Cyber Defense: Elizabeth Vandesteeg of Levenfeld Pearlstein On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack

Published in Authority Magazine · 14 min read · Apr 26, 2022

Business leaders should ensure that their organizations invest in a dedicated cyber insurance policy. Data breaches or other cyber incidents are likely an inevitability for more organizations, at some point in their life cycle, and they are likely to only continue to grow in cost. Cyber insurance can provide a great deal of protection against cyber-related losses caused either by first- or third-party actions. There has been a recent explosion in quantity and cost of ransomware attacks, causing the cyber insurance industry to tighten restrictions and raise costs. Businesses that have implemented the recommended preventative measures are more likely to get better coverage at a lower premium cost.

In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?

In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.

As a part of this series, I had the pleasure of interviewing Elizabeth (Lisa) Vandesteeg.

Elizabeth (Lisa) Vandesteeg is a Partner in the Financial Services & Restructuring Group at Levenfeld Pearlstein. She focuses on identifying risk exposure and mitigating liability for clients, with a concentration in the areas of bankruptcy, creditors’ rights, commercial litigation, and data security and privacy.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Candidly, I stumbled my way into law and then into my current areas of practice. When I first started college at Columbia University, I was planning on a pre-med track, with a major in environmental biology. After a couple of years and some very interesting classes, I was drawn to making a switch into political science and economics. But I did not have a clear picture of what I wanted to do when I graduated. I had thought I might want to try lobbying work on behalf of a cause that motivated me. But my older sister had just started law school and my mom convinced me that maybe a law degree would give me even better footing in that industry than a bachelor’s degree alone.

My mom’s argument made some sense to me — and it didn’t hurt that I tested well on the LSAT — and I eventually found myself at Boston College Law School. I spent the summer after my first year as a legal intern at Common Cause working on election campaign finance reform. After that, New York City and private practice called to me. I spent the following summer — and the past 18 years — in private practice.

Straight out of law school, my primary focus was on commercial and bankruptcy litigation, representing organizations in disputes with both healthy and financially distressed businesses. In connection with those disputes, my clients would engage in “discovery” — a litigation procedure in which the parties have to produce responsive documents, often massive quantities of documents, requested by the other side. These documents would have to be reviewed by attorneys before production to confirm that they were responsive to the requests and not subject to “attorney-client privilege.” The more data that had to be reviewed, the more attorney hours were involved, and the higher the cost. That is where my relationship with advising clients on their data first began. And the rest, as they say, is history.

Can you share an interesting story that happened to you since you began this fascinating career?

I’ve advised a few clients recently in the wake of a business email compromise. Business email compromise happens when you’ve got two business associates emailing back and forth, and a bad actor inserts themself into the conversation without either of the actual business parties being aware of it. The bad actor is then able to steer the conversation in a different direction, typically by providing new wire or payment instructions. These bad actors are able to mimic the font and tone of the prior communications, so the associate who is supposed to make a payment doesn’t recognize that this is not the same person that they have been in communication with and sends money to the new set of wire instructions. Payment has been made, but not to the right party. Whose fault is this?

Business email compromise is not uncommon, but there is not yet much established caselaw or guidance as to responsibility or liability. The parties could both engage a forensic expert to analyze whose system allowed the first authorized access, but that can get expensive and very contentious. Typically, these business email compromise disputes are resolved through settlement discussions and negotiations, with each party taking some of the financial hit.

Companies that have cyber insurance may have coverage for losses caused by business email compromise. The best way for a business to avoid business email compromise, however, is to establish internal policies and practices and regularly train employees. For example, the establishment of a simple rule requiring telephonic verification of wire instructions with the counterparty, particularly if those wire instructions are in any way changed or modified, is an easy and inexpensive safeguard and best practice.
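The telephonic-verification rule described above can be enforced in the accounts-payable workflow rather than left to memory. The following Python check is an added example, not code from the interview or from Levenfeld Pearlstein: it compares an incoming payment request against the vendor master record and places the payment on hold, naming the phone number on file to call, whenever the sender, the Reply-To address, or the bank details differ from what the business already knows. The names `VendorRecord`, `PaymentEmail` and `screen_payment_instruction` are my own, and every address, routing number, account number and phone number below is constructed placeholder data.

```python
"""Added example: screening changed wire instructions before a payment is released."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class VendorRecord:
    """Counterparty details from the vendor master file (the trusted source)."""
    name: str
    contact_email: str        # address the counterparty has used all along
    bank_routing: str
    bank_account: str
    verification_phone: str   # number on file; never taken from the incoming email


@dataclass(frozen=True)
class PaymentEmail:
    """Fields extracted from an email that asks for a payment."""
    sender: str
    reply_to: Optional[str]
    bank_routing: str
    bank_account: str


@dataclass
class ScreeningResult:
    hold: bool                # True: do not pay until telephonic verification is done
    reasons: List[str]
    verify_at: Optional[str]  # phone number on file to call when a hold is raised


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def screen_payment_instruction(email: PaymentEmail, vendor: VendorRecord) -> ScreeningResult:
    """Decide whether a payment request can be paid as-is or must be verified by phone."""
    reasons: List[str] = []

    # Thread-hijack signal: the message does not come from the address on file.
    if email.sender.lower() != vendor.contact_email.lower():
        if _domain(email.sender) != _domain(vendor.contact_email):
            reasons.append(
                f"sender domain {_domain(email.sender)} differs from domain on file "
                f"{_domain(vendor.contact_email)}"
            )
        else:
            reasons.append("sender mailbox differs from address on file")

    # Replies steered to a different mailbox than the one the message claims to be from.
    if email.reply_to and email.reply_to.lower() != email.sender.lower():
        reasons.append(f"Reply-To ({email.reply_to}) differs from From ({email.sender})")

    # The rule from the interview: any changed wire instructions require a phone call
    # to the counterparty, using the number already on file.
    if (email.bank_routing, email.bank_account) != (vendor.bank_routing, vendor.bank_account):
        reasons.append("bank details differ from vendor record")

    hold = bool(reasons)
    return ScreeningResult(hold=hold, reasons=reasons,
                           verify_at=vendor.verification_phone if hold else None)


# Constructed sample data: fictitious vendor, placeholder bank details and phone number.
ACME = VendorRecord("Acme Supplies", "ap@acme-supplies.example",
                    "111111111", "222222222", "+1-555-0100")


def demo() -> List[ScreeningResult]:
    """Screen one routine request and one request with new instructions from a new domain."""
    routine = PaymentEmail("ap@acme-supplies.example", None, "111111111", "222222222")
    changed = PaymentEmail("ap@acme-supplies-billing.example",
                           "billing@acme-supplies-billing.example",
                           "111111111", "999999999")
    return [screen_payment_instruction(routine, ACME),
            screen_payment_instruction(changed, ACME)]


if __name__ == "__main__":
    for result in demo():
        print("HOLD" if result.hold else "PAY", result.reasons, result.verify_at)
```

The design point is that the verification number comes from the vendor record, not from the email requesting payment, so a hijacked thread cannot supply its own "call me to confirm" number; a bank-detail change from the genuine address still raises a hold, because that is exactly the case the rule exists for.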

You’re a successful leader, which three character traits do you think were most instrumental to your success? Can you please share a story or example for each of the three?

One of the things that I believe is critical to effective leadership is the ability to create a safe space for your team. If your team feels safe, you are going to get more open communications and conversations, which in turn result in more creative and out-of-the-box thinking.

One of the character traits that I consistently turn to in leadership roles is my desire to seek out and find commonalities with or ways to relate to each member of my team. Sometimes this is a professional connection, such as people or schools in common, but more often it’s much more personal things, such as kids or hobbies. Ideally, it’s a combination of multiple different touchpoints.

Another trait that directly ties into that desire to relate to others is my willingness to be vulnerable, to allow people to see who I really am, and to be open about my own mistakes or imperfections. For example, I own the fact that my husband and I are both full-time working parents, with two kids in elementary and middle school, and it is challenging. It’s hard to balance work and family, and I often feel like I am letting people down on either the home or work side of things. I am open and vocal about it. I know that I am not alone with this challenge, and by acknowledging my challenges to others, I give them the courage and confidence to feel and express their own challenges. By forming those kinds of genuine relationships and opportunities for honesty, it leads to much more effective communication and problem solving, with true diverse perspectives from the team.

The third character trait that I think helps me in positions of leadership is my self-confidence (which is something that took me years to build). My mom raised me and my two sisters with the very clear directive that we could be whatever we wanted to be. And I have a burning desire to pass this message along to other women and other diverse friends and colleagues in order to promote and champion diversity in positions of leadership. Having been the first woman promoted to full equity partner and executive committee member at my prior firm, I had firsthand experience in seeing how a different and diverse perspective can lead to unprecedented conversations and meaningful change. My self-confidence has allowed me not just to recognize that I have a voice, but that I can and should use it.

Are you working on any exciting new projects now and how do you think that those will help clients?

I represent clients with respect to their legal and regulatory compliance issues related to privacy and data security. I find it to be particularly exciting (and frustrating, and challenging…) because the legal landscape is rapidly changing, mainly on a state-to-state basis, with limited federal guidance. The first, and still most widespread, data-related laws here in the United States were the data breach notification laws, which require businesses to provide certain notices to impacted individuals if there is a breach of their personal information. California was the first state to pass such a law back in 2003, with other states following suit thereafter. And by 2018, all 50 states, as well as the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands, each had their own individual data breach notification statute, with their own individual definitions and applications. Yet, these notification laws do little to set out preventative data security requirements; they are strictly reactionary. With a few limited exceptions, neither the individual states nor the federal government have required businesses to take specific steps to protect personal information.

On the privacy side, California was again the first individual state to act with the adoption of the California Consumer Protection Act (CCPA) in 2018. The CCPA provided California residents with unprecedented privacy rights, including rights to: (i) know what personal data is being collected about them; (ii) know whether their personal data is sold or disclosed and to whom; (iii) access their personal data; (iv) request that a business delete any personal information collected from the individual; and (v) not be discriminated against for exercising their CCPA privacy rights. The CCPA was drafted and passed on a rushed basis, so in 2020, California enacted the California Privacy Rights Act of 2020 (CPRA), expanding and modifying the CCPA to allow individuals even greater control of their personal data and establishing the California Privacy Protection Agency to provide regulations and enforce the laws.

Following in California’s footsteps, three other states (Virginia, Colorado, and Utah) have enacted laws establishing privacy rights for their state’s residents. The CPRA and the Virginia Consumer Data Protection Act (VCDPA) are both going into effect January 1st, 2023. The Colorado Privacy Act (ColoPA) will go into effect on July 1, 2023. And the Utah Consumer Privacy Act will follow with an effective date of December 31, 2023. I’m in the midst of working with a number of clients to help prepare them for these changes.

Each of these laws is different in scope and application, and there are multiple additional states with privacy-related legislation in some form working through the legislature. This patchwork of different state laws is going to make privacy-related compliance more complicated and expensive. It’s a rapidly developing landscape that we are helping our clients navigate. It’s both an exciting and challenging process.

For the benefit of our readers, can you briefly tell our readers why you’re an authority about the topic of cybersecurity?

My expertise in data security and privacy issues has had a long path. I first began advising clients who had been frustrated by the cost of discovery on how to assess what data they had, why they had it, and whether they would be better served by simply deleting large parts of it that was no longer relevant to their business. My timing was good. This was about 10–15 years ago, just as consumer awareness of their personal information was starting to be a real thing — with e-commerce, social media, and mobile devices and applications all increasing exponentially the quantity of consumer and personal information floating around.

Both individuals and lawmakers (here and abroad) were waking up to the fact that there were not many laws, rules, or even notices out there about what businesses were doing with the personal data they were collecting. Selling and sharing personal information were quite common, often without an individual’s knowledge or consent. And people were not happy about that.

So various laws have been passed, here in the U.S. and in other nations, that may govern both privacy (what rights an individual has regarding the personal information they share with a business), as well as data security (what specific safeguards a business must have in place to protect the personal or otherwise confidential information it has collected). And this is a rapidly changing legal landscape, with both state and the federal governments passing their own laws, with additional pending potential legislation looming on both levels.

I advise clients regarding their legal compliance obligations. Where no specific legal or regulatory framework is mandated, we work through reasonable best practices based upon a client’s known and anticipated risks, as well as the severity and potential consequences of inaction. When implementing a security program, the challenge is to balance appropriate security and safeguards with the need to still allow the business to provide its goods and services to customers with as little disruption as possible.

Can you tell our readers about the different forms of cyber-attacks we need to be cognizant of?

The most headline-grabbing one these days is probably ransomware, in which case a bad actor has taken control of your system (and data) and refused to return your access unless you pay the demanded ransom. Often a second component of the attack will involve a threat to expose hijacked data unless the ransom is paid. Ransomware attacks have become far more expensive recently, up to an average of $4.62 million in 2021, according to the “Cost of a Data Breach Report” prepared by IBM Security and the Ponemon Institute.

In addition to ransomware, breaches can be intentionally triggered by bad actors through compromised credentials, phishing, social engineering, business email compromise, physical security compromise, or malicious insiders. There are also data breaches that may be triggered more by carelessness, such as: accidental loss of data or devices, system error, cloud misconfiguration, or vulnerabilities in third-party software.

Who has to be the most concerned about a cyber-attack? Is it primarily a business or private individuals?

The answer is everybody needs to be aware and concerned.

Individuals might find themselves the victim of identity theft or false tax return claims where people submit returns on their behalf and try to get their tax refunds back. High-net-worth individuals may be targeted more frequently, as could more vulnerable groups, such as seniors.

Businesses, on the other hand, likely have more data and more money at stake than most individuals. Businesses need to be protecting not only their own confidential or sensitive data, but also that of their employees, vendors, customers, and clients. In good news for businesses, they have the option of obtaining a cyber insurance policy to protect against loss or damage in the event of a data-related incident.

Who should be called first after one is aware that they are the victim of a cyber-attack? The police, the FBI, a cybersecurity expert?

In a perfect world, the business will have an incident response plan already drafted and in place, identifying the members of the incident response team and setting forth the steps and procedures for analyzing the issues and escalating where necessary. The incident response team will include both internal and external resources, and different members of the team will be activated and involved depending on the severity of the incident.

The basic playbook for any security incident is:

  1. Discovery and reporting: identify the potential incident and report it to the proper person in accordance with the incident response plan (likely someone in IT);
  2. Containment: secure and isolate affected systems and preserve evidence;
  3. Investigation: gather information to determine what happened and determine whether there are legal obligations to fulfill;
  4. Eradication of the incident;
  5. Recovery and remediation: bring all systems back online and comply with notification requirements, if necessary; and
  6. Post-incident review: review and improve practices and policies, as needed.

It is critical for businesses to understand that not every security incident is or results in a data breach, and businesses should be very cautious about this terminology. The word “breach” means that the incident is one that fits definitions set forth in the various individual states’ breach notification laws and triggers legal obligations.

Law enforcement can be incredibly helpful upon discovery that a data breach or other substantial cybersecurity incident has occurred. The FBI is the lead federal agency tasked with investigating cyber-attacks and they are familiar with many of the bad actors and their playbooks. The FBI has also established the Internet Crime Complaint Center (IC3) for victims of cybercrimes (including individuals) to file complaints. For businesses who have determined that they have indeed suffered a data breach, the involvement of law enforcement may give that business some breathing room on notification obligations, as several notification laws have notification deadline extensions while a criminal investigation is underway.

What are the five things every American business leader should do to shield themselves from a cyber-attack and why? And please share a story or an example for each.

First, business leaders should foster a culture of security awareness within their organizations. The messaging should be clear from the top down that data security is not just an IT issue — it really is an issue for everybody working and engaged with the business. Having this type of clear and consistent messaging is vitally important to keep it top of mind for employees, including the leaders of the organization, for it to be effective and credible.

Second, business leaders should make sure that their organizations have clear written information security policies and incident response plans. An ounce of prevention is worth a pound of cure when it comes to internal policies and practices. Employees should have clear guidance on rules and expectations when it comes to handling and accessing company systems and information, and they should know who to report to if they spot a problem. By going through the process of creating and implementing policies and procedures, the business leaders will spend meaningful time really thinking through risks and prevention strategies related to the collection and maintenance of sensitive or protected information.

Third, business leaders must provide regular and consistent training to employees related to data security. I really cannot emphasize enough how important training is. A business can spend countless dollars on information security tools and software, all of which may be useless if your employees don’t know not to click on that unknown link or open that unexpected attachment. Businesses are constantly being probed from outside sources trying to penetrate their technical safeguards. Most employees are not typically looking to hurt the business intentionally, and they’re not intentionally looking to divert funds or information. They’re just going about doing their jobs, as quickly and efficiently as they can. But they need to be made aware that even though they might not see it and they might not feel it all the time, they are constantly under attack. Regular training will create a vigilant workforce, which can be the best defense against a whole lot of bad actors.

Fourth, business leaders need to invest in technical safeguards and in the people needed to keep them technologically up to date. They will want to consider investing in continual monitoring of systems and need to make sure that updates and patching are happening on a regular basis. Business leaders should also remember to consider basic physical security best practices, like keeping doors locked to onsite servers, and not leaving Human Resources and other sensitive documents out in unlocked file cabinets.

Finally, business leaders should ensure that their organizations invest in a dedicated cyber insurance policy. Data breaches or other cyber incidents are likely an inevitability for more organizations, at some point in their life cycle, and they are likely to only continue to grow in cost. Cyber insurance can provide a great deal of protection against cyber-related losses caused either by first- or third-party actions. There has been a recent explosion in quantity and cost of ransomware attacks, causing the cyber insurance industry to tighten restrictions and raise costs. Businesses that have implemented the recommended preventative measures are more likely to get better coverage at a lower premium cost.

So you’re a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? And you never know what it could trigger.

If I truly had a magic wand, I would address a number of fundamental human rights crises, such as climate change, hunger, and peace across the globe. Change that I think I could actually help to effect, particularly within my area of expertise, is federal legislation enacted to protect privacy rights of all US citizens.

How can our readers further follow your work?

evandesteeg@lplegal.com

https://www.linkedin.com/in/lisavandesteeg/

This was very meaningful, thank you so much. We wish you only continued success on your great work!
