Caveat 7.22.20
Ep 38 | 7.22.20
The power of the pen.
Transcript

Scott Godes: And I see more phishing attempts on a daily basis than I had ever seen before. And so criminals, apparently, are not going away.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hi, Ben. 

Ben Yelin: Hi, Dave. 

Dave Bittner: On this week's show, Ben has the story of the Secret Service investigating ransomware. I've got a story of police buying hacked data. And later in the show, my interview with Scott Godes. He's a partner with Barnes & Thornburg. We're going to be talking about how companies who are affected with data breaches should approach their insurance recovery. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, why don't you kick things off for us this week? What do you have for us? 

Ben Yelin: So, actually, both of our stories this week come from Motherboard from VICE, so I guess a shoutout to them for having some hot content this week for us. My story is about the Seattle, Wash., police department trying to unmask a ransomware attacker by deploying its own hack, sending this hacker basically a booby trap to get them to reveal him or herself, and they do so using a network investigative technique. 

Ben Yelin: So there are a couple interesting elements to the story. For one, we know that law enforcement has used these NITs consistently, especially around users who are using a Tor network. But previously, it was sort of believed that the only agency at the federal level engaging in these techniques was the FBI. 

Ben Yelin: This story is about how, in this case, it was the United States Secret Service that is using the network investigative technique, which is interesting and counterintuitive. The Seattle Police Department's official who instigated this network investigative technique was working in their capacity as a task force officer for the U.S. Secret Service. And part of the reason they were doing that is this all emanated from a ransomware attack on a correctional facility in the state of Washington. 

Dave Bittner: (Laughter) So now it's personal. 

Ben Yelin: Now it's personal, yeah. 

Dave Bittner: (Laughter) Right, OK. 

Ben Yelin: I already see the makings of a fantastic movie here. 

Dave Bittner: Right (laughter). 

Ben Yelin: Maybe you and I can do some writing after this is over. 

Ben Yelin: So it was back in 2016. This correctional facility in Washington state found ransomware on its network, and it was a really bad ransomware attack. It took down their network for a significant period of time. Obviously, the files were locked. And this investigator, who is part of this task force, works for the Secret Service, hatched this idea to send a bunch of files to the alleged perpetrator of this attack basically saying, I would like to pay you the ransom, and I would like to unlock these encrypted files, but I'm having trouble with one of them. Can you help me out? Here's the one that I'm having trouble with. Embedded in that file is a booby trap that will allow the perpetrator of this attack to open that document, and that potentially could reveal relevant information like that person's IP address, even though the attacker was using Tor. 

Ben Yelin: So unfortunately for law enforcement and for the Secret Service, the deployment of this technique was not successful. They did not actually seize any evidence. But I think there are a couple broader lessons here. One is that we now know for the first time that different government agencies besides the FBI have both the legal authority and the capability to engage in these network investigative techniques, which are, you know, pretty intrusive - things that we would not approve of if they were being done by cybercriminals. 

Ben Yelin: And it also is a reflection of a court decision I think we've talked about on this podcast where - or at least maybe not a court decision. I believe it was a regulation at the federal level saying that magistrate judges can now authorize the use of these techniques outside of their area of jurisdiction. So that's critically important because, obviously, people who are using Tor could be anywhere in the world, or people who are engaging in cyberattacks could be anywhere in the world. And so in order to give any law enforcement agency the ability and the authority to go after these cybercriminals, they need to expand their jurisdictional reach. And this story I just thought was a good example of some of these concepts coming into play when we're talking about NITs. 

Dave Bittner: Does any of this give you pause? Are you having concerns here? 

Ben Yelin: I'm always concerned when the United States government is using tools that are potentially this intrusive and could be co-opted by cybercriminals. So, you know, when we're talking about unmasking the identity of cybercriminals, that's obviously a good thing that law enforcement would want to have. But, you know, like with any sort of malware, it could potentially get - these techniques could get into the wrong hands or they could be exploited for political purposes. And so just the fact that we now have multiple agencies who have the authority to use these techniques I think should give us at least a sense of concern for potential abuse. 

Ben Yelin: And it is becoming more ubiquitous (ph). We know that law enforcement, namely the FBI, has been using NITs in cases that involve Tor networks or other anonymous systems. You know, they've used NITs to solve some pretty serious crimes, particularly related to child predators, child pornography, but also crimes related to bomb threats, financial cybercriminals. So they know, you know, despite the fact that this particular booby trap was not successful, the techniques themselves can be successful. 

Ben Yelin: But there are concerns based on the fact that these tools could be abused, like I said, and that the orders granting law enforcement the authority to use these tools could be overbroad. Motherboard had an article they wrote previously that the FBI used an NIT to hack over 8,000 computers based in 120 countries around the world. And they did that all with a single warrant. So now that we know that not just the FBI but potentially other federal agencies and secret services under the auspices of the Department of Homeland Security might have the power to execute these very broad cross-jurisdictional warrants. And, you know, I don't think that necessarily sits well with people who are concerned about these sort of techniques. 

Dave Bittner: Coincidentally, my article this week is also, as you say, from Motherboard and VICE and written by Joseph Cox, which yours was also (laughter). For our listeners... 

Ben Yelin: Joseph Cox, this is your episode, yeah. 

Dave Bittner: (Laughter) Right. For our listeners, Ben and I both independently choose the stories we want to talk about. So it's a coincidence that we both came back with stories from Joseph Cox this week. But I guess tip of the hat to him that he's writing stuff that's right up our alley. 

Ben Yelin: Absolutely. Yeah. You've done your job well, Mr. Cox. 

Dave Bittner: (Laughter) So my story this week is titled "Police are Buying Access to Hacked Website Data." And the crux of this story is that police are engaging with a company that calls themselves SpyCloud. And this company, SpyCloud, goes out and gathers up data that's been put out into the public via data breaches. So we all hear these stories about the big data breaches that happen. A lot of that data gets sold online in the dark web, other underground markets. This company gathers that information up, and then they make it available for a fee to law enforcement to be able to go through that data, to be able to search through that data to help law enforcement with the types of things that they want to do, similar to what you were talking about. You can associate email addresses with IP addresses. You can connect all sorts of different information that comes up in these data breaches. 

Dave Bittner: What is evidently concerning here, and what I'm looking forward to getting your take on, is that this is a bit of an end-around for law enforcement to not have to go through the usual processes that they're required to when they're out there gathering data about you and me and everybody else. 

Ben Yelin: Yeah. I mean, there are a lot of problems I have with this particular story. You are correct that this is an end-around. They don't have to obtain any sort of legal subpoena to get this information if they are simply purchasing it and giving it to law enforcement. So that's one potential problem I have with this. The way they brand this exercise - and this was revealed as part of a webinar, so be careful what slides you put up on your webinars, people. They could be leaked to Mr. Cox at Motherboard. 

Dave Bittner: (Laughter). 

Ben Yelin: But the way they're branding this is, well, we're using criminals' data against them. So they've stolen the data, but now we're repurposing that data to help law enforcement. I think that's a really misleading way to characterize this because, as the article notes, 99.9% of the data that has been breached here does not belong to cybercriminals. It belongs to all of us, people like me and you. And so, yeah, I would say the combination of the fact that the branding of this is misleading and the fact that there is no legal process to obtain this information and law enforcement will now have this information at its fingertips to conduct searches and potentially initiate prosecutions is certainly a disturbing element to this. 

Dave Bittner: Could law enforcement run into issues? In other words, if they went in front of a judge with this information that they'd gotten through this SpyCloud company, is it possible that the judge could come back or the defense for the person being accused could come back and say you're not allowed to gather data this way? 

Ben Yelin: That - so far, we really haven't seen any legal cases where data obtained this way, data that's been purchased and used by law enforcement, has been suppressed at trials. I mean, unless the evidence was obtained illegally - and it is not illegal to purchase this data and it's not illegal for SpyCloud, once they have purchased this data, to share it with law enforcement - you know, then the fruit of the poisonous tree doctrine does not apply, and that evidence is going to be admissible at trial. 

Ben Yelin: But it is sort of ironic that some people are going to be convicted based on information that was stolen as part of a cybercrime. And, you know, I've just been thinking about trying to analogize this to the physical world. So let's say the police officers conduct a raid - or I guess if we're going to have a true metaphor here, let's say some sort of private organization comes across a criminal compound and steals all the guns and gives them to law enforcement and says, here, you know, we're turning the criminals against them. Here are all these guns that we found. Now you can use them. I feel like wouldn't we have ethical problems with that, or am I misinterpreting things here? 

Dave Bittner: Yeah, that's interesting. You know, the thing it reminded me of - and this isn't a precise analogy, but I guess part of why I was going down that line of questioning is I know, for example, you know, some of my friends who have security clearances, they can run into these strange situations where, for example, with the Edward Snowden leaks where even though Snowden leaked that stuff and it was printed in The Wall Street Journal or The New York Times and all over the place, people with security clearances weren't allowed to read that stuff because technically it was still classified. Even though it was out in public - right? - they were restricted from looking at it because that would be a violation of their clearance to look at information they were not cleared to look at. 

Ben Yelin: Yeah. I mean, unfortunately, those same types of protections don't apply to data that's been stolen as part of a breach just because it doesn't have any sort of classification level attached to it. Now, it's possible that classified information could be breached or classified under, like, our federal classification system. And then, you know, you might run into those same issues. But for things like personally identifiable information, you don't encounter some of those national security concerns that motivate I think what was happening to information security professionals during the Snowden disclosures. 

Dave Bittner: Yeah. It's interesting. So do you not have Fourth Amendment rights to privacy about some of your personal information if someone else got to that information first? The cat's out of the bag. The horse is out of the barn (laughter). 

Ben Yelin: Yeah, I mean, it's a very interesting question. So the Fourth Amendment is supposed to be a tool to protect you against law enforcement. It's to be free from government searches and seizures. There is no Fourth Amendment right as it applies to criminals because, you know, that's not who the Fourth Amendment is intending to protect you from. It gets interesting when the government is making use of these stolen data, but I don't think it invokes Fourth Amendment protection just because, you know, when we look at Fourth Amendment jurisprudence, it's all about whether the evidence was obtained legally. And so in most cases, depending on the type of information that's sought and the source of information, you're going to have to go through some sort of judicial process in order to obtain that evidence legally. 

Ben Yelin: Purchasing breached data, at this point, is not something that is illegal. It is information that's publicly available. It's valuable information. So getting it into the hands of law enforcement does not invoke any sort of legal concerns at this point. Now, Congress could make a decision - or any state legislator, for that matter, can make a decision to change that. But the way things are now, it just does not invoke Fourth Amendment protection, which I think is somewhat problematic because we have kind of a perverse incentive structure here. The more cybercriminals we have, the more data that gets revealed, the better off law enforcement are in terms of, you know, the ability to track IP addresses and match them to email addresses and so forth. And so you never want to get into a situation where more crime ends up being good for law enforcement. 

Dave Bittner: (Laughter). 

Ben Yelin: And that's sort of the incentive structure you're developing here. So I think that's one thing that really kind of stuck out at me when it comes to this story. 

Dave Bittner: Yeah, yeah, interesting. Well, again, thanks to Joseph Cox for writing... 

Ben Yelin: Our whole podcast this week. 

Dave Bittner: (Laughter) Exactly, for being the source for so much good stuff to talk about this week over on Motherboard. We do appreciate it. Those are our stories. It is time to move on to our Listener on the Line. 

(SOUNDBITE OF PHONE DIALING) 

Dave Bittner: Our Listener on the Line this week is a friend of the show. His name is Bennett (ph), and he sent in a couple of questions. Here is our listener on the line, Bennett. 

Bennett: Hi, guys. I have a couple questions for you. When I visit websites, I'm often presented with a pop-up box that's asking me to click acceptance of cookies or a privacy policy or some other seemingly regulatory required thing. Usually it has a yes, a no or a little X in the corner that I can just click it to close. And I'm wondering, does what I click there really matter? Does it create any obligations for me, or does it create any obligations for the company? It doesn't seem like it changes the user experience at all, no matter what I click. 

Bennett: My other question is, after listening to your interview with Hilary Wandall, it made me think of an experience I had with a fine dining restaurant in Baltimore recently. Upon entering the establishment, they take your temperature and have you fill out a form that includes your name, your phone number, your email address, and then they write that temperature down on that form. And I'm wondering if that then puts a requirement on them to comply with HIPAA regulations, since they are collecting not only personally identifiable data but medical data. Thanks for the show. 

Dave Bittner: All right, Ben, a couple of good questions. What do you think? 

Ben Yelin: So great questions, I will go through them in turn. On the cookies issue, you've identified something that a lot of cyber scholars have also noticed, that whether you click yes or no or simply X out of that warning that says this website is collecting cookies on you, it doesn't really have much legal significance. In fact, the warnings themselves seem to me and to other scholars as a CYA effort on the part of websites and technology companies so that they don't potentially run afoul of mostly European regulations, so GDPR and other cyber regulations coming out of Europe. There haven't been any enforcement actions on this, but I think it's safer and easier to put up these warnings that sites are collecting cookies than it is to expose yourself to potential liability. 

Ben Yelin: So I think one thing Bennett mentioned is that even if you click no, you can get access to the site, that's true for a lot of sites. It's not true for all sites. Sometimes you really do need to accept cookies in order to access the site. But it is true that a lot of sites don't do that. I think they're largely putting up those warnings to protect - to shield themselves from legal liability should it arise, even though it most likely will not arise and has not arisen so far. That's not exactly great for the consumer because most of us simply click through. You know, I want to read my news article. I don't care if they're collecting my cookies - X, X, X, you know? I guess that's the wrong use of X, X, X. 

Dave Bittner: (Laughter) Especially online. 

Ben Yelin: Yeah, exactly. So, you know, most of us just click out of that. Nobody reads the actual policies. Usually you have to click on the link to find the policies, and nobody does that. So you could say there are some transparency benefits, and there are. At least you know that they're collecting cookies. But how transparent is it really if nobody is going to go and read the fine print that's in indecipherable legalese? So a great question. 

Ben Yelin: On the second question, some of us are, indeed, going back to dining establishments - not me, but other people are going to indoor dining establishments where they're doing things like taking your temperature. Some restaurants or other facilities are asking customers if they've tested positive for COVID. This is an acceptable action on the part of restaurants because they are not covered entities under HIPAA. So I think, as we've talked about, HIPAA only applies to covered entities. Generally, that's going to be health systems, hospitals, certain government agencies, but restaurants are not part of the covered entities under that statute, meaning there are no restrictions on what they can do once you enter their premises. They can take your temperature. They can ask if you've tested positive for COVID, and they are welcome to share that information without facing a HIPAA violation. 

Ben Yelin: Now, what you can do as a consumer is say, no, I'm not going to eat at your restaurant if you do that. And, you know, at this point, depending on what state you're in, obviously, you can just walk out of the restaurant. But if you do want to eat there, they might actually compel you to give that information. But they are not covered entities under HIPAA, so they would not run into any HIPAA difficulties. 

Dave Bittner: Do you suppose this is also kind of a CYA thing on the part of the restaurant to say, look; we're making a good faith attempt; if someone gets sick at our restaurant, look at all these things that we did to try to protect ourselves, our employees, our customers, everybody? 

Ben Yelin: Yeah. So there's certainly an element of that. So much of this is security theater just because there are a lot of asymptomatic people. So just by taking temperatures, you're not going to capture a lot of people who potentially could be COVID-positive. The liability issue is really interesting. You know, one of the things that certain members of Congress are doing is trying to create a liability shield as it comes to COVID so that customers and employers cannot sue a company if that company inadvertently exposed individuals to COVID. So at this point, yes, they are probably covering all of their bases just like any organization that wants to cover their you-know-whats (ph). 

Dave Bittner: Well, who can blame them, you know? 

Ben Yelin: Absolutely. 

Dave Bittner: Yeah. 

Ben Yelin: Everybody wants to avoid litigation. That's the last thing these businesses need, especially... 

Dave Bittner: Right, right. 

Ben Yelin: ...Since many of them are in dire financial straits. Even if they have been reopened, there are far fewer customers than there were prior to this pandemic. And, you know, we're now seeing a major uptick of cases across the country. Some states have actually - some states that had reopened restaurants, like California, have actually decided to close them again. So you're already facing this very significant financial hardship. The last thing you want to do is expose yourself to litigation. So anything that you can do to try to protect yourself from that threat, I think, might be valuable. So... 

Dave Bittner: Yeah. 

Ben Yelin: There's that, and then a lot of it is pure security theater. 

Dave Bittner: Sure. All right. Well, our thanks to our listener Bennett for sending in those good questions. We would love to hear from you. We have a call-in number. It's 410-618-3720. You can call and leave us a message there. We may use it on the air. You can also send us an email. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Scott Godes. He's a partner at Barnes & Thornburg, and our discussion centered on how companies who've been affected by data breaches should approach their recovery from an insurance point of view. Here's my conversation with Scott Godes. 

Scott Godes: I help companies with insurance problems, and I help companies that are finding themselves in a spot where an insurance carrier has refused to pay a claim or an insurance carrier has said that there's limited coverage available as well as helping companies understand the scope of coverage under their policies more generally. And so when there's been a cyberattack, a data breach, ransomware, business email compromise and wire fraud and the insurance carriers have decided that they don't need to pay or don't need to pay a claim in full, then I come in to help convince them otherwise, whether it be by discussions with the carrier directly or going to court and having a court tell the carriers they need to pay. 

Dave Bittner: When you have a disagreement here, what are the things that come up? 

Scott Godes: It's a real range. Early on, when I started working in this space in 2008, the disagreements really arose in connection with a payment card event or, more colloquially, a credit card data breach. And in the context of those, pretty frequently a company that's been hit will be assessed by the card brands - sometimes directly, sometimes through a processor or both - saying that the retailer that was allegedly compromised has to reimburse the processor and the brands for replacing cards that were compromised for fraudulent charges. And the insurance carrier said, well, that's just simply not covered. Or if it is covered, it's only covered in a small percentage of the entire policy limits. So we had some pretty heated disagreements there in terms of how to make that work. 

Scott Godes: And then in terms of ransomware, I'm finding that there are disagreements in connection with how much should be covered dealing with the lost income and sort of getting the parties on board with the total amount of loss and the steps that were taken to get the business back online. And then for business email compromises, there's a question of whether it's covered or not and, if it is covered, how much is covered. 

Dave Bittner: How often do you find that people who have fallen victim to these sorts of things - they think that their insurance is going to cover them, but then it turns out it doesn't? 

Scott Godes: Well, most of the times I'm involved, that's how it comes around. I don't mean to be flippant about it, but the quick answer is that every time people come to me, it's because they're in a spot where the insurance carrier has - suggests that they're not going to pay or there's a threat that they're not going to pay or they want to be careful to make certain that they're dealing with the insurance carrier right away so that the carrier will pay. 

Scott Godes: So for workaday events - and there are undoubtedly many claims that the insurance carriers pay appropriately and pay in full, the types of claims that are right down the middle of the plate that - perhaps a more traditional PII event, a breach of PII or otherwise. But I get phone calls when people have questions and - or there have been indications that the carriers think that they don't have to pay or can otherwise limit coverage. Again, undoubtedly, there are many, many claims that the carriers pay either in full or relatively close. But I tend to not see those claims. 

Dave Bittner: What sort of questions do you recommend people ask their insurance carriers to get ahead of this, to make sure that, you know, you've got your I's dotted and your T's crossed before there's an incident? 

Scott Godes: So a lot of that comes down to, at the time of purchase, working with your broker. And see if you can have a conversation with the carrier at the time that you're buying your insurance program. 

Scott Godes: And it's easier said than done because there are two major hurdles. One is many policyholders are renewing their entire slate of insurance policies at the same time. They all have the same renewal date. So perhaps on June 1, a company's renewing its workers' comp, its property, its crime, its cyber insurance, its general liability insurance, its directors and officers, its errors and omissions, its kidnap, ransom, extortion and other policies all at the same time. That's quite a feat to accomplish, to renew all those policies and - at the primary layer, at the excess layer. So you could be talking dozens and dozens, if not significantly more, policies all at once. 

Scott Godes: And the insurance industry pretty frequently tells a broker the types of coverages that will be provided and sometimes limits, but they don't always provide the full set of details in terms of limits. They don't always say, well, for this policy, you'll have a $5 million policy limit overall but a $100,000 limit for this kind of cyber loss. And they don't typically provide the full policy. They don't typically provide the full set of endorsements until months after the policy period has started. 

Scott Godes: And so it's quite unlike commercial contracting, where parties can negotiate, oftentimes, the terms of a contract. You don't, as a policyholder, have the opportunity to really negotiate the terms. It's terms that are offered by the carrier that are proposed. And there may be opportunities to ask for different endorsements that the carrier writes and issues, but they hold the power of the pen, and they always are the ones that are issuing the contract. And when they do that, they, again, pretty typically don't actually issue the contract until well after the contract period has started. 

Scott Godes: So imagine any other commercial context where you go to a company and say, well, I'd like to enter into a contract with you. And they say, OK, well, here's what we have. Take it or leave it. And by here's what we have, they say, here's the kind of contract that we have, and we'll give you a copy of it two months later. 

Dave Bittner: What sorts of things are we seeing come out of the COVID-19 pandemic? What specific things are you seeing that are new here? 

Scott Godes: It's largely more of what we have been seeing. And what I mean by that is ransomware has continued. Business email compromises continue. And I see more phishing attempts on a daily basis than I had ever seen before. And so criminals, apparently, are not going away. Efforts to compromise systems aren't going away. There's reports of a state court system that was allegedly hit with ransomware. And so from that perspective, it's just - it's more, unfortunately, of the same. 

Dave Bittner: Are there particular challenges that folks are facing just from the fact that people cannot get together face-to-face? I'm imagining that it opens up for fraud if, in other words, you know, I'm taking out a policy or I'm establishing some sort of business relationship with someone and we can't actually meet face-to-face, I can't physically hand them my ID - basic things like that. 

Scott Godes: So much more work is happening remotely. So much more work, of course, is happening by email and by other connections with people that you haven't met or that you don't see regularly. 

Scott Godes: And so there are stories where - apocryphal stories and real stories, for example, in the context of a business email compromise where when I've talked about this, people say, oh, sure, we almost had that happen. We received a message saying, please wire the following amounts to this location. And just before it happened or just after it happened, I ran into this person in the hallway and said, oh, by the way, I've got your - I sent your wire or I'm about to send your wire, just FYI. And in the hallway, the person says, what are you talking about? I didn't ask for you to wire anything or do anything like that. And they manage to catch it. Well, if you're not in the office and you're not going to see people in person, you don't have that same opportunity to correct for that. That's just one example of how things are not able to correct it. 

Scott Godes: Or if you're used to doing things by phone, 'cause that's how we're operating, then - or by email, rather than by phone, because that's how things are operating, then the mindset of following up with someone to say, well, I need to see you in person, or, I need to get a phone call, is not the same. And there's going to be much more reliance on emails and other electronic communications to get things done so that the perspective of and the viewpoint of, well, you shouldn't click on email, you shouldn't do things by email - that's how the world is operating these days. 

Dave Bittner: From your perspective with the experience that you have, is there anything that you think could be done on the policy side of things or the regulatory side of things that could help smooth some of these things over, that could help prevent some of these tensions that happen between the people who have the policies and the insurance providers? 

Scott Godes: In terms of that, ultimately, the best thing for policyholders is ensuring that the insurance companies actually pay claims and cover claims and don't allow them to engage in a narrow interpretation of the language that they wrote, particularly on a post hoc basis. So that's an important thing, making sure that they live up to their contracts. 

Scott Godes: And the fact that there are cases where policyholder wins, that there are rulings that something should've been covered, that's a situation where the insurance carrier should've paid up in the first place, and it's frustrating that the policyholder has to go to court, but that's the reality. So from that perspective, that's one easy fix - is when a policyholder buys a policy, to make certain that the carrier actually pays the claims underneath them. 

Dave Bittner: You know, I suppose this is kind of like asking a barber if I need a haircut, but... 

Scott Godes: (Laughter). 

Dave Bittner: ...I'm curious. You know, in terms of someone investing in someone like you, someone who does the type of work that you do, before you sign on the bottom line for that insurance policy, to have a third party look it over, it strikes me that could be a good investment. 

Scott Godes: Well, recognizing that I would be patting myself on the back, to your analogy, I agree with that. And part of the rationale for it is that cyber insurance policies and crime insurance policies vary from carrier to carrier pretty frequently, and they seem to not be well understood - not be well understood by the people that buy them, and they seem to not necessarily even be well understood by the people that adjust the claims under them or sometimes even underwrite them. 

Scott Godes: And as cyber risks evolve, for purposes of the policyholder, have a conversation with someone who's seen these things and explain, here's where carriers will try and use this term or these conditions as a trapdoor, and explain to them where the differentials are and why a handful of terms can be a significant difference and why, for example, just one word can be a challenge for a policyholder. 

Scott Godes: I had a case a little while ago where I was telling a federal court of appeals the meaning of the word direct. And it turns out that courts have actually interpreted direct three separate ways, whether it be a third-party versus first-party liability, whether it be a question of how much time has passed or whether it be an idea of kind of a but-for cause or approximate cause that had this not happened or when this happened, that's why you ultimately lost the money that you lost. 

Scott Godes: So that sort of thing wouldn't jump off the page at most commercial insurance buyers. How many people would think that the word direct has led to dozens of cases in court disputing the scope of it, or other provisions that are buried within there? So it can be very helpful to sit down and talk to someone about, here's what the industry has done. Here's how they interpret it. And here's how they've either covered or told policyholders that they didn't mean to cover. 

Dave Bittner: All right, Ben, interesting stuff. 

Ben Yelin: Yes. I have a story for you, Dave. 

Dave Bittner: All right. 

Ben Yelin: Something that just happened to me recently. 

Dave Bittner: OK. 

Ben Yelin: So I have a home warranty policy. I swear this is getting somewhere related to the interview... 

Dave Bittner: OK. 

Ben Yelin: ...You just gave. 

Dave Bittner: Yeah. 

Ben Yelin: And my garage door broke. And it took me a while to figure out exactly what happened. It turns out that the spring snapped, so the door won't open. So I went to the website of my home warranty company and filed a claim, and it pointed to a tiny subsection of their 200-page policy manual saying that they don't cover defective springs. 

Dave Bittner: (Laughter) OK. 

Ben Yelin: Now, you're never going to anticipate what single thing inside your household is going to be the thing that breaks that, you know, causes your garage door or any other appliance, for that matter, to malfunction. 

Dave Bittner: There are countless springs throughout our homes (laughter). 

Ben Yelin: Yes. There are countless springs, and there are countless other things that I'm sure if I actually took the time to read that giant policy manual, I'd be like, wait; this isn't covered? 

Dave Bittner: Right (laughter). 

Ben Yelin: So that's really what this invoked when I heard this interview. Insurance companies have... 

Dave Bittner: I don't mean to laugh. 

Ben Yelin: No, I welcome you to laugh at my misfortune. 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: Hopefully I can get this fixed without paying an arm and leg. So if any of our listeners are garage repair professionals, I would love to hear your advice on this. 

Ben Yelin: But, you know, the larger point is insurance companies will do everything they can to not cover a claim. 

Dave Bittner: Right. 

Ben Yelin: That's what they do to protect their bottom line. I mean, they have to cover enough so that you're willing to purchase their insurance product. But... 

Dave Bittner: Yeah. 

Ben Yelin: ...You know, they are going to try and limit what they cover. And I think what came out in the interview is it's very hard to anticipate what the next breach is going to be and whether that's going to be covered by one's insurance policy. And it's very difficult for a layperson or someone, you know, who's not well-versed in these issues to actually read the fine print of these policies and figure out if it meets a company's needs. 

Ben Yelin: I know - you know, you were saying in the interview you didn't want to make this an advertisement, but I think it really is incumbent upon businesses to consult professionals, see if the policy that you're intending to purchase really encompasses the variety of threats that have been presented. 

Dave Bittner: Yeah, I think that was the big take-home for me as well - that with something as important as your cyber breach insurance, it's worth the investment to have a third party - someone who has no real skin in the game, you know, and understands all the legal aspects - to just read through the policy so they can tell you, OK, here's what's covered and here's what's not. So if you want those things covered, you need to go back to them and say, hey, how - why - you know, where are we with this? And let's get that in writing so that you know you're good to go. 

Ben Yelin: Yeah. I mean, most of us are just not capable of negotiating the terms of these types of contracts. And that uneven relationship between consumers or businesses and the insurance companies exists really in every realm. I mean, I'm in no position to negotiate with my auto insurance company on their policies because... 

Dave Bittner: Right. 

Ben Yelin: ...Even though I'm a lawyer, there's no way I'm reading through, you know, exactly what they cover. 

Dave Bittner: Right (laughter). 

Ben Yelin: So it is one of those instances where because the impact of a breach could be so incredibly severe - we've seen it happen to companies in the private sector; we've seen it happen in the public sector - I think it's worth that investment to get somebody who knows how to read these documents to look them over for you. 

Dave Bittner: You know what cars are full of, Ben? 

Ben Yelin: I dare say I do not know. 

Dave Bittner: Springs. 

Ben Yelin: Oh, gosh. 

Dave Bittner: Springs (laughter). Lots of - there's springs. Lots of springs in cars (laughter). 

Ben Yelin: All right, I'm opening up my Geico policy and seeing if it covers the springs. 

Dave Bittner: (Laughter) That's right. That's right. All right, well, again, our thanks to Scott Godes for joining us. Really interesting information. We appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. 

Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.