EPISODE 52
SysAdmins and the multi-million dollar privacy violations they will cause

About this episode

April 28, 2020

Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, reveal how people with privileged accounts are managing bigger risks to their organization than ever before. In the world of CCPA, GDPR, and SHIELD, not carefully setting permissions on those data leaks will lead to massive penalties for some organizations.

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle, and your virtual cybersecurity council is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Hey, Jake. Today we're going to talk about something that I think our listeners are going to find really interesting, because there's a balance of power that's shifting in the privacy world, and it's going to affect our cyber risk managers. This is about systems administrators and the multimillion dollar privacy violations they will cause.

Jake Bernstein: We were just talking about this with one of our joint customers. So let's... I think this is important information to share.

Kip Boyle: Yeah. And I was really pleased by how strongly this resonated with our customer. And so, yeah, I agree. I think our audience is going to be really interested to know about this.

Jake Bernstein: So this of course is related to the CCPA or California Consumer Privacy Act for those who don't live and breathe this stuff, isn't it?

Kip Boyle: Yes, absolutely. So yeah, it's sort of the collision between the growing power related to the protection of privacy information here in the United States. The growing power of the state laws and regulations, but it's also about how organized cyber criminals and the underground digital economy work on the dark web. It's actually kind of a collision of those two things. And what I'm seeing is systems administrators are at the dead center of this. So would you set up the episode by summarizing the penalty provisions in CCPA?

Jake Bernstein: CCPA splits the kind of consequences into two large buckets. One is the private cause of action, which is limited to the failure to adopt basically reasonable security measures, which we have talked about more than a couple of times. That's kind of one of our focal points of this podcast. And essentially what California has done is they say, okay, if a company loses your information, your being a consumer, a California consumer, then the California consumer can bring a lawsuit which will ultimately become a class action lawsuit, seeking either actual damages or up to $750 kind of per record slash individual. It's a little unclear. And that's going to be a massive litigation battleground that I think will really change the landscape for this. We'll have to see what happens.

The second bucket is California attorney general enforcement, and the California AG can enforce any of the provisions of the CCPA. And so the CCPA is primarily a privacy statute and it creates privacy rights. And it's interesting that individuals can't enforce failures to comply with the privacy sections, but the California AGO can, and presumably will do so. The formula there is up to $7,500 per intentional violation and up to $2,500 for unintentional violations. And that's interesting because the statute builds in a 30 day right to cure. Which means that after that right to cure period, it's going to be fairly easy for the California AGO to argue that most violations are, quote, intentional in order to get access to that higher figure, that higher penalty figure.

Kip Boyle: So, one thing that's really interesting about CCPA that I've heard you talk about before is, in the past there's been a real difficulty for private citizens to be successful in a lawsuit around a data breach because they had a hard time proving harm. And so this sort of changes that dynamic, right? Am I getting that right?

Jake Bernstein: Oh, it completely changes it. So there have been a lot of data breaches, but not an equal number of successful class action lawsuits. And the big reason for that is that in the federal courts, you have to be able to show particular harm and it cannot be what the courts call speculative, which means that if you say, "Oh, my data has been leaked by this data breach," you have to also be able to show some direct harm or even reasonably indirect harm from the data breach to you. And a lot of the time that's not possible, and it's not possible for many reasons. Sometimes it's the second or third data breach that has put that information out there. How are you supposed to prove that it was that data breach that caused your harm? Or maybe you just haven't suffered any specific harm, and it's more of the potential harm that you're worried about.

So what California does is bypass that analysis by creating statutory damages. And it kind of just takes that part out so that it will create significantly easier class action lawsuits going forward.

Kip Boyle: Right. Right. And that's one of the reasons why this balance of power is shifting. So that's a great relief to people who have had their personal information mishandled. Okay. For the purposes of illustrating the point that we want to make on this episode, I want to restate the penalties that you just reviewed as simpler formulas, just to make this easier for everybody. So if you have a data breach of personal information and the California plaintiff's bar comes after you, then your penalty would be the number of breached personal information records times $750. And if the California attorney general comes after you instead, then your penalty is the number of violations times $7,500. I mean, are you okay with that for this episode?

Jake Bernstein: Yeah. It works. All of that is subject to court oversight. And oftentimes, at least in my experience, when you have an "up to" figure, you don't generally get the maximum on every single violation. If they are small, I've seen courts award differing amounts for different types of violations. And so the actual penalty for failure to update your privacy policy might be a little different than a penalty for losing sensitive personal data. And that goes more to the California AGO version, but it works for this podcast.

Kip Boyle: Okay. Okay. Great. So thanks for indulging me. Again, I'm not the lawyer, right?

Jake Bernstein: Yeah.

Kip Boyle: But I want to bring a couple of examples forward. So here's the first example. This is kind of a big example. On December 14th, 2019, so that's pretty recent as of the recording date of this episode, there was a security researcher who was scanning for any cloud based data shares that were publicly available. And he was doing this using automated tools and he found a whole bunch of records. In fact, 267 million Facebook users had their information exposed. It was a massive data breach and it received a lot of news coverage; CBS and other major news outlets covered this. And it turns out that this database was left open for nearly two weeks. And we're talking about names, phone numbers, Facebook user IDs were exposed and available to anybody who knew how to find it.

So now this didn't happen under the period... Well, this happened before CCPA enforcement was set to begin. So this is just a hypothetical, but we're probably going to see more of these things anyway. So if we take the simple formula of the California plaintiff's bar, then the penalty can be calculated as the number of breached PI records times $750. And when you're talking about 267 million Facebook users, now we're talking about a penalty of $200 billion. Now I feel like I'm Dr. Evil trying to ransom the world, but that's an enormous penalty. And I don't know that anybody would ever pay something like that, but Jake, doesn't that really give a ton of leverage and power over to the bringers of the lawsuit?

Jake Bernstein: It does. Yeah. And I mean, really, because the vast majority of lawsuits settle, at least in the civil context, the goal is always to generate that kind of leverage, particularly when you're looking for a monetary settlement. So if you can threaten just astronomical numbers, then that means that you can start doing things like, look, even if I gave you a 50% reduction in penalties, it's still a hundred billion dollars. So I'm going to offer you two... I'm going to offer a settlement of two billion, which is what? A percent, 2%. And so that gives you a leverage that you otherwise just don't have. And it's going to be interesting how this plays out, because there are legal principles that can be used to limit penalties if they are excessive. And it's going to be interesting to see what happens here. And I think that it won't take long, and I say that, but in legal speak, that's a couple of years for us to kind of see how this begins to work.

Kip Boyle: Right. Okay. And so I hope that this example is helping listeners understand just how tremendous the power shift actually is. And maybe you're not surprised. Maybe you already did the calculation in your head when we were first talking about this. And you said, gosh, a hundred million record data breach would add up to a lot. But let's take a look at another example. Let's suppose that there's a different data breach. And this one's hypothetical here, the one that I'm about to dive into. So let's suppose that there's a company that had a website and they were running some kind of promotional contest, right? Some kind of a marketing effort to spread the word about what they do and that people should become their customers. And so they're running a big promotion and they gave away prizes, major prizes, to let's say 10 people.

And so then it turns out that there's a spreadsheet containing the personal information of those 10 winners. And just like in the previous example, it was discovered on a server open on the internet. And how was it discovered? Well, again, one of these white hat security researchers did it and then publicized it. But it could have just as easily been a black hat criminal looking for personal information who could find it and then silently make off with it. And it could be both, actually. I mean, there's no reason to think that a white hat and a black hat couldn't find this stuff at the same time, or more or less at the same time.

Jake Bernstein: Well, I think you have to assume that for every white hat looking, there's at least two or three black hats looking.

Kip Boyle: Maybe 10.

Jake Bernstein: Maybe 10. And again, as we often point out, when we say looking, it's not like people are sitting at a keyboard typing in random URLs. They both have highly sophisticated tools, usually the same tools, to do this on an automated basis.

Kip Boyle: Right. Except one is sitting in a country with no extradition treaty with the United States.

Jake Bernstein: Yes, that's right.

Kip Boyle: And the other one is looking to issue a press release to get a lot of visibility for their work so they can get more customers. It's really interesting how this goes, but anyway, let's pretend that those 10 winners had their personal information stored on a server open to the internet. It was discovered. And now this company that was running a promotion has a data breach. And let's say these 10 winners are all residents of the state of California. So that's the setup. Now, some people might be saying, well, it's just 10 records, right? So that's 10 times $750. Oh, that's not much. Okay. But here's the point that we want to make: let's say the California attorney general decides that they're going to take this and they're going to pursue you.

So let's revisit the simplistic formula that I made, which is your penalty would be the number of violations times $7,500. So it's not the number of records, it's the number of violations. And so let's start counting violations. And again, hypothetical here, but let's say that in addition to the 10 records, let's say that you failed to respond to a thousand requests from consumers in the 45 day time period. And why did this happen? Well, because news of the data breach got out and a lot of people said, "Oh my gosh, I entered that contest. Was my data one of the ones that was... I know I didn't win a major prize, but what else is going on here? Is there more to come?" And let's say that at the same time, your privacy policy on your websites, let's say you've got three of them, is stale, right? So it's retrieved and analyzed by the attorney general. And they go, no, this isn't cutting it. It's insufficient under CCPA.

And then let's say you didn't do adequate notification to 5,000 consumers following the data breach. And so you start to add up all these violations and I count just over 6,000 individual violations. Now, if we run that through my simplistic formula, you're looking at a $45 million penalty for 10 records. Do you think I got that right, Jake?

Jake Bernstein: Yeah. And that's exactly what can happen. And again, the same point I made earlier applies here, which is that the California AG has just as much of an incentive... I actually, I take that back. The offices are... They exist to litigate. So they don't necessarily care about avoiding litigation at all costs. However, it is always much more convenient and resource efficient for them to settle. And that type of calculation gives them immense bargaining power, immense leverage.

Kip Boyle: Right, right. Exactly. So even though the hypothetical company in question may not actually pay a $45 million penalty, they're adding-

Jake Bernstein: For 10 records.

Kip Boyle: For 10 records. So they're at a distinct disadvantage in terms of the conversation that they're about to have with these regulators. And so I would imagine that they would be willing to gladly come to the table and discuss terms of surrender. I mean, settlement. So, it's going to change the trajectory of your company as a result of this. I think about the FTC settlements where companies have to spend 20 years under the close personal supervision of the FTC with respect to their information security programs. So that's not a monetary penalty, but I mean, you're kind of getting handcuffed to the government on all that you're doing. And that doesn't sound like fun to me.

Jake Bernstein: And keep in mind too, that there are hidden costs here, even setting aside the $45 million penalty. Let's say the office is feeling generous and is willing to settle for half a million dollars, $500,000. For 10 records, that's an expensive mistake. It's not going to put you under, but that certainly could... it will severely impact your profitability, your budget. And on top of that, you're going to have to find and pay counsel. You're going to have lost productivity in terms of effort spent responding. I know, having seen it, that it's often a very stressful period for the business owners. I mean, nobody wants to be investigated by an office, particularly not when there's a $45 million, I was going to say stick, but it's just more like a tree hanging over you.

And there's just a lot of additional costs there. And I think that, this episode is being recorded in mid February and will be released a couple months from now, but the CCPA doesn't become enforceable until July 1st, 2020. And so we just don't know what it's going to actually look like after that date. This is a likely outcome. It could be worse. It could be that the California office just starts going after everyone for a breach, because frankly it costs them nothing to start sending demand letters.

Kip Boyle: Right. So we're speculating a little bit here, but we don't think we're that far off the mark. So people should start thinking about this. Now, when we opened up the episode we said, well, this is really about systems administrators being at kind of the nexus of this change of balance of power. And I want to come back and close the loop on that. So we hear in our work a lot of people saying things like, "Hey, we're in the cloud. So we're secure." Right? That kind of absolves us of a lot of security burden. And since our data is in the cloud, we can sleep well at night knowing that Amazon, Microsoft, Dropbox, Box, you name it and the list goes on and on, that our data is safe and sound.

Now that's a major mistake. And that's one thing that in both of these cases that we've reviewed should come out to our listeners: in both of these cases, what happened was personal information was stored in the cloud but it wasn't secured properly. And because it was in the cloud and not on your local area network, you have global visibility potentially to that data based on the scanning that's being done. It's so, so easy to scan, looking for open data shares in cloud providers, as compared to the effort that it would take to do a similar thing if your data was still located in a local area network. So you've got this massive global potential visibility. And you know what? When you go in and look at the cloud providers, they'll all tell you, after you've bought your way in, that there's a shared responsibility model for security. They're going to do some things, but you're going to do a lot.

And what we notice is that a lot of people forget about the part that they need to do, or they just don't even realize that there's a part that they have to play. And so it comes back to systems administrators. It's the systems administrators who are storing the data in the cloud, and they're the ones that have to set the correct permissions. And if they just drop all the permissions, because it's just going to make their life easier, well, that's kind of the raw ingredients for some of these problems that we're seeing.

Jake Bernstein: It is. And I think that there has been an awful lot of, I would say it's been the wild West in the cloud for quite some time. And I think that that time period is just coming to an end. I don't think it's going to be feasible for companies to kind of be nonchalant about how this works. You'll need to... We've talked about the need to monitor your service providers. These examples are why. Even if it's not your fault, quote unquote, directly, if it's your data and you collected it and you hired someone who didn't take care of it as well as you would have, you're still going to be on the hook for it. And yeah, you might be able to go after that provider, but how many of those providers are going to be able to pay? They're also going to want to settle. It's just going to get messy.

Kip Boyle: It's going to get very messy. And I want to make the point that in the first example, the real world example we gave about the Facebook data breach in December of 2019, that was in fact caused not just by a systems administrator, but also by a third party. And when you read the reporting on that episode, nobody really talks about the third party providers of Facebook as being responsible for what happened. They talk about Facebook as being responsible. So their name gets dragged through the mud, right? So you've still got to deal with all of the press. And we know from the studies that have been published that when you suffer a data breach, you also experience what's called an abnormal churn in your customer base. In other words, you lose more customers than you otherwise would simply because of the bad press.

And now you've got to work even harder. You have to replace the normal amount of customers that leave every year. But now you've got to replace the abnormal churn on top of it. And you're doing it under the shadow of this very, very negative publicity that you just suffered. So sales teams and marketing teams have to work extra hard in those situations.

Jake Bernstein: Absolutely.

Kip Boyle: So, all right. I think that pretty much covers the point we wanted to make. Did you want to add anything else, Jake, before we wrap?

Jake Bernstein: Not on this, other than if you are still kind of waiting on CCPA compliance, I would stop and I would commence it right away.

Kip Boyle: Right. Definitely. And start training your systems administrators. And I'm not just talking about full time technical computer people, but anybody out there who has a credit card who can buy their way into a cloud service and stuff personal records in there. That could be somebody in your marketing department, your business intelligence department, the list just goes on and on. So you really need to think about it: just about everybody in your company is a systems administrator of one kind or another. So that makes this even more pervasive. Okay. So on that note, that wraps up this episode of the Cyber Risk Management Podcast. And today we talked about systems administrators and the multimillion dollar privacy violations they will cause. See you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport. So include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.