Christian Auty, partner, Bryan Cave Leighton Paisner, and leader of BCLP’s U.S. Global Data Privacy and Security Team, joins Peggy to talk about data security and data privacy and the issues on the horizon. He explains that the attack surface is vast and that there are 50 different data breach laws in the United States—one for each state. He also discusses the likelihood of a federal cybersecurity law coming to the United States and the ways you can protect yourself and mitigate your liability—the actual defense and everything else, like the regulator after the fact, potential class actions, angry customers, and more.
Below is an excerpt from the interview. To hear the entire interview on The Peggy Smedley Show, visit www.peggysmedleyshow.com, and select 03/23/2021 from the archives.
Peggy Smedley: Christian, I’m really excited because any time I can talk about security, I want to do it because, I think, personally from my perspective, and I’m sure some of my listeners might not agree, but I’m going to say it anyway, I do not believe we spend enough time on security. I think, we spend a lot of time on a whole lot of other things, but, I think, especially with what just happened in the past 12 months, security was an afterthought… It wasn’t a forethought… What’s your opinion? Let’s just start with that question.
Christian Auty: It’s a great question. I think, in the data security realm first, and we should divide data security and data privacy, at least for these purposes, but in the data security realm, I think, there is a significantly greater amount of awareness and sophistication, but there’s a lot more sophistication, unfortunately, on both sides, right, on the offensive and on the defensive, on the bad guys and on the good guys. And, as a consequence, what we are seeing is both more sophisticated attacks, more sophisticated attack vectors. What we’re also seeing is more awareness in the marketplace regarding these events. Whereas, five or 10 years ago, these things were happening a little bit more quietly and behind the scenes. Now they’re very public. They’re at the forefront. They’re being discussed in Congress. They’re being discussed in state legislatures. They’re being discussed among regulators. And so, I think, that there’s more awareness, but I’m not sure that that overall security footing has necessarily improved.
Smedley: So, the more these attacks are, the more vigilant that they have to go after them. Instead of always saying the nefarious characters, as I choose to describe them, I’m now saying the evil doers, because they keep going after the perimeter. They want to keep trying after it. And now it’s just not one person, they’re using sophisticated systems to keep doing it. I mean, they’ve gotten smarter… So, in your mind, if that’s happening and we know it’s happening, and now they’re getting into our critical infrastructure, which can create great harm, and we’ve seen the attacks across the world that are happening. Do we understand our personal information’s out there, but they can create harm to us in ways that, in some cases, I don’t think we understand? Sometimes, as businesses, we’re seeing what’s happening with Microsoft right now, we’ve seen what’s happening with our water systems. Somebody catches it. But if they don’t, we’ve got some really big problems…not now, but it could happen down the road. What we don’t even know is when things have already been leaked.
Auty: Absolutely, and the attack surface is vast. Whereas folks were going after companies individually, now you see things like, for example, the SolarWinds hack, where you have one critical vendor and then escalating to that vendor’s clients in different areas. There are lots of different targets, and how we react to that as a society is, I think, really important. Right now, there are 50 different data breach laws in the United States, one for each state. And, those data breach laws are focused on controllers, not vendors, the entity that owns the data. It is not necessarily the entity that’s holding the data. Those laws are focused on personal information. And so, there are gaps. There are the situations you described where we’re not necessarily attacking personal information, but we’re taking something very vital. Like water supply or something else? How do we coordinate? How do we talk about that?
Among vendors, among businesses, in a way that’s going to make sense, in a way that’s going to incentivize those entities, to actually report, to actually coordinate, to actually figure out what’s going on and mitigate the situation. They’re talking about that in Congress right now. They’ve been talking about that in Congress for some time. Hopefully, there’s going to be a solution here that allows us from a legislative standpoint, from a safe harbor standpoint, from a liability standpoint, that allows us to coordinate better as a society and allows businesses to coordinate better.
Smedley: Is it really fair to say that, based on security, no state can be completely secure based on what we have right now? I mean, if we were trying to resolve conflicts, but we can’t be, based on the way we wage war or whatever we’re looking at? I mean, that’s what I keep trying to understand here. I think, when we look at our federal laws on privacy, I guess, I want to understand this. Take me through the bigger picture because, I think, it’s such a complex problem. I think, that’s where I don’t think we understand. And, are we any closer to a federal law on data privacy or data security law or whatever we’re talking about? I know we’re talking about it right now, but what do we have to look at? Because, you just said, it’s now the client’s client that has to worry about what’s happening, but right now, they don’t even know stuff is out there. Their information’s out there. How do you remedy anything that’s happening right now? The inefficiencies, the problems that exist in, I guess, from the bigger picture, there seem to be so many vulnerabilities, there’s a lot of things at risk.
Auty: There’s no question. I mean, to take a step back, when we’re talking about a federal data security law, what we’re talking about really is more than, well, not necessarily more than, but we’re also talking about how do we harmonize all of these notification regimes? The way data security law is structured right now, you suffer a breach of data that you own. You report this breach to individuals that were affected, consumers. And you report it sometimes to regulators, and it depends on the type of data that you’re dealing with. Then, there’s an evaluation. The way most of these laws are structured is, there is an evaluation about … It’s not that you had a breach; it’s whether you were negligent or unreasonable, or you ran afoul of traditional principles in tort, under the law, in protecting your data.
But this is unfortunately litigated after the fact. So, the law will say, for example, be reasonable, have reasonable measures in place. But then you find yourself discussing how reasonable your measures were in federal court, because you’re getting sued in a class action or in discussions with a regulator. It’s been a very consumer protectionist sort of approach thus far. And so, that’s challenging for companies because on the one hand, we want to protect consumers. But, on the other hand, we are never going to achieve perfect security.
Smedley: So that leads me then… I’m the company now. How do you protect or insulate the company from potential liability? Because that’s what I’m thinking. I’m sitting there, I thought I was doing everything I could do and the bad guy gets in and takes my customer’s data. Now, I’m liable because some guy hacked me and I didn’t know I did anything wrong.
Auty: Yeah. And you probably were. And then, how do we insulate you from liability? First of all, I can’t really insulate you from liability.
Smedley: Yeah, exactly. That’s what you just said. I mean, you’re vulnerable and that bad guy is really smart, and they’re really good. Those hackers are really good because they keep at it. They got nothing better to do. They just sit there, in the wee hours of the night, and just keep going at it. And it’s crazy because they’ve gotten into government information.
Auty: They’ve got a lot of technology at their hands. Some of them are very smart and they only have to be right. And they only have to get it right once.
Smedley: That’s disturbing. I’m sorry. I keep interrupting you and I apologize, but it’s disturbing to hear that. I mean, we are the victims. If we think about a business as the victim because these hackers are brilliant. Some of them are the smartest people. They know what they’re doing. And as a small business or medium-sized business, or even a large business who somebody, some employee clicked on something that looked so real. I mean, we’ll get to that in a minute because I want you to answer the potential liability. They didn’t know what they didn’t know. They didn’t know that they were the victim of a potential hacker. Really gone. “Ha ha! Got you now.” And that’s the problem.
So now, let’s go back to my original question because I interrupted you. I’m sorry. But I want to know how do you insulate yourself from potential liability when an employee then, and we’ll answer a two-pronged question here. You said you can’t, but now I’m sitting there thinking I own this company and now I’m at the mercy of some crazy nefarious nut?
Auty: Right. How do you insulate? How do you protect yourself and mitigate your liability? There are two different areas you want to think about here. The first is the actual defense against the hacker and the problem of the hacker, the problem of the exfiltration of the data or ransomware. The other bucket is everything else, because it’s not just a hacker you have to deal with. You have to deal with the regulator after the fact. You have to deal with a potential class action after the fact. You have to deal with notifications, angry customers, reputational damage, all of these things associated with, consequential of, but not the hacker, right? It’s because of the hacker. So, on the first one. What do you do? Well, you make sure that you have your reasonable security in place. You consult your experts.
You make sure you’re monitoring your network. You make sure you’re doing all of the blocking and tackling that your technical people will tell you that you need to do. And that’s different for everybody. That’s a different spend. That’s a different risk tolerance for everybody. But that’s something where you’re working with technical people, whether in-house or externally, to put yourself on the best footing possible. And that certainly includes employee training because, as you point out with spear phishing, with your spear phishing example, Peggy, your employees really do remain your most significant vulnerability as an organization.
Smedley: So, now, I’m going to go back at that. The spear phishing, we know the CEOs of companies have become the victims of this. Even they get fooled. So, I’m not picking on the CEOs, but they can become victims of their own owner tax. So, when I hear your blocking and tackling, that’s a great one for this whole risk tolerance idea because the first thing that comes to mind is I think about when you file your taxes. You think, “Hey, I can file my taxes.” It’s easy. But then at the same time, when you get audited, you go, “Well, why didn’t I use a tax accountant because they could have made sure that I didn’t do something wrong?”
So the same thing then comes to mind here, are we better off? Because you said, “Look, you need to do the right thing.” Then, I’m thinking about, should we be using the right companies to help us? Should we be going to more remote tools? So, we’d be putting things in the cloud and they’re protecting everything. Should we be using the right technology you just described? I mean, is that then, if something happens, you could say, “Look, I was using the right technologies and tools.” And, are they the defense, or no, you’re still liable for the bad guys coming in?
Auty: So, they are part of the defense. Right. And my job is this other part of it. The attorneys don’t really give technical advice. I mean, I think, my area of law is fast moving, my God. Is it fast moving in cybersecurity? Right?
Smedley: You’re a busy guy.
Auty: Yeah. You can’t just be the dumb lawyer anymore. You got to really be smart on this technical stuff. So, from that standpoint, it really does depend not only on your risk tolerance, but your size, your ability to afford infrastructure, your ability to employ outside experts. It’s different for everybody. I’m not saying that a small business needs to go out and hire IBM or Carbon Black to do their security.
That’s not really realistic or reasonable. And it underscores why these laws are sort of general as to what security controls you need to have in place. But, what I can do as a lawyer is prepare you on the other side of reasonableness. So, preparing you for the regulatory conversation, preparing you for the, perhaps, inevitable class action. And how do we do that? We do that by having good documentation and good procedures in place, documentation of training, documentation of risk assessments, documentation of our incident response plan. And then, we follow that incident response plan to the letter so that we are able to say to the regulator, “Look, we did everything we could to prevent this. It happened notwithstanding, and here’s our procedures and here’s how we followed those procedures, by, in, through and under the advice of counsel.” So, that’s the other part of it. And certainly part of my practice is helping companies sort of navigate those issues pre and post breach.
Smedley: Some of that has to do with, and we’ve seen some companies survive really bad attacks by having a good lawyer, having a good PR response, because that’s what I think on the other end of this. If you don’t have a good strategy in case it happens because we all know at some point we’re all going to face some form of attack. I don’t want to say all, but it just seems like those bad guys want to do something. But if you don’t know how to respond to your customers, understand you care, you’re going to find yourself on the other end of some angry people because, I mean, we’ve all gotten a letter saying, “Well, your information is out there. I just recently got a notice your information is out there again. I think I’ve had it so many times I’m getting tired.”
Auty: The fatigue is setting in, right?
Smedley: Exactly. So, you need to, as the CEO, respond. I mean, that leads me to the question I want to ask then. In this time of COVID that I started this, we all got thrown, and this is what I’ve asked every security expert that’s come on the show. In this past year, we all got thrown into remote working. We never even had a chance to secure anything. Those who were doing remote work kind of knew, but we would have never done the things we did with health security kind of things like we did in COVID. We were more concerned about saving personal health, lives. And we did some things in those challenges of COVID that I’d never seen in the 30 years I’ve been covering IT and technology. And it’s kind of interesting. Are we going to see some interesting things come out that we didn’t even know? That we didn’t anticipate? We don’t know, I mean, because I think there’s going to be some challenges companies hadn’t even anticipated down the road, that we didn’t know what we don’t know.
Auty: Oh yeah. I mean, I think, if there’s one thing that is a common theme and that is a guarantee in this industry, data privacy and data security, it’s that there’s going to be a new development that was completely unanticipated. And, in our current situation, improving as it may be now, I regard, certainly, from my firm’s perspective, and I can only speak to this myopically, in the sense that there’s a definite increase in activity, a definite increase in data breaches over the last year and a half. I don’t know how related that is to work from home. Or, is it just zero-day exploits that have come up, or it’s folks getting just more aggressive, or they’re splintering within hacker groups. There’s a sort of whole society over there.
It’s hard to attribute that to one cause. But, I think, COVID has placed a stress on networking remotely. And we, as a firm at least, have passed that test, and, I think, the information part of the society has done fairly well with it. I think, it’s been very challenging for other aspects, or horrible for other aspects, of society. But I don’t think we’re going to really be able to fully evaluate the consequences of COVID impacts on how we do business for another year. Until we’re presented with the opportunity to come back and are then confronted with, well, what does that mean for us as an office? What does that mean for us as a firm? What does that mean for us as a society? Do we want to go back to offices five days a week? Do we want to go back to this, to that world? Or do we want to do what we’re doing now? Or do we want to have a half measure?
Smedley: But, Christian, here’s what I think is the other challenge that’s going to face a lot of companies, whether they go out and find partners in the tech industry that they have to do. We’re shifting our world right now. And this is maybe the bigger question. We want to be greener. We want to focus on kind of restoring the ecosystem that we’ve destroyed by this make-take-waste society. Everybody knows. I wrote the book, Sustainable in the Circular World, because I’ve said we’ve seen this whole thing that’s happening right now. So now, if we think about that and we start saying, we have to focus on being more green. So, we’re going back from COVID now, but we’re going back with fewer employees, where we have to upskill these employees, we have to train them.
So now, in COVID, not everyone’s going back to the office. We’re going to do these remote kind of environments, part-time. There are going to be fewer people, fewer eyeballs on the systems than there were. So, a lot of pressure, a lot of things happening in the next few years. Maybe I’m wrong, but there are a lot of issues at play. There are a lot of pieces on the chess board moving all at once because we have to figure out how do we change our failing infrastructure. And to me, I’ve been saying, that’s where the bad guys are. If they want to go after something, not only critical, but our general infrastructure, our roads, our bridges, all those things that are failing, they have an opportunity. And I don’t want to say an opportunity, but they know what’s out there.
So, I guess the question now, with all these issues and privacy, I think, we’ve got to look at what’s going on because, manufacturing, supply chain, there’s just so much going on that you can’t keep your eyes on all the moving pieces. What do companies need to focus on right now to make this all work, so we are a functioning society that gets it right?
Auty: Yeah. I mean, you raise a good point and of course, you’re right. As we spread out, as we deal with this post-COVID society, we are going to be presenting an even wider attack surface than we are immediately. And, we haven’t even talked about data privacy. We haven’t even talked about how we treat our data on a day-to-day basis as sort of a lived experience with our data, which is a whole separate issue that companies are confronting and it’s a compliance issue. But even what you’re talking about in terms of stresses on infrastructure, in terms of stresses on communication, this is a big issue, and it requires a coordinated effort in an area where things have been a little bit, not a little bit, a lot siloed.
It’s my data, and then it’s your data, and then it’s their data. And, we’re going to have a contractual agreement about how we protect it and indemnifications and so on. But there’s not a lot in there about communication. There’s not a lot in there about incentives around communication. We said it’s contractual liability, right? And, maybe, that’s one of these things that needs to change. There needs to be better communication. And there needs to be perhaps less liability associated with that communication in order to incentivize it.
Smedley: So, is it going to be privacy that’s going to be the biggest issue or is it going to be security that’s going to be the biggest issue? Because it sounds like we’ve got two really vexing issues that as a world, not only the United States, but the world is going to be struggling with.
Auty: Yeah. I mean, I think it really is both. I think it really is both: security for all the reasons that we’ve talked about, privacy because of the renewed focus among individuals and among legislatures on how we’re treating the consumer and how we’re treating the consumer’s information. I mean, there was GDPR in 2018, now there’s the California Law, the CCPA; California is effectively legislating for the entire country in the area of privacy. Right now, there’s a Brazilian Law. There’s a Turkish Law, there’s South Korea. We’re seeing these pop up now more and more. There’s a law in Virginia going into effect in 2023. There’s going to be a renewed focus on what I call using it. I always divide data privacy and data security. I say, data security is losing it and data privacy is using it. There’s a renewed, big focus right now on using it and a lot of developments in this area right now.
Smedley: We’ve got a couple of minutes left. When we look at the California Law, how much is that going to influence the rest of the country?
Auty: It’s a spectacular question. I think, it’s going to have a lot of influence. The California Law is getting modified by something called CPRA, a ballot initiative passed in November of last year. And it’s moving closer toward a GDPR-like structure. But I think that, between the new ballot initiative CPRA and GDPR, you have the structure of what the privacy law in the United States is going to look like. You’re not going to have too many deviations from that, because imagine if you did, Peggy. Imagine if you had to follow one set of laws for California data and another completely divergent set of laws for New York data. Nobody structures their data that way. It’s really going to be a very difficult task to have to comply with two completely separate regimes simultaneously on a day-to-day basis. Forget about data breaches. This is every day, all day. So, I think, the California Law, with some tweaks, is setting a standard. And the only way you could do something completely different is if you had a federal law that essentially preempted or overruled the California Law in its entirety.
Smedley: Where is it in getting some kind of passage or acceptance?
Auty: I’ve given up speculating on that. There are a number of bills in the works that have some currency with either the Senate or the House. It’s unclear when we’re going to get a federal privacy law. I do think that a federal privacy law is inevitable though, because of the issue that I’m articulating. If you have different states doing different things, eventually it gets to be too much. Eventually it gets to be … There becomes a need for a federal-type privacy law on how we use data.