Caveat 1.13.22
Ep 108 | 1.13.22

Will privacy and security reach equilibrium?

Transcript

Chris Hart: You know, I'm - I tend to be a skeptic - the idea that this area - and by this area, I mean privacy and security writ large - is going to reach equilibrium or stasis in any respect anytime soon.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben talks about the role that attorneys play in the aftermath of a cybersecurity incident. I share calls to amend the constitution. And later in the show, my conversation with Chris Hart. He's a partner and co-chair of Foley Hoag's Privacy and Data Security practice. We're discussing ransomware and cyber insurance. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's dig into some stories here. Why don't you kick things off for us this week? 

Ben Yelin: Sure. So my story comes from the good folks at the Lawfare Blog. It's entitled "Do The Legal Rules Governing the Confidentiality of Cyber Incident Response Undermine Cybersecurity?" And whenever there's a question in the headline, it's awfully suggestive, isn't it? 

Dave Bittner: (Laughter). 

Ben Yelin: And it's written by three individuals - Daniel Schwarcz, Josephine Wolff and Daniel Woods. What's interesting about them is it's an interdisciplinary group of writers. So you have a law professor, public policy professor of cybersecurity policy and a postdoctoral fellow who is researching the economics of security and privacy with a focus on cyber insurance. 

Ben Yelin: They're getting at a very serious problem here. So what frequently happens when an institution, a company, a government faces some sort of cybersecurity incident, whether it's ransomware, any type of breach, the first call they make is not to their insurer. It's not to their technical experts. But rather, it's to, really, the people you would least like to be involved in this process, and that's the attorneys. 

Dave Bittner: (Laughter) OK. 

Ben Yelin: 'Cause we... 

Dave Bittner: You're telling tales out of school. OK (laughter). 

Ben Yelin: Yeah, I mean, we ruin everything. We're usually part of the problem and not part of the solution. 

Dave Bittner: (Laughter). 

Ben Yelin: There is a reason that people call their attorneys. People are very concerned about legal liability, for good reason. You don't want to have to pay the victims of the breach a ridiculous amount of damages. Legal liability is obviously very damaging for an institution, not just monetarily but reputation-wise. 

Ben Yelin: And according to long-standing legal doctrine, communications with an attorney are privileged. That means they are non-discoverable. They can't - you can't compel the discovery of communications between a lawyer and their client as part of any judicial proceeding. And that also is true as it comes to the communications from that attorney to any other consultant that that attorney is going to have a relationship with. So if the attorney hires, let's say, some sort of technical expert, consultant, those communications are privileged as well. 

Ben Yelin: So what companies are doing - and we've seen this, you know, in some high-profile breaches, specifically the Target one they mention here - is what companies do is they hire a breach coach. And that's generally an attorney who manages the entire process. And when you hire a breach coach, that means all of the communications about the incident, about the response, are going to be privileged because the attorney-client communications are privileged and the attorney-consultant communications are privileged because they're part of the work product of litigation. 

Ben Yelin: So this presents a bunch of problems because, as you might be able to guess, lawyers aren't very good at solving technical problems, and they're not going to be the type of people that you want to do, like, a - you know, the forensic research into exactly what happened. If you are solely focused on litigation, that's going to be detrimental to figuring out what the problem was and preventing the incident from happening in the future. 

Ben Yelin: And you've seen that play out in a bunch of different circumstances. The investigation is focused unduly, in my opinion and in the opinion of these authors, on litigation and not on ameliorating the problem. But that becomes a societal problem because if everybody who's the victim of a cybersecurity incident, you know, because of attorney-client privilege and avoiding liability, is talking to their lawyers and hiring breach coaches, we never get the best people in the room to try and solve these problems. 

Ben Yelin: So these three authors here don't really have a solution. I don't blame them. They're kind of introducing the problem and trying to solicit feedback from stakeholders. You know, how many people have had this happen to them? Who have you called? Have you had one of these breach coaches? Is that effective? 

Ben Yelin: But I think this could be a real avenue for policy change. Generally, courts have been reluctant to privilege information between companies and technical experts - so people are actually hired to address what happened with a cyber incident. And I think maybe that needs to change. You know, maybe we should have a legal shield to hire people who can help ameliorate the damage of the attack and, you know, help prevent that attack from happening in the future so it's not a process that's so geared towards attorneys and our preexisting doctrines around legal liability. 

Dave Bittner: You know, just this week, I was chatting with someone who's part of incident response for one of the very large cybersecurity companies. And we were talking about just this very thing, and I was asking this person if it was true what I had heard, which is that many times when there's a breach, the organization who's breached will engage with an incident response team. 

Ben Yelin: Right. 

Dave Bittner: But they will specifically request there be no written report. 

Ben Yelin: Yup. Shred the records. Yep. 

Dave Bittner: And that's - and this person confirmed that. They said basically a lot of times, what happens is you give an oral report, which made me laugh (laughter). 

Ben Yelin: Yeah. We're dependent on people's auditory learning ability. I'm not sure that that's a foolproof solution. 

Dave Bittner: So the research is done. But, you know, a report is done but done in such a way, to your point, to escape discovery. This doesn't seem to me very sporting of everyone involved. The other thing I wonder is I've seen people talk about how perhaps we could handle these breaches the way that we handle incidents with airline accidents. 

Ben Yelin: Right. 

Dave Bittner: When there's a plane crash, there is a team who comes in who's - which the federal - is it the - what... 

Ben Yelin: National Transportation Safety Board. 

Dave Bittner: Thank you very much. Yes, those guys, that gang. 

Ben Yelin: The alphabet soup of agencies, yep. 

Dave Bittner: Right. They come in, and they do a report. Do we need a similar thing for breaches of a certain size to kind of take - to neutralize exactly what you're talking about here? 

Ben Yelin: Yeah. I mean, I think that's one potential solution. It's really hard to scale that up. I mean, you'd really have to expand the agencies that we have to have that capability. And, you know, let's say there was a cutoff so we only dealt with breaches for organizations that had whatever it was - you know, 100 employees. Because of the way the cybersecurity ecosystem works, that's not going to solve the problem because sometimes it's attacks on small businesses that are detrimental to communities but might not rise to the level where you bring in a federal agency. 

Ben Yelin: But, you know, those small businesses are still going to face the same legal liability problems. They still have, you know, customers whose - maybe their information has been compromised. And, you know, if they're concerned primarily about keeping communications confidential and not by, you know, actually solving the problem, then it's really, you know - our macro-level cybersecurity posture is, you know, going to be worsened and not improved. 

Ben Yelin: So we should I think realign the incentives in whatever way that we can so that we're focused on actually solving the problem and not, you know, by having secretive oral presentations by forensic experts or, you know, a shell of a PowerPoint presentation in place of a comprehensive report where a company could actually change their cybersecurity practices. 

Ben Yelin: So this to me is just like, you know - I'm very thankful for these authors because they're identifying a real policy problem here. And if we had competent legislators - and I think we do at the state level and to some extent at the federal level - then, you know, this is the type of thing where it makes sense to change the law, you know, for the betterment of our national cybersecurity posture. 

Dave Bittner: So describe to me what that mechanism would be to make a change, and what could a potential law outline here? 

Ben Yelin: So I think it just has to do with privilege. The attorney-client privilege and the work products privilege derived from common law. So they derive from, you know, centuries of law dating back to our British legal ancestors. That's been codified, you know, in case after case. So it's something that's very well settled. 

Ben Yelin: What a legislator could do is to expand the privilege to include, you know, maybe forensic cybersecurity experts. That's - you know, some of that might be very difficult to do at the federal level for a number of reasons. You know, I think you could make a case that it's within the enumerated powers of Congress to do this since this is an interstate commerce issue. 

Ben Yelin: I think it's more likely you'd see it at the state level where, you know, you get a couple of states that say we have these preexisting common law privileges for attorneys and for the attorneys' consultants and there are a number of other privileges in our legal system. The spousal privilege is one that I'm sure people know about from their favorite police procedural shows. 

Dave Bittner: (Laughter). 

Ben Yelin: But, you know, I think we might need to have - you know, to protect the integrity of this information, having new privilege where courts are forced to recognize that, you know, forensic experts or any sort of cybersecurity technical expertise, at least for the post-cyber, you know, incident investigation, has some sort of legal privilege, and that information is not discoverable. 

Ben Yelin: Or the discovery rules, as it pertains to that information, are lessened. You know, maybe certain aspects of it are discoverable, but certain aspects are not. You know, no solution is perfect. And certainly, that solution isn't perfect, largely because that might end up hurting the people who are, you know, facing the consequences of the breach. It's going to be harder to sue a company if they have all of these privileges. 

Dave Bittner: Yeah. 

Ben Yelin: So you kind of have to weigh those conflicting values. I think - you know, in my opinion, my values would come on let's introduce this privilege, at least in a limited capacity, and just allow companies to learn from their mistakes. You know, try to - nobody wants to be the victim of a ransomware attack or a cyber incident. So give them the chance, with confidentiality and with confidence that it's not going to end up in litigation, to actually figure out what happened and what preventative measures need to be taken. So I think when you balance those interests, the answer, to me, seems relatively clear. 

Dave Bittner: All right. Well, we will have a link to that article. Again, that is over on the Lawfare Blog. Good stuff. 

Dave Bittner: My story this week actually comes from the Boston Globe, and they have an interesting project that they spun up here. It's called Editing the Constitution - small thing to do, right, Ben (laughter)? 

Ben Yelin: Yeah. It's easy. Yeah. It just takes an afternoon, right? 

Dave Bittner: Yeah. Well, just get a few folks together in a room. We'll just hammer something out in a few hours (laughter). 

Ben Yelin: I mean, that's kind of how it happened in the first place... 

Dave Bittner: Right. 

Ben Yelin: ...If you take out the few hours part. But yeah. 

Dave Bittner: (Laughter) Right. Exactly. And this project starts with the notion that the Constitution is due for some updates, that there are some things that are anachronistic. There are some things that don't make sense. There are some things in some of the amendments in particular that aren't particularly well-written, and we could use some clarification. 

Ben Yelin: Sure. 

Dave Bittner: So the one that caught my eye is talking about upgrading our right to privacy, and this topic was taken on by Evan Greer. And it discusses the Fourth Amendment and how the right of the Fourth Amendment guarantees the right of the people to be secure in their persons, houses, papers and effects, but that it is due for an update in these modern times, that the Fourth Amendment has not kept up or is not equipped to deal with the things that we're dealing with today - things like biometric surveillance, facial recognition, the massive collection of data, location tracking, all those things that you and I talk about here pretty much every week. 

Ben Yelin: Right. 

Dave Bittner: Yeah. So I wanted to come at this just from - let's start off at the top level here. Is this notion of editing the Constitution, in your opinion, first of all, at all useful? 

Ben Yelin: It's useful as an intellectual exercise. To me, it's not particularly useful if we actually want to make something happen, and I'll try to explain why. So there's only been 27 amendments to the Constitution since it was ratified in the 1780s. Ten of those amendments were codified two years after the Constitution was enacted as part of the Bill of Rights. So since then, we've only had 17 constitutional amendments. 

Ben Yelin: Amending the Constitution is really, really difficult. You need the votes of two-thirds of each house of Congress, and good luck getting two-thirds of each house of Congress to agree on anything these days. And then you need the support of three-fifths of the state legislators - state legislatures, rather. And that can be a very cumbersome process. 

Ben Yelin: You know, we've seen that with something like the Equal Rights Amendment where back in the 1970s, Congress agreed by two-thirds majorities to send to the states a ratification of the Equal Rights Amendment, guaranteeing the equal rights of individuals under the law, regardless of gender or sex. And it couldn't get the requisite 38 states to sign on in time to create that new constitutional amendment. So the process is extremely cumbersome. 

Ben Yelin: The last time we had a constitutional amendment that was ratified was 1992 - sort of a bizarre accident of history where the Founding Fathers proposed a provision to prevent lawmakers from increasing their own pay during the current session of Congress. And some doctoral student or research student in Texas discovered the records of this constitutional amendment, tried to kind of revive it and get states to ratify it. And since there was no deadline put in place by our Founding Fathers for ratification, it ended up being added to our Constitution. But that's now been about 30 years since we've had a change to our federal constitution. So it's really difficult to do so. 

Ben Yelin: I think on substance here, this person is absolutely right. I mean, many legal scholars, including a couple Supreme Court justices, have talked about how the Fourth Amendment is - and certainly aspects of Fourth Amendment jurisprudence are outdated in the age of modern technology. And there are really two things, two sort of doctrines that cause that problem most acutely. 

Ben Yelin: The first is what's called the plain view doctrine, where anything that law enforcement finds in plain view does not require a warrant. That made sense when we were literally talking about what a police officer could see right in front of them. But when we get to things like aerial surveillance or, you know, blue light cameras in neighborhoods or, you know, biometrics, things like that, artificial intelligence - you know, what's in plain view has obviously significantly changed over the past, you know, 40 years or so. 

Ben Yelin: And then there's the third-party doctrine, which says that any information you voluntarily give to a third party - that is not protected under the Fourth Amendment. And that's a real problem in the age of, you know, cloud communications, where even our private papers, in the parlance of the Fourth Amendment, are technically held by a third party on some server somewhere. And the way that the third-party doctrine is set up, at least in most circumstances, is the government doesn't need a warrant to collect that information. 

Ben Yelin: So I think, you know, the easiest solution, granting that it's almost impossible to pass a constitutional amendment, is to encourage judges to adopt a more modern understanding of the Fourth Amendment. And the theory that I and I think many legal scholars ascribe to - and this is scholars on all sides of the political spectrum - is something called the equilibrium adjustment theory, which is that as forms of technology change, we have to make sure that the law or the jurisprudence changes to restore the level of privacy that existed prior to that technology being introduced. 

Ben Yelin: So, you know, for something like - let's talk about aerial surveillance. And we've talked about the Baltimore spy plane, so... 

Dave Bittner: Pole cameras. 

Ben Yelin: Yeah, exactly. In the past, that would have required hundreds of thousands of law enforcement agents to collect that information. It would have taken manpower, money, and you still wouldn't be able to discover people's houses, persons, papers and effects, largely, you know, without going through a really cumbersome process. 

Ben Yelin: That's changed because of the technology. Now you can do that with aerial surveillance that's taking, you know, real-time photographs, images from 10,000 feet. So the law or the jurisprudence should change to give people the same privacy protection they had prior to that new technology being introduced. 

Ben Yelin: This is something my man crush Orin Kerr has written about extensively. It's one of his favorite theories. It's a theory I subscribe to as well. I think it's the easiest way to accomplish what the author is trying to do here without, you know, going through the rather hopeless process of amending the Constitution. 

Dave Bittner: So... 

Ben Yelin: Sorry, I was talking for a long time there. 

Dave Bittner: No, no, no, no. It's good stuff. I mean, but - so by what process does that get put in place? How do you get folks on board? What's the - what are the carrots and sticks that you use to get this in place? 

Ben Yelin: So first, you get to the legal academics, man. I mean, they have more power than you'd think. 

Dave Bittner: OK. 

Ben Yelin: A lot of the theories that courts come up with start in the ivory towers of universities. So something like this, I mean, when you get people like Orin Kerr or other similarly situated professors writing legal briefs, particularly in lower courts, arguing for this viewpoint, slowly, over time, this viewpoint might get adopted in cases. And those cases, because of our common law system, become part of our legal canon. I mean, it becomes binding precedent. And then eventually, it works its way up to the Supreme Court. So you get enough Supreme Court justices to subscribe to that theory. 

Ben Yelin: So, you know, we've seen that happen in a number of circumstances. I know you and I have talked about the mosaic theory - this theory that even if a discrete piece of communication isn't protected by the Fourth Amendment, when you combine it with lots of other discrete forms of surveillance or communications, it can create a very personal picture of somebody's life. And in the aggregate, that should be protected by the Fourth Amendment. That theory came from some academic institution - some law professor, you know, who is not in the courtroom who sits around all day in their office and strokes their chin and tries to think of these things. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: But eventually, it makes its way to somebody like Justice Sonia Sotomayor, who has brought up the mosaic theory in a variety of Supreme Court cases. And that theory certainly has influenced courts all across the country. 

Ben Yelin: So, you know, you - it's a process that is frustrating 'cause it happens slowly. But this is why we have people doing legal research, legal scholarship, you know, writing law journal articles to try and get judges, eventually, to think differently about these issues. So just, you know, be nice to your legal academics. They could be the - your future ticket to enhanced digital privacy. 

Dave Bittner: Well, so again, talking about fundamentals here. I mean, is it - two-part question, Counselor (laughter). Do we - is it possible that the method by which we amend the Constitution is mismatched to the velocity at which things run these days compared to how they... 

Ben Yelin: Yes. 

Dave Bittner: ...Compared to how they did when all this stuff was, you know, first come up with? So that's question - part one. Would you like to answer? 

Ben Yelin: Yeah, that one's easy. Yes. 

Dave Bittner: OK (laughter). 

Ben Yelin: It's extremely cumbersome. 

Dave Bittner: OK. Part two - is it possible to amend the Constitution to amend the way we amend the Constitution? 

Ben Yelin: Very meta question. The answer... 

Dave Bittner: (Laughter). 

Ben Yelin: The answer is yes. But you - so there's basically only one thing that at least the Founding Fathers said you cannot amend the Constitution. 

Dave Bittner: Yeah. 

Ben Yelin: And that's the equal suffrage of states in the Senate. There's some argument over that. I mean, if you're saying somebody can't change a particular thing, then you could change that provision, if that makes sense. That's still in the Constitution. 

Dave Bittner: Right. 

Ben Yelin: Yeah, you could change the rules, but to change the rules, you have to use the rules. So, you know, you'd need to get those two-thirds majorities in Congress and those three-fifths of the state legislatures. And if you have the support of those people, then you might as well try and just get the substantive amendment passed and not change... 

Dave Bittner: I see. 

Ben Yelin: ...The process... 

Dave Bittner: Right. 

Ben Yelin: ...If that makes sense. 

Dave Bittner: Sure, sure. 

Ben Yelin: There's no workaround. I mean, you know, with things like ending the filibuster in the Senate, there's like a - what's called the nuclear option, where you could theoretically do that with 50 votes. That's not possible with the Constitution. I mean, the Constitution spells out very clearly the process for amending it. So there - you know, you're going to have to follow that process. 

Dave Bittner: Yeah. All right, well, we will have a link to this story in the Boston Globe and sort of the greater project that they proposed here of editing the Constitution. It's an interesting read. There's some things to ponder in there, I think. So we'll have a link to that in the show notes. 

Ben Yelin: Absolutely. 

Dave Bittner: Yeah. All right, those are our stories this week. 

Dave Bittner: We would love to hear from you. If you have something you'd like us to cover here on "Caveat," you can send us an email. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Chris Hart. He is a partner and co-chair of Foley Hoag's Privacy and Data Security practice. And our conversation centered on the topics of ransomware and cyber insurance - certainly hot topics these days. Here's my conversation with Chris Hart. 

Chris Hart: Everything is a mess. That's where things are at a high level from where I stand. And they're a mess for a couple of reasons. The first is that since COVID, there has been an enormous uptick in ransomware attacks across institutions around the world and in particular in the United States. And it's actually hit health care facilities the hardest. Of course, obviously, financial institutions and every other institution's also affected. But it's - there's been an enormous uptick. 

Chris Hart: And it's very, very difficult for entities to know how to deal with ransomware attacks. And unlike what I would call your garden-variety, say, data breach, which can be anything from somebody loses a laptop to there's an insider who steals a cache of information to there is a denial-of-service attack or that sort of thing, what happens with ransomware is that your data becomes inaccessible. And for institutions that have particularly sensitive information - I focus on health care facilities because it's a perfect example where if you can't access patient data, people could die. And so it's a real problem that institutions have to deal with on an alarmingly increasing level, I would say probably as close to exponential as you can get in a situation like this. 

Chris Hart: The other side of it that's a mess is the insurance market. And the thing to say about insurance is that insurers are very good, generally speaking, about figuring out how to price the risk. And so you have - as a general matter. And so you have in insurance policies well-established clauses, terms and exceptions to those terms based on what's often a market-wide understanding of how to price various risks. 

Chris Hart: Generally speaking, cyber risks are very difficult to price. Cyber insurance has been around for a long time. But so, too, has the problem of pricing the risk. And what's happened with ransomware is that because there's been an increasing spate of attacks, it's hit a bunch of different institutions in ways that can be difficult to respond to. The technology evolves, and the way in which threat actors are seeking payment or the fact that they're seeking payment, in addition to the other kinds of risks that come from attacks, makes it more difficult to price the risk. And so that has sent, as far as I can tell, the insurance markets in something of a state of chaos because premiums have spiked to the extent that insurers are willing to cover ransomware attacks in the first place. 

Chris Hart: So, you know, you add to that now what I would say government - the federal government, in particular - U.S. federal government, in particular - waking up to the fact that making ransomware payments can be a real problem. And now the government response is creating, right now, some concerns about liability risk that can come from ransomware attacks, which, of course, insurers pay attention to but that also can make the kind of response that an institution is facing either more limited or a little more difficult to (unintelligible). 

Dave Bittner: Well, let's dig into some of these elements one by one here. I mean, I - you know, I have wondered some time as I've watched insurance companies respond to the evolution of the ransomware threat, could insurance for something like ransomware or cyber insurance in general - could it end up something similar to how flood insurance is, where the private companies don't want to touch it, the federal government is the only organization willing to be a backstop here, so you kind of end up with insurance that's, you know, not particularly great, it's pretty expensive, but if you need it, that's where you can get it? Is there any sense that that may be a direction we're headed in? 

Chris Hart: It's possible. And, I mean, I guess I would separate out a few different elements to that. When a ransomware attack happens, there are a few things. One is, can the institution actually continue its business? There's the business continuity problem. There's the compliance problem. You know, how much does it cost to actually go through the process of sending the requisite notifications? And obviously the larger the institution, the larger that cost. What about litigation costs that might come from consumers or counterparties or even government entities? Those are, right off the bat, three significant costs that an insurance policy might be able to cover. 

Chris Hart: In ransomware, you've got a fourth, and that's the payment to the threat actor, which is usually some exorbitant amount in a cryptocurrency. Of course, there's also that element, which is increasing regulation around the use of cryptocurrency. 

Chris Hart: What you're saying is an interesting idea. What I would say is I don't know that moving in that direction would - that I could see markets moving in that direction in total. What I could see is the potential that when it comes to the payment itself, perhaps that's not covered because there are sanctions risks and there are all sorts of national security concerns that come with ransomware payments and that perhaps that part is left to the government - as you put it, a backstop. I think that's an interesting idea. 

Chris Hart: But there are still these other garden-variety concerns that I just mentioned - compliance, notification, litigation - that in that sense, a ransomware attack is - it might be bigger, might be more difficult, but it's not really very different in kind from other kinds of data breaches. So that might still be something that insurance markets could more easily price and exclude the payment itself. 

Dave Bittner: To what degree are the demands from the insurance companies affecting how organizations are tuning up their own security posture here? Is it - you know, if you own a building and you have sprinklers and fire escapes, you're going to get a better rate on your fire insurance. Is it a similar situation here? 

Chris Hart: Yes, as I've seen. And I would say that that is one of the more salutary effects of what's been going on right now. Insurance companies have upped their game in terms of what they are requiring from organizations that want to get coverage under any kind of cyber policy. And they want to know that you've done your requisite hygiene. 

Chris Hart: So do you have an up-to-date policy? Have you looked at your - the jurisdictions in which you do business? Do you have somebody who is a point person and is capable of dealing with both privacy, as well as security issues in the company? And they'll want to go over those elements with you to make sure that they are appropriate. 

Chris Hart: The other thing that's happening is that organizations that have experienced some kind of attack and don't have insurance then are realizing, well, gosh, this could happen again, so we really need insurance. And they're going to insurers. And what surprised me is insurers weren't saying no. They are pricing it quite high, and they are requiring quite a bit of what I'll call hygiene diligence. Again, very salutary effect in the market overall to control for the moral hazard element, but it is something that organizations are then facing and realizing that they really have to get their house in order. 

Dave Bittner: Wow. Yeah, that's interesting. Do you suppose that we have any hope of reaching equilibrium here anytime soon, or should we expect to be in a state of flux for the foreseeable future? 

Chris Hart: Well, getting out my crystal ball, I would say that - you know, I'm - I tend to be a skeptic. The idea that this area - by this area, I mean privacy and security writ large - is going to reach equilibrium or stasis in any respect anytime soon, you know, for all sorts of reasons - with insurance and ransomware, no, not for the foreseeable future for a couple of reasons. 

Chris Hart: One, I do think that there is a lot of government movement right now. So the Office of Foreign Assets Control under the Treasury Department, or OFAC, just recently issued its second annual, I guess, advisory saying, look; if you pay ransomware payments to a threat actor and they're on our sanctions list, there's a strict liability attached to it, and you could be subject to an OFAC violation. 

Chris Hart: And Congress is now looking at different ways to control entity behavior around a ransomware attack. So for example, you know, both OFAC, as well as these proposed bills, are requiring certain kinds of cooperation with law enforcement in order to demonstrate diligence and reduce the risk of sanction. 

Chris Hart: But that has a lot to work through. And then there's, I would say, the international element as well. I mean, these are international actors, and they're often supported by nation-states. And that has a number of geopolitical concerns attached to it. 

Chris Hart: You know, yet, on top of that, the fact that the technology is constantly changing and the risk continues to be difficult to price, as it has been for two decades, I think it's going to take some time. So, you know, I could see it starting to calm down maybe over the next couple of years if there's clarity from the government on how ransomware attacks should be treated. That's still in flux. 

Chris Hart: But my concern is saying that is - in saying that is that the threat landscape will change. I mean, that is a very difficult thing to predict, is what we're going to see with the threat landscape and how that could affect government response and then the market. So I tend to think that, for better or worse, we're going to be mostly in flux for some time. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: It's really a tough landscape out there for cyber insurance. I mean, we're in this really unique period where we're in a pandemic. We've seen, as he said, an increase in ransomware attacks. And it's just very difficult to evaluate risk at this point. 

Dave Bittner: Yeah. 

Ben Yelin: And that's different - that's difficult both for the insurance adjusters, but also for the entire industry because there's just so much uncertainty around what cyber insurance is going to cover, how much it can cover, you know, without the entire industry going bankrupt. But, you know, that's of no great comfort to companies who are - or, you know, other organizations - local governments, whatever - who are suffering these attacks. So, yeah, it's a really tough situation. 

Dave Bittner: Yeah. I saw just this week that - I think it was Lloyd's of London announced that they were no longer going to be covering breaches that were the result of nation-state attacks. And I think it was Kim Zetter - journalist and author Kim Zetter - who pointed out that... 

Ben Yelin: Imaginary friend of the show, yeah. 

Dave Bittner: (Laughter). 

Ben Yelin: I mean, in that I read every article she writes. 

Dave Bittner: Right. That - I think she pointed out that it was interesting because a lot of companies used to summon the name of the nation-state actors to sort of shield themselves, to say... 

Ben Yelin: Right. 

Dave Bittner: ...This was an attack by a nation-state actor that was sophisticated, and, you know, there's nothing we could've done against an attacker of this sophistication. 

Ben Yelin: Right. 

Dave Bittner: So now the insurance companies are saying, not so fast. 

Ben Yelin: Right. 

Dave Bittner: It'll be interesting if they no longer go after that as a way to shield themselves. 

Ben Yelin: Yeah, that's very interesting - kind of a Catch-22 there. 

Dave Bittner: Yeah, exactly. All right, well, our thanks to Chris Hart for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.