Dionne Lomax and Kelly Graf Take a Look at Privacy and Cybersecurity Issues for 2021

May 19, 2021 00:25:45
Integrity Through Compliance

Show Notes

In this episode, recorded before the recent Colonial Pipeline ransomware attack, Affiliated Monitors, Inc.’s Managing Director, Dionne Lomax, sat down with Dentons’ Kelly Graf to discuss privacy and cybersecurity issues for 2021 and beyond. Kelly shares with our listeners how mature companies' security programs need to be in light of ransomware, phishing, and a post-COVID-19 work-from-home data protection environment. Now that cybersecurity is in the news more than ever, this conversation couldn’t be more relevant.

They cover topics including:
• The multi-trillion dollar growth in this criminal industry over the last decade
• The importance of remote working standards and network segmentation
• Class action lawsuits regarding large scale data breaches
• Ongoing trends in FTC enforcement of COPPA
• The modern sophistication of phishing and social engineering attacks
• The perverse incentives created by, and the unintended consequences of, the growing cybersecurity insurance industry
• The creative ways that lawyers have used outdated privacy laws to bring data security lawsuits

Episode Transcript

Speaker 0 00:00:00 Well, hello everyone. I am Dionne Lomax. I am the managing director of antitrust and trade regulation at Affiliated Monitors, Inc. And it is my pleasure to welcome everyone here today for our podcast featuring Kelly Graf, who is a senior managing associate and a member of Dentons' litigation and dispute resolution practice. Kelly defends companies in consumer class actions, complex litigation and related regulatory actions. She has consistently achieved successful results for clients in high-stakes disputes in a variety of fields, including the insurance and financial services industries. She has extensive experience in life and disability insurance litigation. Her practice includes defense of bad faith claims, consumer claims regarding loss of insurance, sales practices and cost of insurance, and agent misconduct claims. If that's not enough, she is also experienced in white collar litigation on a variety of topics ranging from securities fraud to environmental violations. She leverages that experience in civil cases where there may be criminal or regulatory implications. And if that's not enough, she's also an expert in privacy and cybersecurity issues, which is why she's here with us today.

Speaker 1 00:01:24 Thank you. I'm so excited to be here. I love it. Yeah.

Speaker 0 00:01:32 Well, this is great too, because we were connected by a former colleague of mine, and it turns out that Kelly and I have actually worked at the same law firm at different times. Well, we overlapped for a little bit at Mintz Levin, and so it's just been a pleasure. Yeah.

Speaker 1 00:01:48 I moved to Los Angeles and I meet somebody back on the other side of the country who was at Mintz Levin at the same time, and we can chat about all our overlapping contacts.

Speaker 0 00:02:05 Absolutely, absolutely. So let's just jump right in. Tell us a little bit about privacy. We hear about privacy and cybersecurity all the time, and especially lately, when you hear about security breaches and these types of things. But for those of us who may not have much familiarity with privacy and security issues from a legal standpoint, can you... it's a huge topic.

Speaker 1 00:02:28 I can try. It makes sense that this is such a huge topic, right? Because privacy touches so many aspects of our lives. We generate, store, and use information every moment of every day, it seems, both in our personal lives and in our work lives. So laws applying to privacy can concern any type of entity. You know, you think of you personally, private companies, the government. Or, you know, they can be super targeted as to the type of information. Health information is a very classic example of what people think of as private, but you know, there's also educational information, or information relating to your finances. So it's a huge topic. My definition and my understanding of it comes from the fact that I'm a litigator. So if I'm involved, unfortunately, something has probably gone wrong and a company's getting sued.

Speaker 1 00:03:42 I do try to also help clients mitigate risk on the front end. There is a lot you can do. And there's also some unpredictability that comes with, you know, litigation risk, especially if you're a company with a lot of consumer traffic on your website, you know, where you're handling a lot of really sensitive information. You know, privacy is a really hot topic, as you say, and plaintiffs' lawyers, this is what they do. This is how they make their money, is come up with new and creative ideas for suing companies in class actions.

Speaker 0 00:04:30 Yeah, the Target situation, for example, that hit. We all got notices. We shopped at Target and used our cards. So what you're saying is then these private class actions would come in and...

Speaker 1 00:04:42 <inaudible> related with a data breach. There are a lot of state privacy laws that concern data breaches, although one really great way to mitigate risk when it comes to state privacy laws and data breaches is, for example, the new California privacy law only gives you a private cause of action, or it gives plaintiffs a private cause of action against a company, if the data that's been breached was not encrypted. So if you encrypt your data and have a breach, unfortunately, you've really mitigated a lot of your risk on the backend. Because there's still reputational harm, there are business risks that you're facing, but as far as having some class action plaintiffs' lawyers come after you, you're a little more buttoned up.

Speaker 0 00:05:48 What trends are you seeing in terms of cyber attacks generally? Are they focused on particular...

Speaker 1 00:05:54 It probably isn't going to surprise you: cyber crime is on the rise because it's lucrative. It makes people money. I've seen estimates from companies saying that it costs literally trillions of dollars a year. I read a statistic that in 2015 cyber security attacks cost companies something like $3 trillion, and they're expected to cost $10 trillion in 2025, just exploding in economic cost for businesses. And you know, it's not just creating potential liability. And you know, that number is bigger. It's long-term costs in the form of loss of data. You know, data has value. Your business being disrupted. You're doing what your business does, and suddenly you lose a week of productivity because of a ransomware attack. You know, you have system downtime. If you need to upgrade your systems, or, you know, if you're a victim of a ransomware attack, costs of notifying people that their information has been breached is significant.

Speaker 1 00:07:14 And then you have ongoing harm to the brand's reputation. You know, you mentioned Target. Everybody remembers the Target data breach. Yeah, I love Target. And I'm still never going to forget about that happening. You know, now it's associated with the brand, which is a problem. As for particular industries or geographies, it's so ubiquitous, and the trends are more that perhaps larger businesses are now being targeted, whereas before ransomware and phishing attacks were more targeted to small and mid-sized businesses. You know, I think ransomware, coming into 2021, is the most common form of cyber attack. Europol, the EU law enforcement agency, has said that they regard it as the most prominent cyber crime threat. The reason is because they make money. You know, they're targeting larger and larger businesses that can pay bigger ransoms. Five years ago, you'd have a ransom that was $20,000, whereas last summer I read about a company paying a $10 million ransom.

Speaker 0 00:08:53 Is there something to be said about, you know, how in other contexts it's like, we don't pay for kidnapping, or we're never going to pay, you know?

Speaker 1 00:09:02 Yeah. It's like negotiating with terrorists. Exactly. That's it.

Speaker 0 00:09:07 So is there something to be said for businesses just not paying to get their data back, or does that sound crazy?

Speaker 1 00:09:15 Well, you know, it's interesting. Other businesses have cropped up related to ransomware attacks, including insurance companies providing products for cyber insurance, where if you have a ransomware attack, it can be paid through your insurance, through your cyber insurance. And on the one hand, that's great for companies, because, you know, now you can get your data back quickly. But you have to ask, is this encouraging more? <inaudible> Right.

Speaker 0 00:09:52 They're going to do it as long as they know somebody's going to pay. Right.

Speaker 1 00:09:56 Totally. And, you know, I saw a report, I think it's a few years old now, maybe from 2019, about cyber insurance saying that insurers paid out $1.8 trillion in covered cyber risks. That's just the part that's covered by insurance that they're paying for. But you're creating a market for these bad actors to create problems. You know, whenever there's money, you're gonna have folks trying to get that money. And in this case, it's through some really terrible means.

Speaker 0 00:10:37 Let me ask something related to what we're all still going through, and that's COVID, right. How, if at all, has COVID impacted data privacy and security issues for companies?

Speaker 1 00:10:49 COVID has been such a huge driver of cybersecurity risks, and in a lot of ways exposed vulnerabilities that we already had. Basically, cyber criminals and folks who are trying to get that ransom money, among other things, are taking advantage of the fact that, you know, we all started working from home without the proper preparedness. We didn't have the right software, the right hardware for working from home in a secure way. The security standards that might have been really tight had to be lowered. They just... you had to, to be able to continue to function. So that puts security at these companies under new levels of stress. And I think one other aspect of the pandemic that has been interesting from a cybersecurity perspective is that it really highlights the human element of security. You know, you think about, well, I used to at least think about a person in a dark room, you know, hacking away at some company's systems and then, you know, suddenly yelling "I'm in." That's what you see...

Speaker 0 00:12:15 On TV all the time. So I think that's how I've thought about it as well. Totally.

Speaker 1 00:12:20 It's very cinematic. What's not cinematic is the fact that, you know, something like 80 or 90% of data security breaches at companies comes from just phishing attacks or social engineering attacks. So it's human error, it's human vulnerabilities. And I think the pandemic put that into a spotlight, because you're more vulnerable when you're under stress. You know, you're more likely to make a mistake. And you know, it's not the Nigerian prince who's emailing, full of typos, saying that you have an inheritance. You know, it's not that jokey situation anymore. The reality is that these are super sophisticated players who, you know, know how to exploit human psychology. Imagine the first month of the pandemic, when you're working from home. You're scared, maybe, you know, you're scared you're going to get sick. You're worried your family's going to get sick.

Speaker 1 00:13:35 You know, high stress. You know, you've seen news about layoffs, so you could be worried about your job. And then you get an email from your boss, first thing in the morning, before you've had your coffee. And you know, it looks like your boss is asking you to send her some information. You know, maybe it looks a little off, or there's something not quite right about it, but, you know, if you're stressed out or vulnerable, people will ignore red flags and try to be helpful. It's also very human nature that people want to help. Right. Totally. You know, so you get that email off and, you know, you just sent private data to a scammer.

Speaker 0 00:14:23 Well, you know, it's so funny, because, you know, I'm real sensitive to it now, too. I know that our IT person at AMI sent an email, basically a survey of employees, to ask us our thoughts about how comfortable we feel about coming back into the office, and when, and under what circumstances. And it wanted me to click on a SurveyMonkey link, and I was so paranoid. I was like, wait a minute, let me check. I emailed him separately. And he's like, yes, Dionne, it's real. You can click on it. But you know, I didn't know, right now. And I don't know how to tell the difference between something that's legit and not legit.

Speaker 1 00:15:01 So yeah. And it's always better to be cautious and, you know, email and just make sure that something is legit and confirm. But you know, that's also because you're empowered with a lot of knowledge about how sophisticated some of these scams can be, whereas a lot of day-to-day employees, especially this time last year, didn't have that background knowledge of what to be looking out for and what to be suspicious of.

Speaker 0 00:15:33 So now we are four months into a new administration, and I'm imagining some of our listeners are wondering, hey, well, what can we expect regarding data privacy from a regulatory perspective in light of the new administration? Do you have any thoughts in that area?

Speaker 1 00:15:51 I think going forward, from a regulatory perspective, we're going to be seeing a lot more enforcement actions from the FTC on a statute called the Children's Online Privacy Protection Act. Kind of a mouthful. I'll just call it COPPA, it's easier. But you know, essentially COPPA applies to online collection of data for children under the age of 13. And it's one of those very uncontroversial data privacy statutes, where I think, you know, we can all agree that that type of data for our children is very concerning, and we want a lot of regulation in that space. You know, and it also includes children from outside of the US, which is interesting. If it's a US company or, you know, US-based company, these privacy terms apply. It doesn't matter where the kids are. And it requires verifiable consent from parents regarding collection of data.

Speaker 1 00:17:06 There are also some amendments that have been proposed to that statute that would prohibit advertising to children directly using your apps. So the important thing about COPPA is that the FTC is the enforcement arm for that statute. There isn't a private right of action. So the FTC is basically all we've got, and they've signaled that they are getting serious about violations of these statutes. We've seen some really big penalties in the past few years that we're expecting are just going to continue. There are going to be more enforcement actions, particularly because prior enforcement actions have been successful. Trying to think of one of the more recent large penalties. There was a $4 million penalty against a mobile game developer for these really cute animal-themed games called Bunny Buns and KleptoCats.

Speaker 0 00:18:14 Bunny Buns and KleptoCats. And it's up to the cats too, I think.

Speaker 2 00:18:25 That sounds fun. It sounds like a really...

Speaker 1 00:18:29 Fun game. But, you know, the FTC claimed that the developer of these games was allowing advertisers to collect children's personal information using the apps. And, you know, obviously, while KleptoCats and Bunny Buns sound super fun to me, they are clearly targeted towards children, and young children at that. So, you know, ultimately they were able to settle for $4 million. And I think there may have been additional negotiation, and it may have ended up being less.

Speaker 0 00:19:16 So Kelly, as we look forward into 2021, right, what are some of the key privacy considerations that you think companies need to be aware of? And then in particular, what are some practical tips for a company?

Speaker 1 00:19:30 Oh, well, on the side of protecting company data or customer data, if your company is entrusted with that, really being aware of that human element that we were talking about before. Get your company employees trained, to empower them with the knowledge and understanding of how these types of attacks work. That's really your best defense to a lot of these security attacks. You know, ultimately there's only so much you can do, because people are individuals and people make mistakes, but if you get really good training on that, that can really button up a lot of security issues. Also, getting remote working standards up to date. In March 2020, there was an excuse for having less than perfect protocols for how your employees work from home. It's 2021. So it's time to get people trained, make sure they have the right hardware and software, make sure you have adequate network segmentation.

Speaker 1 00:20:55 Network segmentation is where you have both personal networks and business networks being used on the same computer. And you have to make sure that the business portion is completely separate from the personal portion. You can do that. You know, most people use VPNs, but just making sure that business data is kept in control of the business and personal data is kept separate is a huge way to mitigate risk in that way. And you know, on the litigation side, I think, you know, going forward, we're going to continue to see class actions related to privacy, and creative ones at that. In the past year or two, we've seen a lot of class actions concerning the federal Wiretap Act and the California Invasion of Privacy Act. Those are two really old statutes. They're definitely older than I am. And, you know, they're concerned with telephone eavesdropping, but you know, in 2020 plaintiffs are using these broadly worded statutes for new causes of action related to how companies are using data online, like with plugins or cookies or click monitoring technologies. So if your organization is using some of these technologies, it can be worth a look from, you know, your inside counsel or outside counsel to see how the use of those technologies is communicated to consumers. If there's a way to communicate it differently, that would mitigate some risk if a creative plaintiff's lawyer came across your website and decided to bring a claim.

Speaker 0 00:23:15 Okay, well, Kelly, this is all so fascinating, and I really want to thank you for taking some time out of what I am sure is a very busy day to share some of your expertise with us in the area of privacy and cyber security. Thank you once again, and have a great day.

Speaker 1 00:23:35 Thank you for having me.
