In this episode, we hear from Linn Freedman, the Chair of the Privacy and Cyber Security Team at Robinson+Cole. She's a top attorney and an expert on data privacy law, cyber security and complex litigation.
Let’s explore what the connection is between privacy law and cyber security together.
Find out what the two newest privacy laws, GDPR and CCPA, mean for you. How can you keep your business more secure and out of legal hot water?
I'm really looking forward to our discussion today around privacy regulations and how they are impacting security, privacy and people's investment in the space and understanding of the space.
Thank you again for joining me.
I'm looking forward to it.
Let's set the stage for the discussion today. Our listeners might not all be very familiar with how the law is impacting security and privacy and what the regulations are.
Can you give us an overview of what you think the relationship between regulation and privacy and security is today?
The law moves slowly compared to technology. The law is trying to catch up with technological advancements. And it's a little bit behind.
On the other hand, it's leading the way and making sure that companies are thinking about privacy and security when they are collecting and using data.
So there are some new regulations, and they change very quickly. We have both federal and state laws around data privacy and security. And they change rapidly, so it's hard for companies to keep up with them.
There is one in particular that companies are really taking note of and that's the California Consumer Privacy Act (CCPA), which just went into effect on January 1, 2020.
That law is really leading the way for companies to be thinking in a different way about data privacy and security.
Can you tell us more about what CCPA is?
The CCPA, the California Consumer Privacy Act, is a law that applies only to California residents.
They're super special and additional states are coming along behind California, but it applies right now only to California residents.
It's a privacy law that gives California residents specific rights around their personal information. Things like name, address, date of birth, social security number, and actually for the first time ever, this law applies to IP addresses and to tracking history that technology companies have on consumers.
So you have the right to access your personal information and find out what companies have.
Also, you have the right to delete your information. And you have the right to say, “I don't want you to sell my information.”
And there are always exceptions under the law. That’s CCPA in a nutshell.
Well, it sounds simple, but from the perspective of the technology company, that could actually be pretty complicated.
It's very complicated, and there are very specific rules that they have to follow.
The California Attorney General has also issued regulations on how companies must comply. And I think that the thing that companies really need to understand about this law is for the first time ever, there's a private right of action.
What that means is that if you have a data breach and your security measures are not up to snuff, basically, with notice, individuals can sue the company for a violation of CCPA.
And that is getting a lot of companies' attention, because it's the first time we've ever seen that you can have a right to sue the company directly, without showing any damages, for the mere fact that there's a data breach.
So that's a big deal.
I've heard CCPA referred to almost as a mini GDPR.
That’s a good way to look at it.
So, GDPR is the European data privacy law for European citizens. CCPA is similar. I call it GDPR-esque, and it has similar provisions.
In addition, they're not the same. So if you're GDPR compliant, you still have to look to see if you need to tweak some things for CCPA compliance.
I would not recommend that you automatically assume that you comply, if you have a GDPR compliance program in place.
There are some differences. But if you are GDPR compliant, you're definitely on the way there. I think you just would have to look to see if there are other things that you need to do.
One of the things that comes up a lot in conversations that I'm having is that compliance and security are the same. Compliance is conflated with security quite a bit. What are your thoughts on that?
I view compliance and security very differently.
In general, companies need to be thinking about data security in a more wholesome and overarching way than just for compliance.
Because you can comply with the law and still be the victim of a cyber intrusion, a data breach, a ransomware attack, a man in the middle attack, or an island hopping attack, etc.
All these different attacks have nothing to do with compliance. So, when you're thinking about data security, I think the better way to think about it is; one, how are we doing the best we can in collecting, maintaining and retaining data.
I'm in the middle of a case right now, where it's a ransomware attack and the attackers are requesting a ransom, not for the encryption keys or the decryption keys, but for a certificate of destruction.
And some of the data involved goes back to the early 2000s. So, companies need to be thinking about data security not according to the data retention schedule, because that's part of compliance. But why do you need to keep data that long when in fact, it could be something that puts you at risk in the future.
Data security needs to be looked at and viewed in a more holistic way from a risk management perspective, rather than saying, “I'm going to comply with the Massachusetts data security regulations. I'm going to comply with the Department of Financial Services cybersecurity regulations, which are all data security regulations.”
I think that's part of it. And if you have a good data security program, compliance will be much easier. It’s really the back end instead of the front end from my perspective.
Linn, how did you get into working in the field of cyber security and security law?
I helped start one of the first statewide health information exchanges back in 1999. I hate to admit it and think about where we were back in 1999.
I've been involved in data privacy and security since 1999. And the laws and the sophistication have changed. So, I've really watched the whole industry change dramatically.
What are some examples of the ways things have changed and really the biggest impacts?
From my perspective, the biggest impact to companies today is that the intrusions are getting more frequent and more sophisticated.
And although we've been talking about the same things for 20 years, in fact, we've really been static, and they (the bad guys, the intruders) have become way more sophisticated.
They're using behavioral analytics so that they know what our employees will or will not click on or do.
They are using more sophisticated technology, more sophisticated ways to get through a firewall or the perimeter, so I'm finding that significant intrusions are putting companies to their knees.
Intrusions are happening much more frequently. Really ransomware more than anything else.
Employees are not keeping up with the sophistication of these intrusions, and companies are not investing as much as they need to in behavioral ways to help their employees protect the data. I'm finding that employees are continuing to be not educated and very unsophisticated around cyber attacks.
I've seen in the data that these attacks are increasingly focused on smaller and medium businesses, which seem particularly unprepared to handle it. What have you been seeing?
Small to medium sized businesses and, and really government entities and municipalities, are getting slammed. Many of them end up going out of business because they can't pay the ransom.
We don't want to pay the ransom but many times that’s the less expensive way to go.
They don't have insurance to assist them with a cyber intrusion, and they don't have a sophisticated Incident Response Plan.
The small and medium businesses are trying to just do business and do it in a way that is very profitable. They're not putting the appropriate amount of resources into protecting themselves.
The hackers and the intruders, the threat actors, they know that small to medium businesses are a weak link. Municipalities, frankly, are the weakest link.
And, so why not go after the weakest link? That’s what they're doing.
You mentioned that employees are driving a lot of the ability of these hackers to be successful. Can you talk more to that?
It continues to puzzle me that employees don't understand how crucial they are to an intrusion.
Nine times out of ten when I'm assisting a company with an intrusion, it's because of a phishing attack, a spear phishing attack, or sometimes a brute force attack.
A lot of times, it's the employee who either clicked on something because they weren't thinking, or they were going too fast.
Or a lot of times now we're seeing employees send very confidential information to their personal email accounts thinking that no one will find out. That's called insider threat.
We're seeing more and more insider threats than I've ever seen in my entire career. Employees are clicking on something or downloading something that is malicious and very sophisticated, or sending highly confidential information outside the company.
Those two things are what I deal with every day, and those are both employee insider threats.
So, if you have appropriate security measures in place like a firewall, then employee error or intentional employee malicious behavior is the number one risk that I'm seeing every day.
When we think about how difficult it is to get all of your employees trained and make sure they're all doing the right things, and then you put that into perspective of all of this new regulation like CCPA and GDPR, I'm wondering if the regulation doesn't confuse the business owners about where to focus?
So that's a great question.
Interestingly, several data security regulations, and now CCPA, require companies to train their employees.
Now, CCPA doesn't require training specifically for data security, but it does require training for being able to respond to an individual's request to exercise their rights.
What I'm saying to companies is that you have to train to comply; you have to show that you've trained those employees.
Why don't you also train them on basic cyber hygiene? And gosh, I've been saying this for years, but investing in basic cyber hygiene for your employees is the biggest bang you can ever get for your buck.
And there are very simple and cost effective ways to do that. I find that face to face education is the best way, but don't call it training. Everyone hates to be trained.
When I provide education, I find that people don't even know the basic things about their smartphones. They don't know about the microphone; they don't know about the camera; they don't know about the apps they're downloading.
So, you can really hook them in by telling them about their own privacy, and then dovetailing to the company and how important they are to the company's privacy and security.
I find that to be very, very efficient and effective. And, get some pizzas. Do some education, give them some pizza, do multiple sessions.
There are lots of things you can do, but not doing anything is the worst strategy ever. Your employees really don't know anything about cybersecurity or data security. Assume they know nothing.
Well, tell us now what should we know about our microphone and our camera?
I think one of the things that's so interesting that people don't understand is how these microphones work. They buy Alexas, and they buy Echoes. They’ve got them all over their house.
You have to understand that these devices are recording you and that people are listening.
So, if you have children, and you've got an Alexa in your home, your child's biometric information is now being recorded. People only have one voice.
It’s really interesting to me that, particularly in the business world, people are downloading lots of apps that also allow access to microphones. And that means that when your phone is on your desk, an app could be recording you.
For lawyers, this is super important. I don't have any apps, obviously, that have access to my microphone, and I turn on my microphone if I need to.
But everything that you say is being listened to and recorded, potentially recorded by that app developer.
Anytime your phone is on your table or next to your bed, or wherever it is, and anytime you have your microphone on, it's streaming. I'm surprised that people don't understand that especially in business, where a lot of confidential information is talked about, all of that information is being disclosed.
I think that's important for people to understand. And, microphones can be hacked.
Not very many people are talking about that. I'm starting to hear more about Alexa recently and this idea of these personal devices that are listening to everything you do.
I don't think enough people are talking about the fact that all these apps are listening to you, and you take your phone everywhere.
Right. I think from a personal standpoint, when you go into a technology store and you buy your new smartphone, they give it to you without one piece of information about it. It's all in the fine print.
And so people have this very sophisticated computer - more sophisticated than the Apollo module, right? And they're not being given one piece of education about it.
They’re not going to read the insert. They don't know anything about it.
Then companies need to understand that in order to protect themselves, they need to assist their employees with understanding how to protect themselves as well.
It's not about, “you can do this or you can't do that.”
It's more about understanding, so you can make an educated choice about what apps you're downloading and what you're doing, not only personally, but in your company. I think that resonates.
This seems like a common misconception that people have about their phone. They just trust their technology.
What are some other common misconceptions that you've run into, and you think would be beneficial for our listeners to hear?
That question dovetails off our conversation of CCPA.
CCPA is the first US law that is intended to protect consumers with their online behavior. When you go online and you are hitting different websites, or you're downloading apps, or you're interfacing with companies digitally, they're tracking everything that you do.
They want to see what you're doing and what you're interested in. Not only to provide better services and make it easier for you to navigate their website and their products and services, but also to sell your information to others.
Your data can all be aggregated to really know a lot about you and really understand you almost better than you know yourself.
So, Katelyn, you and I were at a conference together where one of the speakers said, you know, Amazon is working on a product right now, that will send you things before you know you want them.
And that's what I'm finding that both consumers and their employers don't understand. These tech companies are using your personal information in ways you know nothing about.
I think what we're finding is that CCPA is allowing California residents, and hopefully the rest of us someday, to say, “I don't want you to sell my data.”
I think consumers are starting to say, especially after Facebook and Cambridge Analytica, “I want to have more control of my data; I want to decide when I sell my data; I want to get a piece of that action.”
I think we're going to start seeing more and more consumers get a little more educated about, “why am I allowing everybody else to make money off my data; I'm going to start deciding myself.”
I think that's going to be a new trend that we're going to see.
It would be kind of cool to be able to make money off of your own data.
Yeah, and then you have an educated decision about how you share your data. For instance, you could say, “If you give me a coupon here, I'll give you my data,” like a lot of supermarket chains and pharmacy chains do.
People aren't having to opt in to get these coupons. Actually, they're getting coupons specifically on the things that the companies know you buy. It's a little creepy, but it would be nice to be able to have the choice to say, “Yes, I will give you that data, but I want something in return.”
You can't just monetize it. I think we're going to start seeing more and more regulations but also more and more consumers understanding that they have a choice and demanding these choices.
I know you've been representing a lot of different clients with many privacy and security situations. I would love to hear what some of your crazy stories are.
I have a lot of crazy stories.
Right now, I would say that all of my crazy stories are about ransomware attacks. These ransomware attacks are more frequent, and they are more sophisticated.
As you know, I live in the northeast.
So, this is how brilliant these guys are. In the northeast, we like Dunkin Donuts. We love our Dunkin Donuts, and Dunkin Donuts are on every corner.
And around the holidays, a really smart hacker went around and sent phishing emails to lots of companies. And the phishing email said, "Happy holidays - Click here for your free Dunkin Donuts.”
It was shocking how many people clicked on that link and introduced malware into their company's system.
All because hackers know we love our Dunkin Donuts, and they know we love free stuff.
That’s the kind of thing that companies need to understand. I kept saying to clients, “Don't you give your employees coffee? Why are they clicking?” And they say, “We do! There's a Keurig in the kitchen; we give them free coffee.”
It's all about behavioral and sociological knowledge. They know we're going to click on something that's for free at one of our favorite coffee places. Those are the things that employees need to be trained on. They need to be, as I say, wicked paranoid, because that was a really easy and effective intrusion that's just one of those stories that make you say, “Wow, so smart.”
It's one of those things that people aren't expecting even though they should be. People don't seem to look at who sent emails they receive.
Where is this email from? Who was actually the sender, even though the name might say Dunkin Donuts? Instead of being more cautious, people just click.
We have to really hone in on these simple phishing attempts. Almost all of the most sophisticated attacks are that simple. They go straight to what people want.
And that's why they're so effective. Employees think they're smarter than they really are.
You tell all these crazy stories and employees say, “I would never do that.” But, they do. And they give themselves more credit than they should.
I think you've got to combat that in different ways with different strategies.
So, if you could reshape things and have it exactly how you wanted with the law and behavior, what would you do?
I would just take the internet down for about two weeks. Just take it down and fix it. Because unfortunately, when the internet started, it was really cool. It was open information; it was allowing everybody to find out things that we never had access to before.
But unfortunately, no one was thinking about the bad guys and how it was going to be used in terrible ways. So, if I had my druthers, I would just take it down for two weeks and put all of the security measures in place that we need to put in.
Use different technologies that we know work, like embedding encryption. There are so many things we could do if we started over, but we can't. I mean we could, but everyone thinks I'm crazy.
People would freak out everywhere.
How did we live without it? I don't know. How did we live without the internet or our smartphones? I think that we're playing catch up, and I think we're going to continue to play catch up.
I think that we're never going to catch up to the sophistication of the hackers and the threat actors. They're always going to be ahead of us because that's their job.
They're doing that eight to 12 hours a day when we're working and making a living in a legal way.
So, I think that there are things that companies can do. The first is to make sure that cyber security is a high priority and more and more companies, usually after an incident, are making it a priority.
I want to see businesses provide resources for cyber security before they are responding to an incident, which I'm starting to see.
Second, educating employees is crucial.
Those two things would just go so far and are really big bang for the buck.
Unfortunately, I still see many, many companies, small, medium and large, just not thinking about or strategizing about cyber security. It needs to be a top priority.
And unfortunately, it ends up being a top priority after an attack, and we've got to start making sure that it's a priority before the attack.
So as we wrap up our conversation, Linn, I would love to hear from you what advice you would give a company that thinks they might be having a breach or have gotten ransomware. What do they do?
I'm not allowed to give advice, but there are some tips I would offer.
Okay, this is not legal advice, but here are some tips.
I think that some of the most important things that companies can do prior to, during or immediately after an attack are to have appropriate backup systems in place and to test them.
In all of the ransomware attacks that we have been involved in, the companies that had a robust backup system recovered better, quicker, and in real time.
If you don't have a backup system, that would be one of the first things you need to do, because I still think ransomware is going to continue to increase dramatically.
I've already seen ransomware increase dramatically over the last two years.
The second thing is to make sure that you have an incident response plan and that you've tested it.
So, people are always telling me that they have an incident response plan. When I see it, it's like 65 pages long.
You're not going to look at a 65 page plan while you're in the middle of an incident.
So, when you are thinking about implementing a plan, there are lots of consultants out there that will do it for you.
I would suggest that you sit down and try to think about what you would do first in an incident. Write down who are the most important people that need to be involved, and who's going to do what. Answer questions like, where are we going to meet?
Get everybody to understand what the playbook is. It doesn't have to be 65 pages; it can be three pages.
Put in your plan details like who you are going to call. Also, remember that everything that is said or emailed during an incident is potentially discoverable in court.
So, I have found that during incidents, internal personnel like to email a lot. Make sure you are not calling a data breach “a data breach” in writing until it’s been defined that way by applicable law.
I don't recommend that people use the word data breach. It's really a security incident.
Everyone needs to understand that during an incident, they need to be very careful about the terminology they’re using. Be careful about emails flying around when you don't know what's happening; don't make premature conclusions.
Again, everything in a security incident has a life cycle. And during that life cycle, you want to understand who has what role. You want to make sure that you know who you're calling.
Legal Counsel should be one of the first calls. The attorney client privilege is important.
The companies that test their plan do much better when the real thing happens, and you should assume that you will get hit. You will. No one is immune.
Thank you so much, Linn. I've loved having you on the show, and I've learned a lot from you today.
Thank you, Katelyn. As always, it's great to see you. My pleasure.
And that's a wrap. Thank you for joining us for this episode of Security Economy. See you next time.