A Q&A with David Cole of Freeman Mathis & Gary
Do you know where your ransomware payment is really going? Among the ethical quandaries posed by the notion of paying criminals to access your own data are the increasing regulatory and legal risks associated with ransoms.
We talked to David Cole of Freeman Mathis & Gary LLP, Co-Chair of the firm’s Data Security, Privacy & Technology practice group, about why cryptocurrency ransoms are difficult to track and how his firm uses the same technology as law enforcement to track them.
Freeman Mathis & Gary LLP is a NetDiligence-authorized Breach Coach® law firm.
What interests you most about working in the cybersecurity space at this particular time?
Data security and privacy law presents an enjoyable challenge to me as an attorney because it is an emerging field with laws that are literally still being written and enacted around the country. Courts are also grappling with how to apply new and old laws to emerging scenarios, so you have to stay up to date and really think through all the issues to present the best possible arguments for your clients.
I also like the satisfaction that comes with helping clients through these stressful events. Often as a lawyer, particularly in litigation, you’re arguing and you’re defending cases. This work presents a unique situation where through our expertise we can bring clients a sense of calm, particularly through ransomware cases.
Why are ransomware cases so challenging?
First, there’s the regulatory environment that now surrounds ransom payments, such as the OFAC and FinCEN guidance, which creates the potential for strict liability if payments are made to a sanctioned organization or actor. It’s very difficult to know who’s on the other end of these payments, and yet your organization has an obligation to conduct due diligence and not make a payment to someone that it shouldn’t.
There also are new state laws already on the books or on the way that actually prohibit communications or negotiations for ransom payments. Right now, these laws are focused on public entities like city or county governments, but it’s a growing area that we have to keep an eye on.
Second, policy considerations are always involved. Specifically, whether you should make a payment or not. As an industry, we’ve started talking about that question more, which I think is a good thing. We have to acknowledge that we are paying money to criminal actors and that this money gets used to fund further criminal activity. It’s always difficult to trace the money, but it’s often reported that there are connections not just with cybercrime, but with other sorts of crime, like trafficking and drugs.
These are tough questions to answer when you’re under a great deal of strain, when your systems are encrypted and you can’t act.
Why are ransomware payments so hard to track?
One great feature of cryptocurrency payments is that they are recorded on the blockchain, which provides a verifiable transaction history. The challenge, though, is that threat actors use different techniques to try and hide their transactions to make them private. They use anonymized crypto wallets or they put payments through mixers that are designed to intentionally conceal the source of cryptocurrency and often involve “cross-chain” transfers to different cryptocurrencies.
Your firm has a unique capability to track ransomware payments in coordination with law enforcement. Can you explain how that works and what makes it special?
Our firm has invested in this area and partnered with a software provider to give us access to some of the same tools as law enforcement for blockchain analysis and tracing of crypto payments. Attorneys in our practice group are trained and specially licensed in these tools, which gives us some unique capabilities to help our clients.
First, it allows additional due diligence on the front end before a payment is made. We can look at attribution data with the organization we think we’re dealing with, based on the crypto wallet address that’s provided. This information, along with details and indicators of compromise learned during the investigation, can help us with OFAC and FinCEN due diligence.
Second, these tools also allow us to “follow the money” after a payment is made. At some point there are so many hops on the blockchain that it’s very difficult for humans to follow a transaction all the way through to its ultimate destination, particularly where the payment is funneled through a mixer. Using these tools, we can trace payments and perform blockchain analysis on the transactions.
What do you do with the information once you have traced a payment?
This sort of analysis can potentially help reveal things like the identity of your subject or their co-conspirators, details of how the money is being laundered, the nature of the criminal scheme, and even other victims. Our goal is to use these tools and the information we obtain to help recover funds through coordination with law enforcement if we see an opportunity for civil forfeiture. Law enforcement has limited resources [for ransomware cases] and can’t always do this level of investigation, but if we can help by providing them with information, there is a greater possibility of recovering the funds once they’re paid.
Are there other unique differentiators or specialties the firm has in handling these cyber matters?
One differentiator is that our firm has always been, at its core, a litigation defense firm. All our attorneys are litigators and have that background. When serving as breach counsel, this gives us a different perspective because we can guide our clients through incidents with an eye toward not only the regulatory aspects of notification, but also how to structure a response in a way that minimizes potential liability down the road.
We handle a lot of data breach class action defense cases and other third-party cyber and privacy claims. As a result, we often see the unintended consequences of decisions that were made during the incident response process by other breach counsel or their clients, which informs our own incident response work. It also allows us to handle claims from beginning to end, i.e., both the incident response phase and subsequent litigation.
As a litigation firm, we also have full in-house e-discovery capabilities through our e-discovery team and access to specialized tools. This provides us with robust document search and review capabilities that we can use in our cyber claims as well as to datamine for PII and prepare notification lists in-house. This allows us to cover as much of the investigation as possible with attorney-client privilege and make notification more efficient in terms of time and cost.
Are there any helpful resources you’d like to share with business leaders around these issues? What should they be focusing on and how can they be staying informed?
We maintain an online blog that covers all our practice areas, including our Data Security & Privacy group, and our attorneys write there regularly. I would promote NetDiligence blogs and repositories as well. Many of our attorneys are Certified Information Privacy Professionals by the IAPP, which also is a great resource.
That being said, I don’t think that an executive-level person managing an organization has to be an expert on the technical side of things or all the current risks and cybersecurity trends. This is an increasingly complex field with a lot of experts available to help. Let them advise you and, unless you have strong cybersecurity capabilities in-house, partner with external providers to conduct regular security risk assessments of your organization and implement management plans to address those risks.
What an executive can do is build a culture of security and privacy within their organization. They should train their workforce, talk about it, and make security and privacy a priority through investment in resources and internal roles. There is no single “set it and forget it” solution. What often gets businesses burned when dealing with litigation or a breach investigation by a government regulator is whether they’re performing regular assessments of their organization’s security risks and implementing a plan to address those risks. Doing that requires a culture that prioritizes security and privacy, which is something that is created from the top of the organization and flows down to every part of your business.
Do you have any other insights you’d like to share with our readers?
I would encourage people, and particularly those on the claims side of things, to not get lulled into a paint-by-numbers approach to incident response. We do see that a lot—a sort of formulaic, scripted response—which often does not lead to the best results.
For instance, we see situations where there is over-notification or generic or inaccurate notification, which creates problems later. It also can result in additional costs being incurred that were not necessary, which erodes policy limits that may be needed later for third-party claims or which simply makes the process more expensive than it has to be.
Instead, we believe that every case needs to be evaluated individually for the most effective strategy. At our firm, we focus on helping clients think that through and, as this industry continues to grow through the proliferation of cyber incidents, it will be important for the industry to emphasize this individualized approach and not commoditize the incident response process.
To learn more about David Cole and Freeman Mathis & Gary, visit their website.
To learn more about Mark Greisiger, visit this page.