A confusing legal landscape and ever-changing technology have created a challenging environment for businesses to navigate. The Cipher Brief recently spoke to Chris Pogue, the Chief Information Security Officer at Nuix, about the nature of the problem and what needs to be done to bring government and the private sector more in sync.
The Cipher Brief: There has been a significant amount of friction between the IT industry and the federal government that has gotten particularly litigious, for example the recent Apple vs. FBI case. What are some of the most significant legal decisions that have affected the cyber security space in the last couple of years?
Chris Pogue: There are two big ones. The first is the seventh circuit court’s decision in the Neiman Marcus case, and more recently, the sixth circuit court’s decision in the Nationwide Mutual Insurance case. What happened prior to these cases was that for class action lawsuits to proceed beyond dismissal, the plaintiffs had to satisfy what was called Article 3 standing, which means that there needs to be both injury-in-fact as well as a clear nexus between the injured and the individual or group who had caused the injury. The precedent that most class action data breach cases were compared against was established by the U.S. Supreme Court in Clapper v. Amnesty International.
Seventh circuit court Judge Diane Wood ruled in the Neiman Marcus case that a plaintiff could satisfy the injury-in-fact requirements through presumptive damages; after all, why else would hackers steal credit card numbers if not to use them fraudulently? She deemed that such presumptive damages had a clear and reasonable expectation of occurrence, and were adequate to satisfy Article 3 standing, which means that class-action lawsuits could now proceed. This decision was echoed by the sixth circuit court, as well as by a Colorado court in the case of Engl v National Grocers. With precedent now being set and utilized in multiple courts in multiple districts, the logical assumption is that any breach can now have a class-action lawsuit associated with it. Class-action lawyers all over the country are likely salivating because of this interpretation as it pertains to Article 3.
But what that has done for organizations in cybersecurity is provide an understanding of what their legal risks are and being able to establish what’s called the defensible position of reasonableness. When opposing counsel starts poking holes in your cyber security strategy, you can say, hand over heart, we were doing everything we thought was reasonable. What that definition of reasonable is, will likely have a wide range of interpretations and change from one court to another, one expert to another, one case to another. But at least starting to have that conversation, and organizations going in with their eyes wide open, will help them to better prepare their defense.
Now what that’s also done, which is kind of unique, is we’ve seen more and more organizations that are retaining third-party forensics or penetration (pen) testing firms do it through legal counsel so that the end work products (pen test and forensics reports) are protected under privilege. In other words, if you hire me to do a pentest, and during that test, we find a bunch of broken stuff (which we will) and you don’t fix the broken stuff, and you get breached because of the broken stuff, if the opposing counsel asks for that pentest report, you have to give it to them. Needless to say, if that happens, you’re in a world of hurt. However, if you retain pentesters through outside counsel, that report is protected under privilege; your lawyers can go fight that battle for you, instead of you just handing it over saying, “here you go, please sue me.”
TCB: And what about the second case you had mentioned?
CP: The second case was in the third circuit, which made a decision in the Wyndham Worldwide case regarding the FTC having governance over interstate commerce. Basically, if an organization does business across state lines, the FTC now has jurisdiction to launch inquiries based on that organization’s inability to protect data. That just becomes another sticking point. You have 47 different breach disclosure notification laws that your attorneys have to be aware of, 14 attorneys general with investigative authority, and now the FTC can investigate if they cross a state line. That becomes another angle that you need to be aware of so that when you get breached, it’s not, “oh we thought we were doing our best,” because you are going to have either the Secret Service or FBI come knocking. You’re going to have contractual obligations, non-disclosure agreements, plus you’re going to have the FTC and likely the FCC, SEC, or even HHS joining the “party.” You can pretty much anticipate litigation.
TCB: There are 47 different state laws governing these situations. Is there anything that can be done to streamline or standardize or modernize, or is that even something people would want? From the position of the legal system, is there anything that can be or should be done to make this easier to navigate?
CP: Before I answer that, to add to the complexity, as I have said, you don’t just have the FTC. You have the FCC, the SEC, and HHS all trying to pin on the tin star saying we have authority in this area, we have authority in that area – or in a worst case scenario, multiple agencies claiming jurisdiction. That adds to the complexity.
I’m not an attorney, but in my opinion, we need to standardize and have an overarching federal piece of legislation instead of 47 different patchwork pieces of legislation. That will help organizations understand what their legal risk is and what their legal requirements are. Until that happens, hire outside counsel – not just big firms, but a firm that understands cyber security legislation and litigation, has navigated these waters hundreds if not thousands of times and can help you prepare your organization for what’s called anticipation of litigation.
All of that work that you are doing can be protected because you do not want to be in the position where you don’t have outside counsel or are trying to find someone last minute and you are compelled then, by the court, to turn over all of your documentation, including your incident response plan, any forensics examinations you’ve had, and any pentests that you’ve had. You’re going to be in a very, very bad place if those things are not squared away.
In my experience, less than five percent of organizations worldwide have that level of maturity. I am being generous with that number—it’s likely less.
TCB: It seems as though the law is always lagging behind developments in the cyber field. Can the law keep up or will most of these big decisions continue to be undertaken by judges?
CP: When legislation is put in place, we really need to have experts being part of that process. Granted, I know legislation is written by attorneys and by lawmakers on Capitol Hill, and they usually don’t ask us as practitioners or as subject matter experts what we think. If they do, it’s only a very small subset of “industry experts,” who may not have touched a keyboard in several years, which can lead to outdated, ineffective feedback. That needs to change. For the law to have that nexus to the real evolving-threat landscape, you need input from folks in the field who have been doing it for 15 years and who have seen where the law has been adequate and where it has been inadequate. Until we get to that point, we are going to rely on judges who are elected, sometimes appointed, sometimes have ulterior motives, sometimes have political agendas, sometimes have any number of competing priorities that contribute to their decisions.
And there is a level of understanding. I’ve been on the stand as an expert witness and had to break down difficult technical concepts into something that a judge and jury can understand, which is challenging. To be able to explain things like routing, ARP cache poisoning, DNS spoofing, why an attack wasn’t the Chinese or the Russians, and the Trojan defense, is tremendously difficult. To other technicians, it is like, “duh, of course,” but to a jury of your “peers”, it’s not that easy, or to a judge who’s an expert in the law but not in cybersecurity, again, not so easy. So hopefully we will get more and more judges who are cyber-savvy, or you’ll start to see an influx of experts who are retained by counsel, both prosecution and defense, who are going to turn it into the battle of the experts. Who can convince not only judge and jury that they know what they are talking about, but then who can do that in a way that maintains the integrity of our profession so that we don’t become guns for hire saying, “Look, I can win this case for you,” versus maintaining our professional integrity as wanting to do the right thing. There are a whole lot of moving parts to it.
TCB: In terms of the trends that you’ve been seeing over time about how the legal sphere has been interacting with the cyber-security sphere, is there anything that you find particularly troubling? Any trends that worry you aside from the ones that you have already pointed out?
CP: The ones that we’ve pointed out are the troubling ones. What I think is encouraging is you have the National Computer Forensics Institute in Hoover, Alabama, that does have a program to teach judges and prosecutors about cybersecurity. There is also an organization called Today’s General Counsel Institute, which gets together in Washington, New York, and San Francisco with a room full of attorneys, both inside and outside counsel, as well as a handful of cybersecurity experts to talk about trends in legislation: what’s working, what’s not, how do we help shape legislation on Capitol Hill, how do we help prosecute it, how do we help defend it within our own organizations. That is tremendously helpful in not only educating attorneys about the “cyberz”, but educating cyber experts about the legal challenges they face. The troubling bits are the things that we’ve mentioned about current legislation, some of the challenges they face in the formation of that legislation. But to know that there are organizations like the EFF and TGCI, who are really trying to throw their hats in the ring and say, “Look, we can be helpful here,” because honestly, right now, it’s the wild west.
Until we establish laws that match the threats, we are always going to be behind. I don’t want to be behind. I want to do the right thing, to understand the perspective of people who write pentesting tools or write exploit tools; they’re not the bad guys. Think of these tools the way you would a hammer. You can use a hammer to build a deck or cave in a skull; the important bit is the utilization, not the user. So just branding these pentesters and code developers as the bad guys is just flat wrong. So how do we develop laws that focus on that? That’s what folks like TGCI and EFF are really working on and where I think we can really benefit our craftsmen and our industry.
TCB: Any other point you would like to make?
CP: It’s important that you vet your experts, both your cybersecurity experts and your legal experts, because so many people now are handing out shingles saying, “I’m a cyber expert” or, “we understand cybersecurity legislation and litigation.” Push a little deeper and find out how they do that, how many cases they’ve tried, how many tests they’ve worked, how many investigations, etc., so that you really are getting true experts. At the end of the day, when you go to court, or when you are in arbitration, or when you’re in a deposition, that’s when the rubber meets the road. If you haven’t done your due diligence, you will regret it. So seriously vet your experts.