CYBERSECURITY LESSONS FROM THE TRENCHES
Now a Big Law partner, a lawyer draws from his years in-house and from running his own firm.
Daniel Pepper knows about cybersecurity and privacy through the eyes of a lawyer who works in-house, one who works for a large firm and one who hangs out his own shingle. He knows because he’s been all three. And data protection has been a big part of each job.
He recently joined BakerHostetler as a partner on the firm’s Privacy and Data Protection team. His ability to counsel clients in various sectors, he says, owes a lot to the years he spent working as in-house counsel at Comcast, Verizon, BEA Systems and Oracle. He remembers the days before the field was regulated, before there was malware, when part of his security plan was repeating the sage advice: “Don’t be stupid.”
Things are a bit more complicated these days. Privacy regulations seem to sprout like mushrooms. Organizations are struggling to keep up. And one of the biggest vulnerabilities, for companies, vendors and consumers alike, hearkens back to Pepper’s old mantra. The internet of things is filled with what he calls “dumb smart devices.”
CyberInsecurity News: When did you first get interested in tech?
Daniel Pepper: During high school, I was an early adopter of the bulletin board systems that preceded companies like CompuServe and early AOL, where you had your dial-up modem, and you would see discussion boards and plain text. Once I got to college, I got a job selling computer chips back when a four-megabyte RAM chip cost about $400. I was building computer systems and having fun. I always felt it would be great if I could ultimately find a career in technology; I just didn’t know how.
CIN: But you were a political science major.
DP: I was. I took a stab at computer science, but coding all day wasn’t the right fit for me. I enjoyed working with people. So I shelved that idea and hoped that maybe someday I’d find a way to incorporate tech into my career. And a couple of years after law school, it really found me. I got an opportunity to join the legal department of an insurance company to help them negotiate deals with software and hardware companies. Didn’t know the first thing about it. They were somehow convinced that I could do the job. And that was where it began in 1996.
CIN: What was the attraction of law?
DP: Growing up, I was really influenced by the TV show “L.A. Law.” It glamorized the profession, and I thought, “That’s what I want to do—all that drama in the courtroom.” I quickly learned after I got to law school that actually practicing law had little to do with any of that.
CIN: It seems that it hasn’t been a bad choice for you.
DP: It worked out. Back in ’96 was when the commercialization of the internet really started to take off. It was serendipitous that there was a real need to help companies understand what it meant to have an online presence and the ability to sell products and services online. And, of course, no one had any idea what the rules were, because there really weren’t any.
CIN: When did cybersecurity enter the picture?
DP: Initially, working at that insurance company. Then I went into private practice at a larger firm and moved on to some in-house opportunities. Most of my time there was spent doing deals—negotiating and drafting software license agreements, professional services agreements and some early hosting agreements. And the concepts of data protection and privacy weren’t even a thought. This preceded HIPAA and Gramm-Leach-Bliley. There was little-to-no regulation when it came to data privacy and security. It wasn’t until I launched my own practice focusing on tech that these things started coming into focus. The regulations began. Some early data breaches were on the map. I started having clients inquire, “Do we need to care about this stuff? What do we need to do?” That was when I started looking into this a little more deeply, figuring it was something that would only grow.
CIN: What made you decide you wanted to start your own firm?
DP: I thought it would be fun to take a lot of what I had learned—some of these best practices working as an in-house counsel—and do that for others. I also really enjoyed helping small companies grow into powerful players. Today it’s very common for organizations to have in-house counsel that has experience with these sorts of issues. Back in 2006, it wasn’t.
CIN: When did privacy become a big part of the world you were working in?
DP: I started to be more focused on privacy about 10 years ago, due to the interest and the amount of requests coming in from clients, as well as what I was seeing in the market generally.
CIN: You’ve worked in-house. You’ve worked as an outside counsel. You started your own firm, and you’re now a Big Law partner. What are some of the lessons you learned in each job that contributed to your skills as a lawyer?
DP: From my in-house opportunities, the No. 1 thing I learned is that being a good business person is just as important as providing legal advice as an attorney. When I came out of law school, the idea was to identify the risks and the issues for your clients, and let your clients make the decisions on which way to go and what risks to assume. I quickly learned that when you’re in-house, that’s not going to work. You’re really asked to weigh those risks on behalf of your company and make those decisions. I think that’s something that most lawyers that go in-house learn. It was a big takeaway for me, as well as learning to perform some nonlegal skills. Whether it was project management or conducting meetings and giving presentations—these are things you didn’t learn in law school, but you quickly had to pick up to be a good business person.
With my own practice, I learned a lot about business development, growing a strong professional network, marketing and keeping overhead low. Fortunately, being in the technology and internet space, I had access to several online tools that made that possible. I also learned about the importance of showing clients that you genuinely care about seeing them succeed. Attorneys should treat a client’s business with as much care as they would their own venture. Probably the biggest takeaway was the importance of maximizing empathy and trust to foster relationship building. I took great pride in becoming known to clients as a go-to person that can be counted on to deliver excellent results. At the end of the day, it comes down to establishing and maintaining good relationships. That’s really the thumbnail sketch of the progression for me.
CIN: How did it all lead you back to being an outside lawyer at a big firm?
DP: As I sit here, at a law firm that represents many large companies, I understand what goes on behind the scenes at those companies. So if I’m working with inside counsel, or I’m working with an executive, and I’m offering suggestions or providing advice on next steps and what should be done and what risks to consider, having spent so much time in-house, I understand what that means to the client—what they need to do and how they may need to sell it internally. Obviously, every company is different. Risk tolerances are different. But at the end of the day, businesses all operate under the same rubric of always having to weigh risks to understand how it’s going to impact the bottom line, employees and customers.
CIN: Let’s talk about the cybersecurity risks and challenges in each of those three businesses. How about in-house?
DP: The No. 1 challenge in-house is that resources and more money are always needed. There’s too much risk to address. There are too many potential attack vectors. There’s too much data to protect. The other piece of it is—assuming that we do have those resources—if we implement all of the security controls that we’d like, and we follow all of the best practices and guidelines to put ourselves in the position that we’ve minimized the risks, how does that impact employee and customer experiences? If I’m an employee and need to access HR information or need to get onto my systems to do my job, if the security levels are too high, it makes it a real challenge. How do you make that a process that is feasible? As a customer, if I’m looking to call a company to gain access to my account, and I have to speak to somebody in customer service, and do the authentication before the company can feel comfortable that it's me, and it’s so difficult that I’m frustrated, I’m going to say, “You know what? This is just too much work, and I’m going to look for someone else to provide that product or service.” That’s the biggest tension that I see now—finding that right balance.
CIN: What about in your own firm, which was a startup in a different era—beginning in 2006.
DP: Yes, a little different era. The primary issue was, where do I keep sensitive client information? How do we store that? At the time, there really weren’t any true commercial cloud-based or hosted database storage systems available. There were some early ones, but they really weren’t marketable at that point. You had to keep a lot of this information locally. You didn’t have the same sort of malware and attacks that you see today, which obviously increase the risk. But the truth was, I didn’t spend as much time thinking about security back then as I do today. “Don’t be stupid” was sort of the mantra—and the marching orders—I gave myself.
CIN: How about the outside counsel world? There were a lot of law firms that, for a long time, were lax in paying attention to these threats, especially in comparison to some of their large clients. And it took a while for some companies to pick up on how large a threat that could represent.
DP: I have a lot of visibility into this, even though I have not worked at many law firms. Going back to my days at Verizon and Comcast, part of my job was to help conduct the security analyses of the outside vendors, including law firms. There would be certain mandatory requirements, security controls and processes that were necessary for any vendor to implement before the company would use them. It became very apparent to me, because both companies had a whole host of outside counsel firms that they worked with, that many of these firms were not thinking about security in a meaningful way. Either it was a cost issue, a time issue or a personnel issue—they just didn’t understand how to do these things. I believe that’s been improving dramatically over the past few years, but it’s a challenge for smaller law firms that don’t have the resources to do it. Fortunately, at BakerHostetler, we have a robust and comprehensive set of security controls and processes.
CIN: How about the challenges that in-house lawyers have collaborating with their colleagues in tech? Where are the pressure points?
DP: Share information in a relatively easy, functional way—while still being mindful of security. It’s always a challenge, because the easier you make that, the easier it is for that information to land in the hands of a third party, even inadvertently, which you don’t want. So where is that balance?
CIN: Who should be involved in making those decisions?
DP: That’s a good question. Is it the chief information security officer? Is it the general counsel? Is it someone at the C-level—an executive? Is it everybody? In my experience, that answer varies greatly, depending on the company. In some cases, there is no defined decision-maker, and people have to figure it out as they go, which is very inefficient.
CIN: Do you help companies navigate a solution?
DP: In many cases, we can. It really comes down to—and this is certainly something that we do—helping establish good data governance and data hygiene, and programs that identify not only what controls are necessary, but also how you manage exceptions. You might have certain rules about how information can be stored and what third-party tools can be used, but regardless of what rules you put in place, there will always be exceptions. “This tool doesn’t work for me, I need to use that one instead.” Who approves that, and what are the parameters? What are the workarounds? Security is a piece of that, and the security professionals need to be part of that conversation. But there are legal considerations and other business considerations that the security team may not have visibility into. We can put all those things out there as part of an overall governance plan and make sure the right stakeholders are involved in those conversations.
CIN: The security team and the in-house legal team can both be seen as cost centers. And they both depend on adequate budgets to do their jobs. How can they make their cases for adequate budgets in the uncertain world of cybersecurity?
DP: This was a much tougher argument a few years ago, before you had the whole panoply of data breaches that you see every day in the news. You had to listen to the “so what” questions that would come from the executive management team: “Yes, I hear you. Yes, I understand that we need to be careful, but so what? If it happens, what are we looking at? What does the dollar figure look like?” Because you’re right, it is a cost center, so there’s always going to be the analysis of: Do we want to spend $1 million to protect against $100,000 of risk or liability? And before we saw the numbers grow with exposure and liability and fines, it was a lot tougher to make that case. Now we have attorneys in-house who have access to all sorts of data that shows exactly what these things cost, what regulators can assess and what plaintiffs lawyers are able to recover. Now you have security professionals often sitting in these C-level positions, where they get the ears of the CEOs and CFOs. I see nothing but increases in those budgets, because the case is much more easily made now.
CIN: Are there opportunities for the lawyers and the tech side to work together to build a case for what’s needed?
DP: I think they must. Due to the increased number of regulations, it’s really difficult, if not impossible, for security professionals, whose job is to focus on the types of technology now available and the nature of the technical risks associated with particular applications or architecture, to focus on what these regulations look like across the states. That’s really the in-house counsel’s job. I think they have to work together in order to create an accurate picture of what the risk looks like.
CIN: Do you think it’s happening commonly now? Do you think what was once a pretty large division between these two groups has narrowed, and they’ve learned that they have too much aligned to avoid collaborating?
DP: It’s happening a lot more, certainly with large organizations. It’s the small organizations where you don’t see it happening as much. Unfortunately, it may happen after there’s a problem—a breach or some violation—which is frequently the wake-up call.
CIN: Let’s talk about law firms again for a moment. These days, most large firms have chief information security officers, as yours does. That wasn’t always the case. But the lawyers at a law firm aren’t just another cost center, like IT. They are the business. So how does the division between the lawyers and the tech people play out at a big firm like yours?
DP: It’s a close relationship. I can tell you here the directive is that privacy and security is everyone’s job. It’s not just in the CISO’s office. It’s not just in the IT group. The expectation is that everyone is familiar with and understands what the rules are, how the technology works, how the information should be stored and shared. That’s a good thing. If you leave it only to the tech folks, it’s easy to inadvertently miss something.
CIN: Ransomware is much in the news these days. The onslaught of attacks seems to be increasing rapidly. Do you see this as a large risk for companies? And what can they do to protect themselves?
DP: It’s a huge risk for companies, and we see a tremendous number of ransomware incidents on a weekly basis. What most security professionals will tell you is that the No. 1 attack vector is phishing. Companies have to be very mindful and spend a lot of time on employee training. So that’s one piece of it. And any security person will tell you the need for regular data backup. Because a company can say, “We did our training, we conducted a simulation, and it went great. We have 95 percent of the employees recognizing that our simulation was a phishing incident, and isn’t that great?” But we know it only takes one person.
CIN: What about the threat represented by the internet of things [IoT]? We’ve heard a lot about how vulnerable devices are, and how rapidly the number of so-called smart devices is growing. What threats and risks does that development represent?
DP: I think that’s going to be a really big risk as well. California has enacted their own IoT security law, which goes into effect in January 2020. Among other things, the law requires that any manufacturer of a device that can connect to the internet—that has an IP address and connects via Bluetooth—has what the law calls “reasonable security features.” There’s some discussion about what that means—not having default passwords. Before the device can connect to the internet, there has to be a unique password set by the user, which is a good start. From a technical perspective, a huge problem is the inability for many of these devices to be patched or updated. They’re sort of dumb devices. There’s no way to push updates to them or introduce security patches in response to these threats. Whether it’s a smart refrigerator, a wearable device, an alarm system or a thermostat—if those devices can’t be patched to address new threats, they’re hugely vulnerable.
CIN: So we’re going to be talking about dumb smart devices in 2020?
DP: I think that’s right.
https://www.cyberinsecuritynews.com/cyber-lessons
