Introduction

In episode 3, Angeline Chen and Bodo Meseke provide insights on responding to cyber breaches.

Topics discussed include, among other things:

  • What cyber breaches are
  • The different types of cyber breaches
  • A cyber breach case study
  • Suggestions for lawyers and company executives


____________________________________________________________________

Flyers and Resources

Disclaimer

Thanks for checking out our additional content! Additional content was written/prepared by the Host or present/past Georgetown Law team members.

Our Articles may contain references to, or short excerpts from, specific statements in the Compliance & Legal Risk podcast episodes. Please note, to benefit the Article format, in many instances, statements referenced or quoted in an Article may have been edited or shortened, may only focus on one portion of a speaker’s answer to a question or commentary on an issue, or may have had certain interim questions/statements removed. We also repeat certain phraseology in all or many of our articles to aid listeners in comparing articles across episodes and to ensure our listeners have easy access to helpful episode information. For additional context and complete speaker answers, we always encourage you to listen to the full relevant podcast episode!

____________________________________________________________________

Why I’m Excited About This Episode

“This is an extremely important area, especially given all the recent discussions and allegations in the news of cyber attacks. And I can only imagine how many more cyber attacks there probably are that never get reported or that we never even hear about. You may also recall that back in Episode 2 on privacy, we discussed privacy’s importance in the face of increased remote work, and cyber breach would seem to be equally important for the same reason.”

____________________________________________________________________

Meet Our Guest Speakers

I asked our guests to “tell us a little bit about themselves, what they do and how they got there.”

Angeline Chen

“I’ve been a lawyer for just shy of three decades, the vast majority of that time, over 22 years, I spent in-house including as a General Counsel and Chief Compliance Officer for two midsize U.S. government contractors, and two decades of my career I’ve spent in the aerospace and defense industry. I’ve also served on several boards as a director and taught a course in technology, national security, and terrorism law at George Mason University Law School for 15 years.

Currently, I’m of counsel with DLA Piper based in their Washington, DC office. My foray into the world of cyber really started from my baby steps as a litigator, where I always had a heavy interest in emergent technology into eDiscovery and then evolved into full scale cybersecurity and cyber defense while I was at Lockheed Martin, in the early days of when the defense industrial base group was being formed to combat the advanced persistent threat.”

Bodo Meseke

“I’m a partner at EY, responsible for forensic technologies within GSA. But today is all about cyber response. And how did I come to this? So I started my career in the IT area within the German Federal Criminal Police Office, where I was part of the cybercrime unit. And as I always have been very interested in computer technology, for sure this was the right place for me to be. So, in the criminal police office, we did several investigations, and so IT security always was part of it. And I left the Federal Criminal Police Office after some years, did some work as a general IT security consultant, but then came back to the roots because I’m an IT forensics guy. It’s about analyzing digital evidence and finding out what happened, what crime was committed by using an IT device. Then I founded my own company, was different expert witnesses, a lot of work we did for law enforcement. But then I joined EY, as the whole team. And now as I said, I’m responsible for the forensic technologies, which means eDiscovery, forensic data analytics and cyber response. And for cyber response, I’m globally heading this for EY, coordinating the teams across the world helping our clients in case of a cyber breach.”

____________________________________________________________________

Defining Cyber Breach and Various Types

I asked our guests “What exactly is cyber breach and what are the different kinds of cyber breaches?”

Bodo Meseke

“So maybe I’ll start with the technical part, as I’m a quite technical guy. And so the term cyber breach is related to data breach. Data breach means an incident where secure private or confidential information gets transferred to an untrusted environment. This might be intentional or unintentional.

The root cause might be different, but the problem always is the same: sensitive data is suddenly somewhere else where you don’t want to have it. And data breaches are distinguished in physical, electronic, and skimming. So this means with the cyber breach, we refer to the electronic data breach types. This is, beside attacks that lead to breaches, phishing, password cracking, and others that can create huge damage. So there are some attacks that lead to breaches immediately, like phishing or password cracking. But there are some more cyber attacks that are also very prominent and can create huge damage, but not necessarily lead to a breach like ransomware. Their data is encrypted. We will hear more about this later. Or distributed denial of service when you just want to stop computers from working. This is not necessarily a breach but a cyber attack. So in a nutshell, cyber breach means loss of data by electronic means. And I’m pretty sure that there are a lot of legal aspects.”

____________________________________________________________________

Suggestions for Small Businesses When Company Experiences Breach

After we discussed what a lawyer or executive should do if their company experienced a breach, I asked our guests whether their advice would change at all if they “were dealing with a smaller company, say like a 10 person company that didn’t have the amount of resources that maybe a global multinational might have?”

Angeline Chen

“Yeah, some of the basics we mentioned already are pretty much the same, regardless of the size of the company.  Even small businesses and midsize businesses can and should have a plan.  And in some respects, it can be a little less complex because you probably have a more contained information system, or fewer employees and therefore a higher degree of ease and training or educating them or having a sense of what’s happening.

But it’s a great point to make that small businesses certainly don’t see their ability to conduct business on an ongoing basis as any less critical to their well-being and profitability than large businesses.  And in fact, cyber breaches can in many instances completely wipe out a small business, which by definition has fewer resources and less margin for accommodating disruption.  So I think the key for small and even midsize businesses, frankly, is to prioritize smartly.  You still have to plan and prepare, at least have a plan of what you’re going to do.  And if you can’t afford or may not feel you need to hire an external consultant to help advise you, say, on creating that incident response plan or even where to start, there are frankly a lot of free resources that are geared not just to creating cyber breach response plans on a general term, but specifically focused on small businesses.  As an example, the U.S. Small Business Administration has a significant amount of resources on cybersecurity that are geared towards helping small businesses understand and prepare for cybersecurity issues and incidents.  The Chamber of Commerce also has a lot of materials, some of which are publicly accessible, to help guide small and midsize businesses as well.  Partnering with other businesses and service providers that also carry a mindset of cybersecurity and smart cyber hygiene also helps and making sure that you have a workforce, particularly if it’s a smaller workforce, where they are at least cognizant of basics of cyber hygiene and discipline and why it’s so important.  And making them feel that they have a vested interest in the company being successful on this front and this is a core part of their responsibility.”

____________________________________________________________________

Actionable Takeaways

I asked our guests for one “actionable, monetizable takeaway” for our listeners.

Angeline Chen

“Build your trusted network. Cybersecurity and cyber defense is a team sport. There is no one person in the world that can basically have the solution that’s going to basically be the best or optimized for an organization, regardless of what the attack vector might actually be. So build that trusted network, go out, be smart, be curious. It is a constantly evolving and living area, and lawyers have a really key role to play because it is also one of the most complex areas from a legal and regulatory standpoint.”

Bodo Meseke

“From my point of view, I can only say, prepare for a breach.  That should be the takeaway.  You have heard how important preparation is.  Don’t think you won’t be a target.  Don’t think your company’s not important enough or the business you do, whatever.  Prepare for a breach.  Train your team.  That is the most important thing that I can mention.”

____________________________________________________________________

Advice for Starting out

I asked our guests if “a student or someone more junior would like to do what you do or get into your area, what advice would you give them?”

Bodo Meseke

“We have some lawyers already that have technical knowledge. But the other way around, it is much more complicated to find deep dive technical people that also have an understanding of the legal aspects related to their work, or related to an accident that they don’t just act in a technical way and do not respect what are the legal constraints or whatever.

So if you really want to get really deep into this business, if you want to get in the area that I’m representing today, you really need to ramp up technical skills because digital forensics and deep understanding of what is going on in cyber tech is far beyond user level IT knowledge. You need to know what is a registry in Windows, how does it work? What do I find there? How is the file system working? How can the files be hidden into this file system? How is my web working? Do I need to reverse engineer, software code, or whatever? So you really need to do a deep dive into the technical part. This can be done, and it’s not too difficult if you have quite good technical understanding and technical interest, but it needs some time to come there, to have this really deep understanding that you can bring all the aspects together that you need for a cyber investigation from a technical perspective. But you can look for dedicated studies, trainings, join a team maybe on a basis of participation for some months or whatever, and find out if this is the right way for you. I would very much appreciate it because, as I said, meanwhile, there are very, very good lawyers with good technical understanding, but we are still lacking very, very good technical people with the right legal understanding.”

Angeline Chen

“You should do what you’re interested in. If you’re interested in cybersecurity, and you’re a lawyer, as an example, what you need to do is, one, get through law school, learn your trade. Going to law school itself does not tell you how to practice law. But if you’re interested in cybersecurity, or in things from a technological standpoint, you can pull the thread through some of the conversations that we had earlier, in that you need to learn how to at least talk to people who are IT experts, who are doing this as their trade and their profession. You need to know some of the basics. You need to know when someone says, know your information systems architecture, what that means. When someone talks about a hot backup, you need to know what that means. When someone starts talking about areas and issues that are specific to cybersecurity or cyber defense, you need to understand what ransomware is, you need to know what a business email compromise attack might be, you need to know what phishing and spear phishing and social engineering is. You also need to be technologically savvy. That doesn’t mean you have to be the first to adopt gadgets in the latest effort and stuff like that. But you need to be following what’s happening in this area as it pertains to data management, data protection, and cyber. I have had a very, very odd career path. And so I kind of would like to think that I fell into this area by accident, but it really wasn’t because looking back over time, my interest in emergent technology as an example, was there from the very beginning when I started in litigation. So figure out what is your actual passion, or your areas of interest, and then go and talk to people. If not mentors, find people that are willing to sit down and talk to you about their career paths and try to get a sense of whether or not what they’re doing really is something that would be something you’d be willing and happy to wake up every day and actually practice by way of a legal career or profession.”

____________________________________________________________________

Suggested Resources

I asked our guests to “recommend an article, book, blog, website, talk, or other resource” for our listeners.

Angeline Chen

“Well, there’s a lot of resources that are out there. I mentioned a couple of the U.S. government resources, certainly the FTC, the Small Business Association, and the SEC have a lot of information that’s out there, as do other organizations like NIST, the National Institute of Standards and Technologies, which actually has publicized a number of standards for cybersecurity.

Some of my go-to resources include Krebs on Security. I would also add Schneier on Security. National security. And one of my personal favorites CSO Perspectives and CyberWire, which is run by the former CSO of Palo Alto Networks, who used to run the circuit a lot and is incredibly insightful and warm. And another resource that I’d like to add as well, a little bit of self-promotion, I apologize for that. But the ABA has put out a cybersecurity handbook. And I am proud and privileged to have been the author of one of the chapters that specifically focuses on in-house counsel, and what in-house counsel should think about and should consider with respect to cybersecurity in this moving field. And we’re actually going into our second edition. So I would keep an eye out for that. And that could possibly be a good resource for folks as well, if they’re interested.”

Bodo Meseke

“Yeah, as my book, unfortunately, is only available in German, there’s not much to add from my side. For sure you have these governmental agencies and varied resources in other geographies as well. A quick Google search should help tell you which are the most prominent ones that you can use and you will find a lot of very good information about all these topics that we discussed today.”

I responded to Bodo that:

“I’m sure we have some German speakers listening, so they can definitely check out your book.”

____________________________________________________________________

Thought Leader Spotlight Series

Angeline Chen and another on Cybersecurity and the False Claims Act

Angeline Chen co-authored a piece with a DLA Piper colleague in May 2019 entitled “Court finds that failure to comply with cybersecurity obligations can create False Claims Act liability”. The piece discusses a court decision and states, among other takeaways:

“Cybersecurity compliance requires a multi-disciplinary team with clearly defined roles and responsibilities. At a minimum, this team should include personnel from IT, Legal, Contracts, and Program Operations. You should also evaluate whether there are other parts of your organization that would benefit from a basic understanding of the requirements and the potential consequences for noncompliance. For example, your company’s Business Development and Human Resources personnel may apply this information when evaluating new contract opportunities or recruiting and managing IT or Contracts personnel. In addition, senior management should assess how best to keep the board of directors apprised of cybersecurity compliance issues.”

Bodo Meseke and others on Cross-Boundary Cyber Threats

Bodo Meseke co-authored a piece with EY colleagues in June 2021 entitled “How do you see more clearly when cyber threats cross boundaries?”. The piece states, among other things:

“From a resourcing perspective, CISOs [Chief Information Security Officers] who can articulate the business case for allocating increased budget to cybersecurity will find it easier to secure the support they need. From a compliance viewpoint, cybersecurity will meet localized requirements through closer engagement across the enterprise. Most crucially of all, CISOs seeking to become strategic enablers and value drivers will succeed if they lead a cybersecurity function that is seen to be working to facilitate business transformation.”

It also offers multiple suggestions, including “[r]eposition[ing] the cybersecurity function as an enabler of transformation, innovation and business growth.”

Bodo Meseke on Managing Cybersecurity Risk

Bodo Meseke authored a piece in May 2020 entitled “How to go beyond a preventive mindset to manage cybersecurity risk”. The piece states, among other things:

“AI tools can be programmed to block threats automatically or outmaneuver them by sending false signals as they gather information. When a new type of malware appears, AI tools compare it to previous forms in their databases and decide if it should be automatically blocked. Machine learning can evolve to recognize ransomware before it encrypts data and can determine whether a website navigates to a malicious domain.”

It also suggests that the “most effective type of threat detection incorporates both AI and humans.”

DLA Piper on Boards, Executives, and Cyber Considerations

DLA Piper put out a piece in August 2021 entitled “Cybersecurity considerations for executives and boards of directors: How recent cyberattack trends and developments inform strategies for reducing cyber-risk”. The piece states, among other things:

“As the costs and sophistication of cyberattacks continue to rise, and as businesses continue to seek ways to streamline operations in response to the evolving COVID-19 pandemic, organizations should continue to monitor cyberattack trends and develop data governance programs. Other cyber-risk management strategies include reviewing organizational controls, developing and improving incident response plans, conducting internal and external security assessments, and training employees on incident prevention and response.”