Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Tom (00:01):
Welcome to the Emerging Litigation Podcast. This is a group project driven by HB Litigation, now part of Critical Legal Content and vLex Company's Fastcase and Law Street Media. I'm your host, Tom Hagy, longtime litigation news editor and publisher and current litigation enthusiast. If you wish to reach me, please check the appropriate links in the show notes. This podcast is also a companion to the Journal of Emerging Issues and Litigation, for which I serve as editor-in-chief, published by Fastcase Full Court Press. And now here's today's episode. If you like what you hear, please give us a rating.

President Biden, you've heard of him. He's been in the news a lot recently after a pretty big move that's got a lot of people talking, and, of course, I'm referring to his recent National Security Memorandum, which underscores the importance of cybersecurity to protect the nation's infrastructure. Did I trick you at all there? The memorandum highlights escalating threats facing critical sectors like energy, water and transportation, emphasizing the need for robust defenses and coordinated responses to protect against malicious activities. Foreshadowing: the memorandum enhances the role of the Cybersecurity and Infrastructure Security Agency, CISA, in overseeing and strengthening resilience against cyber threats nationwide. And, although not a cyber attack, the recent CrowdStrike blue screen of death takedown that affected airlines, banks, supermarkets, hospitals and other businesses is a cautionary tale. The effects of a software glitch, something bad in the software, certainly felt to those affected like a malware attack or something malicious. You know, "mal" being Latin for bad, and "ware" you know from software. I think I've over-explained that.

According to reports, parties are considering legal action against CrowdStrike. It's the worldwide leader in endpoint security. They're considering going after them for costs incurred from the disruptions or for potential violations of federal securities laws, investors having experienced a drop in stock value after the incident. There could be other customer lawsuits, regulatory fines. There'll be increased operational costs and potential loss of business as some clients may migrate to other service providers. So there's plenty of blame and finger-pointing. A Microsoft spokesperson told the Wall Street Journal that it was forced by the European Commission in 2009 to open up Windows to third-party security companies like CrowdStrike, giving them the same level of access to Windows that it gets itself. He suggests the takedown can be traced all the way back to that decision. Questions are going to be asked about whether the company took all the proper precautions, like testing and staggering rollouts and having rollback mechanisms and using enhanced monitoring systems, all of which the company may have done. You know, they're a wildly popular company around the world and, as far as I know, have a pretty impressive track record to get to where they are. So did they just have a bad day? We all have those. Their legal department and outside counsel, either way, are certain to have their hands full as plaintiff attorneys circle in the aftermath.

So let's dive into all of this with updates on ransomware, supply chain vulnerabilities, critical infrastructure attacks, nation-state attacks and the good old internet of things, what we can learn about President Biden's national security memorandum and what we can learn from CrowdStrike's very bad day. My guest, as I artfully foreshadowed, is Elizabeth Burgin Waller at the Woods Rogers law firm. In addition to a JD from William and Mary School of Law, she is certified as a privacy law specialist by the International Association of Privacy Professionals, which is accredited by the American Bar Association, and a certified information privacy professional with expertise in both US and European law. She's also a certified information privacy manager from the IAPP and, something dear to my heart, she graduated magna cum laude with a BA in creative writing. Who doesn't love that? I know I do. So here's my interview with Elizabeth Burgin Waller. Can I call you Beth? Of Woods Rogers in Virginia. I hope you enjoy it.

Beth Burgin Waller, thank you very much for talking to me today.
Beth (04:41):
Thank you, it's a pleasure to be here.
Tom (04:42):
Today we're going to talk about critical infrastructure risks in the cybersecurity context, and so there are a couple of big items that we're leading into with this. One is President Biden's recent national security memorandum, and then we had a more recent event that, while not an attack, was certainly a takedown, and we're going to talk about CrowdStrike, too. Why don't we kick off with ransomware attacks? I haven't tracked them lately. I know for a while they were like the biggest thing and, oh my gosh, everybody was scared to death of them. But are they? Do ransomware attacks continue to increase? Have they changed at all?
Beth (05:21):
Ransomware attacks have continued to increase, really in terms of their breadth and scope. Maybe they're not as prevalent as we see them in terms of little minor ones popping up on the regular, but they have started to increase again. There was a period of time, especially right after the Russian invasion of Ukraine, where there was a little bit of a quiet period of time. Now we've started to see them increase and really, in terms of their sophistication, they've gotten much more damaging over the course of the last few years.
Tom (05:52):
Nothing exposed the supply chain vulnerabilities, I think, like COVID did, when car parts and medicines and everything else were suddenly held up. So what can you tell us about those vulnerabilities?
Beth (06:06):
Well, I think increasingly businesses are supported by a wide range of different suppliers. We see that across, you know. It could be a mom and pop that's helping a manufacturing company keep a certain piece of equipment online. It could be a large-scale software system that is keeping the entire operation going from an enterprise level. But increasingly, supply chain risk is critical, and you actually see that being reflected also with the Securities Exchange Commission. Recently they've issued some guidance that says that public companies need to address in their disclosures, in their risk disclosures they need to be sharing: how is it that they are looking at third-party supply chain risk and how are they managing that, so that investors can have an understanding of public companies and how they're managing these types of concerns and considerations?

So when I look at this, for a lot of my clients, what we tend to look at is, you know, how are we assessing these vendors? That is, how are we bringing them in the door? Are we looking at their security posture? Are we examining it? And then also, from a contractual standpoint, how are we addressing the risk that they present? So are we putting out contracts, similar to security contracts, or addendums or data privacy addendums associated with the engagements that we have with these third-party suppliers, so that we're really protecting against the risks that they may present? And a lot of times in these agreements that we're putting forward, we're having them step up in terms of: this is the type of security that we're going to maintain while we're providing services or products to you. This is the type of cyber insurance that we're going to maintain while we're providing services to you. In other words, we're going to keep at least $5 million in cyber insurance coverage out there if I'm a vendor, or require that of my vendors. And then also, if the vendor experiences a breach, and this is really critical, how are they going to make you as a business whole? How is it that they are going to come and provide both information about the incident? Do they have to provide you a notice within a period of hours or days or "immediately," you know, quote unquote. I'm using scare quotes, but immediately, you know. But the idea being that, you know, what are we requiring of our vendors and how are we making sure that they tell us about the issue that they're facing? How are we making sure that they stand up and provide notifications to our customers or employees if they've experienced a breach?

And then the other thing that we're building into these provisions is also indemnification for things like attorney's fees. So let's say that I represent company A, who has a vendor that's experienced a big breach and we've lost all of the social security numbers of our 10,000-plus employees, right? Well, company A is hiring me as outside counsel to represent them, to look at the vendor's issues, and so they are incurring costs associated with outside counsel fees. What we're really trying to make sure we have in place in these contracts is the ability to recoup those costs. So what we're building into these security supplements is the idea that not only are you going to provide the breach notice to my employees, but you're now also going to provide my attorney's fees for having to deal with the headache that you caused. And so these agreements are really critical to making sure that we shore up some of this supply chain risk.
Tom (09:15):
Yeah, you know what, and I'm going to come back to critical infrastructure, because we'll see if that's appropriate, but I want to come back to that in a minute. Okay, nation-state threats, how is that going? I mean, we certainly will hear a lot of it, I guess in the, well, I don't know when it's not political season, but leading up to elections and things. But what can you tell us about nation-state threats? Are they persistent? Are they increasing? What? What should we tell people about those?
Beth (09:43):
They are persistent and, I think, increasing, and what is a little bit scary is that with nation states, they're not, you know, banging around making a lot of noise that they're there, right. The idea being, what we've seen, for example, in the water critical infrastructure space, is that there is a lot of concern that there are what we call, in the industry, advanced persistent threats or APTs, or the idea that they're in hiding, lying in wait. For example, China, you know, dug in deep with the idea being that, if they did decide to take an offensive action against Taiwan, that they would be able to utilize this as a distraction to our national security by impacting something like our water or, for example, the power grid or things of that nature, in order to again distract from what they may be doing abroad. So nation states are absolutely active and in the field. It's a little bit more difficult to ascertain that someone is, you know, associated with them, but they're absolutely out there.

You do, a lot of times, the challenges in terms of trying to go after some of these nation states, that's really a US government-related issue versus a private entity or a local government, for example, in the national critical infrastructure space, but you do occasionally see the takedown of threat actors. It's not common, because what we're dealing with is a criminal underworld, and so a lot of times they're masking their location through IP masking services, or kind of like hiding your phone number, right. They try to show up as if they're coming from a different location than they actually are. But you do occasionally see the takedown of some of these threat actors. We saw it most recently with the takedown of LockBit. Now, these ransomware gangs all have kind of nonsense names, and LockBit was one of them. But in Operation Cronos, which was the project name from the, it was across FBI, UK, you know, a US-UK law enforcement takedown of one of these big ransomware gangs. They were able to take down the ransomware threat actor's website. They were able to also do an unmasking, as they called it, of LockBitSupp, which is like the supervisor, so LockBit S-U-P-P, and they were able to identify him as a man named Dmitry Khoroshev. Of course they sanctioned him, but he was based in Russia. So the concern is a lot of these folks live in places where we can't really extradite them or get them here on US soil to be prosecuted, and so instead we're really left with things like sanctions or public shaming, if you will, to share that this is who they are and what they're about.
Tom (12:21):
Yeah, that'll get them, that's right. It seems like naming these different groups must be the most fun. The rest of it, that's right, that's right.
Beth (12:32):
Well, a lot of times they have wild names like Royal or, like I said, LockBit, or, you know, Akira, which I always think of. It has almost like an Atari interface on their website. And most of the time they have these names. A lot of times too, it's now developed not just as kind of one gang, but they've developed what we call ransomware as a service. It's almost like software as a service or like a Chick-fil-A franchise. So it's like, hey, I'm going to go get me a LockBit franchise and I'm going to go out there and say that I'm part of LockBit, and I just send back to the mothership, much like in a franchisee kind of scenario, I send back a taste and I get to use their mark and their materials to say that I'm associated with this. And so that's really what's caused kind of ransomware to spread a little bit like the octopus tendons everywhere, is you've got, you know, people all over the place. It could be two dudes in a basement sitting in Baltimore, or it could be, you know, a nation state like North Korea. You just don't know.
Tom (13:30):
I don't know if the franchise model, if there's any history for that in crime. If I thought about it for a bit, I mean, did the mafia have that?
Beth (13:37):
I suppose. To some extent, maybe.
Tom (13:39):
Yeah, they did, that's right. Yeah, maybe like if you were a New York mob, maybe you were out and, like, you had the Toledo franchise, right.
Beth (13:47):
Well, the challenge too, with, you know. People often ask me, knowing that I'm a cybersecurity attorney, they say, OK, well, would you pay a ransom, or do you suggest paying a ransom? Or they kind of assume a position on ransom payments. And what I tell people is, again, when you think about it, it is like the mob family or, like, you know, Tony Soprano. If you're making a payment to, if you watch the Sopranos, you know, you're saying you're making a payment to Tony. That doesn't mean that Christopher Moltisanti or some other member of the family is not going to come along, right, and ask for a taste as well. So you have to understand you're dealing with criminals, and so, yes, they're going to make promises, but are they promises they intend to keep? Who knows? And so that's why we often recommend not making a ransom payment, if you can help it.
Tom (14:28):
You obviously did watch the Sopranos. You know not only the first name, but the last name of Christopher, et cetera.
Beth (14:35):
That's right. That's right. I'm a big Sopranos fan. That's right.
Tom (14:36):
I get tired of having them in my living room. I loved it, but after a while I'm like, you know, I hate everybody here.
Beth (14:41):
I don't even like the kids.
Tom (14:43):
I didn't like the FBI, I didn't like the kids, I didn't like the priest.
Beth (14:49):
That's right. Check that out, yeah.
Tom (14:52):
If you're a Sopranos fan, they are charming and funny, because they really bonded as kids on that show, and they talk about how James Gandolfini was really protective of them, and now they are so sweet and funny. It's just, it's cool. So the Internet of Things, that was really hip and in vogue for a while. Everybody was talking about that, but is that still an issue?
Beth (15:19):
Absolutely. I think we see more and more connected devices everywhere you turn. I mean, right now your fridge, your refrigerator, might even have an IP address associated with it and will tell you when it's out of milk. I most recently was driving my car and it sent me a text message telling me that it had a low tire. You know, so it is. You know, the internet of things is really everywhere at this stage, and so one of the concerns, especially if you're representing businesses or even within a law firm or otherwise, you know, one of the concerns is thinking about, okay, you know, this is a connected device, which means it's connected to something and it's potentially on our network. Is it a doorway in? Is it a way for somebody to gain a foothold, as we call it, into our environment, and how do we protect against that? And it goes back to some of the contract issues that we talked about before. Whether it's direct access into your network with a VPN or whether it's just this teeny little device that's connecting in, each of them can have the same level of risk, and so you need to be thinking of that and really contracting around that risk.
Tom (16:17):
I didn't mean to ask the question as though I'm some rube who didn't know the Internet of Things was still a thing. I was just, you know.
Beth (16:22):
I like it.
Tom (16:23):
Just so people know that I ask questions as if I don't know anything, and in some cases I really don't. But I am familiar with that, and also I'm a very satisfied CPAP machine user. You know, sometimes I will wake up with a hose around my neck, but mostly I think it's fine. But I will get texts saying, I did get, oh, I got a call from my general practitioner saying, we see you're really only breathing, you know, you're not breathing nearly this many, oh. And then they sent something about my heart, and so I had to go get my heart checked.
Beth (16:55):
Right. Well, there's benefits with connected devices, like you say, and I think that, putting my privacy attorney hat on for a second, because I practice in privacy and cybersecurity, you have both the security concerns, but you also have the privacy-related concerns, especially with these health-related devices where they are learning such intimate information about you. I mean, here, you know, sitting here with my Fitbit on, and it's tracking my emotion, you know, it's tracking me as well, you know, and so that is a trade-off here as a consumer, right, in terms of what it is I'm willing to share in order to get that convenience. And a lot of times I think we see people really opting for, hey, I want my doctor to give me that call and tell me I have the potential heart issue. And I tell businesses all the time, in terms of privacy policy drafting, it's not a question of can we collect this information under the laws. It really is a question of have we disclosed to people what it is that we are collecting, and are we properly sharing that information with people, that this is what we may learn about you? Are you okay with it? Then, yes, continue using our product.
Tom (17:58):
Yeah, no, it was. Yeah, it was certainly welcome news. I mean, anyway, one thing led to another, but we don't need to talk about my health. I'm healthy. Thank you for asking. But I want to get to CrowdStrike and then talk about critical infrastructure, because I feel like some of the things that were impacted, not everything, but some of the things, had to do with critical infrastructure, because a cyber attack can affect energy, like you said, water, health care and then, in the case of CrowdStrike, travel. I don't know if financial systems were affected. I feel like they might have been, but I can't. Anyway, financial systems obviously would be a big thing to shut down, and business operations for some companies. Let's talk about CrowdStrike. So we kind of kicked it off and I said, correct me if I'm wrong, but it seems like CrowdStrike is, while it wasn't an attack, it's certainly the ramifications of it, the effects of it, were very similar to a serious attack. So what can you tell us about the CrowdStrike? For people who, speaking of fun names, what I was reading about it was, it was an outage caused by CrowdStrike, was due to a faulty update in their Falcon sensor software, which is a fun name, which led to the widespread blue screen of death, which is actually a term of art. But anyway, why don't you tell us about what happened there? Sure, and then what was the impact?
Beth (19:24):
So absolutely. Well, CrowdStrike, if you're not familiar, is a cybersecurity software company. So what is kind of interesting about this, as you said, is, you know, here we have the impact, if you will, of a wide-scale ransomware event without the malicious intent. We had people crippled down, it took time to go door-to-door to get things fixed. That's a lot like a ransomware event, but wasn't a ransomware event. CrowdStrike provided, as you noted, this Falcon software and has sensors, essentially, on devices that are supposed to alert to a cybersecurity-related event. So they provide what's called an EDR, or an endpoint detection response tool or software tool, and they're really, in terms of market share, I would say they're seen as one of the top three providers in this space, and so you see them everywhere, and they really are, at least prior to this incident, were known as being the gold standard in terms of what it is you could get for an endpoint detection response tool or partner.

But what happened, or what we are learning has happened, is that they essentially pushed out a software update, and they have conducted their own internal investigation, or have been reporting on the fact that they've conducted their own internal investigation, and it appears that normally when they push out a software update, it would run through kind of a series of tests or some sort of mechanism to make sure it wasn't going to break the internet, and instead, unfortunately, they ran it through and they did not run it through that process, or that process did not go through the way that it was supposed to go through. So, essentially, what we have is a glitch, and I think there's going to be a lot of questions around the lead-up in terms of what was CrowdStrike doing to make sure that its software was properly updated and run in a non-negligent, to use a legal term, fashion, and then also what was the impact of that to businesses that were customers of CrowdStrike?

Obviously, we saw the blue screen of death, as you saw it popping up, at least a lot of reporting around it popping up in airlines, right. So you saw Delta, apparently, as a major CrowdStrike customer, and you saw pictures of blue screens of death across a lot of boarding gates, right, because what ended up needing to happen in order to fix it, and this was the big problem, was that it wasn't something that you could fix with what we call, like, a group policy push-out, or like a big, you know, a single push from the IT administrators of Delta, for example, out the door. Instead, the only workaround was to go door to door and to fix it manually, so you had to go and touch each device that had been impacted to get around that blue screen of death. So that's what really caused the widespread concern. Businesses that had sophisticated IT departments or a lot of boots on the ground, or perhaps who were creative in terms of how they were trying to get operational, you saw them really resolve the issue quickly. But other businesses where perhaps they had a lot of devices spread out over a lot of different places, that obviously took a lot more time to go door to door, and so I think you will see a lot of businesses experience downtime, because it really did critically impact a lot of businesses across not only the United States but abroad, and I think that we're going to see claims being made against CrowdStrike for that, for those related concerns.
Tom (22:39):
Yeah, that's where I wanted to end up, is what is the potential liability? I saw talk of, you know, somebody either thinking of lawsuits, and then I saw, so what is the liability? And then a lot of it had to do, going back to your previous comments, around what's in the contract. So there's some discussion in contract versus tort law. Well, talk to me about the liabilities.
Beth (23:03):
Sure. Well, one of the first things that I, when I woke up that morning and was hearing about kind of widespread doom and gloom, one of the first things that I thought of was, well, let me go look at the terms and conditions, because, being a software company, a lot of times terms and conditions are published online, right, or they're standard terms and conditions. So we do have available the CrowdStrike terms and conditions. Their standard terms are posted online. Now, for most businesses that may not have had a lot of leverage in the negotiation process, they're probably going to be limited to those standard terms and conditions. For others, maybe, again, I keep coming back to Delta Airlines as my example here, maybe they had something different where they were able to navigate or negotiate around some of those types of terms or the standard terms. But, as you see, in these, you know, types, it's a very standard software contract, right. You have a limitation of liability clause in it. You have, you know, disclaimers of consequential damages, which would include things like lost profits and downtime, and then that limitation of liability does state that neither party, and I'm quoting, shall be liable for more than, quote, "an amount that exceeds the total fees paid or payable to CrowdStrike for the relevant offering during that offering subscription slash order," and so, end quote. So again, the idea being that you are limited to fees paid, even if you can get around the consequential damages disclaimer. But the terms are governed by California law. So I think it's going to be a question, and venue is in California. So I think we may see some lawsuits pop up in California courts, and we'll have to see what the courts do with these terms and conditions and what they say those terms mean.

We are also seeing, so you have kind of claims, business against business, against CrowdStrike, so I think that could occur. You also have shareholder claims that have already started popping up. Within the first 24 hours you saw advertisements for shareholder class action lawsuits against CrowdStrike. You also saw some other class actions being potentially thrown around, the idea of maybe other businesses joining in, potentially, into a class. Then, of course, there's also the bucket of impacted, you know, let's say that I am a business that was impacted. There are also possible claims against cyber insurers as well. So the idea, and this is really where, from a geeky lawyer standpoint, where I'm interested to see what happens, because, as you said, this is not a malicious software event. This is potentially a negligent push-out of a software update. Again, I say potentially, because again some court is going to have to make that determination, but we have a software impact or glitch that essentially caused this impact. But a lot of cyber insurance has, or several, there are cyber insurance policies that have basically business interruption clauses in them, and so we are seeing claims being made under those policies, and so we'll have to see what the insurance carriers really do with that and whether those types of matters end up in the courts as well. The idea being, what does this term mean under the insurance policy? I think we're going to see that happen. I will say I think I saw that at least one major carrier had its public filing, you know, financial disclosure, within the last few days, and it had not updated its guidance suggesting that it thought it was going to have widespread losses from this. So they may be feeling pretty confident about the language that they've used, the idea that it's got to be a malicious software or a malicious event that triggers this. But I think we're going to see this play out in the courts, and I think the cyber insurance industry is also going to be really watching it closely.
Tom (26:34):
They end up paying or not paying for a lot of things, and then when they don't, obviously then there's massive litigation. You talked about geeking out about insurance law when I told you earlier about how all I did for years and years was write about law. For many years, all I wrote about was the pollution exclusion in insurance contracts. Exactly, yeah. So boring, right. No one wanted to talk to me about that, but I was, I became, like, so interested. To me, that's when law, to me, became.
Beth (27:06):
It's like a philosophical argument that has a big impact, a real-world impact. It's not just, you know, what do you think, in any way. So I appreciate the geekiness. Well, I really think that that pollution exclusion that you're talking about, it's the same kind of, it's the same thing you were wrestling with back in the day on that particular exclusion. The same kind of concerns are going to emerge related to this dependent business interruption and all this jazz, those types of provisions, and we saw this also happen with cyber war exclusions a couple of years ago too. Even if it's not reflected in the courts, I certainly think it's going to be reflected in policy drafts and specimens that we see in the next few years, that it's going to be absolutely crystal clear that this relates to a malicious event. It's not a whoops, whoopsie-daisy, you know, the intern hit the wrong button on a Friday afternoon and sent down the internet, or took down the internet. I think it's going to be, you know, much, it's going to be spelled out a lot clearer if there is ambiguity currently in those policies.
Tom (28:08):
Yeah, no, I mean, there was an original draft of the pollution exclusion where they actually had the word, the phrase "whoopsie daisy" in it. It's a legal term. Well, it had to do with "sudden and accidental." Accidental is whoopsie daisy. I'll just ask you this question generally. How a company reacts when an event like this happens has to have a huge impact on their liability or their insurance coverage, right?
Beth (28:33):
Absolutely.
Tom (28:35):
So did you observe anything here that, or would you have, in general, like, what maybe a company should do when this happens?
Beth (28:41):
Well, I will say that I
think you have to be.
It depends on what, in terms ofif you're thinking of it from
if I was representing somebodywho had the whoopsie daisy that
occurred.
I think that there arecertainly things that they did
right from out the gate, whichis, you know, within something
like 78 minutes, they had madethe determination as to what it
was that had broken and they hadgotten the fix out.
(29:02):
The problem was, the fix was such a manual fix that nobody could fix it fast enough, and so, you know, I think being transparent is a really good thing. I will say that there, when you look at where they are from a Securities Exchange Commission filing standpoint, that's where I think it's getting very interesting. And again, from a geeky standpoint, interesting because
(29:23):
they filed an 8-K. They did not file it under the, and I won't go down too deep in the weeds under securities laws, but they went down a different path than the cybersecurity material incident path. They made a disclosure, it was very brief, and they said, hey, this is an evolving situation. We continue to evaluate the impact of the event on our
(29:45):
business and operations, but they didn't describe it as a material event, and so I think that's going to be interesting to watch. Maybe pop some popcorn and see what happens with the SEC and the courts and shareholders in the future about: was this an appropriate disclosure of what it is that they faced? They didn't say a lot of our customers are mad at us. They didn't say we were being called to testify before
(30:07):
Congress.
Like, they didn't say some of those issues. Maybe they don't need to say them right away, but I think, again, much in the same way that insurance policies tend to catch up after something like this, we could see also regulations catch up after this and say, OK, technically you're right, OK, we'll play the game. This may not be a cybersecurity incident, but you still had a
(30:28):
requirement to tell your investors or your shareholders that this was a severe event. And did you meet the letter of the law, question mark? We don't know.
Tom (30:40):
I'll say this: it was a cyber event. You know what I mean.
Beth (30:44):
Right, I think it's interesting because what also happened, and again, to geek out briefly, is that there was another major incident that affected another software company within the last few years that had a lawsuit from the Securities Exchange Commission. That's SolarWinds. SolarWinds, the Securities Exchange Commission sued the SolarWinds software company and they also sued the chief
(31:04):
information security officer, Tim Brown, and the industry, in particular my industry, was really watching what was happening with that particular lawsuit, because it was the first time really that a CISO, chief information security officer, had been named to be basically personally liable for something like this. And what was wild is, the day before the CrowdStrike incident, you have SolarWinds.
(31:26):
The district court issued its opinion on the motion to dismiss related to the Securities Exchange Commission filing, or the really large complaint filed against the CISO and SolarWinds, and the court really gutted that particular lawsuit by the SEC and said, look, SolarWinds was transparent with its shareholders,
(31:47):
you know, because they were really relying on pre-incident Securities Exchange Commission filings and post-incident Securities Exchange Commission filings.
The SEC was in its complaint, and the court cut a lot of that out and said, listen, you don't need to get into, like, maximal specificity around these incidents and what has occurred, but you do need to convey the severity of the situation. So, you know, in the dust settling around SolarWinds, bam,
(32:09):
here comes CrowdStrike and says, evolving situation, we will let you know. So we'll see again what's going to happen from a regulation standpoint, in terms of are there going to be, is there additional guidance that's going to come out to companies about these types of issues, that, like, look, you need to really get into sharing with people the impact this can have on the brand and on the finances of the company.
Tom (32:32):
Yeah, yeah, what companies say publicly, what they say in SEC. And it's like, if you want to feel bad for companies, sometimes I do, it's like, well, if we apologize, does that mean something? Were you admitting something? And then what they say, that'll affect their stock value. That can just be wildly, like. It doesn't take...
(32:52):
Somebody sneezes and suddenly everybody wants to sell. And I do remember when I first started covering anything to do with the SEC and reading this, reading these, their five company filings, I was always impressed with the disclaimer that, by the way, everything here might be wrong. I don't know, I'm paraphrasing, but I feel like there's a disclaimer like that. It's like, this is forward-looking.
Beth (33:12):
Forward-looking, like, we don't know. We don't know, we don't have a magic eight ball, right? Exactly, but I do think that you do know something, and so I think you have a duty to share something. Sure, but, like you said, in the immediate aftermath, and back
(33:38):
to kind of ransomware concerns, you know, being one of the first people called to the scene, almost like the fire truck, you know, my concern is immediately about privilege, and it is about what is it that we're saying in the first few moments, because class action lawsuits can occur. There is a chessboard that immediately starts to emerge, where everything we're doing in the immediate aftermath could be used, can and will likely be used against us in future litigation. So, trying to be both transparent with your constituents and be open and upfront about things, but then
(34:00):
also, to your point, be very careful about: do you say you're sorry, yes or no, you know? Do you admit some sort of liability? Hopefully not, you know. So the goal is to really, it's a fine line, and really it's a very difficult needle to thread.
Tom (34:15):
So, Beth, thank you very much for talking to me today. This was fun.
Beth (34:18):
Thank you. It was great to be here and to geek out with you.
Tom (34:24):
That concludes this episode of the Emerging Litigation Podcast, a co-production of HB Litigation, Critical Legal Content, vLex Fastcase and our friends at Law Street Media. I'm Tom Hagy, your host, which would explain why I'm talking. Please feel free to reach out to me if you have ideas for a future episode, and don't hesitate to share this with
(34:45):
clients, colleagues, friends, animals you may have left at home, teenagers you irresponsibly left unsupervised, and certain classifications of fruits and vegetables. And if you feel so moved, please give us a rating. Those always help. Thank you for listening.