Cybersecurity conference hosted by law firm in Troy

By Thomas Franz
BridgeTower Media Newswires

DETROIT - With cybersecurity issues continuing to be on the forefront of many minds in business and law, Warner, Norcross, & Judd LLP held its Data Solutions Spring Symposium April 18 in Troy.

Attorneys and cyber law specialists from the firm spoke on a variety of topics in the cyber field to educate others on the dangers and solutions to navigating these issues.

In one session, Warner Norcross attorneys Brian P. Lennon and Clint W. Westbrook provided an overview of data breaches and they discussed the ethics of buying back stolen data in addition to why it's in the interest of corporations to do so.

In terms of which industries are being breached, Lennon said roughly 28 percent of breaches occurred in the health care field in 2017, while 50.8 percent of breaches attacked businesses and 8.7 percent impacted education systems.

As for who's committing these breaches, 51 percent of attacks were done by organized criminal groups and 81 percent of the attacks involved using stolen or leveraged passwords. Those groups then look to profit from their findings.

"The freshness of the data generally drives the cost. The good stuff, the authentication credentials, military and government addresses, addresses for large corporations, that's the prime stuff that's out there and available at the highest cost," Lennon said.

One group that the hackers sell this data to is the corporations they stole from originally. Such transactions typically occur on the dark web.

"We're seeing this new practice where the companies that got breached are going and buying back their own data," Westbrook said. "Companies normally use a third party to retrieve the data and figure out what happened."

There are many ethical and legal issues involved with this practice, Westbrook said. One issue is that buying back data incentivizes hackers to continue hacking.

"To go buy my data back, I've now paid the bad guy for my data. It creates an incentive for what we're trying to stop," Westbrook said.

Lennon addressed many legal questions surrounding this field, including who owns the data, if a company can steal something back and who has authority to take it back.

"Our recommendation is always to use a third-party vendor (to get data back)," Lennon said. "We recommend that because there have been instances when companies reach out to people on the dark web and then they're hacked during that reaching-out period."

Data breach lawsuits

In a separate session, attorneys Katherine L. Pullen and Brian D. Wassom discussed the intricacies of lawsuits following data breaches.

Pullen opened her portion of the discussion by giving an overview of these types of lawsuits. Typical plaintiffs in these cases are government regulators such as the Federal Trade Commission, Federal Communications Commission and the U.S. Securities and Exchange Commission. Consumers, financial institutions and shareholders are also frequent plaintiffs.

Those plaintiffs typically go after the companies that were breached, plus their directors and officers.

"Usually, the claims against the directors and officers are breach of fiduciary duty, but those claims have largely been unsuccessful," Pullen said.

Negligence is the most common type of suit brought. The plaintiffs work to show the defendants failed to exercise reasonable care to protect the plaintiffs' data, and they also misstated the safety of plaintiffs' financial information and failed to disclose material information about data security, Wassom explained.

On the other side, the primary defense used in these cases is standing, and a key component to standing is determining if a plaintiff has actually suffered a concrete injury.

"This happens especially in federal court, where those are of limited jurisdiction, you can't just walk into federal court and make any claim you want," Wassom said.

For resolving these cases, Pullen said don't expect to head to trial.

"What people don't realize is that more than 95 percent of civil cases are resolved or settled before they get to a jury," Pullen said. "Jury verdicts are simply unheard of."

Preventing breaches

Speakers from both sessions also provided advice for any type of business to use to prevent data breaches.

Pullen and Wassom's presentation discussed how a little bit of prevention is worth much more than a cure.

They explained that a comprehensive information security program is key, and having clearly written policies and procedures will help protect a business.

File integrity monitoring, network segmentation, encrypting data, and keeping software updated were other key areas identified by Wassom.

Lennon and Westbrook shared a similar philosophy in that up-front investing is crucial.

"Those written protocols are key to develop for if it happens, here's what we have to do," Westbrook said. "We're able to say, here's the state law, here's what you have to do immediately afterwards. It's important to not have the idea that it couldn't happen to me, it happens to big-box stores and small companies too. To have those protocols in place beforehand is huge."

Published: Fri, May 04, 2018