few people that handle this type of stuff.

[00:41:57] Greg Lambert: Yeah, and it’s just a constant threat. I mean, from low level to high level. And it’s always changing. And of course, the biggest vulnerability is our people.

[00:42:08] Marlene Gebauer: Dark music.

[00:42:11] Greg Lambert: Dark music.

[00:42:13] Marlene Gebauer: Before we go, we want to remind listeners to take the time to subscribe on Apple Podcasts, Spotify, or wherever you listen to your podcasts. Rate and review us as well. If you have comments about today’s show or suggestions for a future show, you can reach us on Twitter at @gebauerm or @glambert, or you can call The Geek in Review hotline at 713-487-7270 or email us at geekinreviewpodcast@gmail.com.

[00:42:43] Greg Lambert: Hey, before we go, I wanted to give a quick shout out to Joel Lytle, who is my security guy here at Jackson Walker, because he helped me ask a couple of these questions that we had. So thanks, Joel.

[00:42:55] Marlene Gebauer: And as always, the music you hear is from Jerry David DeCicca. Thanks, Jerry.

[00:42:59] Greg Lambert: Thanks, Jerry. All right, Marlene, I’m going to go check in for my flight.

[00:43:03] Marlene Gebauer: All right, safe travels, Greg.

[00:43:05] Greg Lambert: Bye. Bye.

[00:43:07] Steve Black: Don’t have to go too far. From the salt of the earth on the way to a hearse at the Devil’s Backbone Bar. Hey, hey, don’t take me away. I can walk home by the North Star. But I fail to notice that it’s still daylight at the Devil’s Backbone Bar. At the Devil’s Backbone Bar. At the Devil’s Backbone Bar. Devil’s Backbone Bar.