Caveat 2.26.20
Ep 17 | 2.26.20
Just gimme some truth.
Transcript

Peter A Halprin: The benefit of cyber insurance, theoretically, is that, you know, there's going to be money and resources available to the victim of one of these attacks and that, hopefully, it'll help them kind of get quickly back on their feet. 

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner, and joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hi, Dave. 

Dave Bittner: On this week's show, Ben wonders why law enforcement are often cagey when it comes to revealing the electronic surveillance tools they make use of. I share a story of a judge requiring an insurance company to help a small business clean up after a ransomware attack. And later in the show, I speak with Peter A. Halprin. He's a partner in Pasich, LLP's New York office. We're going to be discussing ransomware, and he's going to give us his insights on potential future privacy statutes. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. We'll be right back after a word from our sponsors. 

Dave Bittner: And now a few words from our sponsors at KnowBe4. You know, compliance isn't the same thing as security, right? How many times have we all heard that? It's true, too - having checked the legal and regulatory boxes won't necessarily keep the bad actors out. They're out-of-the-check-box kinds of thinkers. But what about compliance itself? You've heard of legal exposure and regulatory risk. And trust us, friend - they're not pretty. So, again, what about compliance? We'll hear more on this from KnowBe4 later in the show. It's not a trick question, either. 

Dave Bittner: And we are back. Ben, why don't you start things off for us this week? 

Ben Yelin: Sure. So this article comes from Recode, which is a page on the Vox family of websites. And it's about how police departments are often cagey and unwilling to share information about police surveillance technology. This particular writer tried to get information through a Freedom of Information request to the New York Police Department and was pretty much denied at every turn. She talks about how she knows, based on public reporting, that there are a lot of artificial intelligence and algorithm-based technologies that the NYPD uses. But we just don't have enough information on the extent to which these surveillance methods are used and how these algorithms are developed. 

Ben Yelin: So she went through her own history in requesting this information. She first filed a request for public records. She wanted documents related to contracts that the city had signed with a bunch of security companies. And one of the types of surveillance technologies she was interested in - and this was the subject of her request - was what's called gun detection software. It uses AI to notify a law enforcement person when a gun appears in, like, a closed-circuit camera feed. But her entire request was rejected. NYPD said the documents would reveal nonroutine techniques and procedures, which is sort of a catchall way of issuing this denial. So she appealed that denial, and her appeal was denied for another reason. It said that if these methods were revealed, then these companies might have their trade secrets made public, and that would put them at a competitive disadvantage. 

Ben Yelin: And she's not the only one who's had trouble making these requests. She talks about a lot of larger players - the ACLU, the Brennan Center for Security - who have tried to get the NYPD to be more transparent about technology that they've used. There was an article about how the New York Police Department had been using predictive policing tools, where they send police officers to areas based on data they've collected on past crimes that have taken place in those areas, and we know that such data can be prone to algorithmic bias. So a lot of entities have tried to get information on, you know, what the inputs are for that data, and the New York Police Department has pretty much denied every single request, and they've largely been able to get away with it. 

Ben Yelin: So that sort of leads us to - what avenues do we have to make the New York Police Department become more transparent? There's the legal avenue, and we have seen some lawsuits against NYPD for transparency purposes. But then there's also a proposed piece of legislation which is called the Public Oversight of Surveillance Technology Act. This is a bill that's been proposed in the New York City Council, which would force the police department to disclose particular information about the types of surveillance technology that it uses. So this is a pretty widespread problem; it's not just the New York Police Department, but according to this article, they seem to be the main culprit. They compared data from public information requests from this police department to other big cities, like Chicago, and New York Police Department is even more reserved in terms of the data that it's willing to release. 

Ben Yelin: So you know, it's concerning. I think a lot of us, as a democratic society, we would be fine granting law enforcement access to these surveillance tools if, you know, we knew how they were being used and the extent to which they were being used, and at least we could have some democratic say in the matter. But because of the lack of transparency, we don't really have full information. People who are New York voters don't have complete information as to make informed decisions about these things, and I think that's concerning. 

Dave Bittner: With government in general, are these sorts of purchasing processes or are they generally open to public scrutiny? In other words, the parks and rec department, if they're buying tractors to mow lawns and things like that, generally you can get that sort of information, right? 

Ben Yelin: Yeah, through Freedom of Information requests. Now, that's limited by the amount of interest in these purchasing processes. So I don't know why somebody would request data as to which tractors, you know, unless you're doing an expose on corruption or something. But yeah... 

Dave Bittner: Right. Right. 

Ben Yelin: That data generally is available, but there are a lot of exceptions. Public safety - and I don't know exactly how the New York specific law works. But public safety, including revealing modes and methods of surveillance, is oftentimes a proper justification, although it's almost certainly overused. And you know, the other one that was used in this case, revealing trade secrets, is one that I know the federal government uses all the time to deny Freedom of Information Act requests. So oftentimes, the burden ends up being on the journalist requesting that information to try and figure out how you can structure a request so that it doesn't fall under one of those exceptions because, you know, as soon as whomever is answering the public records request, as soon as they see that keyword, they can say, OK, we can turn this down because it has trade secrets. 

Ben Yelin: So you want to create a situation where they're not able to use one of those exceptions. And if you think that, you know, they're using those exceptions in bad faith, then you can try to get it enforced in court, and that's what a lot of entities have done. 

Dave Bittner: So I guess part of the point here is that if you're a citizen of New York, for example, and you want to know that your police department, on your behalf, using your tax dollars, that the data they're putting into these systems, the technologies they're using into these systems are legitimate. The way things are running right now, you have no way to even investigate that. To use an absurd example that came to my mind, it would be like if you were trying to figure out how the police were tracking things down and they say, you know, we can't tell you, and you investigate, and you investigate it, and it turns out they're using, like, psychics or something. You know, like, so... 

Ben Yelin: Yes. 

(LAUGHTER) 

Dave Bittner: Right. And... 

Ben Yelin: The police are just one giant medium to the other world. 

Dave Bittner: (Laughter) Well, the reason I bring that up is - I mean, it's - like you said, it's admittedly absurd. But we know that some of these algorithms have biases towards certain groups of people that... 

Ben Yelin: Absolutely. They're racially biased. 

Dave Bittner: Yeah. 

Ben Yelin: Yeah. Socioeconomics certainly play a factor as well. And you know, the New York Police Department has been willing to go to extremes to deny this data. We previously talked on this podcast about a case where they used the so-called Glomar response. They were asked about phone surveillance and social media surveillance of protesters. 

Dave Bittner: Right. 

Ben Yelin: And they said, we can neither confirm nor deny that allegation. That's what the CIA says in scary movies. 

Dave Bittner: (Laughter). 

Ben Yelin: It's not something we generally see from, you know, a large city police department. And a New York District Court, a state court, said you can't do that this time; you know, we're going to force you to reveal some information. But another thing I know we've talked about is how the legal system always sort of trails the real world. So by the time a case can get resolved about a previous type of surveillance technology that's being used, I'm sure the New York Police Department and other police departments have moved on to some other type of technology. 

Dave Bittner: Yeah. 

Ben Yelin: So that's why I think this proposed New York City statute could be the solution. If they are forced to reveal a certain level of information publicly about their surveillance methods, then that does give the public an avenue to weigh in on. I'm sure that the entire police department from top to bottom will lobby intently against that bill... 

Dave Bittner: Yeah. 

Ben Yelin: ...And for legitimate reasons. 

Dave Bittner: Yeah. 

Ben Yelin: But it's still a very interesting proposal. 

Dave Bittner: Yeah, it makes me think about the Freedom of Information Act itself, how things - what the world must have been like before journalists and other people had that tool at their disposal to make organizations reveal things. 

Ben Yelin: Absolutely. And most government attorneys really strongly dislike the Freedom of Information Act statute. But it's been a very important way that we hold our public officials accountable. And we've decided, as a federal government, and New York has decided that they want to give the public that right to seek this information. And so, you know, I think that is certainly something that's in the public interest. 

Dave Bittner: Yeah. All right. Well, it's an interesting story. My story this week comes from CyberScoop, and the title is "Judge Forces Insurer to Help Small Businesses to Clean Up After a Crippling Ransomware Attack." This is written by Jeff Stone. So the story follows a small business here in our state of Maryland, which is an embroidery company. They make, you know, T-shirts or - you know, shirts, logos, designs - that sort of stuff. They got hit by ransomware back in 2016 and to the point where it kept them from doing their business. Some of their computers slowed down. 

Dave Bittner: But these business folks were smart enough that they had purchased insurance. And so they went to their insurance company, and they said, we're making a claim here, and the insurance company tried to deny their claim. They said that, basically, the things that they were suffering did not amount to direct physical loss or damage to their computer systems in a way where they should be reimbursed. But they got in front of a judge, and a judge decided differently. So what did the judge say here, Ben? 

Ben Yelin: So I'll start by saying that there's - this area of the law is still new and very murky. So, you know, there have been a lot of conflicting opinions on this. One of the precedent cases that the insurance company tried to use on this was a case from 2003 in a different court system, and it came out entirely differently than the case here. So I think courts are still trying to figure out what the meaning of this term is - direct physical loss of or damage to a computer system. And I think another thing worth noting is insurance companies have a strong incentive, for a couple of reasons, to get these claims denied. Obviously, it's saving them money if they don't have to pay out the claim. 

Dave Bittner: Right. 

Ben Yelin: But they also want them or maybe their subsidiaries to force entities, whether they be businesses or local governments, to specifically purchase cyber insurance, which we are increasingly seeing as an entirely separate form of insurance in the event of a ransomware attack. 

Ben Yelin: So as it relates to the case here, the insurance company agreed to cover direct physical loss or damage, and part of that policy said that they would cover the loss of stored media files. What the insurance company argues here is there was not any direct physical loss and damage because the entire computer system of this small business wasn't completely destroyed, that there wasn't actually this direct and physical loss because the computer system didn't cease functioning entirely. And what the court says is, that is not a prerequisite for the insurance company to provide coverage. 

Ben Yelin: The way the case law works and the way Maryland statutes work, there is no prerequisite that the entire system be destroyed in order for the insurance company to have to cover the loss of data. In fact, you can really glean a lot from the language in the insurance policy itself, which says that they will cover loss of data. That's one of the things that's included. And you know, if the insurance company really wanted to protect themselves in these circumstances, they would clarify in their insurance statement that they will only cover physical loss if, you know, you have to rebuild the entire computer system from scratch... 

Dave Bittner: Right. 

Ben Yelin: ...Which was not the case here. They did not include that language in the policy. So according to the prevailing case law, this does count as a physical loss or damage. 

Dave Bittner: Yeah. 

Ben Yelin: And so the upshot of this is in this particular case, the small business is going to get compensated by their insurance company based on this ransomware attack. And you know, I think this is something where we're going to see a lot of case law going forward as ransomware attacks become more prevalent and as insurance companies realize that it's going to cause a hit to their bottom line, they're - might end up having to either adjust their policies or figure out better arguments in court to claim that certain types of losses don't qualify as this type of damage. 

Dave Bittner: Yeah. It's interesting to me that this ransomware infection took place in late 2016. And as you and I discuss over and over again, the wheels of justice spin very slowly (laughter). So... 

Ben Yelin: They're more like a horse-drawn buggy than an automobile. 

Dave Bittner: Right, like molasses. And it strikes me that that would have been more toward the leading edge of where ransomware itself was really becoming front and center and the focus of things. And so the notion of having insurance policies that specifically called out ransomware, it's quite likely that that wasn't on anybody's radar back in 2016, certainly not the way it is today. Absolutely not. Yeah. And I've heard many stories these days where the insurance companies have sat up and taken notice that the deductibles are higher, the coverage is lower, the policies are more expensive - they've adjusted. 

Ben Yelin: Right, as they always do. I mean, they have risk analysts who are trying to figure out, you know, where they're getting the most new claims. 

Dave Bittner: Right. 

Ben Yelin: And this is an area where we're now seeing a lot of claims. And we've seen a lot of high-profile cases, so it's, you know, certainly gotten into the media ecosystem. You know, having lived in Baltimore City during their ransomware attack, you realize how big of a problem this is and how long and arduous the recovery process is. So, yeah, I do think this is something we're going to see more and more. You know, on your point about how long it took this case to come to court, there were a lot of competing motions here. Both sides filed for a motion for summary judgment, which, again, that's boring legalese, but what it really means is I want the judge to decide the decision in our favor based on the facts she already has without this going to trial. 

Dave Bittner: OK. 

Ben Yelin: And that's what she did. But filing those motions can take a long time. Filing answers to allegations can take a long time. We're just lucky that this particular business wasn't so crippled that they went out of business by the time that they were compensated by the insurance company. I think, you know, we're going to see instances where that does happen, you know. So that's something that we're going to have to watch going forward. 

Dave Bittner: Yeah. I'm just imagining a small embroidery business - $300,000, that's a big sum for any business, but for a small business in particular, that could make or break them potentially. 

Ben Yelin: Right. Absolutely. So not only do they have to pay the ransom - and even after they paid the initial ransom, they were still extorted for more money. 

Dave Bittner: Yeah. 

Ben Yelin: But they lost all their data. This is an ink and stitch company, so they lost, you know, a lot of their art or whatever it is they do. So they had to hire an outside firm to clean up the mess. So that's a lot of costs incurred. 

Dave Bittner: Downtime, all that stuff. 

Ben Yelin: Oh, yeah. The opportunity cost of not being able to conduct business. So you can see how this would be completely crippling on that business. And to have to wait three years to get any sort of resolution in the courts, it's something that a lot of small businesses would not be able to sustain. 

Dave Bittner: Yeah. Yeah. All right. Well, interesting development. And that is the one that continues to move its way through the courts as things get decided. Of course, we'll keep an eye on all that stuff. Coming up next - my conversation with Peter A. Halprin. He's a partner at Pasich, LLP, in their New York office. We're going to be discussing ransomware. We're going to get his insights on potential future privacy statutes. 

Dave Bittner: But first, a word from our sponsors. And now back to that question we asked earlier about compliance. You know, compliance isn't security, but complying does bring a security all its own. Consider this - we've all heard of GDPR whether we're in Europe or not. We all know HIPAA, especially if we're involved in health care. Federal contractors know about FedRAMP. And what are they up to in California with the Consumer Privacy Act? You may not be interested in Sacramento, but Sacramento is interested in you. It's a lot to keep track of no matter how small or how large your organization is. And if you run afoul of the wrong requirement, well, it's not pretty. Regulatory risk can be like being gobbled to pieces by wolves or nibbled to death by ducks. Neither is a good way to go. KnowBe4's KCM platform has a compliance module that addresses in a nicely automated way the many requirements every organization has to address. And KCM enables you to do it at half the cost in half the time. So don't throw yourselves to the wolves and don't be nibbled to death by ducks. Check out KnowBe4's KCM platform. Go to kb4.com/kcm. Check it out. That's kb4.com/kcm. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: And we are back. Ben, I recently had the pleasure of speaking with Peter A. Halprin. He is a partner in Pasich, LLP's New York office. And we had an interesting conversation touching on ransomware, as well as his thoughts on where we stand in terms of potential future privacy statutes. Here's my conversation with Peter Halprin. 

Peter A Halprin: I guess I would say that it's terrifying to think that ransomware is becoming more and more abundant. And it seems that the targets are ever-shifting and growing and that at some point seem like it was targeted and focused now is everywhere. There was a great article - I think it was from Fortune magazine - over the weekend about RaaS - ransomware as a service. 

Peter A Halprin: And essentially, people on the dark web, for better or worse - and sometimes these are snake oil salesmen and saleswomen who are just trying to make a quick buck off of other schemers - but people who are essentially offering ransomware platforms with technical support and customer satisfaction so that anyone who has the means can purchase access to these tools and then use them for their own nonsense or their own misdeeds. 

Dave Bittner: Now, I know one of your areas of expertise is insurance. And I'm curious what insights you can share as to how the insurance companies themselves have been adjusting to this new reality. 

Peter A Halprin: It's very interesting. I mean, I am an insurance lawyer, but I represent companies and individuals who have insurance questions, who have insurance issues and generally who have to litigate, arbitrate or mediate with their insurer because their insurer hasn't paid the claim. And in the last couple of years, I've seen kind of an explosion in cybercrime, cyber incidents and, I guess as a result, cyber claims where our clients are bringing their claims to the insurers and hoping to get paid. I think the industry initially saw cyber insurance as a huge growth opportunity, a huge market because it's ubiquitous. As I said, the threats are coming everywhere and to everyone. And so everyone's going to need it, and, therefore, everyone's going to pay for it. And I think as of last year, there were something like 530 companies that were in this market. But because the risk is so high, so many entities have been hit with these kinds of attacks and other kinds of attacks. And as a result, the insurers are faced with having to pay those claims. 

Peter A Halprin: So one trend that I've seen with kind of traditional insurers is that they have moved very quickly to develop expertise in cyber insurance and to bring other entities that work in cyber insurance under their umbrella. So, for example, if you go with certain insurers, they will say to you as part of their program, you know, that they have cybersecurity companies on call that will assist you. And specifically, when it comes to ransomware, they have companies on payroll or they know of companies that actually are specialists in bitcoin ransomware negotiations. And these guys, their sole business is negotiating with ransomware criminals. And you know, it's funny because for a long time, there was kidnap and ransom insurance. And one of the benefits under the policies is that the insurers had relationships with, you know, essentially hostage negotiators who would help try to get their people or the clients' people out and who would help try to negotiate the ransom and pay the ransom. And it would be kind of these - you would imagine these gruff, you know, ex-special forces folks going back into, you know, the Congo or South America or the Niger Delta or wherever it may be to negotiate and try to get people out. And now you're seeing that again. I guess I would imagine they're less gruff, although we don't necessarily know that, but still, I think people who know, you know, how to make these payments and what, you know, a fair price would be to get people's systems back. 

Peter A Halprin: As I said earlier, that what's changed is that it seems like the targets are everyone and everything. Another good article recently came out about North Korea and how North Korea has been able to beat the U.S. sanctions regime because they've essentially created a criminal computing enterprise whose sole purpose is to go out there and conduct things like ransomware attacks and bring back cryptocurrency money or foreign currency money to the regime through, you know, untraceable means. And you know, the story that I hate to tell but that resonates a lot with me is I was told that there was a ransomware attack on a dental practice somewhere in the Midwest, and it may be that it just happened to spread there, that it wasn't necessarily targeting them. I certainly don't think it would. But the attack hit these two older dentists - I think they were in their 60s. They were close to retirement anyway - and locked them out of their files. And they didn't know what to do. And they had no access to their schedules, so they didn't know when patients were supposed to show up. They didn't have access to people's medical records. They didn't know what maladies or what issues patients previously had. They couldn't conduct billing because they couldn't access those payment systems. They couldn't see who paid and who hadn't. You know, couldn't even figure out things like who in the office was supposed to be on schedule that day. And so as a result, they kind of faced reality, and they said, you know, we could pay this ransom, we could try to restore our systems or we can just call it quits. And they folded up their office and said, to hell with it. We don't need to be dentists anymore. So it's really scary because it shows that, you know, everyone's potentially at risk. And there isn't necessarily a good solution. 

Peter A Halprin: I mean, for, you know, large municipalities who don't have cyber insurance - and I'm thinking of Baltimore and I know Atlanta had an incident, although I'm not sure if they had cyber insurance but, you know, allegedly payments may or may not have been made. And that's true of some entities in Florida, generally by the insurers. But even then, you can't be certain that the threat has dissipated because sometimes the attackers leave malicious code or they leave themselves a door or a way back in. Or they've corrupted your data. They give you your data back. They give you the tools to uncorrupt your data, but it doesn't always work and so you still lose something. So, you know, it's really a tragic situation, and the benefit of cyber insurance, theoretically, is that, you know, there's going to be money and resources available to the victim of one of these attacks and that hopefully it'll help them kind of get quickly back on their feet. 

Dave Bittner: You know, one of the things that my co-host and I have discussed on our show is this sort of progress of settling on definitions of things that - between the insurance companies and the folks they're insuring, that - it seemed like, for a while, there was this evolution of both sides figuring out in this process - so what is covered, what is not, how do we define this, how do we define that? Are we far enough along now that those definitions have pretty much been settled on and that ambiguity is starting to fade? 

Peter A Halprin: No, I think we're far from it. And you know, one of the problems is - going back to what I said of the 500-plus entrants into the market - I mean, there are certain companies that dominate and have a huge market share. But then you have all these other entities. And unlike more established forms of insurance, we don't really have standard language for a lot of key provisions. And that's good for my clients because that means that they can work to negotiate better terms in many cases. But it's bad for lawyers like myself because it's hard to give guidance to our clients. And that's because, for many terms, you know, there's just so much uncertainty; we don't know exactly what it means. 

Peter A Halprin: And so I think that, you know, the market will consolidate. I think that as you have big criminal events - ransomware events that go throughout the country or throughout a certain industry, it may make some insurers wary of kind of continuing to be in the business. There's also some mergers and acquisitions. And then there's also insurtech. 

Peter A Halprin: And one of the big things that you're seeing out of insurtech is there are entities that are kind of like Lemonade in the homeowner space, where they're trying to come up with these new cybersecurity solutions that are paired with the policies. So the idea is, in some ways, the insurers are betting on themselves and saying, you know, we'll give you this comprehensive coverage at a decent rate, but you have to accept, you know, using our cybersecurity consultants. And so they're essentially hoping that their methods and their people and their processes are so good that they won't ever have to pay the claim because there won't be a claim. 

Peter A Halprin: I think the one last thing I'd want to add on ransomware and insurance is what may be the future battlefield and what may be an area of particular concern going forward is going to be business income insurance and business interruption insurance and the idea that, you know, if a company is knocked offline for a period of time in the same way, you know, that they would be if there was a flood or a storm that affected their physical facilities, that there is going to be coverage available for those clients so that they can recover the lost business income of being offline or of being unable to access their data. 

Peter A Halprin: And there hasn't been a ton of litigation. As I've said, we don't have a lot of guidance on a lot of the key terms. But you know, we do have years and years and decades and decades of business income litigation from 9/11 and Sandy and Katrina and all these other terrible property, natural disasters that help kind of inform us a bit about how this might all function. 

Dave Bittner: Yeah. 

Peter A Halprin: And there was recently a decision out of Maryland actually - I think about two weeks ago - where a court said that following a ransomware attack, the company - a company called National Ink - was entitled to be paid under a property insurance policy - not a cyber policy, a property insurance policy - for the costs of recovering their systems and getting them back online. 

Peter A Halprin: So I think kind of two quick takeaways on ransomware - one is clients definitely want to make sure that they have business interruption or business income loss coverage because that may be the biggest cost. You know, if you pay a ransom and you get your system back up and running, the cost of the ransom may only be a few bitcoin, but to actually get back into business and to get back to where you were could be far more expensive. 

Peter A Halprin: And two is that, you know, the search for coverage shouldn't be limited to cyber policies. There's going to be a lot of other places - crime policies, property policies, even kidnap and ransom policies - where there may be coverage. So I always try to tell my clients to take a broad view. And I think - you know, I'm adding a third kind of bonus trend. But the industry is concerned about this. And as a result, Lloyd's recently announced that they are making their membership definitively say whether or not cyber is covered under insurance policies. And property insurance, I believe, is where they're starting. 

Peter A Halprin: So their fear is that clients are looking for coverage under policies where they argue coverage wasn't intended. And so they're hoping to eliminate what they refer to as silent cyber. And that's going to take the form of language, probably on the front of a policy, which expressly states, this policy does not cover cyber pursuant to X exclusion in the policy or this policy does cover cyber pursuant to X endorsement to the policy. So they're working to clarify that. 

Peter A Halprin: But my own view is I think silent cyber is a misnomer. I mean, you know, insurance companies generally write these policies. As I said, in some instances, clients are able to negotiate some of the terms. But generally, the insurer controls all the levers there and really runs with the language that they have determined, with their underwriting team and their actuaries, is appropriate for the risks. 

Peter A Halprin: So because it's hard for clients to negotiate, you know, the insurers are generally in the driver's seat. And as a result, the insurers are able to dictate what exclusions will apply to a policy. So if the insurers say upfront in your property policy, there will be no cyber coverage, I would say, in most cases, that would be the rule. That would be the language of the contract, and that would be what would be enforceable. You know, the idea that the insurers have granted silent cyber coverage, as they suggest, is a misnomer because if they wanted to exclude it, they could do so quite easily. 

Dave Bittner: I want to shift gears a little bit and get your perspective on some of the privacy statutes that we've seen. I mean, certainly GDPR has been in effect for a little while now. We've got CCPA coming online. I'm wondering if you have any insights for the reactions that you're seeing with the people that you work with and also what you might see coming at us in the future - if there's any hope or prospect of there being anything at the federal level. 

Peter A Halprin: On CCPA, I think what we're seeing is you've got this explosion of privacy statutes going back to, you know, in the U.S. at least, Illinois in 2008. You've got GDPR. And you've got CCPA, which came online January 1. You've got the New York SHIELD Act coming out in March. I understand Ohio and some others have legislation on the way. 

Peter A Halprin: At the federal level, I think there are essentially two competing visions of what a U.S. GDPR might look like. And from generally the Republican side of the aisle, it looks like it would be something which would try to avoid too high of a bar. And it would essentially preempt a lot of state laws, including California's, which I guess Republicans and some of their contributors think are too onerous. 

Peter A Halprin: And then on the other hand, from the Democratic side, my understanding is that there's been legislation introduced which would create a federal privacy act. But the federal privacy act would say that it would cede to state standards. So you've got this federalism argument by - on the Democratic side that the state should make these determinations. And then on the other side, it seems like there's a push for - to undermine those state standards which are viewed as onerous and to create kind of a lesser federal standard, if you will. 

Peter A Halprin: From an insurance perspective, you know, the challenge is making sure that clients have policies that really accurately reflect the risk associated with these regimes. So I saw Facebook recently paid a $500 settlement - sorry, 500, they wish - a $500 million settlement to satisfy claims that arose under Illinois' privacy act. You know, that's not small potatoes. Under GDPR, I've seen fines - I think there's one of about 200 million pounds, or at least it's being considered now. 

Peter A Halprin: So you've got these massive, massive statutory damages that are arising. And you know, it is important for clients to make sure that they have that coverage as expressly as possible. And then beyond that, you know, there are all kinds of other things that may come with these statutes. And I think it's driven primarily by whether or not there is a private cause of action, meaning - do individual plaintiffs have the ability to pursue remedies against these companies, or does it need to be government-driven? 

Dave Bittner: All right. Interesting conversation with Mr. Halprin. These issues continue to sort of churn their way in with the evolution of ransomware, how it's really come front and center with a lot of organizations in terms of something they have to pay attention to. 

Ben Yelin: Absolutely. And we're seeing policymakers take notice as well. I mean, last year the United States Senate stepped in. They passed a piece of legislation that demanded the federal government ramp up its support for organizations hit by ransomware. So we're seeing, you know, some reactions at the federal level. I know in tracking state legislation here in Maryland, there's a lot of interest in innovative ways to counter ransomware attacks - whether you have, for example, a cyber response unit within your state militia or, you know, you have some sort of state entity set up that will help localities that are affected by ransomware attacks or, you know, require training for public employees. 

Dave Bittner: Right. 

Ben Yelin: And you see regulations being developed to aid the private sector as well. So I think this is something that's come into the public consciousness. I think because that's happened, lawmakers at both the federal and state level have taken notice and, you know, we're treating this like any other emergency, which is what it is. You know, it's going to have to become part of general emergency preparedness efforts because it's as much of a threat now as things like, you know, terrorist attacks and public health crises. 

Dave Bittner: Yeah. I found Peter Halprin's insights on the potential for future privacy statutes interesting and, you know, where he came down on the possibility of us having a federal statute. Where do you stand on that these days? Do you think there's any hope there that we'll see anything in the near term? Or do we absolutely - nothing going to happen till after this year's election? 

Ben Yelin: I mean, that's the general rule. We are paralyzed, and we are polarized. Congress has just limited bandwidth to do anything. You know, one thing that does give me hope is I think there's a groundswell in both parties, based on these large-scale data breaches, to do something about data privacy. I think whether that happens this year is more of an open question. 

Ben Yelin: You know, one major factor is not only did the CCPA in California just go into effect at the beginning of this year but there have been some implementation problems, suggestions that the language of that statute could have been refined. So it might be that the federal government wants to see how states are applying these statutes, what mistakes states are making before they wade into their own - come up with their own privacy and data protection laws and regulations. 

Dave Bittner: Right. States are the laboratories, right? 

Ben Yelin: They are the laboratories of democracy. 

Dave Bittner: (Laughter) That's right. 

Ben Yelin: But you know, I don't think this is a problem that federal lawmakers can ignore forever, specifically since, you know, our counterparts in the European Union have already taken action. And U.S. companies have already had to, you know, comply with GDPR... 

Dave Bittner: Right. 

Ben Yelin: ...So they sort of know where this area of the law is going in the future. And you know, the U.S. wants to stay ahead of the curve on this topic. 

Dave Bittner: Yeah. Well, our thanks to Peter Halprin for joining us. Again, he's a partner at Pasich LLP in their New York office. 

Dave Bittner: That is our show. We want to thank you all for listening. And of course, we want to thank this week's sponsor KnowBe4. If you go to kb4.com/kcm, you can check out their innovative GRC platform. That's kb4.com/kcm. Request a demo and see how you can get audits done at half the cost in half the time. Our thanks to the University of Maryland Center for Health and Homeland Security for their participation. You can learn more at mdchhs.com. 

Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.