We hear plenty about data breaches and cyber crimes in the news, but most of us don’t know much about the day-to-day practice of those trusted to deal with them. Darius Davenport joins Digital Detectives hosts John Simek and Sharon Nelson to discuss how he helps his clients deal with cybersecurity concerns and privacy matters. He shares the path that led him to this specialized practice, the kind of matters he deals with, and the advice he has for his clients and any business that needs to protect its data.
Darius Davenport is a partner and chairman of the Cybersecurity and Data Privacy Practice Group of Crenshaw, Ware & Martin.
Special thanks to our sponsor, PInow.
Data Breach Lawyers: A View from the Trenches
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 103rd edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics cybersecurity and information technology firm in Fairfax, Virginia.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is, Data Breach Lawyers: A View from the Trenches.
Sharon D. Nelson: Before we get started, I would like to thank our sponsor.
We would like to thank PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: Our guest today is Darius Davenport, a Partner and Chairman of the Cybersecurity and Data Privacy Practice Group of Crenshaw, Ware & Martin. His practice focuses on data privacy laws and regulations, helping clients mitigate cyber risk, and dealing with the legal and practical problems resulting from cyber incidents. His cybersecurity counsel to businesses and municipalities includes drafting and review of incident response plans, cybersecurity employee policies, technology contracts and conducting cybersecurity and breach response exercises.
It’s great to have you with us today, Darius.
Darius K. Davenport: Well, Sharon and John, I really appreciate you all inviting me to take part in the program today.
Sharon D. Nelson: Well, we are thrilled you’re here and by way of informing the audience Darius and I have worked together on a special committee of the Virginia State Bar examining the future of law practice, and that’s how we got to know each other, and it’s been a great pleasure working with you, Darius. So, tell us if you would, a little bit about the work you are doing now on data breaches and privacy law in your law firm, and of course, please tell us how our listeners can contact you?
Darius K. Davenport: I think John’s introduction was great as far as kind of giving a big picture of the work that we do here at the firm, but one of the things I’d like to say is that we provide scalable legal cybersecurity and data privacy solutions through our incident-response plans, our employee policies, tabletop exercises, and employee training.
And it’s also important to note that because they are scalable they are also cost-effective and they are accessible to every level of business; and so, if anyone has any questions, please, they can contact me at [email protected] and also, because data incidents, you never know when they are going to occur, we have a cybersecurity data incident hotline at our firm and you can reach us at (757) 802-9043.
John W. Simek: Well, Darius, the last I looked we really didn’t have cybersecurity, cyber law, whatever you want to call it, especially or at least within law school, but most lawyers certainly didn’t start out, practicing that, so what kind of law did — I’m assuming you didn’t do that, but what kind of law did you practice originally and how did you move into this whole brand new world of data breach and privacy law?
Darius K. Davenport: Well, there’s probably maybe a six-step process and first and foremost I started my legal career as an Army JAG and what that did for me, I was practicing, I was a Special Assistant U.S. Attorney, I also did a lot of administrative law for the Army JAG Corps, but what it did, it allowed me to begin to practice in a secure computing environment, and even though at that time I wasn’t even really aware of it, so that gave me a little bit of a background and framework of what a secure computing environment looked like in the workplace.
But, after the JAG Corps, I began to enter private practice again. I did some maritime law and I was a Public Sector Attorney and also did some work working with a lot of our business clients here at Crenshaw, Ware & Martin.
As we kind of moved through the process I began to explore some new practice areas and looking for areas that were going to be growth in areas that could take our law firm into the future. And one of the areas where we saw growth was in the technology area, and I think a lot of times when we think of technology we think about things like patent law, but really there were areas that I found interesting when it came to areas of data privacy and security, and that meshed up well with my general love for computers.
In law school I had to build my computer during my first year of law school and I consider myself kind of a member of the DOS generation because when I began to use computers we were still typing in DOS commands, and so to kind of have that background of understanding what’s running in the background of Windows when things like breaches when they became kind of more prominent in the headlines, also kind of tying that in with the nexus of privacy and security around the same time.
We started to realize that when it comes to the modern business, its value oftentimes is in its data. A few years ago when we transferred our IT companies for our firm I was looking at two four-terabyte hard drives and our whole law firm was basically on those two drives, and so anything that threatens our data also is a threat to business, and so we started with our firm, seeing what we could do to increase our cyber-hygiene, our cybersecurity, and then after we started with our firm we completed that process as far as drafting plans and employee policies and getting those things in place.
In training everyone we said this is the same kind of a service that we need to be able to provide to our clients as businesses in the local Hampton Roads area.
John W. Simek: Well, Darius, you are a man after my own heart. The next time you come up here to visit, I’m going to fire up my IBM AT model 239 — that has that 30 megabyte drive in it and we’ll practice DOS commands together.
Sharon D. Nelson: I’ll serve the beer but I am otherwise out of this little party.
Darius, a lot of times as John and I travel around, we get lawyers asking us about how to incorporate data breach law and privacy law and their practices, what suggestions do you have for them?
Darius K. Davenport: I think the major suggestion that I have first and foremost is to begin to study, and that study kind of breaks down maybe into three different buckets. The first is just kind of getting an understanding of the technology that’s in play, and that can be just basic computing. If you have clients that have certain or special computing or IT needs, just kind of getting an understanding of the technology and even the technology that’s associated with typical, traditional, modern data breaches, that’s number one.
But I think, number two is, getting a fundamental understanding of what breach response means when it equals? How does the breach response process play out? And I think there are a lot of great resources from NIST that kind of spell out these are some of the steps that you would take. If they have an incident handling guidebook that you could kind of begin to study some of those breach response techniques.
But then also there’s the law, because cybersecurity, it really grows out of privacy law and so when you look at a data breach you’re really dealing with a breach of some aspect of privacy law, and when you look at the law, there is a whole new myriad of opportunities because there’s medical, there’s education, there’s children, there’s financial, there’s online, there’s banking, there are industry specific regulations that someone may be dealing with, there’s telecom, there is workplace, there’s Internet of Things, and then there are those things that we don’t even know that are coming down the pipeline that we’re not even aware of; and so, those kind of the major three buckets of study, technology breach response, and then all the various areas of law.
Personally, kind of when I got involved in it as a veteran the VA was offering an online Carnegie Mellon course, and that’s where I began to learn things about like the CIA triad of confidentiality, integrity and availability, and that’s where I picked up a lot of the NIST security framework of identify, protect, detect, respond, recover, and for those who want to add data privacy as a practice group or as a specialty, there are a lot of great conferences out there as well. The Defense Research Institute, they do an annual conference and that’s where I first met some individuals who were doing cybersecurity and data privacy work at very high levels. There’s also the advising conference which kind of brings a mix of insurance professionals who are kind of into the cyber insurance marketplace and those high-end attorneys doing some data privacy work, as well as NetDiligence.
And then also kind of as I mentioned before because cybersecurity has underpinnings and privacy, there’s also IAPP, the International Association of Privacy Professionals.
So those are some really great resources for anyone who’s interested in getting their feet wet in the field of data privacy and security.
John W. Simek: Can you talk a little bit and for our listeners about the reasons that you’re most often called by potential clients and what kind of work is involved in that?
Darius K. Davenport: Sure. One of the reasons why a lot of times we get involved with some of our clients is because an incident has taken place, some kind of data incident, whether it be a data breach or some other unspecified data incident like a ransomware attack.
And typically, the first things that we are trying to do, is to respond to that incident and then recover. One of the things that I don’t think businesses fully appreciate is that if your computer systems go down, if your data has been ransomed or if your data has been erased, you can no longer do business and the time that it takes for you to recover, that is a lot of lost productivity as far as your organization is concerned.
And so, one of the things that we try to do is to get people back up and running as soon as possible, and I think the next thing is making a legal determination as to whether a data breach has actually occurred. And I distinguish between a data incident and a data breach, because a data incident could be something like a ransomware attack, where you’ve just been denied access to your data.
But a data breach by most state laws equals that personally identifiable information has been stolen from your organization and then malicious actors likely will use that information in nefarious ways. And so, if a data breach occurs then notifications need to take place.
And so, one of the things we do is work with data forensics companies to determine did data, or more specifically personal information, leave the organization, wherein now we need to notify individuals who may have been affected by that actual breach. Then I think a little later on, because a lot of times these data incidents or breaches, they originate with employees, about 25% of data breaches are caused by employees.
And so, there may be some follow-on employee discipline that needs to take place and that you kind of have an employment law nexus associated with that. But then also depending on the clients’ industry, there may be some regulatory compliance issues that need to be dealt with.
I had a client not too long ago, they do some financial services work and because of a ransomware attack, several months of client data was missing when the regulators came, and then we had to work with the regulators to kind of craft the right message to describe what happened and satisfy what they wanted from the organization from a regulatory perspective. Then, kind of what happens oftentimes is that once we’re able to work through the incident, then that organization sees the light and says, hey, now we need to do some incident response planning. And that’s when we get into drafting incident response plans, drafting employee policies, tabletop exercises and the like.
Sharon D. Nelson: Thank you, that’s very helpful. Can you tell us a little bit about how you stay up with the complexities of data breach law with all the different laws in different states and the European Union, etc.? If you could just tell us briefly how you achieve that magic, that would be very helpful.
Darius K. Davenport: Well, I think one of the things I already mentioned so, the conferences; the conferences are great because oftentimes, what you’ll find, you’ll have individuals from the EU who are practicing, who will come over and they will give us the firsthand perspective of the issues related to GDPR that we need to be made aware of.
And it’s kind of tricky sometimes because it’s European, it’s in English but the language usage is a little different. And so —
Sharon D. Nelson: You think — yes, we have a lot of trouble with that.
John W. Simek: You mean it’s not scheduled.
Sharon D. Nelson: We were just teasing our friends this morning about that.
Darius K. Davenport: So when someone can kind of sit down and explain it to you, that’s very helpful, but then I think they are just — I think anything from podcasts and just doing a lot of Internet research, those are some of the things that I do to kind of stay abreast because it’s an area of the law that’s very fluid and rapidly changing. So information becomes stale quickly, so you got to constantly kind of stay on top of it.
Sharon D. Nelson: You are preaching to the choir.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the U.S. and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Data Breach Lawyers: A View from the Trenches. Our guest today is Darius Davenport, a Partner and Chairman of the Cybersecurity and Data Privacy Practice Group of Crenshaw, Ware & Martin.
John W. Simek: Well, Darius, I think you touched a little bit on this next question in the first part of our podcast, but we get involved as well as a forensics company and analyzing these data breaches and we know how tricky these things can get. But what kind of pointers do you give your clients about that?
Darius K. Davenport: I think the first and most important pointer is to call your data counsel first. One of the things that you want to do, you want to get a good data forensics company engaged and working on your matter, but you want that data forensics firm to be engaged by your data counsel.
One of the things that’s so important is that once your data counsel initiates that investigation, it’s then an investigation that’s cloaked by attorney-client privilege. And so that’s going to delay an organization having to turn over basically the playbook of everything that you did wrong as an institution in the event you face litigation because of that particular data incident. And so, one of the things is, don’t call your IT guy, call your data counsel.
Another thing when it comes to IT people, understanding that your regular IT guy is not a data forensics or a data security professional. I’ve seen situations where the IT guy has been called and the IT guy starts wiping hard drives and basically destroying evidence as far as what actually happened.
And so, that’s another reason why you want to call your data counsel first, because it begins the evidence collection process, because depending on what has happened, you may need to engage law enforcement, and law enforcement, whether it be the FBI or Homeland Security, they are going to need good, well-collected evidence, and IT guys with their best intentions sometimes can begin to destroy critical evidence.
So I think it’s important to start that incident response or really that relationship with IT and your data counsel because it can be a little contentious because your IT guys sometimes a data breach or a data incident, they look at that as like a failure. Well, it’s not really a failure on their part because people are really working hard to compromise systems.
But they need to understand that when something bad does happen, they need to quickly, freely and openly cooperate with data counsel as they come in to assist the situation, and even the data forensics company that’s now kind of looking over their shoulder to figure out what went wrong.
One more tip I think is just to prioritize the critical data because you want to be able to have a roadmap for that data forensics firm to say, okay, hey look, if you can save anything, this is the critical data that I need you to save, and this is the data that we need to restore first so that we can kind of either get people back to work or these are the critical projects that are pending that we need to kind of get back up and moving.
So I think those are some quick tips for responding to some of the tricky aspects of a data breach.
Sharon D. Nelson: Do you find most of the time when you deal with your clients that they are well and truly covered by cyber insurance or not so much and why do you think your findings are what they are?
Darius K. Davenport: Clients generally aren’t covered by cyber insurance. I think probably the big reason why is, one, they don’t know what their cyber insurance options are.
Oftentimes in the recovery phase of working a data incident, that’s when discussions about cyber insurance come up. A board will now require the company to get insurance and that’s when they begin to investigate cyber insurance options.
But then when they investigate those options oftentimes it’s confusing and it’s also costly as well. And so the confusion, the cost and the lack of information about just the availability of the products that are out there, I think those are some of the major challenges and even because, unlike a lot of other standard forms of insurance, when you look at cyber insurance coverage, there are no standard forms.
And so it’s very much the Wild Wild West where you have the companies that are offering products and sometimes you get what you pay for, and so it can be very challenging, and that’s one of the things we try to help our clients is navigate some of the pitfalls of purchasing cyber insurance.
John W. Simek: Well, we’ve always said that clients who have incident response plans are far better off, and I think hearing you so far today, I’m assuming you agree with that and we certainly hope so, but can you tell our listeners why having that incident response plan is a better choice upfront?
Darius K. Davenport: You are definitely far better off if you have an incident response plan, and it’s a response plan that’s going to do several things for you. So first, it’s going to identify all of the players, all the people that need to be involved in that particular incident response.
Then once all those individuals are identified, it’s going to assign responsibility. It’s so much more difficult once you have a live incident that’s taking place to round everyone up and assign responsibility to individuals. It’s just so much more challenging, and it’s also going to outline the communication plan, who needs to make what kind of communication internally? Who is going to be the spokesperson for external communication?
But also it’s going to define the different kinds of incidents as well, because you’re going to respond very differently to a data breach where information has left the organization versus a ransomware attack where information most likely didn’t leave, but you’re denied access to that information. So those are probably the four major reasons why incident response plans are important.
But then, when you don’t have a plan in place, you’re going to waste time. That waste of time is going to possibly increase a ransom if that ransom continues to grow as time elapses and also if you’re wasting time figuring out how to respond, it’s ultimately going to lead into a loss of productivity.
I’ve had certain clients where literally they have had to start sending employees home because they couldn’t clean their offices anymore and they couldn’t straighten up anymore, because after one, two, three weeks of being down there was just nothing else for the employees to do and then you’re paying folks that can’t work.
Definitely, incident response plans are the way to go.
Sharon D. Nelson: We certainly agree. We are asked all the time to emphasize that and to lecture on that particular topic. Tell us what you think, Darius, are some of the mistakes you see in the clients who have been breached? What kind of mistakes are they making the most often? What’s the most common thing?
Darius K. Davenport: Well, I think probably two things. One, a lot of clients are not patching, so there are vulnerabilities that could be easily fixed that are left unchecked and which can lead to compromise. And I think number two probably, they are not training their employees. 50% of these incidents are caused by malicious actors, 25% roughly by system failures, but then the 25% that we can really control is employees that are causing these incidents, and they are not doing it intentionally, they are making mistakes or they are being tricked. And so, it just makes sense to train employees because that’s the one sector that you have the most control over.
John W. Simek: So, Darius, crystal ball time, any predictions that you have for the future of data breach and privacy law? And I’m sure you’re not going to say that we’re going to have a Federal data breach notification, so I’m pretty sure of that, but what are some of your predictions for the future?
Darius K. Davenport: Well, I think a federal data breach notification law, I think that’s on my wish list. A quick anecdote: there was a simple incident, we thought, until we found this spreadsheet that had about 15-20 folks on it from various states with Social Security Numbers and driver’s license numbers. And so, something simple quickly turned into now we have to research about 20 different states, their notification laws; so that’s why that remains on my wish list.
But I think one of the things that we’ll see, we’ll probably see more state laws that will continue to modify their breach notification laws more toward the California model, which is a little bit more European, and we may even see the U.S. adopting more of a European data privacy protection mindset; whereas in the U.S. data is money, I think, but in Europe data is truly private, because they have a different history with personal information being used against the people within those various countries. And so, I think they have a different understanding of personal information and how important it is to the individual. So, I guess not as much crystal ball, but more of a wish list, I guess.
John W. Simek: Fair enough.
Sharon D. Nelson: Indeed, indeed and it’s anybody’s guess. One thing I think we can all be sure of is that in the near future, absolutely nothing will be passed as a federal law that impacts any of this. You can take that to the bank.
Darius K. Davenport: I agree with you wholeheartedly.
Sharon D. Nelson: Well, we sure want to thank you for being our guest today. It’s always fun to have one of our friends and colleagues on the show, and this was very, very helpful. I’m sure for a lot of folks who have heard from us on forensics and they’ve heard from other people on other aspects of cybersecurity, but they have not heard in general from too many cybersecurity or data breach rather lawyers.
One or two along the way and it’s been a long road, hasn’t it, John?
John W. Simek: Yes, yes.
Sharon D. Nelson: We are very happy to have you on the show. So thank you for taking the time out of your day.
Darius K. Davenport: Sharon and John, I greatly appreciate the invitation.
John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology, and cybersecurity services at senseient.com.
We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.