Data breaches are a regrettably routine occurrence in our increasingly digital economy. Yet, many companies are still woefully underprepared to respond to a breach of their own data. At this year's Annual Convention of the Florida Bar, host Laurence Colletti hears from Chris Dix and Ryan Bilbrey about who is at risk (everyone), how much a breach costs (more than you think), and the first steps to recovery (hint: don’t keep your digital breach incident plan only on your computer). Tune in to learn how to protect yourself, your business, and your clients.
Ryan Bilbrey is the founder of Reckoning Consulting Partners.
Chris Dix is a technology-focused lawyer and CPA working at Smith Hulsey & Busey.
The Florida Bar Podcast
Florida Bar Annual Convention 2019: Data Breach Update with Chris Dix and Ryan Bilbrey
Intro: Welcome to The Florida Bar Podcast, where we highlight the latest trends in law office and legal practice management to help you run your firm, brought to you by The Florida Bar’s Practice Resource Center. You are listening to Legal Talk Network.
Laurence Colletti: Hello and welcome to The Florida Bar Podcast, recorded from the 2019 Florida Bar Annual Convention in Boca Raton, Florida. I am Laurence Colletti and I am the host for today’s show. I’m stepping in here for Christine Bilbrey and Karla Eckardt, your regular hosts, and I have a couple of guests joining me. I just sat in their session, it was awesome. Chris Dix and Ryan Bilbrey, welcome to the show, gentlemen.
Chris Dix: Thanks so much. Thanks for having us.
Ryan Bilbrey: Thank you and happy to be here.
Laurence Colletti: Well before we get into your topic that you presented today, let’s get to know you just a little bit better, where do you work, what do you do, who wants to volunteer. Who wants to go first?
Chris Dix: I’ll go first. Chris Dix, attorney at Smith Hulsey & Busey in Jacksonville, litigator but also lots of other kind of unique things all related to data. So that’s data breaches, e-discovery, cyber security, privacy and do some sports corruption work as well.
Laurence Colletti: Excellent, excellent. And Ryan.
Ryan Bilbrey: Thanks. Ryan Bilbrey, I run my own practice up in New York City called Reckoning Consulting Partners. I've spent a long time, my entire career, in the disputes, investigation and litigation consulting industry, including almost 20 years of electronic discovery and, most recently, cyber-related work.
Laurence Colletti: Awesome. Now, you guys your presentation was titled Data Breach Discovery: Regain Control and Save your Reputation. So obviously we want to do a 50,000 foot on what it’s about, so who wants to just give us the general synopsis and then we’ll get into the details.
Chris Dix: I’ll start. I think what we started off of talking about was what is a breach and that gets tricky because there’s 50 different states in this country and then there’s the United States government with a bunch of regulatory agencies and everybody kind of has a different variation on what a breach is.
So we talked about things like ransomware, is a ransomware a breach, and then we also mentioned the fact that it may depend on what your cyber insurance company says a breach is. If they don’t consider it a breach, then you’re not covered and you might be in a different scenario. So lots of different things to think about and that’s why you need to have a process when you’re doing the data breach discovery to figure out what you’ve got and who you need to tell.
Ryan Bilbrey: Right, a general overarching explanation or description of what a data breach is, is the unauthorized use or access of data, but within that definition there are, like Chris just said, 50 different sub-definitions plus when it comes down to actually what are you going to do about it.
Laurence Colletti: Yeah I was surprised at the nuance. I mean in addition to the State, other things that came up that would further define it I guess and correct me if I’m wrong, the customer location. So if you’re a law firm you’d be a client and if the client is located somewhere else that adds to the definition. So how about that? What is the definition within that?
Ryan Bilbrey: Well I’d go even further than that, it’s not where your client is, it’s where the people whose information was exposed are. So if your client is a company and that company has customers in all 50 states, you are dealing with the data breach regulations from all 50 states, not where the company is located.
Chris Dix: Yeah and we see that pretty regularly, people think oh I’m just a Florida business and I don’t do business in other states. So I don’t need to worry about California’s new data privacy law. Well, do you have any customers that live in California because if you do now you are subject to California data privacy laws when you’re dealing with their data.
Laurence Colletti: Well there were some notion about an internal breach versus an external breach which further put more spin on it so how does that work?
Ryan Bilbrey: It’s really what we’re trying to describe, what are the sources of data breaches, and it’s all over. There are external bad actors. We got into a little bit of the nation-state hacking that you read about in the news or hear about on a daily basis. But one of the main ways these happen is from internal parties, employees that either accidentally expose data or sometimes it’s intentional, sometimes there’s a bad actor within the company.
Chris Dix: Yeah, you hear a lot about the dark web sometimes. There are actually places on the dark web where people can go and get jobs at their companies to go steal data. So you get people that are in a bad financial situation, they have family members with medical bills, they’ve got high incentives to go and take a job and connect with people on the dark web and then go take information from the companies they work for. So people get targeted in that way.
Ryan Bilbrey: One of the most common ways this happens is a phishing scam, sure people have heard about these, fake websites, you get an email, it looks legit, they oftentimes will spoof something that looks like it’s a legitimate internal email, you click on that link and as soon as you click on that link you’re in trouble. Sometimes it will take you to a page where you put in a username and password and now, you’ve exposed your username and password for the company. Other times just the simple fact of clicking on it will expose information and that’s a really, really difficult thing for a company to address.
Laurence Colletti: I was alarmed at the cost, I mean the average cost that was shocking to me let’s share that with the listeners as well.
Ryan Bilbrey: So the average cost of a typical data breach in 2018 was several million dollars, 3.86 million.
Laurence Colletti: Wow.
Chris Dix: Now sometimes it’s higher, sometimes it’s lower depending on what the volume of data is, but the reality is you’ve got your remediation folks coming in and trying to fix the problem for you. Then you’ve got the attorneys that you’re having to hire, maybe you’re notifying people, you’re setting up a call center, you’re sending out the mail-outs for all the people that need to get notified, it can be expensive.
And then at the end, the tail of this entire process, you get something called a corrective action plan and that sounds like your homework, but what that means is that someone’s going to be watching over your shoulder for the next couple of years and there are costs every time those regulators come in, you can't just let them come in and look around and not prepare for it, and not have your attorneys there and not do what you’re supposed to do. And so there’s a lot of hidden costs that come even after your incident is over and that all adds up to a multi-million dollar expense.
Ryan Bilbrey: Right, and that’s just the direct cost that we’re talking about, that is not covering indirect cost, that is not covering loss of sales due to reputational damage or anything like that, that’s just literally what the company or their insurance provider will spend on dealing with the breach.
Chris Dix: And one last thing too. What Ryan does can be one of the most expensive things, and that is you’ve got your data, you know what was breached, now you’ve got to go find out what is in there and where those people are located and did they have medical information, do they have personal information, do they have Social Security numbers, birthdays, photographs, lots of different things.
And there’s some computer-assisted part of that but a lot of it is just human review and that gets expensive, especially if you’re dealing with people that are professionals that do a good job at it.
Laurence Colletti: So raw costs like dollar cost, time cost, loss of opportunity cost but also loss of reputation cost.
Chris Dix: Yeah so one thing to think about I feel like we’re at a point now where there’s been so many breaches that the average customer out there might not switch their bank or they might keep going to Target right. Target had a big breach, no one doesn’t go to Target because of the Target breach.
But where you really see it making a huge difference is for business to business. Okay, if I’m at Wells Fargo for example and Wells Fargo has a breach, I am probably not switching from Wells Fargo because of that. But if Wells Fargo has a problem with one of their vendors, with one of the people they use, you’ve got hundreds or thousands of other people that want to do the same exact work for that same company, for Wells Fargo.
Wells Fargo is going to make a switch, and if that company's biggest client was Wells Fargo and then Wells Fargo is not there, they’re done, they’re bankrupt, they’re gone.
Laurence Colletti: Let’s talk about the typical law firm or typical business that finds themselves the victim of a cyber breach.
Ryan Bilbrey: Honestly there is no profile, an estimated 50% of data breaches occur at small businesses. It happens with law firms, it happens with financial institutions. Obviously, the ones you hear about are the mega companies because those are the ones that are in the news. Financial services institutions tend to be a target because they have financial-related information that can be directly monetized, but I’ve worked on all manner of cases for companies or organizations.
I did one data breach response project for a township in New Jersey, whose police station had been hacked and there was personal information, there was health information in that data. So I would almost definitively say that there is no company, no organization, no government agency or municipality that is not a potential target for data breach.
Chris Dix: I will say though that health information tends to be the jackpot, the thing that bad actors are after the most, because you think about what’s in health information. First of all, you’ve got information that you can’t change, right. You can’t change your DNA, you can’t change whether you have some kind of serious disease or problem or a tumor, but you also pay healthcare companies. So you’ve got financial information in there. You’ve got information about your relatives in there.
And so it’s really the mother lode of data that people are after, they know that hospitals and medical providers typically are funded enough and have insurance enough that there’ll be a source of initial revenue but then they take that data and sell it on the dark web. Now they’re making money more than one time on the same set of data.
Ryan Bilbrey: It’s also the most difficult type of project to do because the definition of personal health information is so broad that if you get into that kind of a dataset, you are pretty much planning on putting human eyeballs on every document, every piece of data that’s in there.
Laurence Colletti: Let’s transition to cyber insurance, and so Chris, you said you’re recommending that people get all of it. Well, let’s break that down a little bit. Obviously there are probably going to be some different riders and there are going to be some different policies to handle different aspects of it, but let’s start with maybe a small or tiny firm or a solo out there, what do you recommend, what type of policies should they be looking at?
Chris Dix: It truly is all of it, and to me it usually doesn’t really matter whether it’s a small company or a large company. You want coverage that covers the initial incident response, right. You want coverage for attorneys, you want coverage for dealing with a regulatory inquiry, you want coverage for Ryan’s company to come in and figure out who you need to notify and how many people you need to notify. You want coverage for — if you have to pay fines to regulators you want that, you want coverage for the corrective action plan that comes afterward.
But one thing that’s hard to define and hard to get coverage for is that loss of the business relationship, and sometimes the most valuable thing of all that you can’t insure is losing that big client if you’ve got one big client.
So there what I tell people is you pay for that cost by doing the right things upfront to make sure that you haven’t had an incident or that you minimize the incident.
Laurence Colletti: Do you guys have any preferred carriers that you like to work with?
Ryan Bilbrey: Almost all the insurance companies are now moving in this direction. There are some dedicated cyber insurance carriers. Almost every major carrier is doing this now. So –
Laurence Colletti: Even GEICO with the lizard guy?
Chris Dix: I don’t know the answer of that question. I haven’t worked with them.
Laurence Colletti: Okay.
Chris Dix: Yeah. I don’t know.
Laurence Colletti: Well, we are getting near the end of our time together, but before we do that I want to transition into okay, we’ve had a data breach, now what? So what are our first steps? We start to notice some funny things going on, we get suspicious, and you guys were saying that sometimes it’s not always easy to tell if you’ve been breached, but once you become suspicious, once you start checking and you’re like, I’m not sure, what are your next steps?
Chris Dix: Yeah, so I mean your first call is to find someone that can help you remediate this. Your second call is to your attorney to make sure that your attorney is driving the process. Your third call is to your insurance company because it may be that your insurance company has particular ways that they want to do it, they want to be involved.
If you’ve done the planning upfront, you know who those people are and the people that you’re calling first and second, the attorney and the forensic people, they are on the list that the insurance company has approved.
So you want to have that list printed out too. We mentioned that today. A lot of people have these incident response plans and they’re sitting on their computer somewhere, and when they get ransomware, you can’t get to your incident response plan. So print that out, put it somewhere safe.
Ryan Bilbrey: And that’s really key, is have the plan, have it vetted, have it on the shelf so that if this happens you pull the binder down, you open it to page one and those three phone numbers are sitting right there, and maybe it’s not called one, two, three, maybe it’s three people making those calls at the same time, but those are absolutely crucial calls to make as soon as possible.
Chris Dix: Well, one other call to make and another cost that I didn’t mention earlier was PR, right. If you’ve got an incident that people start hearing about, knowing about, you can’t underestimate the value of someone that knows how to help describe to the general public and internally what’s going on, what we are doing about it and how we are going to fix it.
So those PR — you don’t want someone that did your press release for the last transaction that you had, these are specialized people that are very good at what they do. You want to have that person already lined up, ready to go in case you have a problem.
Laurence Colletti: So from breach to back on track, what’s the typical timeline that you are seeing?
Chris Dix: Ryan, do you want to cover that?
Ryan Bilbrey: Sure. It’s not really back on track, because I mean if it’s ransomware, certainly it’s disrupting your business. If it’s any other kind of breach, business continues, but I mean the timeline from identifying that a breach happened to getting that notification letter out, sometimes there are statutory requirements where you have to get it out within 30 days.
Realistically on a big breach, it can be anywhere from two to four months, sometimes longer. There are the big ones that were in the news like Equifax, I mean to get through that many records and to get that notification out the door, sometimes you’re dealing with it for up to a year.
The important thing is to have all the different parties, all the stakeholders within the company that are related to this thing, working together on the same page and communicating to kind of be moving toward a common goal.
Laurence Colletti: Yeah, I think that helps, to kind of know what you’re up against, it’s like, it should be a year, so let’s get through it, but I think having that in the front of your mind helps people not get overwhelmed when something like that happens.
Ryan Bilbrey: And it is overwhelming. I mean I’ve seen these things. You get people, different people have different priorities. Chris mentioned the PR firm, well even internally, the people in marketing want to do one thing, the C-suite wants to do something else, legal wants to do something else and IT wants to do something else. You’ve got all these competing priorities, but if you’ve got the plan, you’ve got the organization and you have a leader, there’s someone that is ultimately responsible for making decisions, where is this going to go, how are we going to address this, that’s crucially important and those really are contributing factors to success.
Laurence Colletti: Well Chris, Ryan, thank you so much for joining us today. Before we wrap it up, do you guys want to leave some contact information for our listeners if they want to reach out, ask some questions? How can they find you?
Chris Dix: Sure. I’m on LinkedIn pretty regularly. I try not to get on most of the other social media sites unless I’m collecting information from them, but my email is [email protected].
Ryan Bilbrey: Same with me for LinkedIn. I’m looking at that every day, and email is always the best way to get me. It’s my name, [email protected].
Laurence Colletti: Well, that’s all the time we have for this episode of The Florida Bar Podcast. Thank you to our listeners for tuning in.
And if you like what you heard, please rate and review us in Apple Podcasts, Google Podcasts, Spotify or best yet, your favorite podcasting app. I am Laurence Colletti, until next time, thank you for listening.
Outro: Thanks for listening to The Florida Bar Podcast, brought to you by The Florida Bar’s Practice Resource Center and produced by the broadcast professionals at Legal Talk Network.
If you would like more information about today’s show, please visit legaltalknetwork.com. Subscribe via iTunes, Google Podcasts, Spotify and RSS. Find The Florida Bar, LegalFuel, The Florida Bar’s Practice Resource Center and Legal Talk Network on Twitter, Facebook, Instagram and LinkedIn, or download the free app from Legal Talk Network in Google Play and iTunes.
The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.