ISMG Editors: Privacy Special With Lisa Sotto
LockBit 3.0, New US Privacy Laws and FTC Initiatives to Watch
In the latest weekly update, Lisa Sotto of Hunton Andrews Kurth LLP joins three editors at Information Security Media Group to discuss important cybersecurity and privacy issues, including data breach preparedness, the evolution of LockBit 3.0 and the potential impact of the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
The panelists - Tom Field, vice president, editorial; Anna Delaney, director, productions; Lisa Sotto, partner and chair of the global privacy and cybersecurity practice, Hunton Andrews Kurth LLP; and Mathew Schwartz, executive editor, DataBreachToday & Europe - discuss:
- The remaining gaps in data breach preparedness that organizations must address;
- The evolution of LockBit 2.0 to 3.0 and what it means for defenders;
- An overview of the recent Cyber Incident Reporting for Critical Infrastructure Act of 2022.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the July 15 edition analyzing the Predatory Sparrow attack and the July 22 edition discussing how the FBI clawed back cryptocurrency ransoms paid to North Koreans.
Anna Delaney: Hello, welcome to the ISMG Editors' Panel. I'm Anna Delaney and we have a special episode for you this week as we explore the top legal and regulatory trends in data, privacy, and cybersecurity. To do that, we are joined by the star in the legal world. That is our good friend Lisa Sotto, partner and chair, global privacy and cybersecurity practice, Hunton Andrews Kurth LLP, and Tom Field, senior vice president of Editorial, and Mathew Schwartz, executive editor of DataBreachToday and Europe. Good to see you all. And Lisa, so great to have you back with us.
Lisa Sotto: Thank you, Anna. I'm delighted to be here.
Delaney: And Lisa, where are you today? Is that an office I see?
Sotto: I'm on the 51st floor of the MetLife building in Manhattan and the view is glorious.
Delaney: We'd like to see that next time. Mathew?
Mathew Schwartz: Yes, coming at you once again, live from Scotland. I'm just in Tentsmuir forest on the east coast here. Beautiful place to get away when I have a few moments, and what a walk along the North Sea.
Delaney: He surprised me that that's Scotland. I thought we were going to see sunny California. So, that's great. Tom, back at that place?
Tom Field: It is where Chicago office separates ever further with a Billy Goat Tavern in the lower Michigan. I had a chance to return last week for the first time since COVID.
Delaney: Very good. Glad to hear that. And I am at the seaside, the South of France, thinking happy thoughts. Summer, after all. So Lisa, I know we all have a few questions for you. And I'm going to pass the baton over to Tom. Why don't you start off?
Field: Excellent. Lisa, glad to have you here. I know something you're deeply involved with is breach preparedness. I hear of more organizations today that are involving their senior management and boards in tabletop exercises upfront. To what degree do you find this is leading to better prepared organizations when the breach does strike, and what gaps do you continue to see?
Sotto: Thank you for the question, Tom. Doing tabletop exercises is music to my ears. I love it. When executives talk about the most recent tabletop they've done, I think it helps them become more conversant in how to manage these events. They understand from doing tabletops the fast pace of these events, the types of decisions that they're going to be called upon to make, and the fact patterns, because the fact patterns, while they change from incident to incident, don't change so dramatically that you can't become accustomed to the kind of framework that we're going to have to be operating in should a real event happen. It's also important to identify gaps in the process because there are always gaps in the incident response process that can be fixed in advance. And those gaps change over time, as the threat landscape changes over time. And so, the important thing in doing tabletop exercises for executive teams is not to think of this as a one-and-done exercise. They have to be done continuously, and you can exercise different aspects of the organization: you can exercise the executives and then you can start to think about comms and legal and how they all play in, and marketing and HR. So, there are many different types of tabletop exercises that can be done over the course of the year. And I would encourage the more the merrier.
Field: This is shifting gears. I want to revisit a topic we discussed in the past, which is the disparate privacy laws that are bursting throughout the United States. I believe we have six states now. Help me out here.
Sotto: It's five states. It's California, Virginia, Colorado, Utah, and Connecticut. But to say six is prognosticating in a sensible way, because there will be more states to follow. And we're watching the landscape closely. How do we manage this real mess? It is a hodgepodge of laws right now, fragmented and hard to manage for companies that operate in multiple environments, in the United States and overseas as well. So, we have this real cacophony of privacy laws. Now, the key is to think about the basic principles, the framework, what underlies all of these data protection and privacy laws, whether in the United States or overseas. We have to think about transparency and privacy notices. We think about the choices that we want to offer to users and individuals. We think about the rights that they're now entitled to under all of these laws: access rights, deletion rights, the right to say no to marketing communications. So, there are a number of rights that are now embedded in all of these laws. How do we manage service providers? Do we need contracts to restrict how service providers will use the data that they're entrusted with? How do we think about security issues? And then, enforcement at the end of the day? Do we have a good internal audit mechanism? Do we have good checks and balances to make sure that our program is enforced?
Delaney: What a lovely time to be a privacy professional. Lisa, I appreciate your insights. I'm going to pass this off now to Mathew.
Schwartz: I love the discussion of tabletop exercises and what organizations can do to get better. Great to have you back, Lisa. Last time we were here we were talking about preparedness and what organizations can be doing. So, tabletop, love to hear it. Ransomware, however, continues to be a huge threat targeting organizations. Love that ransomware groups have gone by the wayside, but some of them have stuck around, such as LockBit. I think it's one of the more aggressive, making the most profit type of organizations, usually does health promotion, as we've seen, and they've recently gone from LockBit 2.0 to LockBit 3.0. I know you're tracking this. What does this portend for you?
Sotto: LockBit is one of the more active groups now and they have gotten more sophisticated, and they are announcing to the world that they have achieved a different, a new, and a higher level of sophistication in their exploits. So, they and other groups are now charging more. They have an upcharge for Bitcoin over Monero, for example. They're charging separate fees for a delay in the timer, they're charging a fee for not deleting data or not posting the company's logo, and then another one for the decrypter. So, in case you don't need the decrypter, but you're sensitive about your data being posted or your logo being posted, that's okay. There's a cure for that, and you can pay to have the logo not posted. So, we are seeing real evolution in tactics. The war in Ukraine has also changed the landscape. We're seeing less from Ukraine, more from Russia. And the threat actor groups have not slowed down their game very much. There are some that have folded, but we're also seeing some of the same malware being used by the new groups. So, they're folding and then reconstituting as different groups.
Schwartz: I know tracking all of this activity is something that is of increasing importance across the legal community and the cybersecurity community, and the US government has been making a move here. The FBI, among others, has said that knowing what event, when a business pays a ransom, would be useful information for it. They said sometimes we can help you recover this. Also, it helps them trace the flow of Bitcoin ransom payments, identify some of these threat actor groups, maybe identify some of the individuals involved. On that front, I know the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was looking at critical infrastructure sectors having a mandatory reporting requirement if they pay a ransom. I think I've gotten that nuance right. But what do we know so far about this? How do you think this might shake out? Is this what we've been waiting for?
Sotto: I am wondering what the acronym is going to be. Are we going to be calling it CIRCIA? I'm not sure. It is critical for the government to have visibility. If they don't have visibility, there's no ability for law enforcement in the United States to connect the dots and to understand the modus operandi of the various threat actor groups. The FBI is sophisticated now in tracking these groups, and they share information rapidly with the private sector. And that's been helpful. And I do see a real uptick in private sector sharing with the government. Now, some of that is mandated, but in many cases, it's not. It's voluntary, and the fear of sharing data with the government has diminished significantly. I think that that's important. And that kind of transparency is critical to minimizing the negative impact of these groups. We do have a long way to go before the reporting obligations kick in under the Cyber Incident Reporting for Critical Infrastructure Act. There will be reporting obligations, but there are regulations that need to be issued prior to those reporting obligations coming into play, so we have a number of months to go before we see real information sharing as a result of that law.
Schwartz: Lots of efforts and initiatives to disrupt ransomware. Thank you, Lisa. I'm going to hand you over to the correspondent on the beach.
Delaney: Here I am. Thank you so much. I enjoyed listening to all these answers and insights, Lisa. So, when we spoke at the end of last year, I think it was a snow scene I used. Thinking back, it was our winter special. And you said it was going to be a busy year for the FTC. What activity has been of most interest to you in this first half of the year?
Sotto: The FTC has been active. We've talked about this. And it is fascinating to watch what the commission is doing. There are three themes that I would bring to the fore today. First, there's a focus on strengthening kids' privacy. That is true both at the FTC and in Congress. It's a reasonably non-controversial point. So, it's somewhat easier than other types of data protection to protect kids' privacy. So, we're going to see a continued focus on strengthening the privacy of children's data. I'll also note that the FTC recently came out with a statement indicating that they are essentially putting in place a de facto data breach reporting obligation at the federal level. That is a real sea change. There are no general data breach reporting obligations at the federal level. At the state level, there are 54 data breach notification laws in the United States, which is the 50 states plus Guam, US Virgin Islands, Puerto Rico and DC. But at the federal level, we have industry-sector-specific reporting obligations, like under HIPAA and the Gramm-Leach-Bliley Act, but not a generalized breach reporting obligation. The FTC recently brought an enforcement action and then also came out with a blog post to say that in some cases, there would be a de facto breach reporting obligation. That is going to be interesting to watch, to see whether they use their Section 5 authority with respect to breach notification where it may not be required at the state or other federal level. And then the third area to watch is that the FTC is considering a rulemaking. They would like to curb lax security practices. They also want to focus on not allowing algorithmic decision-making where it may result in unlawful discrimination. And then also focus on curbing privacy abuses. So I think those are three areas to watch, and a number of others coming from the FTC now.
Delaney: And in general, in the field, are you watching anything else the rest of this year?
Sotto: What a busy time! Both the cyber and the privacy landscapes are active. On the privacy front, not only are we watching for additional state laws, but we're also watching closely to see what Congress does. There has been a bit of activity at the federal level. And we're hopeful that we can get a federal, preemptive privacy law in place this year. On the cyber front, more of the same, but stepped up activity, so it's more of the same on steroids. Ransomware is rampant, DDoS attacks also, cyber extortion without ransomware, Daxin. So we're seeing a number of exploits now. And the federal government also is stepping up its game in responding to these exploits. So, quite a landscape to watch.
Delaney: For sure, as Tom said, fun times to be in the field. But final quick question, at least we'll give you a pause for a moment. What has been a gain for privacy in 2022?
Field: I think Lisa nailed it that we have Congress now talking about a broad-based privacy law for the United States and there seems to be bipartisan support. As you know, I just came from our Government Cybersecurity Summit in DC yesterday and the one theme that came through was the belief that cybersecurity and privacy legislation are a bipartisan interest and are going to survive what might happen, whether it's a Republican or Democratic Congress, going forward. So I find that encouraging.
Schwartz: I'll amplify what Tom said. When I started covering data breaches back when California brought in its pioneering state data breach notification law around 2003, I expected something to follow on the federal level quickly. My expectations have been broken so many times since then, and it probably will continue to be broken going forward somewhat. But it's heartening that we've got Congress talking about it. Does this mean we'll get much further? But the fact that we're having discussions at the level we're having, the number of people, different kinds of privacy legislation, it is profoundly different than it was two decades ago when I was young, naive and full of hope. So possibly, we'll get there.
Delaney: Don't lose that hope. I was going to mention Apple's new security feature Lockdown Mode, because it's not intended for the average user. But in the wake of state-sponsored attacks, it's been a positive move to protect against Pegasus and other spyware. So early days, but I know it's been well received by the community. So hat tip to Apple. There you go. Lisa, what's the highlight for you?
Sotto: I will add that I testified before Congress in 2006. And I told members of Congress that the cataclysmic data breach event at the federal level had occurred that would be the tipping point to federal data breach notification legislation. My crystal ball was murky and wrong. So, despite events that have hit billions of people worldwide, we have not had whatever cataclysmic event needs to happen to get a federal data breach notification law. But I am as encouraged as my colleagues with respect to a data protection law. We are out of step with the rest of the world, and we're the only first-world country that does not have a comprehensive omnibus data protection law. If we can get there this year in Congress, that would be a step forward.
Delaney: Right. Well, Lisa, this has been a great pleasure to have you join us again, and hope we can do this again soon.
Sotto: Thank you very much.
Delaney: And thank you so much for watching. Until next time.