Regulators enlist corporate lawyers in joint response to cyberattacks
Lucia Ziobro (left) and Matt Van Hise speak Thursday at the ABA National Institute on Cybersecurity Law in Chicago.
Responding quickly to an identity theft, ransomware or other computer attack means having a plan in place. And as participants in the National Institute on Cybersecurity Law learned, that includes a plan to send in the feds.
“Figure out if you have to report that breach to my office or other regulators, state and federal,” was the advice from Iliana Peters, who’s responsible for health care data privacy at the U.S. Department of Health and Human Services.
Peters was on a panel of six current and former regulators assembled by the ABA Section of Litigation on Thursday in Chicago.
“We want to be sure that entities are prepared to implement these kind of response plans,” Peters said. “As it’s happening is not the time to be doing that, to be figuring out how you’re going to respond.”
Reporting an incident can bring in experts to evict cyber squatters, said Lucia Ziobro, the head of an FBI internet crime unit.
One company’s general counsel turned FBI agents away after a security breach, she recalled. For the next week, the lawyer traded messages online with the chief executive and technology executives about what to do next. Meanwhile, hackers monitored the discussion, and covered their tracks. When the feds returned, Ziobro said, “all the evidence we could have collected was gone.”
“Come up with a different way to communicate once you know you’re infected,” she advised.
Regulators, for their part, are more focused on prevention than prosecution. But they don’t like surprises. “If we see a news report and we don’t have a breach report from you, it is very likely that we will open an investigation proactively,” Peters said.
Travis LeBlanc, a former chief enforcer for the Federal Communications Commission and the high-tech crime unit of the California Attorney General’s Office, stressed that there’s little downside to calling in federal or state regulators, who are constrained by law in what information they can share.
“So often we hear from companies that they are afraid to report to the FBI or to the Secret Service or the eCrime unit in California,” LeBlanc said. “Not one time did we ever on the civil side receive information about a criminal incident from a criminal law authority that resulted in an investigation.
“It’s very important that when a company is a victim of a crime, it should feel that it can go to the appropriate governmental authority without being chilled by the possibility of regulatory action.”
Panelists said assessing and attending to security risks beforehand will show a company’s good faith efforts at compliance. “We’re talking about things like passwords and encryption,” said Susan Schroeder, acting head of enforcement for the Financial Industry Regulatory Authority, the securities broker-dealer watchdog. Broker disciplinary actions are likely to trigger closer scrutiny.
Corporate bad actors are those who “failed to address the basics,” said James A. Trilling, a Federal Trade Commission attorney.
“When you see an organization that’s done nothing upfront–hasn’t trained, doesn’t have policies in place, isn’t managing their vendors–those are the ones that are typically the low-hanging fruit,” Trilling said.
Ransomware attacks such as last month’s global WannaCry attack pose difficult choices. “One in four victims of ransomware who pay don’t actually see their data unlocked, or it’s exposed after the fact,” said LeBlanc, now a Boies Schiller Flexner partner.
Law enforcement agencies advise victims not to pay the ransom. Even so, LeBlanc said, “When you’re the company that has your data being held hostage, and it is your most sensitive data possible, people’s lives may be in jeopardy, and someone is telling you that paying $300–or $600, I think that was the amount in WannaCry–and you have the possibility of avoiding it, it is very tough to say we’re not going to pay that $600.”
Privacy guardians see a looming threat in the security of health data as wearable devices become hacker targets.
“We are grossly underprepared for how these devices that are interconnected in our lives handle information,” said Matt Van Hise, the Illinois Attorney General’s privacy counsel. “The intelligence and genius that goes behind them anticipates what the device is intended to do, not what the device can and will do and where the information will go.
“We can anticipate that a smart device that’s controlling your blood insulin can be hacked and changed and possibly affect your insulin levels,” Van Hise said, “or a pacemaker could be shut off and unfortunately kill you.”