Jamey Davidson, Partner at international law firm O’Hagan Meyer (https://ohaganmeyer.com). Jamey concentrates on top ways to reduce risk in cyber breach litigation, defending businesses in cyber breach class-action law suits and how to build defenses to reduce cyber breach liability.
We discuss:
· How Cyber Breach Litigation Works
· Why Security Layers Help Defend Against Law Suits
· How Cyber Breach Liability Can Destroy Business
· How To Reduce Your Cyber Breach Liability
Try KiteWorks today at www.KiteWorks.com
Don't Miss our Video on this Exciting KiteWorks Offer!
Try KiteWorks today at www.KiteWorks.com
Don't miss this Video on it!
The Most Secure Managed File Transfer System.
Jamey Davidson, Partner at international law firm O’Hagan Meyer (https://ohaganmeyer.com). Jamey concentrates on top ways to reduce risk in cyber breach litigation, defending businesses in cyber breach class-action law suits and how to build defenses to reduce cyber breach liability.
We discuss:
· How Cyber Breach Litigation Works
· Why Security Layers Help Defend Against Law Suits
· How Cyber Breach Liability Can Destroy Business
· How To Reduce Your Cyber Breach Liability
Try KiteWorks today at www.KiteWorks.com
Don't Miss our Video on this Exciting KiteWorks Offer!
Try KiteWorks today at www.KiteWorks.com
Don't miss this Video on it!
The Most Secure Managed File Transfer System.
Top Ways to Reduce Risk in Cyber Breach Litigation
Jamey Davidson, Partner at international law firm O’Hagan Meyer (https://ohaganmeyer.com). Jamey concentrates on top ways to reduce risk in cyber breach litigation, defending businesses in cyber breach class-action law suits and how to build defenses to reduce cyber breach liability.
We discuss:
• How Cyber Breach Litigation Works
• Why Security Layers Help Defend Against Law Suits
• How Cyber Breach Liability Can Destroy Business
• How To Reduce Your Cyber Breach Liability
TAGS:
top ways to reduce risk in cyber breach litigation, how to build defenses to reduce cyber breach liability, how cyber breach liability can destroy business, how cyber breach litigation works, why security layers help defend against law suits, how to reduce cyber breach liability,
how cyber breach liability works, how to lower risk from cyber breach liability , , how law suits follow after cyber attacks, how law suits follow after data breaches, types of law suits following data breaches, types of law suits that come from data breaches, why law suits happen after data breaches, how legal system works after data breaches, why security prevention helps you defend against data breach law suits,
cyber breach litigation discovery process , new ways to reduce your cyber breach liability, how to reduce your cyber breach liability, new ways to build defenses to reduce cyber breach liability , law suits from cyber attacks, understanding law suits after data breach, how lawsuits follow after cyber attacks ways to defend against data breach law suits, how to defend against data breach law suits
Chapters
00:00 The Legal Consequences of Cyber Attacks
08:11 Ransomware and Business Email Compromises
16:26 The Role of Cyber Insurance Carriers
31:17 The Fight Lies in Negligence
38:33 Investigation and Remediation of Data Breaches
45:21 Importance of Employee Training
52:59 Real-Time Detection of Threats
59:41 Dino Mauro's Journey into Cybersecurity Law
Dino Mauro (00:01.646)
Have you ever wondered what happens after a cyber attack? When plaintiff lawyers release their attack dogs against you and your organization, it doesn't matter where you are, how small your organization is or what industry you're in. The lawsuits are coming. Did you ever consider who's going to defend your organization in court at trial? Ever consider what is going to be needed from you to show your affirmative defenses.
to demonstrate that your organization didn't violate any statutes or regulations or even mere negligence. Ever wonder who arranges to negotiate with foreign cyber crime gangs or negotiate a ransom and those demands so that you can get back online and get back to work. It's extremely emotional. It affects people's mental and physical health, not to mention their long -term and short -term financial status. Today, we sit down with Jamie Davidson, a partner with the international law firm O 'Hagan Meyer.
Jamie and his team focus exclusively on defending organizations and leaders when they suffer cyber attacks. He explains how lawsuits are brought. He shows how auditors, technical teams, and law enforcement are engaged. He describes for you the inner workings of a lawsuit life cycle, like the intense depositions, investigations, and all the effort made to keep your organization's reputation from being destroyed. This is the story of Jamie Davidson and top ways to reduce risk.
in cyber breach litigation. Come join us as we dive deeper behind the scenes of security and cyber crime today, interviewing top technology leaders from around the world and sharing true cyber crime stories to raise awareness from the creators of Vigilance, the newest global technology newsletter, translating cyber news into business language we all understand.
So please help us keep this going by subscribing for free to our YouTube channel and downloading our podcast episodes on Apple and Spotify so we can continue to bring you more of what matters. This is Cybercrime Junkies, and now the show.
Dino Mauro (02:20.238)
Welcome everybody to cyber crime junkies. I am your host David Morrow and in this studio today is my fantabulous positive cohost, Mark Mosher. Mark, how are you, sir?
I'm doing wonderful, David. Thank you for that illustrious introduction. It is from my new app. It's the insincere things to say to coworkers. You know, I may need to get that on a loop so I can do that on every Zoom meeting I get on and just have myself introduced to the group. It's going to work, man. Well, David, we've got a great episode today. We've got an exciting guest with us. Tell us who's in the studio today. Yes, clearly we're not going to be the smartest ones in the room, which is...
rate as usual. It's always the way it is. Usually always the way it is. So we're joined by Jimmy Davidson. He's a cybersecurity attorney. He's a partner with the Chicago office of O 'Hagan Meyer and is chair of the firm's data privacy and cybersecurity practice. He serves as breach counsel to companies of all sizes. And he's really seen it all. When you think of data security incidents, network intrusions, data theft events,
fraudulent funds transfers and theft. We talk about this stuff all the time on the podcast. Ransomware attacks. We've heard of those. Jamie, welcome sir. Thank you so much for spending time with us today. Yeah, thanks for having me. It's great. Now we're really excited. So one of the things I, we have a whole host of things, topics that we want to get to. But one of the things I found really interesting, your firm has a phenomenal reputation in this, in this field.
Um, one of the, one of the cutting edge firms, uh, what, you know, you guys actually have a 24 seven, like incident response hotline. Um, can you just share with us, like, when did you guys first roll that out and, and, and how does that work? Yeah. So we had that hotline for seven or eight years now. And the way that we, the way it first started is, um, for some cyber risk insurance products, our firm became.
Dino Mauro (04:26.958)
we decided to have a little different model. The insurance company puts this on how to roll different model there instead of getting an actual claims handler from inside an insurance company that they wanted an attorney answering the phone. So you could, you know, cause sometimes the triage advice, those first few seconds are important to, you know, if the house is on fire, at least put it out before the investigation starts. Right. And so that's kind of how we got started with that. And then we just kept the hotline is our practice expanded.
and to actually be, you know, breach coach and privacy counsel. We continue to operate the hotline that way. And just that way that people know, you know, we become part of their incident response plan. And they know that as soon as something is, they see something suspicious or something's happened, they know where to call. And, and we always have it, always have the phone on one of the members of our team 24 seven. And we, you know, as you know,
criminals love the weekend and after hours. So that's why it's important. Yeah. And holidays, right? Holidays. It's always like holidays. 100%. Yeah. So - Going back seven or eight years, that's really leading edge. That's kind of forward thinking. If you think back then, these conversations weren't really taking place that much. So the fact you guys came out with the hotline that far back, I think that's - Right. We were dealing with -
$2 ,500 ransom demands and some of that back in what now we would call the good old days. Right. And so yeah, from the beginning, I think everyone kind of knows that when it really turned from that to something different for us anyway was the pandemic. Yeah, absolutely. And that hotline just started lighting up.
Unbelievable. So you used a couple of phrases I want to dig a little deeper, like breach coach. You mentioned breach coach and then privacy counsel. Could you elaborate on what do you mean by breach coach? I use those terms sometimes sort of interchangeably. A lot of times, I think sometimes the advice that we get spans both legal and practical. A lot of times clients, especially when something
Dino Mauro (06:43.534)
has occurred, whether it be an email compromise or ants more attack, one of the first things that they want to do is tell everyone or tell someone or who should we tell? What should we do? And so one of our, one of the biggest things that I think, you know, that we pride ourselves on is getting everyone to kind of take a step back. And so we, you know, our legal role is to tell them, you know, do they have notice obligations? You know, who, who must they tell the States, the individuals? And we also maintain the attorney client privilege.
And we'll go out and hire other professionals. You know, you know so well, the forensic IT firms, public relations firms. And so, you know, one of the reasons why I like the term coach sometimes or, you know, almost like the quarterback is you're not just being the attorney or you're kind of spearheading the response team. And so everyone's reporting to you on those aspects and putting the team together from the internal IT to the external forensics.
And so I think that's why the term coach has kind of gotten a lot of, I've gotten a lot of play in the last few years. Yeah, that's very fitting. Yeah. It really makes sense. So the types of cyber attacks that you and your team see, can you just from a high level explain kind of what you're seeing on a regular basis? I mean, I think, you know,
The everyone wants to talk about ransomware and we see plenty of ransomware attacks. And, you know, as you probably talked about this on your, on your pod before, you know, that, that ransomware, the, the concerns have sort of changed over the years. Originally, everyone thought of ransomware as just locking down and encrypting your files so you can't access it. Well, now it seems that the bigger concern, you know, really sort of transform a few years ago.
was not just the attempted encryption. Some of the criminals don't even attempt that anymore. It's using the tool to steal and as we call it, exfiltrate data. Yeah. Yeah. I mean, several people have used the phrase extortion as a service. Like leveraging a ransomware tool set, but it's really extortion as a service. Yeah, exactly. And so we see...
Dino Mauro (09:09.742)
deal with that obviously a lot. Business email compromises are always going to be a continuing issue. And you know, they're multiple. Yeah. Let me talk about that. Just for some of the listeners, may not tell. That's really common. That's really common and it's very effective. We see that a lot. Really common. So, you know, for a business email compromise, someone, a criminal finds a way into your email account. You know, most of the time, Office 365, and we say business because it's usually business, not your personal Yahoo account.
And the reason, you know, there's many reasons for that. Again, you have the data theft that's taking out of the data from that inbox. But another thing too, I mean, one of the leading reasons for that is, you know, a secondary scheme, such as a fraudulent funds transfer, right? They'll try and manipulate contacts that you have to wire money, you know, making them think it's you or making you think someone is emailing you that you owe money to.
And so the business email compromises has a lot to it, not just the, you know, okay, what's in there? Is there confidential information in there? Is there personal health information is there, is there that I have to tell people about, but also why is the access gained in the first place? And that might be to try to leverage fraudulent funds transfers. Right? Yep. Absolutely. We we've seen it in situations too, where someone in leadership at an organization is say, speaking at a large convention and it's coming up and that's all over social media.
Well, they know that. And if they're able to compromise that account, right, they might've been, they might've compromised the economy and have just been spying on it. And they know they see them going. And then while they're there, they'll be like, Hey, I'm over here just about to go on, you know, Oh, you know, I've, I've forgot to get this vendor paid. Could you please do this? I'll circle back with you tomorrow using the language that they'll do. It's a pretty effective social engineering tactic. It's really effective. And.
You know, I've had a lot of clients and a lot of people I've consulted in the past say, well, how did they, how did they know this information? You know, this had to come from within. And I was like, well, I'm on your LinkedIn page right now. And it tells me you're speaking in North Carolina, right today. So, you know, it doesn't have to, you know, that information is publicly available, you know, whatever you put out on your social media, your whereabouts, your role, your title in the company. It's, it's available on, on, on basic websites.
Dino Mauro (11:39.246)
You know, that's such a case now. And it's almost, we refer to it and I'm seeing more and more people refer to it in what to do in case of an event, right? It's not just the ransomware anymore. David, you and I spoke to that regional bank about two weeks ago. Unfortunately, it was right on boom. It was post -event, but they went in, they went straight to the active directory. They found HR. They went in and found one of the least tenured individuals,
in the accounting department and did a fraudulent wire transfer request and she didn't know the process and so she did it and it started out, it was seven figures. They were able to recover a lot, but that was within a 90 minute window. Like they didn't plan on ransom wearing anybody. They weren't even gonna exfiltrate. They knew exactly what to do, where to go and how to do it. So yeah, it's amazing the speed at which they operate now too. Yeah, you know, it's professionals, you know, that's what their profession is.
and they're oftentimes supported by powerful governments or in other entities. And that's their job is to pull these off. And it's, it can, it really, I think one of the ear points is going to be on this podcast. It can really happen to anyone, any size of business, large, small across various and every instance and every profession. Yep.
Well, in the legal context too, the way I like to, the way I'm evolving and looking at this is it's going to happen. And when it does, they're not all created the same. Like the, like the, the ramifications of a data breach or an event, some like it's going to shine a light on your organization or what your organization is doing. And it's either going to show.
And tell me what you think about this, but it's either going to show, look, they were doing best practices and this group was just persistent and they got through, but they triaged and they handled it. They were prepared and yeah, it's going to hurt, but they're going to recover as opposed to it shines a light on it. And they really were negligent. They really were not doing the best practices you get. It exposes all of these issues. What is, is that something?
Dino Mauro (13:59.246)
Like, are you seeing kind of both ends of the spectrum there? Definitely. And one of the reasons why, you know, that I always think of her like this is that I think of prevention and response as a whole. Right. Because like you said, you can use every preventative measure that you can and someone can still pull off a pretty major security event. And so when you look at prevention and response,
and mitigation as one package, right? You know, and one of the best ways that I can put it is that you can take all the steps you want to prevent a ransomware attack. And, you know, a criminal, we call them threat actors can still get into your network. Well, what we're seeing a lot more now than we saw four or five years ago is we oftentimes don't have the need to pay for that encryption tool because companies have learned,
about better backup solutions, right? AirGap cloud -based backup. So the event still occurred, but the fallout was not nearly as great. And those companies that maybe have an endpoint detection, right? That detect the movement quicker in the network, maybe they can stop it before the data is pulled out. And so when you look at all these,
preventative tools, whether it be education of employees, whether it be, you know, a biannual look under the hood of your IT practices, whatever those practices are that you're employing, you know, you're putting together your incident response plan, making sure you know who the contacts are, looking at it as, okay, we're not just trying to prevent this, but in the event that something happens, we're gonna make the ramifications and the fallout, you know, as manageable.
and is least harmful to our business and our clients as possible. And so we look at it from preventing all the way through rectifying an event that occurs. Right. Yeah. Absolutely. And then the consequences of it, how severe it is depends on how much you focus on prevention. Yeah. You know what? I also think it's really interesting. You know, because of my role,
Dino Mauro (16:26.99)
Obviously cyber risk insurance and cyber insurance is something that is sort of near and dear to me and in my practice that, you know, they have to think about daily. But I think that this industry has put more effort into preventative, like, you know, most of the times, all right, you get an insurance policy, let's just, you know, if something bad happens, we gotcha. But the insurance carriers and, and the, their, their companies have taken much more.
of a proactive role. It's like a healthcare company paying for wellness business, or a healthcare company paying for a gym membership. Great analogy. And these carriers have woken up and said, look, in the end, we're going to focus more than any other type of industry on preventing and making again that holistic approach, right? Prevention and if something happens, mitigating. Yeah. So,
It's been really interesting to see over the last few years how that involvement has occurred and how much resources companies like that have put into helping people prevent the event in the first place. Amazing. Look at the applications. I mean, years ago it was one page. It's really a best practice in industry standards and cybersecurity practices that you've got to be able to check each box just to get that application process right. I work with a company that
through their underwriting process, they use a technology vendor and what they do is they go through and they not only, hey, do you have multifactor authentication? They test it. And if they don't test it and if it doesn't pass muster, then they don't get that checkbox. And so they can still get the insurance, but it's going to be more because they have that problem. Right. Or lower limits or something like that. Yeah. But.
will help you fix it, right? And then the limits are gonna go up and the premium is gonna go down. And so again, that is just the whole idea of this industry taking the whole concept that it's not just about, all right, remitting a breach and responding to a breach. It's about what steps can you take to prevent it? What steps can you take in advance to make the fallout?
Dino Mauro (18:49.998)
you know, as little as possible on the outside. And so it's a perfect example, Mark. What can you tell us about the threat actors? One thing that always seems to surprise people is that it's generally not illegal in the regions of the world where they live, or it's at least not prosecuted, meaning like, let's say ransomware group is located in a portion of Russia, so long as they don't attack.
CIS countries, right, then no one's going to bother them generally. What can you share with us about in your investigations, what you're seeing about who these groups are, who these people are? Well, I think one of the things to understand is it's not just that it's not potentially illegal where they're operating, is that, you know, our government has worked diligently to find out that they're being funded in Harvard. Right. Yeah.
by countries. And, you know, my attitude over this these last few years of it's a form of warfare, right? Absolutely. You attack infrastructure, you attack healthcare, right? These aren't, these industries aren't by accident, right? I was at a conference last month and a statistic was put to me that at a hospital, the mortality rate
six months, six weeks after a ransomware attack, it's a 30 % higher mortality rate. Wow. Right? Because they can't access data. Yeah, they can't access data. It used to be the nurse or the doctor would have everything on a physical chart and be able to go, well, we can't prescribe this medication because it would counteract with what they're taking. When someone's unconscious or they don't remember or they don't know the dosage they're on or whatever, right? And they can't access that prior data, there's issues.
Then also one small example, right? Well, also you have situations where if, depending upon what machines are affected, you can't take somebody to emergency room and depending on where you're at, you are in the country, the next one might be 30 minutes away. Right. Exactly. And so we've seen that. Yeah. Right. And so I, I, that my best comment on the threat actor groups, what I can say is, is that going beyond it, not being illegal, like,
Dino Mauro (21:15.63)
countries, nation states, like harboring and probably taking the profits, right? Getting a monetary kickback, right? To allow this to occur and getting protection during investigations. And you know, we have, we have the OFAC sanctions list here. I was just about to say, doesn't that tie to the issue of what if they are, if, if the investigation ties them to a country that we are not allowed to pay, right? Like,
So do you guys get involved in evaluating whether OFAC could potentially be involved or risk involved there? There's been a few instances where the OFAC sanctions list and there are also other sanctions lists that are European, British that we'll look at as well. But the governments have identified
certain groups that either one are essentially a nation state or two are operating, are either being funded by or being sheltered by countries or groups that we consider to be terrorists. And it's...
highly frowned upon to the point of maybe being called illegal, right? To make the payments. And then if you do make a payment, you know, you can, and the Department of Justice finds out about it, you're probably going to hear from them. Right? Well, I mean, we just saw that at, uh, isn't it at Caesar's? I think it was Caesar's where the Department of Justice is now combing through that because Caesar's compared to MGM, MGM didn't pay, they fought them and,
Unfortunately for them, like during the time when they were down, you literally had thousands of people with iPhones walking, walking around videotaping. Like that's a PR nightmare, but they recovered and they stand by their decision. And in hindsight, they did the right thing. It was the hard thing, but they did it. Um, Caesar's, you know, they paid and they didn't suffer that business interruption, but now they've got the department, at least some reports indicate that the department of justice is.
Dino Mauro (23:25.134)
Like looking into that because they're like, well, who did you pay? What happened? Where'd the money go? Right? We've had those, you know, I've been involved in those types of discussions. Yeah, that's tough. Yeah. It is. And, you know. Yeah, please, please share with us your work, your returning client privilege, if anything. Yeah, yeah. Yeah, please just like, let's talk about that story. No, I'm just kidding. Right. But, you know, those just anecdotally, those can be the types of decisions that.
companies have to make. Oh yeah. It's tough. Well, let's talk about that a little. So, well, first let's, you know, we hear a lot about these, the class actions that, that spawn, you know, whenever there's tragedy, there's always some legal event that can occur on it for various reasons, right? Right. Discovery of rights that are violated, compensation that's needed for victims. There's, there's a,
bunch of very valid reasons. What are some of the legal grounds that some of the class actions are generally brought on? Good question. I mean, can they tie Rico into it for this? Is it negligence? What are some of the grounds? In my practice, I put the types of privacy class actions that I have into a few different buckets.
and how they come about. We talked about ransomware, right? Ransomware or data exfiltration. So the way that these come about in that situation is that once it's determined where the threat actor was in the network and maybe what they took out of the network, right? If there's personally identifiable information, PII or PHI in that information, you have, depending upon various laws and states, you have the responsibility to tell, you know,
government agencies, but also the individuals, right? So when these notifications go to this, whether it be attorney, the AG of a state or the Health and Human Services, and they get posted publicly, right? Plaintiffs class action firms will post on their website, if you were a member, if you receive notice of this breach, come out, talk to us, and we'll, you might be entitled to compensation, basically. And so then the,
Dino Mauro (25:48.43)
then the lawsuit is filed as a class action for that individual and for all the people who receive notices of it. Right. And, you know, we've been involved in situations where it's a seven figure notice, right. You give notice to several million people or even if you give notice to 50 ,000 people. Right. It's a big deal. And then we also do the victim company. It's got to be huge. Even if there's no lawsuit, if you're going to just offer
credit monitoring for a million people. That's right. Right. And so, well, and finding out who those million people are. Yeah. And sending out the notice, the actual cards that go out, the communications, calibrating all of that, the logistics. Mining that data, depending on how large it is, can be hundreds of thousands, if not more than a million dollars. That alone.
Just finding that out. That's before you ever get to a class section, right? Right. Before you give notice. So and then what I've also been doing a lot lately are sort of the data tracking or pixel litigation, right? So when you go to a website and there, you know, people almost expect it now that you're, you know, you'll go to a store's website and maybe you're looking to buy a new chair and all of a sudden you go to your email account and there's a banner with a bunch of new chairs that look like the one you just.
No, that never happens. That never happens. So I do a lot of the data tracking litigation as well. So there's a couple of different things that I always have to talk about. One is the various types of litigation. Those are, what is your outward facing website like? And what data are you taking? Who are you sending it to? And did you tell the people?
did you tell the individuals who visit your website you were doing? Right. So there was a couple of things. When they accept cookies, right? They just click that accept cookies. It's all good. Nobody reads the 50 pages that were written by an intelligent attorney. That's not a plate of chocolate chip coming to your front door. Right. That's right. You just gave away everything. So one of the reasons why I gave that background is to talk about some of the causes of action as claims we're seeing.
Dino Mauro (28:14.062)
So in the, you know, sort of the ransomware where you give notice to the business email compromise, where you give notice to a lot of people, good old fashioned negligence is really a lot of times what it boils down to. Really? So there's a valid cause of action just on the, because negligence is fairly easy to prove as opposed to fraud and the inducement or anything like that. So negligence around the country, you know, it's
These, one of the things about some of these lawsuits is laws still being made virtually every day. Yeah. And so negligence, so the negligence theory is that.
by either some sort of statute or by the common law, you have a duty to those people that you require them to give you their personal information or that you assume a duty once you accept it and store it and that you breach that duty. And so those lawsuits always comes down as you take reasonable steps to protect their data. Which makes it really complicated because there is no
standard necessarily, right? There is no clear delineation of a company with 100 to 500 employees, local mortgage company needs to do these 10 steps. And then you could say, ah, you didn't do eight of them. You were negligent. If there's no clear cut rules, I mean, there's best practices, there's things that people recommend, but it all kind of depends on the risk appetite. Kind of the scary part of it, David, is that,
that no matter what you do, when somebody looks at something in hindsight, always 2020, well, okay, here are the 300 things you could have did if you did 299, you should have done this one too. And so, as with anything, size of business matters, nature of business matters. If you're in the business of handling healthcare information, if you're in the business of,
Dino Mauro (30:18.958)
You know, financial industry, if you have certain compliance regulations. Yeah. Right. So if you're in, if you're in regulated industries that, you know, that have statutes talking about protecting the data, like, you know, that could be different than, than in a, in a state that's not like a manufacturing company. Exactly. But, and so that's why you look at the nature of the business, the size of the business, uh, you know, even the revenues make a big deal, right? A company that has $5 million in revenues.
can't spend $7 million in Internet security. A company that has 4 billion in revenues can spend lots of money to protect their network. And so, it's always that, in the legal field, the question of fact. And some expert will be paid to get up there and say that, no, this was deficient in these ways, and this is what you should have done. And had you done this, it would have prevented this. And then there's...
the contrary position. Like, no, you look at this, this is a regional health facility, right? You know, that has a million in revenues, it's government funded, and they're doing everything they can to help patients within 80 miles of their location. Right? They can't, you couldn't operate if they were required to do all this, this and this. And so that's, that's where the fight lies in the negligence. We see breach of contracts a lot. And we think, how can there be a contract? Yeah.
Is it like a social contract that we have? There's a couple, there's a couple of different things, a couple of theories out there that have, uh, that have sometimes passed muster again, depending upon the state, right? Where you're at. Um, but a lot of companies put, uh, internet privacy policies, right? Or, or, or they'll put, or they'll hand you policies when you, you know, somewhere or another, when you, um,
either when you do business with them. It's often over the internet, it can be commercial. And some privacy policies will say, we do not share your data. We do not do this, this and this. When in fact, you do share my data. Right. Which a lot of consumers look for before they'll do business with you. And when they see that, that's the contingent, the condition proceeding for them to do business with you. And then all of a sudden you're like, I bet you're sharing my data.
Dino Mauro (32:43.246)
Yeah, before I buy that coat online. Exactly. There's also a theory that implied contract is that you require me to give you my PII to stay at your hotel casino. I must give this information in order to stay there. And part of that deal has to be that I'm paying for you to protect my information. Right. And so, or I would have paid less had I known you weren't going to.
Well, I wouldn't have stayed at your hotel. Right. I would have gone somewhere else. Like nobody wants to do business with somebody that's going to lose your stuff. Like I don't want to fly in an airlines that's going to lose my, my luggage. I don't want to give you my credit card if I know it's going to be sold. Yeah. You're not doing it to protect information. Yeah. And then state, you know, state consumer deceptive practices act claims. Yeah. That's what I'm curious about. Yeah. Every state has like, you know,
most states anyway have a consumer fraud and deceptive practices act or whatnot that really, and even though it doesn't fit in there - That's harder to prove though, isn't it? I mean, that seems harder to prove. I think I would, as a trial lawyer, I would probably just want to go the basic negligence route. You've got a question of fact, you can get past summary judgment and get to a trial. Some deceptive practices act claims applying negligence standard.
Oh, really? Oh, yeah. Okay. Right? Because like they might be based upon negligent misrepresentations, right? We are the industry leader in data privacy and security. Yeah, exactly. And oh, I wouldn't have used you as my cloud server. I know you really aren't. That's where the marketing department needs to talk to legal upfront, right? The marketing department needs to talk to legal upfront.
Yeah. And then we also see a lot of times invasion of privacy. And, you know, when you think old school invasion of privacy, someone came into my home. Someone's looking through my window. Somebody told three million people that I have this medical condition. But now that these attorneys are trying to talk about, you know, it doesn't have to be a physical space, right?
Dino Mauro (35:09.422)
You know, you invaded this computer system that has my personal sensitive data, and now my privacy has been invaded by the fact that my private information is no longer private. And, you know, it's what's again, state to state, federal court to federal court, you might get a different answer on some of these questions. And there can be varied nuances, you know, to every jurisdiction.
You know, I have class action lawsuits from literally from New York to California and pretty much everywhere in between. And you can get a different answer on exact same set of facts. Wow. Unbelievable. Wow. A different answer down the hall. Yeah. Right. Wow. You are in Chicago. So like it's all going to be different and different sections. There's no consistency here. No, not at all. Let me ask you this. So from the human side,
What, what happens after a breach? Like what are the different entities that have to get involved? Um, how much does a, does a business owner personally have to get involved? Like when all their, we've interviewed people that have gone through attacks and you know, all of their icons turn white. There's, there's a lovely note from Russia that says, get on a tox channel. And they're like, I don't even know what that is. Right. And so who does that?
Like, can you walk us through just high level? Sure. You know, um, when we use ransomware as an example, like the first thing that's going to happen is, is someone's going to find out about it. It's going to be probably, it's either your in -house IT or your man services provider, IT company, or somebody's going to try and open up their log in and they just can't, can't everything's down. And so once that occurs and once, you know, it's usually.
confirmed by again, some sort of local IT professional. Then, and it's reported, the first people that get hired are, are an attorney, which we call privacy attorney or breach coach that they get hired one to make sure that everything to the extent that can be about the investigations privileged, right? The outset, the attorney's work, the work really is maintaining that privilege, right? That this investigation is going to be
Dino Mauro (37:37.838)
for now and hopefully later, private and privileged. And we always say to just to keep them out of the news, right? That's the whole, that's really the benefit. If you can keep it just a technical issue that can be resolved and it could still be expensive, but at least it's not reputation damaging long -term. Sure. Yeah. You know, forensic IT companies generally brought in and they'll work together with
the boots on the ground IT. So the forensics are coming in to see if there's a back door. Yeah. If they left the back door, they get back in. Yeah. Whole bunch of things. Right. Yeah. So these things kind of happen on dual tracks, the investigation of what happened, trying to remediate it. And first off, turn the harm out, make sure there's no ongoing harm. Find out how it happened, how you can prevent it in the future. While at the same time,
those usually remediation efforts going on so that the company can get to the extent it can be operational during this investigation. And then depending upon what's found, if a lot of data is at issue and you have to find out every individual's information who's involved, it's called data mining. You hire companies to find ways to get to that data and get those answers.
You'll have to give notice to these people. So you hire a company that provides notice. And generally along with that notice is an offer of credit monitoring. And those people, and we usually have a call center put up so that someone has can call in and ask and answer questions. If it is a really reported media event and you know, for certain public relations firms can get hired to put up messaging. Especially in the bigger ones where companies everyone knows about.
Um, public relations firms to usually involve the outside. And then this is all just responding to the incident itself. That's the initial triage. That's the initial triage. Yeah. And then, and then in this event, you cross your fingers and hope that one of the people that you sent the letter to doesn't find a class action lawyer and file a lawsuit. Well, there's not that many lawyers in the United States. So good. Amazing how they risk is low.
Dino Mauro (39:59.278)
It's amazing how it's the same ones all the time. Well, of course. Yes. Every time I get a, yeah, that's not even like every time I get an offer of credit monitoring, it is followed by multiple calls from trial attorneys, postcards, everything else. It's like a traffic accident, right? You just get a million. Like, I have no idea how you found me, but you found me. You found me. Yeah.
But you know, from the owner's perspective, let's say from the victim, the victim organization, some of the leaders there, like then the litigation begins, right. And then there's depositions. There's there's I mean, there's an emotional toll. Like I've we've talked to some like immediate breach respond responder to technical resources. And they said they've been on Zoom meetings with business owners that have.
They've broken down. Yeah. They've broken down crying. They've passed out. They're like, it's very emotional, isn't it? It's extremely emotional and especially depending on the type of business you're in. But you know, the way that I always think about it like this, you know, we just went through some of the things that will occur and
You have one, the emotional toll of maybe your business is not being able to operate. And I have a couple of healthcare matters going on right now for small companies, small health. And the owner was crying because they couldn't provide service. And she's like, these people need the care, right? So there can be that, or I can't let this client down. They need this by this date and I can't produce it, right? They've been my client for 30 years and I can't do it for them.
So there was that. And then you start thinking about the cost, right? And if you're a, you know, you start thinking about the cost of some of the things that I've went through, right? And you might have, say you have a million dollars in insurance coverage, something like that. That goes pretty quick, right? And most people don't realize that. Most people don't realize that. Yeah.
Dino Mauro (42:13.742)
Data mining, like I was talking about data mining, that can be a half million dollars if it's bulk data. Right. And that comes right off the coverage of that million dollars. Legal counsel, the initial triage of the technical resources, all that comes right off the top. Right. And if you're a business that does several million dollars in revenue and revenue is not profit, right? That's just right. Right.
And once these things start getting explained to you long before you ever thought of a class action, your viability as a business flashes before your eyes. Everything I've worked for, right? You know, is it going to be gone? Right. And so when I was talking about being a, you know, a breach coach, right. And it's not just all about legal advice in those I've had.
hundreds of those conversations with business owners. And, you know, hey, we're going to get you through this. And, you know, you find yourself, you know, our law firm says attorneys and counselors, and you find yourself being a counselor in that situation. And that's, you know, and people think, well, I am only a few million in revenue or 10 million, whatever it might be. It's not, I'm not who they're after. And day in and day out, it proves not to be the case.
Yeah.
It just goes to show that everybody can and is the target. And whenever you get online, you enter that world, you enter their world. There's no rules. Yeah. There is not. I mean, you know, some, some, sure. Some entities are, are some, uh, types of businesses are more prone to attack than others. We admit finance, health, law, this type of things. Um, but manufacturing, it's all, all of it.
Dino Mauro (44:11.854)
There's no one who's really immune from it. Because of some of the insurance programs that we work on where we act as the first point of contact, we've taken...
1200 calls. Wow. Yeah. And you've seen it all. And so there's nothing that can be surprising and submit. Well, it's not going to happen to this type of business. It's not going to happen. The answer is no one's. It just hasn't happened yet. Right. It hasn't happened yet. Right. Well, Jamie, thank you so much. I mean, before we wrap up, like what based on what what you've seen and like what.
types of defenses can CEOs and leaders and organizations of small mid -sized businesses, any size, like what can they think about and, and make sure that they're doing better, um, in light of what you've seen, like what are some of the best practices that somebody from your perspective? I mean, we tell them all the time and, but.
but sometimes it falls on deaf ears because they're like, oh, you're just trying to provide a security layer for them. And we're like, well, yeah, but you need this. If you don't be able to mitigate your risk, will you go with us or somebody else? Like, please do this. The way that I look at it is there's, cause people think, you know, they're business owners. Oh, I don't know anything about all this IT stuff.
I don't even understand it. I always think it's an IT problem. It's an IT problem. We've got a firewall. We're good. Yeah. Well, you know, that firewall might be good, but if your employee opens up an email and buys their credentials. Right. It's Mrs. Buttermaker over in the third floor cubicle who is an educated and great employee by the way, but she's going to let them in around all of those systems that you've invested in.
Dino Mauro (46:14.222)
Right. Always equated to the deadbolt on the front door, right? Like you've got this top of the line Stanley deadbolt and nobody can get through it. But yeah, if your crazy uncle Larry just goes and opens a door for anybody who knocks and lets them in, it doesn't matter what deadbolt you have. Doesn't matter. You know, so I look at it from my look at it. Or if you hear that every Wednesday morning, there's break -ins in your neighborhood through the
window in the laundry rooms of all these homes, but you've got this really steel Stanley door locked front door. What good is that going to do? Right. Because the MO, the modus operandi of these, of the threat actor right now is this. And so that's why you have to know about what they're doing. I look at it from a couple different ways. I, a big part of it, so that like we talked about prevention, we've talked about responding.
Right. I look at it holistically one, the, the training of the employee is just extremely important because no matter all of these technical, all these advancements in cybersecurity that you can get from an IT standpoint, endpoint monitoring, all this and that, again, it doesn't matter if, if you're let in the door, right. And common mistakes being made by employees. So we, you know, we do,
my law firm sends out test emails like that test phishing emails. We'll report back 15 % of you provided your credentials. That's what we do. That's what our operations center does. And, and statistically it's even higher than that. It's crazy. What's funny too is so many organizations, when I talk to leaders at, you know,
I like, let's just say decision maker or a leader in that type of organization. You talk to them and they're like, eh, we know how to spot a fish. We know, we understand social engineering. We got this. Like we don't need that training. We had that training for an hour a year ago. So we're good. Right. And you're like, Oh my gosh. Like, no, like it's, it's, it's, it has to be part of like almost like professional development. It has to be ongoing job embedding. You know,
Dino Mauro (48:36.558)
You're right. And what I've likened it to is that, you know, like sexual harassment training. Like when you walk in the door, any employer, you go through and training and then you sign that you went through this training. And here where I'm at in Illinois, in my law firm, every December before the end of the year, we must complete that training.
which is like four hours long. Right. Online. You get like 20 minutes of cyber training. Right. Exactly. So I've told companies, I was like, why don't you treat your cybersecurity training like you treat that training? Right. Cause we're not saying don't do the four hours of the harassment training because that's needed. We're not saying that, but we're saying is can we even the scale out? Because the consequence of a violation economically and reputationally to your organization.
is just as severe, if not more severe. Yeah. And, you know, we talked about fraudulent funds transfers a little bit. 95, maybe more percent could be prevented if the person picked up the phone, made a phone call and said, Hey, these are your wire instructions. Right. Yeah. And that's just a policy, right? If you just create a policy and then it's very low cost, you know, it's like, it's very, it's just a very practical.
practical thing to do. That's what we tell people, be politely paranoid, trust, but verify. Right. And you know, even at a company, a firm that's got 20 something offices like mine, and it's a big business, you know, on certain dollar levels, we have one person that can push the button. And if that person's not available, that money's just not going out. It's not going anywhere. Right. It's not going anywhere. And, you know, and so I think that employee training,
on these issues is paramount even for the greatest, even for the companies that spend a lot of money in the IT security. And then on the IT security issues, this is what I would say, I would put the people to the test, right? On a couple of issues. I really think that there's even me, a lawyer that I can understand, okay, if everything was shut down, how is it backed up? Where is it at?
Dino Mauro (51:02.126)
Yeah. And figuring out that solution because if your backup is in any way tied to your system, right. Consider it wiped out. Yeah. Because thread actors are not dumb at all. And they're very good at what they do. They'll go in and do that because what people don't understand is they're inside the network undetected for a long time before something happens. So by the time something happens, trust me,
you know, running to get your backups. Like they were already there. They were there before the super bowl. And now, right? I mean, exactly. I don't understand how this solution was, but one company that I represented, they're like, I, there's, there's no way they could have done this because we run, we, we back up every Friday and then take it off site. And I was like, they were in there for two months. They know you do that on Friday.
and took them home with you every Friday. Right. And that's when they executed. They were across the telescope, they're across the street with a telescope and a box of donuts watching you take the thing home every Friday. Exactly. They just zapped your backup while you thought you were backing up. So like understanding your backup solution, like I talked about earlier, how we, you know, paying for it.
decryption tools has gone so far down, at least in my experience, and that the number one thing is because people have an effective backup solution. Yeah. Really, really important. Well, and the importance of real -time detection, right? Like if they can catch them, if they can lessen the amount of time that they are inside the network, otherwise undetected, right? I mean, doesn't that help? Like if they're able to... Yeah, of course.
Yeah. I mean, if they're able to find them in real time, moving around the network, spotting those anomalies, I would think that is, is critical. Instead of finding out six months later. Well, instead of waiting until after it's launched and then, right. Six months later and then trying to triage or stop it and restore. Like that's very powerful. But, but if we could have caught them earlier.
Dino Mauro (53:25.902)
Wouldn't that make more sense? Yeah. I mean, solid endpoint protection and monitoring and system monitoring has saved a lot of companies and you know, the malware gets quarantined real quick. Yeah. It's still an event. It's still going to cost some money, but you know, but there's a difference between being in the news and it just being a, an incident that needs to be remedy. Right. Exactly. And so yeah, for sure. Amazing. Yeah. But so it's, it's a combination of the employee training and then under just,
the basic understanding of your IT, you know, backups, multifactor. How do you access your system remotely? Right? Do you need remote access? And if so, you know, really good point, really good point about the access. Yeah. So, I mean, you know, people have gotten a lot better remote desktop protocol over the pandemic. It was the wild West and that's why you saw this huge spike. Now, um,
much more secure and safe because we've caught up to it as well. So understanding those basics and then also a policy and understanding on how you store data, right? Yeah. You and I spoke about that before the podcast. Yeah. Like there's so many organizations that will save data themselves. They'll email things to themselves or they'll email things internally. And once that is compromised, all of that stuff can be great.
I mean, you know, when an email account gets compromised, we'll try our best to like narrow it down. But I'll say consider everything in your outlook to have been compromised. Right. And you saved every email that you've received since 2012. Right. All that's a powerful statement. If you think about that for a minute, that's really powerful for an end user, because nobody really thinks like that. But consider everything in your outlook has been compromised. Yeah. Yeah.
I mean, I just see eyes just open like, whoa. And so, you know, and so what's your policy on, on, you know, quarantining or archiving emails, second level of protection for old emails that you have to save, you know, well, we don't have any of this data. Well, this server has been in your, has been in your environment since 2012 and it's everything you saved on it has now been compromised.
Dino Mauro (55:50.638)
People were like, I didn't even know we had that data. Yep. Right. You know? Yeah. Think about that. Well, think about this too. By the time some end version of work product reaches somebody in leadership, it's been passed back and forth repeatedly. Repeatedly. Via email internally between teams. And you're like, there are so many processes.
policies that can be put in place or platforms where you can just keep things encrypted and secure and work from there as a like to silo it as opposed to sharing it via email. Right? And so it doesn't help again getting back to that user training. It doesn't help that we always reuse passwords. So and that's what's protecting our email, right? Like I've got a great password. I'm going to use it on. I use it on everything, right?
I hear that all the time. And we have forced password resets here. I think every day, every day I have to reset. Yeah. You know, and it's, it's, it's also, it's about diligence. You've got to stay diligent because the people that are trying to get into your network and steal your data and steal your money, they're diligent. Yeah. Jamie, thank you so much. That this was really eyeopening. This was really good. Um,
unbelievable, unbelievable what it's, it's like the wild west. And then it always kind of winds up in lawyers hands. And I'm glad you're involved at least because you, you get it. So that's, that's really good. What, what, what do you have coming up? What's on your horizon? Are you doing any public speaking? You go into trial soon, anything you could share? Spring break.
Well, I'll just tell you, you know, we talked about the class actions and they're coming in seemingly daily and unbelievable all across the country. And so that's and so, you know, like it's really interesting for me is that our law firm does have 22 offices, I think. So I probably more than anyone, our Chicago office, I get to work with a lot of the attorneys in our other offices because, you know, we need our New York attorney on this case, California offices involved, George offices involved in this one.
Dino Mauro (58:13.678)
And so I've really enjoyed getting to know some of my partners and associates in other offices because it's all over the country and we're trying to speak with a consistent voice on how we respond to these. And so, you know, and then I'll be in that diligence in May. So, fair. Unbelievable. Hey, well, thank you so much for your time and thank you for all you do. I appreciate you having me on. It was a lot of fun. Oh, yeah. Absolutely.
Absolutely fascinating. We didn't ask and I want to end with this, but like when you were younger and you were thinking of what you were going to grow up, I was like, I'm going to be Batman in the courtroom, dad. Like what, what did you, what did you, like, how did you eventually migrate into? Because when we were younger, at least when Mark and I were younger, like data breaches didn't exist. This, like, this wasn't a thing. The crime did in the same type of acts did extortion did.
stealing of funds, wire transfers, all that still existed, but it wasn't at scale like it is today. What led you into this field? Early in my career as a lawyer, I've been practicing from the 20s, 23, 20 something years. Early in my career, I did for a while almost exclusively legal malpractice. So legal malpractice and legal ethics. And so I represented a lot of lawyers.
And, you know, that's kind of a different skill in itself, having a lawyer as a client. And so one of the programs that we first got tied into, that our firm first got asked to be the breach response council, the coordination council for the breach response, the program was called Safe Law. And so it was for only a law firm program. And I was approached saying, hey, you've long...
had lawyers as clients, we think you have the bedside manner to deal with these law firms when they're going through breaches. And I said, sure. And, you know, for a while, you know, it was maybe 10 % of my practice when it first started that way. Oh, this was when law firms were being breached. Okay. Yeah. So one of the, one of the, one of the programs that I worked for was called Safe Law. Yeah, that makes sense. It's a program designed for checking law firms. Yeah. And so I got, you know, like, you know,
Dino Mauro (01:00:38.094)
We started the hotline for that. It was like, okay, it's going to be lawyers calling. We think you would be good at this because, or at least, you know, settling everyone down on the initial triage call because you routinely represent words. And it just grew so much that now it's essentially the entirety of my practice. Wow. That's really cool. Yeah. I used to stumble upon something, right? And it's kind of changed my life. Yeah. I like that. That's really cool.
makes total sense. Well, I think business is going to be up crimes up cyber crimes up. So now I'm telling you guys quite a while something that's going to go away. This is just a blip on the radar. It's just a trend. It's just going to go away. Crime has always gone away throughout the history of our world. Yeah. Crime always goes away and technology clearly goes away. It's not like there's any advancements. There's there's no advancements in technology.
Yeah, AI and deep fake won't be anything that we'll have to worry about in the next couple of years. Oh, right. Just scratching the surface. That's a whole other episode. I know. All right, guys, take care. I hope the audience likes it, too. Thank you so much, Sid. Yeah.
Dino Mauro (01:01:52.206)
Well, that wraps this up. Thanks for joining everybody. Hope you got value out of digging deeper behind the scenes of security and cybercrime today. Please don't forget to help keep this going by subscribing free to our YouTube channel at Cybercrime Junkies podcast and download and enjoy all of our past episodes on Apple and Spotify podcasts so we can continue to bring you more of what matters. This is Cybercrime Junkies and we thank you for joining us.