
Dionne Lomax and Kelly Graf Take a Look at Privacy and Cybersecurity Issues for 2021 — Podcast Transcript

05/20/2021, June 2nd, 2021. Podcast Transcript


Kelly Graf

In March 2020, there was an excuse for having less than perfect protocols for how your employees work from home. It’s 2021. So it’s time to get remote working standards up to date.

Intro

Hello, and welcome to Integrity Through Compliance: AMI’s Business Success Series. This podcast was created by seasoned compliance experts at Affiliated Monitors to speak practically to your business needs. During this series you will hear from AMI’s experts who will provide their observations on industry trends, geared to raise your awareness and to protect your brand. So grab a cup of coffee and join us as we guide you and your business to integrity through compliance.

Dionne Lomax

Well, hello everyone. I am Dionne Lomax. I am the Managing Director of Antitrust and Trade Regulation at Affiliated Monitors, Inc. and it is my pleasure to welcome everyone here today for our podcast featuring Kelly Graf, who is a Senior Managing Associate and a member of Denton’s litigation and dispute resolution practice. Kelly defends companies in consumer class actions, complex litigation and related regulatory actions. She has consistently achieved successful results for clients in high stakes disputes in a variety of fields, including insurance and financial services industries. She has extensive experience in life and disability insurance litigation. Her practice includes defense of bad faith claims, consumer claims regarding loss of insurance, sales practice, and cost of insurance and agent misconduct claims. If that’s not enough, she is also experienced in white collar litigation on a variety of topics ranging from securities fraud to environmental violations. She leverages that experience in civil cases where there may be criminal or regulatory implications. And if that’s not enough, she’s also an expert in privacy and cybersecurity issues, which is why she has agreed to join our podcast today, so Kelly, welcome.

Kelly Graf

Thank you. I’m so excited to be here. I love it. Yeah.

Dionne Lomax

Well this is great too, because we were connected by a former colleague of mine, and it turns out that Kelly and I have actually worked at the same law firm at different times — well, we overlapped for a little bit at Mintz Levin and so it’s just been a pleasure to get to know her and to see just how small the world is.

Kelly Graf

Yeah, who knew I would move to Los Angeles and I meet somebody back on the other side of the country who was at Mintz Levin at the same time, and we can chat about all our overlapping contacts.

Dionne Lomax

Absolutely, absolutely. So let’s just jump right in. Tell us a little bit about privacy. We hear about privacy and cybersecurity all the time — and especially lately — when you hear about security breaches and these types of things, but for those of us who may not have much familiarity with privacy and security issues from a legal standpoint, can you give us the layman’s definition of what privacy law entails?

Kelly Graf

It’s a huge topic, I can try. It makes sense that this is such a huge topic, right? Because privacy touches so many aspects of our lives. We generate, store, use information every moment of every day, it seems — both in our personal lives and in our work lives — so laws applying to privacy can concern any type of entity. You know, you think of you personally, private companies, the government, or they can be super targeted as to the type of information. I’ll say health information is a very classic example of what people think of as private, but there’s also educational information, or information relating to your finances, so it’s a huge topic. My definition, and my understanding of it, comes from the fact that I’m a litigator, so if I’m involved, unfortunately something has probably gone wrong and a company’s getting sued.

I do try to also help clients mitigate risk on the front end. There is a lot you can do. And there’s also some unpredictability that comes with litigation risk, especially if you’re a company with a lot of consumer traffic on your website where you’re handling a lot of really sensitive information. You know, privacy is a really hot topic, as you say, and plaintiff’s lawyers, this is what they do. This is how they make their money is to come up with new and creative ideas for suing companies in class actions.

Dionne Lomax

Like the Target situation, for example. That hit, we all got noticed if we shopped at Target and used our cards. So what you’re saying is, then these private class actions would come in and sue them for violating privacy laws, basically.

Kelly Graf

They can, yeah. There are a lot of laws that get violated with a data breach. There are a lot of state privacy laws that concern data breaches, although one really great way to mitigate risk when it comes to state privacy laws and data breaches is, for example, the California new privacy law only gives you a private cause of action — only gives plaintiffs a private cause of action against a company — if the data that’s been breached was not encrypted. So if you encrypt your data and have a breach (unfortunately), you’ve really mitigated a lot of your risks on the backend because there’s still reputational harm. There are business risks that you’re facing, but as far as having some class action plaintiff’s lawyers come after you, you’re a little more buttoned up.

Dionne Lomax

What kind of trends are you seeing in terms of cyber attacks, generally? Are they focused on particular industries? Are they targeting certain demographic regions?

Kelly Graf

You know, this probably isn’t going to surprise you, but cyber attacks — cyber crime — it’s on the rise, because it’s lucrative. It makes people money. I’ve seen estimates from companies saying that it costs literally trillions of dollars a year. I read a statistic that in 2015 cyber security attacks cost companies something like $3 trillion, and they’re expected to cost $10 trillion in 2025 — just exploding in economic cost for businesses. And you know, it’s not just creating potential liability — that number is bigger. It’s long-term costs in the form of loss to data — data has value — your business being disrupted. You’re doing what your business does, and suddenly you lose a week of productivity because of a ransomware attack; you have system downtime. If you need to upgrade your systems or, if you’re a victim of a ransomware attack, costs of notifying people that their information has been breached is significant.

And then you have ongoing harm to the brand’s reputation — you know, you mentioned Target. Everybody remembers Target’s data breach. I love Target, but I’m still never going to forget about that happening; now it’s associated with the brand, which — that’s a problem.

Dionne Lomax

That is a problem, absolutely. You’re right.

Kelly Graf

You asked about particular industries or geographies. It’s so ubiquitous, and the trends are more that perhaps larger businesses are now being targeted whereas before, ransomware and phishing attacks were more targeted to small and mid-sized businesses. I think ransomware, coming into 2021, is the most common form of cyber attack. Europol, the EU’s law enforcement agency, has said that they regard it as the most prominent cyber crime threat. The reason is because they make money. They’re targeting larger and larger businesses that can pay bigger ransoms. Five years ago, you’d have a ransom that was $20,000, whereas last summer I read about a company paying a $10 million ransomware demand.

Dionne Lomax

Is there something to be said about — you know how in other contexts it’s like, “we don’t pay for kidnapping, or we’re never going to pay,” you know?

Kelly Graf

Yeah. It’s like negotiating with terrorists.

Dionne Lomax

Exactly! That’s it! Negotiating with terrorists. So is there something to be said for businesses just not paying to get their data back, or does that sound crazy?

Kelly Graf

Well, you know, it’s interesting. Other businesses have cropped up related to ransomware attacks, including insurance companies providing products for cyber insurance, where if you have a ransomware attack, it can be paid through your insurance — through your cyber insurance. And on the one hand, that’s great for companies, because now you can get your data back quickly, but you have to ask, is this encouraging more ransomware attacks?

Dionne Lomax

Right. They’re going to do it as long as they know somebody’s going to pay, right?

Kelly Graf

Totally. And, I saw a report (I think it’s a few years old now, maybe from 2019) about cyber insurance, saying that insurers paid out $1.8 trillion in covered cyber risks — that’s just the part that’s covered by insurance that they’re paying for. But you’re creating a market for these bad actors to create problems. You know, whenever there’s money, you’re gonna have folks trying to get that money, and in this case it’s through some really terrible means.

Dionne Lomax

Let me ask something related to what we’re all still going through, and that’s COVID. How, if at all, has COVID impacted data privacy and security issues for companies?

Kelly Graf

COVID has been such a huge driver of cybersecurity risks and, in a lot of ways, exposed vulnerabilities that we already had. Basically, cyber criminals and folks who are trying to get that ransom money — among other things — are taking advantage of the fact that we all started working from home without the proper preparedness. We didn’t have the right software, the right hardware for working from home in a secure way. The security standards that might have been really tight had to be lowered. You had to, to be able to continue to function, so that puts security at these companies under new levels of stress. And I think one other aspect of the pandemic that has been interesting from a cybersecurity perspective, is that it really highlights the human element of security. You think about — well, I used to, at least — think about a person in a dark room, hacking away at some company’s systems and then suddenly yelling, “I’m in!”

Dionne Lomax

That’s what you see on TV all the time! So I think that’s how I’ve thought about it as well. [laughter]

Kelly Graf

Totally! It’s very cinematic. What’s not cinematic is the fact that something like 80 or 90% of breaches of data security at companies comes from just phishing attacks, or social engineering attacks. So it’s human error. It’s human vulnerabilities, and I think the pandemic put that into a spotlight, because you’re more vulnerable when you’re under stress. You’re more likely to make a mistake and — you know, it’s not the Nigerian prince who’s emailing, full of typos, saying that you have an inheritance. It’s not that jokey situation anymore. The reality is that these are super sophisticated players who know how to exploit human psychology. Imagine the first month of the pandemic when you’re working from home: you’re scared. Maybe you’re scared you’re going to get sick; you’re worried your family’s going to get sick. High stress. You’ve seen news about layoffs, so you could be worried about your job, and then you get an email from your boss first thing in the morning, before you’ve had your coffee, and it looks like your boss is asking you to send her some information. Maybe it looks a little off, or there’s something not quite right about it, but if you’re stressed out or vulnerable, people will ignore red flags and try to be helpful. It’s very human nature that people want to help.

Dionne Lomax

Right, so true. Yes.

Kelly Graf

Totally. You know, so you get that email off, and you just sent private data to a scammer.

Dionne Lomax

Well, you know, it’s so funny because I’m real sensitive to it now, too. I know that our IT person at AMI sent an email — basically a survey of employees — to ask us our thoughts about how comfortable we feel about coming back into the office, and when, and under what circumstances, and it wanted me to click on a SurveyMonkey link. And I was so paranoid. I was like, wait a minute, let me check. I emailed him separately, and he’s like, “Yes, Dionne, it’s real. You can click on it.” [laughter] But you know, I didn’t know, right? And I don’t know how to tell the difference between something that’s legit and not legit.

Kelly Graf

Yeah, and it’s always better to be cautious and email, and just make sure that something is legit, and confirm. But that’s also because you’re empowered with a lot of knowledge about how sophisticated some of these scams can be, whereas a lot of day-to-day employees (especially this time last year) didn’t have that background knowledge of what to be looking out for, and what to be suspicious of.

Dionne Lomax

So now we are four months into a new administration, and I’m imagining some of our listeners are wondering, what can we expect regarding data privacy from a regulatory perspective, in light of the new administration? Do you have any thoughts in that area?

Kelly Graf

I think going forward, from a regulatory perspective, we’re going to be seeing a lot more enforcement actions from the FTC on a statute. It’s called the Children’s Online Privacy Protection Act — a mouthful, I’ll call it COPPA, it’s easier. But essentially, COPPA applies to online collection of data for children under the age of 13. And it’s one of those very uncontroversial data privacy statutes, where I think we can all agree that that type of data for our children is very concerning, and we want a lot of regulation in that space. And it also includes children from outside of the US, which is interesting. If it’s a US company, or US-based company, these privacy terms apply. It doesn’t matter where the kids are, and it requires verifiable consent from parents regarding collection of data. There are also some amendments that have been proposed to that statute that would prohibit advertising to children directly using apps. So the important thing about COPPA is that the FTC is the enforcement arm for that statute. There isn’t a private right of action, so the FTC is basically all we’ve got, and they’ve signaled that they are getting serious about violations of these statutes. We’ve seen some really big penalties in the past few years that we’re expecting are just going to be continuing. There are going to be more enforcement actions, particularly because prior enforcement actions have been successful. I’m trying to think of one of the more recent large penalties. There was a $4 million penalty against a mobile game developer for this really cute animal-themed game called BunnyBuns and Kleptocats —

Dionne Lomax

Bunny bun and techno cats?

Kelly Graf

Klepto-cats [both laugh] and Kleptocats 2, I think. [laughter]

Dionne Lomax

That sounds fun!

Kelly Graf

It sounds like a really fun game, but the FTC claimed that the developer of these games was allowing advertisers to collect children’s personal information using the apps. And obviously, while Kleptocats and BunnyBuns sound super fun to me, they are clearly targeted towards children — and young children at that — so, ultimately they were able to settle for $4 million. I think there may have been additional negotiation and it may have ended up being less.

Dionne Lomax

So Kelly, as we look forward into 2021, what are some of the key privacy considerations that you think companies need to be aware of? And then, in particular, what are some practical tips for companies?

Kelly Graf

Well, on the side of protecting company data (or customer data, if your company is entrusted with that), really being aware of that human element that we were talking about before. Get your company employees trained to empower them with the knowledge and understanding of how these types of attacks work. That’s really your best defense to a lot of these security attacks. You know, ultimately there’s only so much you can do, because people are individuals, and people make mistakes. But if you get really good training, that can really button up a lot of security issues. Also, getting remote working standards up to date — in March 2020 there was an excuse for having less than perfect protocols for how your employees work from home. It’s 2021, so it’s time to get people trained. Make sure they have the right hardware and software. Make sure you have adequate network segmentation. Network segmentation is where you have both personal networks and business networks being used on the same computer, and you have to make sure that the business portion is completely separate from the personal portion. You can do that — most people use VPNs. But just, making sure that business data is kept in control of the business (and personal data is kept separate) is a huge way to mitigate risk in that way. And you know, on the litigation side, I think, going forward we’re going to continue to see class actions related to privacy — and creative ones, at that. In the past year or two, we’ve seen a lot of class actions concerning the Federal Wiretap Act, and the California Invasion of Privacy Act. Those are two really old statutes — they’re definitely older than I am — and they’re concerned with telephone eavesdropping. But in 2020, plaintiffs are using these broadly worded statutes for new causes of action related to how companies are using data online, like with plugins, or cookies, or click monitoring technologies.

So if your organization is using some of these technologies, it can be worth a look from your inside counsel, or outside counsel, to see how the use of those technologies is communicated to consumers. If there’s a way to communicate it differently, that would mitigate some risk if a creative plaintiff’s lawyer came across your website and decided to bring a claim.

Dionne Lomax

Okay, well Kelly, this is all so fascinating, and I really want to thank you for taking some time out of what I am sure is a very busy day to share some of your expertise with us in the area of privacy and cyber security. Thank you once again and have a great day.

Kelly Graf

Thank you for having me.

Outro

Thank you for joining Affiliated Monitors’ podcast, Integrity Through Compliance: AMI’s Business Success Series. Today’s segment is just a sample of the subject matter expertise captured by AMI’s compliance professionals. Go to our website at www.affiliatedmonitors.com to view the comprehensive list of industry and in-house talent AMI has available to enhance professional and business integrity programs and controls. Also, connect with us on LinkedIn to receive updates and trends in the areas of enforcement and compliance. If you have any questions about today’s podcast or would like to learn more, please contact us at podcast@affiliatedmonitors.com. Our Affiliated Monitors podcast production team of Deloris Saad, our compliance associate, and Dan Barton, our editor and podcast music composer, look forward to you joining us again for our next installment of Integrity Through Compliance: AMI’s Business Success Series.