
In the thick of it, last session of the day. Is this where you want to be? If not, get out. I'd like to thank our sponsors for this BSides event, very important: St. Mary's University, where you are; USAA; Trend Micro; Digital Offense (Digital Defense, not offense); SANS; National Security Agency; Exabeam; Accenture Federal Services; Open Security, titanium level; CyberSecJobs; Denim Group; Alamo ISSA; Landmark Solutions; Texas Cyber Summit; also some other event supporters: Bobcat Locksport, Kudu Dynamics. Those of you that did not find the raffle prize at the registration desk, be sure to get that before the end of the day. And now we're going to hear from two very important people. Bill Rice and Tsuchi Pahi are going to talk to us about talking to lawyers without catching a case, or, as counsel advises. Take it away.

Thank you. Thank you, welcome here to our temple. [Applause] Thank you. I'm not going to read all that; that is who we are. We both work for a company called Rally Health. It's a DC-based digital wellness platform, that's what we call it. Yep. Done a lot of things. I am a manager of security there and of the network team. I was at a law firm doing cyber security and data privacy for about five years and then had the pleasure of joining Rally Health to work on some really fun tech law stuff. Just a couple of notes that I have to make: I'm not your lawyer, you are not my clients, this is all purely informational, it is not legal advice. And I'm really excited to share all of this with you guys. And we're down a person, John Nichols, on assignment. You'll have an opinion in about half an hour on whether it's good or bad. We already talked about that. That happened. I'm blowing it already, I'm sorry, but it's okay.

All right, so why do you care about this? Knowing these things can make a big difference whenever bad things happen at your company. If you have an incident you have to respond to, you have to deal with problematic customers or partners, you have to deal with people in suits, you're going to need to know this, right? So whenever people threaten, like, there might be a lawsuit or something like that, sometimes you get an idea that it's going to be like a couple hours of trial; maybe you've seen some shows. It's not actually how that works. So when I had clients who had to go through litigation, they had to prep with me for a couple hours out of their work day, then they had to go do their normal work stuff, and then see me again, and this would repeat for probably like two weeks, and then they had to sit down with me and opposing counsel for the other party and answer a bunch of questions, and then they had to show up for trial if they were chosen as witnesses. So it's basically the most miserable situation you can find yourself in, other than being part of a security team during an incident. Anyway, so a lot of CISOs have definitely just quit their jobs during that time because they've had to deal with the crazy goat rodeo that ensues. So we want to get you to a place where you're comfortable with your lawyers and the rest of your company so that you don't ever have to really work with people like me, to be in that kind of a [ __ ] show,
so pardon my language; I'll try not to swear. And we've both seen what this has looked like in places that did it well and ones that didn't, right? So, format, before we get really started: questions at the end, if you would, right? If your question starts with "this is not a question, but," please just stop. We're going to leave plenty of time, and we've asked that we turn off the cameras for Q&A, because people, when they have questions about this, tend to talk about things that maybe you don't want on camera on YouTube, and so we'll just cut the mic at that point. And as you would guess, we are talking about things that have happened at a variety of places. We're not saying these happened to our employer; none of the bad ones happened to our employer. We're telling stories from friends, from people we've worked with, hundreds of clients. Yeah, there's an entire industry's worth of stories, and I think we have more than enough between the two of us. So please don't say "oh, Rally had this bad time because they talked." No. Those stories will happen far later.

Okay, so dotted lines and dashed lines. And fair warning, and actually I'm just going to walk over here, so fair warning that this is about to get into some corporate structure information, and so I just need you to hang in there with me through this slide and the next slide, and I think potentially the slide after it, but I'll try to keep it interesting. So before we switch slides: dotted lines are typically dotted, and dashed lines actually are typically people who report across to one another, so you're not necessarily reporting up, you're just kind of like buddies. And then solid lines up would be reporting directly up, or the dashed line can mean that you're not really having a relationship inside of the corporation. So you can see where this gets complicated. Go ahead. Thanks, Bill.

Okay, figuring out corporate structures: you want to work with your legal team or your legal person, but you need to first figure out where the heck they are,
right? So sometimes you'll have companies that have a general counsel, and that's someone who works with your C-suite or your board, and then you have a legal department under them, and it might be a robust legal department with like 15 to 20 lawyers, maybe hundreds depending on how big your company is, or it might be a small legal department that's got like three people including the GC. You could also have what we call outside counsel, and these are the attorneys you pay lots of money to who do not sit within your company, and they might team with your general counsel or, like, a dedicated attorney. You could also have an outside counsel who acts as a general counsel for you guys, and in that case they're probably still charging a lot of money, but they might sit within the company for a little while, like a couple days a week, and then go deal with other clients later; it really depends on the terms of their agreement. You could also have a chief privacy officer plus your general counsel, which is if you have a privacy department that sits outside of legal. And you could have a chief legal officer, who is potentially like a general counsel, and then have a legal department attached with that chief legal officer, which is kind of the same setup as the first bullet point. What I didn't include in here, and that's why there's question marks, is that you have endless iterations of what this could be depending on the size of your company. You might also have risk management, compliance, and perhaps people sitting within security that actually report to legal as well. So let it go. Am I still in this one? Next. Oh, I'm supposed to tell a story there.

Story time. I want to talk about this. So a previous employer of mine, name not to be given, didn't have lawyers for a while. They were small. You know, when you're a tiny company you don't have lawyers, and so you do a lot of things: you sign contracts, you also make money, and we've gotten big enough where we have a lawyer, yay. Said lawyer comes to me one day and goes, "Bill, I'm sure the answer to this is fine, but you need to tell me what it is. We asserted to this company that we do ITAR correctly, and so we've never, like, sold the software or allowed anybody to download anything on the public website if they're from one of the countries we can't talk to, or, like, people who are on the list, right? We do that, right? Like, how does that work with the open source portion?"
Not the answer she wanted. Yeah. The answer, after quite a lot of hassle and a bunch of those people, mostly outside, was: we're just going to, like, redline that off the contract and see if they notice, and then having to make some technical changes that cost us some time. Great. And it boiled down to: nobody at the time had read that contract, because we didn't have a lawyer, and so nobody had said, like, "that looks hard, let's ask if they care about that." Yeah, that's why, like, when Bill first told me that story, it caused major heartburn and anxiety for me, because I could not imagine being either the company or the lawyer who found that out, because that's terrifying. I'm terrified right now. So yeah, it was all fine, by the way.

So if you don't already know or have a relationship with the lawyers within your company, or who service your company, it's really incumbent on you guys to, like, put out some feelers, figure out who that person is, and get to know them. It could be people who work on contracts for you guys as part of your security team, or who work on contracts for your IT team; like, I'm not really sure, it depends on how you're structured with your technology and your security. It could be the person who's running training for the entire company, and it could be your incident response attorney. No guarantees there; hopefully you have an incident response attorney, but we'll get to that later. So
yeah, find your lawyer, and then you're going to go talk to them. That's part two. So you found them, right? You know where your lawyer is; hopefully the answer isn't "we don't have one." You should talk to them early, right? You should know this person well before things have gone wrong. Keep a couple of things in mind, right? If someone is a lawyer, they went through a lot of painful schooling and classes about things that I can't fathom, and they know a lot, right? But they're not technical, they're not hackers, they don't know what we know, and vice versa, right? And so you need to master, like, hitting the "I'm giving you the important details and I can explain further, but I'm not going to, like, nerd out on this stuff." We're not talking about malware, we're not talking about reversing techniques, we're talking about, like, "I think the server might have a new admin today and we don't know them." And never, when you're talking to your lawyer about potential problems, talk about a thing like... don't make conclusions, right? You want to say, "hey, these things happened, what do you think of that?" Yeah. "Is that bad? I think it's bad. Do you? Tell me." And you need to be really clear, and this is something that was hard for me to learn; I had to learn through painful repetition, about, like, "this happened" versus, like, "this happened," like, "I think this happened," because the answer is going to be really different, right? If you say, like, "this machine has..." not saying that word... "this machine has been hacked," versus, like, "I think there's something weird with this machine, like, what do we do?" Those are very different, because the conclusions are going to be different.

So, to piggyback off of that, one part of the lawyer's job when you talk to them is to frame the things that you're telling them, and it's almost like being an artist, in a sense. In a sense I'm trying to find the broad strokes of what you're saying and figure out where we want to go, and so I'm looking at it from a legal risk perspective, and then, like, a 10,000-foot view of where the pitfalls might be depending on whichever option is next. So it's like a choose-your-own-adventure, but based on law school and then the information that you've given me from the security side. It can actually be really fun sometimes if you have a great relationship. Like, Bill and I work together regularly. If you have a really good relationship or a partnership, then you can get a lot of things done that are beneficial to the company and kind of grow things in the right direction. So what I really like is, "hey, how bad would this be?", which is very proactive, versus, "hey, we have a problem, this is what happened." I don't want to come in on the back end of it as your legal person; I want to help you move towards your goal by proactively working with you before you get there. If you're working with, like, outside counsel, calls like this, like "hey, what do you think?", can be really expensive, and there's probably someone in between that you should be talking to before you make that call to your outside counsel, unless it's someone who you hired to work within your company as GC. So I would be careful with how you frame the situations, and not be super open-ended, which you learn by experience, but I wouldn't ever hesitate to pick up the phone and ask for advice before taking a step that might really mess up wherever you're actually trying to get to.

And then there's a piece of this that's not incident related, and that's your vendors or your contracting. So if you're trying to work with a vendor or something along those lines, give us the contracts or the paperwork early, loop us in early with, like, the who, what, where, when, why, how, and that way we can help you with the vendor contracting side of it too. So it has made a massive difference once I learned that, instead of legal being the last step in contracts, "we're going to figure this all out, please sign this, tell me if it's wrong," way earlier saying, like, "is this even going to work? Like, is this a thing we should do?", so that we don't have months of effort before legal says "that's not a thing you get to do, sorry." Yeah, or "you can do it, but it's a terrible idea."
So, we've been involved in...

All right, so, totally hypothetical: you had a bad day, right? You hope that you're hacked... you think that you're hacked. So you fire up your incident response team, right? Everybody gets in a room, you buy some pizza, you start looking at stuff, and you spend a while doing it, and so you get into a mode, and so you start getting a little reckless about what you say, maybe, right? And so you, in chat, say things like "they got this machine, it got hit, like, we told them they should have patched it, like, that was three months ago, why did they not, like, we told you," or, like, "oh, that's totally customer data and that has three buckets public, like, whoops," or, "is this something we have to notify about? Like, do we have to talk to... do we have to tell people about this thing?" And then, you know, so you chatted, you fix it up, you clean up the machines, you patched some stuff, you chastise the user, or you do some training, whatever. Great, that's life. And then three months later the lawyer is, "hey, like, remember Infrequent Sunshine, where we had that bad day? Yeah, we're getting sued." And so they have to see all the communications about it, and you didn't talk to legal, so legal's finding out about Infrequent Sunshine right there. They're already not happy, but we're just going to have to give them all of our chat history about that incident. So when you said, like, "haha, they should have patched that," that means you knew that could have gone badly back when you said that, and you didn't take care of it, which looks maybe neglectful. Maybe, "oh, like, there was customer data in that S3 bucket," like, that's not the sort of thing you should be doing. Contracts talk about commercially reasonable actions; sometimes we didn't do that, and so all those contracts where we said we did those things, we may not have done, right? Like, but who would ever do that? Don't show hands, please. Let's not... don't do that. Like, "oh, I wonder now, do we need to notify?" Some of those laws, like, have timers; you get like 48 hours or 72 hours to, like, talk to the feds or talk to a state government or whatever, and you, like, got out your chess clock and hit it real hard when you said that in chat, and you probably didn't do the right thing about it. And so, as we said earlier, like, you're going to court.
Going to court's bad, right? So if only there was some way to, like, go back in time and say, how do we keep ourselves from going to court and maybe looking like jerks in front of our customers and losing them? So instead, now you've seen this talk. Talk to your lawyers. Before you start the IR machine, you go talk to your friendly lawyer, you say, "hey, this might have happened, I think we had a bad day, what would you like me to do about it?" And I'm going to say, "go look into it, but before you do anything, let's make sure everything is privileged and confidential." And this actually ends up being a whole conversation about making sure that you're talking to the right people and only talking to those people, and doing certain things during your investigation to make sure to retain particular types of records and stuff like that. So there's a whole process that comes into this from the legal side that should be started with just that "can we... we noticed something funny." So, and that starts the privileged and confidential party. I'm super happy that's animated, because it wasn't in the preview. This is actually a good phrase for this, because, like, working on security incidents across all the companies, every security team I work with has just been like, "why do I have to put privileged and confidential everywhere?" And it really is a privileged and confidential party, like, everything is privileged and confidential. It's amazing. And there's a lot of nuance around that which we'll get into a little bit later, and then I do have a resource for you guys at the end as well. So yeah. Cool.

So now you're not just doing incident response from the security team side; basically your lawyer is like, "hey, go look into this so that I can give you legal advice about the situation and help handle it," and that's when you get to the communications with your attorney, which is mostly protected from discovery. And so we say mostly because a lot of times people do waive privilege during litigation and through other things that happen running up to litigation, but you want to start from having your information, like your communications and things like that, reports, etc., that you've gotten to support yourself during incident response, protected. Okay, how many of you know what discovery is? Okay, most of you. So discovery, for those who don't know, is a process in which the other side gets to ask for basically everything under the sun, and you get to do the same to them, and then some poor, sorry person has to go through all of those files and figure out what's really juicy, and then pick who they want to talk to and what the facts look like. So it's a giant process that can take a lot of time, especially if you're involved in litigation with very large companies. So using that previous non-lawyered IR, you now have a lawyered IR, so maybe there won't be someone going through all of your chat transcripts trying to figure everything out. So it's important to point out it has to be your lawyer, right? At the beginning of the talk it's like, "she's not your lawyer." That matters. It can't just be any lawyer. Could we hold questions till the end? Okay, if you have, like, a technical thing, go ahead, but otherwise just wait till the end. Just a quick definition of the
difference between privileged and confidential. That's not going to be quick in any way, but I appreciate that question. I'm told in law school, like, that middle sentence there is like a class, that mostly asterisk, or just an asterisk, is a while. Good. Yeah, so let's talk about how to do this right. Let's learn to get a lawyer. First off, get a lawyer. If you're a small shop, you need to have one on retainer, right? The worst time to shop for anything and, like, negotiate prices is when you're in trouble and need it, and that includes people who charge eye-watering amounts of money to talk to you, right? Whereas a retainer is like an agreement that maybe I'm going to have to call you someday and need some help, and we'll put some money down to do that. If you have regulatory concerns, right, if anybody's going to, like, go to jail if you mess this up, or if anybody's going to end up in the news, you need to have a lawyer. If you're a big company that has... what's some regulation that we don't care about at work? Let's pretend it's something juicy, some, like, oil and gas industry thing. Like, you have to have a lawyer; you should have to have one. And so go find them. If you don't have a lawyer and need a retainer, like, ask around for references. This is not, by and large, like, super competitive-sensitive stuff, right? You can just ask people in your industry, like, "who do you talk to about this stuff? Help me out." Because there are people out there, like in the security industry, who are, like, bad at this, and much like security, like, getting the wrong firm to do your incident response, or your lawyering, could be terrible. Yeah, at the least, ask for who not to go talk to; like, at least do that much, because once someone does a bad job on this, I mean, they'll wreck things, and their clients will know, and will be angry about it. So you can just find out beforehand and not go through that experience yourselves.

And so then once you have that person identified, and you either work with them or you've given them a stack of cash, then go talk to them and make sure that you know each other and have figured some of this out before things are on fire, right? Because you don't want to, during the incident response process, where time matters, "what is going on?", "oh, she's like, dang, how do I... how are we going..." No. Yeah, you want your IR lawyer on speed dial, or at least you want your legal team to have them on speed dial, and your legal team roped into what you're doing. And also, just, like, free tip: if a lawyer is trying to get your business and they work for a law firm, so if you're going to outside counsel, they can charge their own company to take you to lunch and take you to coffee. So if you need them to take you out so you can talk to them about what your company is like, it's like dating. Let them take you out, and then you go have that conversation, and you date your lawyers until you find one that you find works for you. And most lawyers at bigger firms will do that, and so then you can find a lawyer who you kind of connect with and also
understands your business and where you guys are going and what some of the intricacies can be, and you probably don't need to actually pay them a thousand or more dollars an hour to, like, have that lunch, right? Yeah.

So I really like it when I hear these phrases: "hey, let's talk about some stuff," "hey, do you have a minute?", "let's grab a room to talk." I know something's up, and I know I need to be attentive, but at the same time you haven't said anything that starts any type of legal issues going, or notification obligations going, or anything like that, so I'm not panicked, but I know that something's going on and you need some assistance. Yeah, that's the way to get that attention. Not everybody has to do it like this, but it works for us. We give, sorry, Tsuchi's number to basically everybody who might find an incident on the security team, right? And the deal is, if you get a text from those people, it's like, "do you have a minute? It might matter." Yeah, and we've agreed to not troll each other by being like, "hey, do you have a minute?" Running out, there was a little bit of time, right, to walk up, and everyone would get really tense and worried because they thought I was coming to them with a potential incident or something like that. So that was a lot of fun for me. Okay, the trolling agreement is one way. I used to get texts like, "do you have a minute?" Like, "oh no, what?" "Hey, we're talking about this thing." Don't start there with your lawyers, though.

Okay, so after I get that type of information from my security team, that's when I start with the whole "let's do things privileged and confidential," and party cards. Yeah, exactly. And then you guys still get to do everything that you need to do. The lawyer's job is not to get in the way of your investigation. If that's what your lawyer is doing, your lawyer's doing it wrong, and you can tell them that. You can hold me to that; you can take that as a quote and just play it on repeat for them. Okay, so you spin up your incident response team, hopefully you have one; you're working off of your security incident response plan, hopefully you have one; your lawyers are involved somewhere during this spin-up of one and two; only the people who need to know about the incident are involved in the incident response, and if you need other people, you have a core group that you can actually ask about bringing other people in, and make sure it's all approved; and you're working on behalf of the attorneys, at the direction of your attorneys, which means that your work is more protected than not. And so this gets into work product protections, attorney-client privilege, and then confidential slash trade secret language. And like Bill said, each of those is a course, or a year-long course, in its own right, so it gets complicated quickly.

And if I can say real quick, that all sounds pretty formal and like a lot of work. You will be so happy if you put an hour into "when something's bad, who do we talk to?" That's your incident response team, right? Like, do you need to get your CSO involved? Do you need to get people from legal involved? Yes. Do you need to get people from HR involved? Hopefully not. But, like, document that beforehand. It will pay dividends every time. And the same for the incident response plan, right? It's a quick form of: if you've declared an incident, you need to talk about how did you find it, how are you getting rid of it, how do you know you've gotten rid of it, who did you talk to, that sort of thing. Spend like an hour or two on that, and it will pay the first time you have to do this, because, again, much like finding the lawyer, you don't want to figure that out, like, under fire. Like, "oh jeez, does our head of counsel need to know about this right now? Like, I don't know, do we need to talk to marketing?" Yeah, hopefully not.
Don't get lost in the weeds when you come talk to your lawyer buddies, because it just isn't important; like, it doesn't help us unless we ask questions that eventually get into the weeds. So what we want to know is: what was affected? Was it sensitive data? Was it a sensitive system? And really, depending on the company and the type of regulations you're under, or your stance on privacy and security, that could be any number of things. Could someone have acquired or accessed information? That's something that you actually have to vet on, like, a state-by-state level as well as a country-by-country level, so depending on the size of your company and what you're potentially looking at, that analysis could take forever. But from you guys, it would be something like, "hey, we think that someone was just, like, hanging out in our system for the last eight months," and I'm going to go, "okay, what do you mean by hanging out? Like, what were they clicking on? What were they doing?" And then what I want to know at the very end is, what's the likeliest scenario based on your investigation? Don't tell me all of the different ways in which something may have happened, but give me your, like, 70 to 80 percent likelihood, or 60, I don't know what you would call not the edge case. So what feels like...

Yeah, yeah.
Yeah, don't do that, especially not like this. This is the whole reaching-a-legal-conclusion thing. A breach can mean something for you guys in infosec and cyber security that's different from a breach as a legal term, and breach is actually complicated. So compromise, breach, and there's a couple of other ones that are defined differently by almost every state law, and also by federal regs and by national laws. So you don't want to say "it's a breach," because that has different meanings for lawyers and on the regulatory side. So you want to find out whatever your terminology of choice is within your company to describe, like, "hey, something's happened."

Yeah, if I give a brief story: way back in the before time I worked for the Department of Energy. I was an intern, and through some terrible choices they allowed me to be part of the red team as an intern, so they let me, like, do it live in production on a site of 18,000 devices, and I had something, it was great, and I'm like, "guys, great, I compromised this machine." And we got very serious, as it turns out, in DOE land, what "compromise" means is you just moved some classified data downstream, and boy, how did I... not do that. But putting that in writing meant that I had, like, a bunch of unwinding to do, and I had to, like, talk to people and send a couple of emails like, "my bad." And so you need to ask your lawyers, like, what are those magic words that mean something, right? Breach is a common one, compromise for some organizations, and there's no easy way to know, because it's not like there's a place you look up, like, "what are the magic words for health care regs in the state of Oklahoma?", right? Like, that's a question you've got to ask a lawyer. Yeah, and you know what? If you do have a conversation with a lawyer where you go, "it's a breach," the words... you're like, "okay, well, what do you mean?" And then you're going to give me a bunch of information, I'm going to say "it depends," you're going to hate me forever, but it'll get us all to the same point in the end, hopefully not breach, right? So, and it's true, like, it is genuinely super context-sensitive.

All right, that felt like kind of a lot of material, so key takeaways, and then we've got question time for sure. Find your lawyer, or lawyers. Figure out who the most likely one to hear from you on a bad day is, and, like, be their friend, like, be nice. Again, super handy to, like, have Tsuchi's phone number so I can be like, "I think I did a bad thing," or "I think a bad thing happened." Yeah. "I need an adult in the room real quick for a thing we're looking at."
In a big org, maybe that's a bunch of lawyers, right? You might have different people who do privacy and incident response and contracts and customer negotiations and regulations, you know, that might be a lot of people, but you need to know who they are, and you can do this. This is you; this is within your capability, I promise you. Yeah.

Keep it simple, but don't gloss over what might be important facts. Like I said, I don't need every technical detail. I don't really need... no, like, that doesn't mean... okay, it means something to me, but it doesn't mean anything to most of your lawyers. You don't need to sit down and explain salted hashes to me, like, I don't care, okay? I want to know what's important. Was it encrypted? That's important. I don't need to know the how, the extremely detailed how; I don't need that. So keep it simple when you're talking to your lawyer; you're probably going to get better answers. Related to that, like, put on your "I'm talking to a smart person in a related field" hat, and realize they might ask questions and you need to explain, but, like, start big, and they will do the same courtesy. Yeah, yeah.

I think I've said this a couple times over, and that's why it's in the key takeaways: if you can bring legal in early in your incident response process, then you're really setting yourself up for success here, because there are other things other than privileged and confidential that come into play, like litigation holds, and that's something that'll come out of your legal department, and it's "hey, don't delete or erase anything related to this matter, don't do anything with that." A lot of times, if you're working with something that's been compromised, potentially you'll have to make an image of it to do your investigation, so that you're not screwing with the original issue, because that might be involved with litigation later as well. So it's important to keep legal early in the process, because we can flag that stuff for you, and you don't have to do any guesswork, and you don't get rid of stuff that's critical. My experience is that lawyers are never going to say, "you know what, you let me know about a little too much stuff." They might say "okay, for this class of things, cool," but they're happy to be brought in, because they're not going to get surprised by it later.

And we've said this a couple of times: you need to ask what to do, right? The important part of this is that you are doing things at the direction of your counsel, and so you need to actually go and say, "hey, I think this might have happened, like, here's what it looks like, should I do anything about that? Like, what should I do?" And that's not just a formality; it's actually, like, they're telling you what things to do and what not to do, and that could matter. And then obviously, like, listen. If you ask your lawyers and then go do something else instead, super bad look for all involved. I see a wince there, but, like, it's a thing. So this goes back to the "don't just say something's a breach," and if you notice something suspicious, I know almost all of us probably have companies that have chats that you guys use, chat rooms. Just be careful with what you're really saying in those, because you don't want to accidentally cause a breach, which sounds weird, but cause a legal obligation that doesn't actually exist, and then you'll end up with a fake emergency on your hands. So
okay, about the privileged and confidential: oh, I totally... it didn't work. It would have been a link no one will remember, but Wendy Knox Everette gave a really good talk about incident response and privileged and confidential and work product protections at ShmooCon this year, and she works at Leviathan Security, and she really broke it down into a nice, easily digestible chart. It's worth your time. I think it was like 11 minutes long. I think it might be half an hour. Okay. It's good, it's worth it, it was well done. So you can find it on YouTube by looking for her name and ShmooCon, or you can probably pull it off of her Twitter. She's here. Yeah, so we're not, like, pitching Leviathan Security; they didn't pay us to say anything, Wendy didn't pay us to promote her. We just thought that the talk was really good. We both liked it and saw it separately, so it was really well done. We were texting her about the talk, being like, "this is great, let's show it to the team." So ShmooCon has a YouTube playlist every year, so you can just find the speakers; it was really early in it. She's probably the only Wendy Knox Everette that spoke that year about legal stuff. You can find them. Also, it's totally my bad, I put blank in there.

All right, that's it. Questions. So if we can kill the recording real quick.