What is a Breach Coach? How They Navigate Cybersecurity Incidents

Transcription

Lliam: Welcome, everybody. Thank you for joining us again.

We have Spencer Pollock, who is a member of the National Data Privacy and Cybersecurity Team at McDonald Hopkins. He specializes in incident response and privacy consulting. He has handled hundreds of cyber incidents and data breaches, as well as providing strategic guidance to clients around data privacy and cybersecurity.

He hosts a podcast himself called Cyber Law Revolution. And you guys should look that up, and feel free to follow Spencer.

Spencer, welcome.

Spencer: Thank you, Lliam. I really appreciate it and thanks for having me.

Lliam: So maybe we could start right at the beginning and just really understand what is a breach coach? What do you do?

Spencer: That’s a great question. My family doesn’t even know what I do, and I’ve been doing it for about eight years. Think about a quarterback for a cyber incident on the legal and compliance side.

We’re the ones who come in, and we bring in all the pertinent parties to really help navigate these stressful events. So, to start, we’ll bring in a digital forensic incident response firm. Those are the cybersecurity specialists that will go through the forensic evaluation to work with the people like from MIS to make sure everybody’s buttoned up and secure. And then from there, perform their forensic analysis because that really aids us in determining a legal analysis. Beyond that, if needed, we’ll help with communications. We are pseudo like crisis communications individuals.

Now we’ll bring a PR firm in, if necessary, then from there we’ll – after the investigation is done and if there’s a certain subset of data that was impacted either access or obtained – bring another company in to go through all that data to really cull it out and figure out what was sensitive and what was not.

And then finally we bring another company in to do the notifications, right? Send out all the mailings, do a call center, credit monitoring, all that kind of jazz. And then after that, we represent you if there’s a lawsuit that’s filed. We represent you if there’s a regulatory investigation that’s filed.

I tell people we’re here to remove as much stress from you as we can and take on as much burden as we can from you in an incident.

Lliam: So, you guys don’t actually do the thing, right? You’re not the forensics experts, but you’re the quarterback that wrangles all of these different teams and talent to make sure that the customer’s protected.

And then I guess like the name implies: coach. You’re taking all that information and really providing strategic direction to the client around what do they do with this information and potentially, how they respond to some of the questions and those kinds of things. Does that sound right?

Spencer: Yeah, that was a perfect explanation, right? We’re the ones who are gathering the pertinent parties. We’re working with the qualified people like you who are already on the ground. We’re moving that ball forward because we need to get them restored if necessary. We don’t do any of the technical. I’m very transparent about this.

I’m not technical; I’m not security. That’s people like you, Lliam. People like MIS and other firms that we’ll bring in are laser-focused on that. We are laser-focused on legal compliance and communication.

Lliam: I guess the one question that kind of comes to top of mind as we are talking our way through this is who does a breach coach represent in the middle of a cyber event? Is it the insurance company? Is it you know, people like MIS or who? Who would your customer be? Who do you represent?

Spencer: I’ve never had a referral from MIS because you all do such a good job. But if something did happen and you called me, I wouldn’t represent MIS. I would represent the client.

If an insurance company calls me because one of their insureds is having an event, I would represent the client. So, the client retains me directly. I only care about their best interests in these incidents. If it’s from the insurance company, we obviously cooperate with the insurance company, provide status updates, but we never will tell an insurance company anything that we know is adverse to a coverage position.

I’ll use a really silly example. Let’s just say a client tells me that they’re working with the hacker or a criminal to extort money from an insurance company. One, I would stop representing them, but, knock on wood, that’s never happened. But I wouldn’t tell the insurance company, right?

Let’s just say they misrepresented something on their application that’s a little bit more realistic and then they figure that out. Say that they thought it was a thousand records that they put on an application, but it’s a million. I don’t get involved in that. Now they have to cooperate with the insurance company, but I don’t weigh in on that. I only really care about the client and getting them through the data breach.

Lliam: From my perspective, being in this field alongside you, Spencer, you know, when a customer goes through a breach, we all have, or at least we should have, cyber insurance, right? But the reality of it is, this is a really stressful time for any company, right?

And there are a lot of questions that come up, right? And to me, when you look at the role of breach coach, it is somebody who you can turn to as a customer, as a non-technical person, and start to assess what happened; what’s the risk to your business? Do you have any legal obligations or compliance obligations?

You need somebody in your corner who is an expert in this field who can help you far beyond the bits and bytes.

Spencer: It’s a very intimate conversation. That is why I tell people in that first call you’re going to have to basically be unpeeling all the layers of your company to me right now so I can give you proper advice, but it’s all protected under privilege.

The three most intimidating individuals to speak to, in my mind professionally, are technical security like you, lawyers like me, and doctors, in no particular order. Because we all speak different languages, right? So, then a client naturally is uncomfortable.

And so having someone like you in their corner who can help break down what’s going on, and having someone like me in their corner to help them parse through and understand the process, is so crucial. Because unfortunately, you get a lot of people on the tech side or my side who talk down to clients, talk over them, and it creates a really bad experience, especially when you’re having an incident.

So, I think having good people in your corner is so crucial.

Like me and Lliam and the client, we’re all on the same team here, and it’s Lliam saying to the client, “Yes, Spencer’s got your back and I got your back.” Versus them in the client’s ear being like don’t trust what they’re saying. So, it’s that relationship aspect and having that mutual respect and synergy.

Lliam: When should a company bring in a breach coach? When do they engage with one?

Spencer: If you contact me for the first time when you’re having an incident, your house is literally on fire. You’re asking me to come sit down with you at the kitchen table and start parsing through where the most important things are going on while your house is burning down around you.

So, you don’t want that, because I’m going to walk you through your whole network environment. I’m going to walk you through all the information you collect. I’m going to walk you through all the regulatory aspects, all the people that you’re going to have to contact, all the communications.

So, rather than doing it at that point, you want to meet me beforehand because then we’re going to establish that rapport.

A lot of people are selling snake oil, saying that they can handle this. So vetting someone beforehand is very important.

Lliam: You and I have both been on these calls where a client has something that happens, they have cyber insurance, and so they file a claim, and gosh, really quickly, you are on the phone with 10 or 12 or 15 people, right? And it is really intimidating.

Spencer: Right? And it’s so scary. I couldn’t imagine being on the other end and having…Obviously, they know you, but then you are there with your team, and I’m there with my team. The DFIR is there, and the forensics people are there with their team. The insurance company might be there and it’s literally 15 people. And from a client perspective, unfortunately, if you don’t meet us beforehand, that’s the experience you’re going to get.

Ninety percent of the clients I have I’m unfortunately meeting during an incident. But we have a good process for it. But the 10% that I’ve had that have unfortunately gone through this, it’s a much better experience for them.

Lliam: What would I look for in a breach coach?

Spencer: For me, I would want to know how many of these you’ve handled, how many incidents have I handled? Because if you say 15, that’s usually not going to be sufficient, because as you know, Lliam, just on the technical and security side, the threats are moving so fast.

The law, the legal side, is moving so fast. Every state is different, every law is different, every regulator’s different. So, you need to have been going through this enough. So you want a large number of incidents that you’ve dealt with. You also want to know what industries you’ve worked with.

Some people are really good at healthcare, but they don’t look at the finance side. Some people are good at financial, but they don’t look at education. Some people go to education so on and so forth. You want someone who can handle across the board or at least has the bench to bring in.

Now I think the more panels you’re on the more vetting you’ve gone through.

So naturally they feel comfortable having a financial… insurance companies have a financial stake in these events, right? They feel comfortable putting their money on the line with people like us. That usually will indicate that we have gone through an independent vetting process for them.

And as everyone knows, insurance companies are sticklers and they’re pretty intense about their background. There’s about eight firms that are on predominantly all the panels out there.

So beyond that, those are the three things, right? And as you and I discussed, though, with the panel aspect and the experience aspect, it is delicate, right?

The first thing is how many of these have you handled, right? How many of these have you taken to notification? How many have you taken to regulatory investigations? How many have you taken to class actions?

Because at that point you’re seeing the whole life cycle.

I would say over a three-year span, I would want an attorney that’s handled at least over 150. That’s about 50 a year. That’s a good amount of work. And when I say 50 a year, I would want at least half of those to be going to notifications.

You get a lot of lawyers out there. Cyber’s sexy. Data breaches are sexy because it’s new. And you don’t want to be on the forefront of a regulatory investigation with someone who hasn’t been living and breathing that. Because if you have 15 incidents, then the question is how many went to notification? How many went to regulatory? Probably one or two.

But honestly, the big part is, too, feeling comfortable. You might have somebody who’s done 20 breaches over two years that you can still feel comfortable with because of how they’re presenting their background and how they’re going to assist you. Just acknowledge that some things might take a little longer for them to figure out. Lawyers are very capable, but you just have to be careful, because this is a very unique field.

Lliam: An insurance panel, as the name suggests, is a panel put together by the insurance companies, where they vet you so that if they have insureds that find themselves in trouble, they can refer you. And so the question I have as I think about that is, do you think that potentially could serve as a conflict of interest for you?

Spencer: No, because the big part is my duty of loyalty is to the client, right? It is not to the insurance carrier, and I don’t get involved in coverage problems.

Any lawyer that takes it on can’t split themselves, right?

So, from the panel side there is no conflict because once again I represent a client directly. Let’s just say they went and got an outside counsel. One, they would have to get approved through the insurance company at that point. So, we’ve basically just been approved in the same way. The insurance company’s going to then end up paying them.

If they’re not getting paid by the insurance company, then there’s no relationship at that point. It’s called the tripartite relationship. It basically creates privilege and allows information sharing through all the parties.

Lliam: Like when you wreck your car and you call the insurance company like, “Hey, I wrecked my car,” and they give you three body shops you could take your car to, right? Those are three body shops that that particular insurance company has vetted. They’re on their list, they know they do good work, and you could take your car to one of those places. And you have some assurance that they’re a vetted body shop, and the insurance company has some insurance or assurance that they’re a quality shop as well.

It sounds like being on a panel for an insurance company as a breach coach, to me it sounds very similar to that although it may be simplistic.

Spencer: The top end for a breach? Tens of millions. So, they have a vested interest to make sure that who they’re assigning or who they’re giving, Lliam, the ability of “you can choose my firm or another firm that whatever.” It’s that all three firms have gone through this vetting process where they feel comfortable enough to say we feel good putting our money on the line with them representing you.

They get very nervous when somebody brings in Uncle Joe from down the street. And that’s where they get, understandably, they get very tense about that because they don’t… It’s not somebody who they vetted, right? You could be getting that person who’s never done this before and is now having an educational experience and then leaving someone on a ledge.

But the body shop is a good example. They’ve basically gone through…they trust who they’re working with and the insured should trust it as well because, once again, the insurance company naturally has a financially vested interest to make sure I know what I’m doing.

I am so steadfast about this that I believe a good MSP is the difference between a catastrophe and a minimal impact loss.

The reason for that is one, if I go in and I’m working with someone like MIS who understands the environment, who’s cultivated a really good trust with the client and has their best interest, and can have honest conversations – some of those come to Jesus conversations – about what needs to be done and can vouch for someone like me, it makes the process so much easier.

I could give you hours upon hours of horror stories where it was not reputable MSPs who became instantly defensive, who thought they were going to get sued, who refused to give admin credentials, who refused to help us collect logs, who wiped and restored. And it’s problematic, right?

The first thing you need as a client is a good MSP, right? Because if you don’t have a good MSP when I get involved, it’s going to be we’re already in a horrible situation, and now we’re going to have a side war going on between the MSP versus me and the forensic firm. And that never goes well.

Lliam: One of the things I think makes MIS a bit unique is that we have a lot of security expertise on staff who are certified in that cyber space. I’d be curious to see your perspective, your take on when you are involved in a breach and you’re working with an MSP to find out that all of the true expertise around that security has been outsourced to a third party. Has that caused you problems? Or do you find that to be okay?

Spencer: So, what makes you all very unique beyond your security aspect is how close you are with your clients. So, to me that’s so important and I worry about it getting outsourced. I’m sure there’s quality outsource, don’t get me wrong, but I think it devalues the personal aspect and then coupling that with the security side, I think is a huge benefit and value add for clients.

Lliam: While we’re on that topic, would you share what you think maybe are the top one or two or maybe three biggest mistakes that you see businesses make after something has happened after a cyber incident?

Spencer: The technical side is immediately wiping, restoring, and removing all the forensic evidence because that puts us in a really bad spot if we need to prove things were not taken or touched.

The second part on the legal compliance side is talking too much. It’s very important not to call something a data breach unless it is. It’s a legal term of art right? We’ve got events. Events lead to incidents. Incidents could lead to breaches, right? All breaches start with events that could become an incident, could become a breach. But when we start calling things a breach, that triggers time clocks where regulators will pull communications that are not privileged. Obviously, if you put out to the public or your employees or your clients that we had a data breach, the regulator’s going to be like, “You knew you had a data breach on this day. Why didn’t you notify people 10 days later?”

The second part of that would be not having an incident response plan in place and then basically not being prepared for this, because when you’re not prepared then once again when I come in it takes me a lot longer to get everybody on board. I’ll add one more: Not having vendor contracts – customer contracts with triggering provisions saying Spencer’s widget shop needs to be notified if Lliam has a breach involving my information. That’s rampant right now.

I put it in all my contracts. We do a lot of the pre-incident work, privacy work. I put that in all my contracts and if I don’t have those contracts when an incident happens, then I don’t know who I need to notify. So, I would say the communication aspect, not having a plan, not having your vendor contracts, and then the technical side wiping and restoring.

Lliam: I’ve always seen this: it’s like, again, when you have a car accident, right before they clear the wreck off the road, what happens? The cops come and they create a sketch of what happened, where they look for skid marks. Now it’s really inconvenient because the cars are piling up. No one can get through. Everybody has to wait. Everybody’s trying to get to work, but before all the evidence is destroyed and they pull the wreckage off the road, there’s only one time that you can get all of that information, because if you don’t, everything after that becomes hearsay. Who thought they saw what?

When you first have a breach, there is a point in time where – you gotta get to the point you call it a breach – but then there comes a point where the first question isn’t how fast can we restore right?

The first question really needs to be what happened and can we preserve the evidence so that, as we take this forward, we all have something that we can look at and trust, present to the insurance company, and all of those things because rushing to restore may in fact void your insurance plan.

Spencer: I think the car wreck example is really good in terms of preserving the evidence and not getting rid of it because if not then it’s all hearsay. It’s all speculation and could cause a lot of problems.

What I tell clients is here’s the biggest way to avoid these problems. Everybody take a deep breath, right? Take a deep breath. Do not push the red button. Just step back, engage the right people, and we will get you through it. We’re not going to make rash decisions.

But this goes to the preparation point – having a good incident response plan and understanding that if you have a plan in place, then you’re able to effectuate it. And then when you practice it, because when it actually happens, then you know the steps to take.

Lliam: You used an acronym twice and I want to make sure that everyone knows what it is: DFIR. Do you want to talk a little bit about what that acronym means?

Spencer: Digital Forensic Incident Response. So, it’s basically a specialized firm that comes in under me.

So, I protect privilege when I retain a firm like this. They come in and they help deploy tools, if necessary, to secure a system. They’ll work with MIS to get people restored safely, and then they’re the ones who collect the evidence and go through all that evidence through the digital forensics to help us determine what, if anything, was potentially taken or accessed.

Lliam: But sometimes it’s much more difficult to determine what was taken.

And you can restore from backup, but you may not know what financial records, or what healthcare records, or intellectual property may have been removed from the network. And that may represent significant risk to you further down the road that you haven’t even thought about. You were really just focused on trying to restore and get yourself back in business.

What kind of attacks do you see from your side that are most often right now? What trends do you think are things that may surprise you or might surprise somebody listening to this?

Spencer: So one thing we saw recently, which was pretty ingenious and new, was a group claiming to be a ransomware group, which we did figure out wasn’t associated with a ransomware group, sent letters, like actual letters, to companies, just random companies, to executives, saying we have your data, nothing you can do, we’re not negotiating. Here’s the Bitcoin wallet. Pay us, I don’t know, $500,000. We got like six of those that came in. It was proven that nothing had happened, but out of six, I have no idea how many letters actually went out. So that was an interesting tactic to me. That’s such a low-cost effort to do it.

And they’re so smart. Like they’re so smart. I hate to admit that, but they’re smarter than us because this is all they do. They’re little terminators. They’re not smarter than us, but they’re terminators. Let’s go with that.

I don’t want to admit that part, but I don’t know if I would’ve thought about that tactic. That was pretty good.

The other tactic that we’re seeing more and more is less encryption, because I think most of them are starting to see that people have good backups. So why waste time with that? And more smash-and-grab.

So there’s something out there that says their dwell time is 180 days or something like that. A lot of that is the access brokers. An access broker is somebody who gets in and gets credentials, gets your username and password, to allow someone to access, and then they go sell that to people.

The next step is the harassment campaign. So, a lot of it’s triple extortion, right? A lot of times, they’ll lock you up, hope you don’t have good backup. They’ll take your data and then they’ll start harassing your employees and your clients, families, at times. They’ll go pretty far to try to get you to pay.

The last one is the use of AI in wire fraud and phishing attacks that I am highly scared of. This is not like when you got the email from that Nigerian prince like 15 years ago being like, “Gimme your bank account. We’re going to give you $5 million.” This is like hyper, hyper ingenious in terms of they’re able to sit in your Office 365. They’re able to watch, and then they’re able to spoof you based on…Lliam and I are conversing, Lliam’s on another company asking for payment for service they provided. The hacker then goes out, spoofs it, creates a fake Lliam, and mimics Lliam’s language to the extent that, unless you have double verification in place, these wire frauds are getting more…our wire fraud team has more work than they know how to deal with.

I think AI is going to be a big problem for us moving forward.

Lliam: What do you think one piece of advice would be that you would give a small to medium-sized business to be able to prepare for or maybe even to respond to a breach?

Spencer: Call me. I’m kidding. No, I’m just joking. I’m joking.

Lliam: And call you before it happens.

Spencer: Call me before it happens, but I’m joking.

One, going back. Have an MIS in your corner. That will greatly reduce the chances that you will end up calling me when you have a breach.

Not saying MIS wouldn’t call me or refer, but it reduces the likelihood that you’re going to have a full-blown breach. Meet somebody like me. Truthfully. It doesn’t have to be me. Vet and know who you’re going to work with and then build the plan and test it with someone like me, with MIS, because MIS will be directly involved in an incident, so you understand.

An average breach, and I’ll finish with my nerding out by adding data, an average breach costs about $4.2 million. I think that was two years ago. It’s higher now – I think $4.3. Companies that have a plan, a team, and test it, save around $2.7, scale up or down.

It’s significant savings. So get an MIS in your corner, or somebody as good as MIS. Know a breach coach like me. Have a plan and test it. Those would be the three low-hanging fruit that are easy to get.

Lliam: Spencer, I truly appreciate all of the expertise that you bring to the community and helping all of us navigate what can be a really stressful time for any business.

Spencer: Appreciate it, Lliam, thanks for having me. And I appreciate you and all you all do.

Lliam: Anytime.
