Emerging Litigation Podcast

President Biden's Critical Infrastructure Cyber Memo and CrowdStrike's Whoopsie Daisy with Elizabeth Burgin Waller

Tom Hagy Season 1 Episode 90

How secure is our nation's critical infrastructure? One recent event serves as a cautionary tale. In this episode, we tackle this pressing question in the context of cybersecurity. We'll address President Biden's recent National Security Memorandum on Critical Infrastructure Security and Resilience, and its implications for sectors like energy, water, and transportation.

Our guest, Elizabeth Burgin Waller, from Virginia's WoodsRogers law firm, brings her extensive knowledge in privacy and cybersecurity law to the discussion.

Join us as we discuss ransomware as a service, shedding light on its franchise-like model and the significant challenges in tracking and prosecuting these cybercriminals, especially those hiding in countries like Russia. We discuss the recent takedown of the LockBit ransomware gang under Operation Cronos, and the persistent and growing complications of IoT security.

CrowdStrike's recent software glitch, while not a malicious attack, serves as a stark reminder of the importance of testing and transparency around cyber incidents, and the vulnerability of the systems that drive critical industries. Tune in for expert insights and reflections on the evolving regulatory landscape and what it means for mitigating risk in the Digital Age.

Beth is Principal and Cybersecurity & Data Privacy Practice Chair at WoodsRogers. In addition to a J.D. from William and Mary School of Law, she is certified as a Privacy Law Specialist by the International Association of Privacy Professionals (IAPP), which is accredited by the American Bar Association, a Certified Information Privacy Professional with expertise in both U.S. and European law (CIPP/US & CIPP/E), and a Certified Information Privacy Manager (CIPM), also from the IAPP. Beth also graduated magna cum laude with a B.A. in creative writing, so maybe I should have let her write the show notes.

*******

This podcast is the audio companion to the Journal of Emerging Issues in Litigation. The Journal is a collaborative project between HB Litigation, a brand of Critical Legal Content (a custom legal content service for law firms and service providers) and the vLex Fastcase legal research family, which includes Full Court Press, Law Street Media, and Docket Alarm.

If you have comments, ideas, or wish to participate, please drop me a note at Editor@LitigationConferences.com.

Tom Hagy
Litigation Enthusiast and
Host of the Emerging Litigation Podcast
Home Page
Follow us on LinkedIn
Subscribe on your favorite platform. 

Tom :

Welcome to the Emerging Litigation Podcast. This is a group project driven by HB Litigation, now part of Critical Legal Content, and vLex company's Fastcase and Law Street Media. I'm your host, Tom Hagy, longtime litigation news editor and publisher and current litigation enthusiast. If you wish to reach me, please check the appropriate links in the show notes. This podcast is also a companion to the Journal of Emerging Issues in Litigation, for which I serve as editor-in-chief, published by Fastcase Full Court Press. And now here's today's episode. If you like what you hear, please give us a rating.

Tom :

President Biden, you've heard of him. He's been in the news a lot recently after a pretty big move that's got a lot of people talking, and, of course, I'm referring to his recent National Security Memorandum, which underscores the importance of cybersecurity to protect the nation's infrastructure. Did I trick you at all there? The memorandum highlights escalating threats facing critical sectors like energy, water and transportation, emphasizing the need for robust defenses and coordinated responses to protect against malicious activities. Foreshadowing, the memorandum enhances the role of the Cybersecurity and Infrastructure Security Agency, CISA, in overseeing and strengthening resilience against cyber threats nationwide. And, although not a cyber attack, the recent CrowdStrike blue screen of death takedown that affected airlines, banks, supermarkets, hospitals and other businesses is a cautionary tale. The effects of a software glitch, something bad in the software, certainly felt to those affected like a malware attack or something malicious. You know, "mal" being Latin for bad, and "ware", you know, from software. I think I've over-explained that.

Tom :

According to reports, parties are considering legal action against CrowdStrike. It's the worldwide leader in endpoint security. They're considering going after them for costs incurred from the disruptions or for potential violations of federal securities laws, investors having experienced a drop in stock value after the incident. There could be other customer lawsuits, regulatory fines. There'll be increased operational costs and potential loss of business as some clients may migrate to other service providers. So there's plenty of blame and finger-pointing. A Microsoft spokesperson told the Wall Street Journal that it was forced by the European Commission in 2009 to open up Windows to third-party security companies like CrowdStrike, giving them the same level of access to Windows that it gets itself. He suggests the takedown can be traced all the way back to that decision. Questions are going to be asked about whether the company took all the proper precautions, like testing and staggering rollouts and having rollback mechanisms and using enhanced monitoring systems, all of which the company may have done. You know, they're a wildly popular company around the world and, as far as I know, have a pretty impressive track record to get to where they are. So did they just have a bad day? We all have those. Their legal department and outside counsel, either way, are certain to have their hands full as plaintiff attorneys circle in the aftermath. So let's dive into all of this with updates on ransomware, supply chain vulnerabilities, critical infrastructure attacks, nation-state attacks and the good old internet of things, what we can learn about President Biden's national security memorandum and what we can learn from CrowdStrike's very bad day.

Tom :

My guest, as I artfully foreshadowed, is Elizabeth Burgin Waller at the Woods Rogers law firm. In addition to a JD from William and Mary School of Law, she is certified as a privacy law specialist by the International Association of Privacy Professionals, which is accredited by the American Bar Association, and a certified information privacy professional with expertise in both US and European law. She's also a certified information privacy manager from the IAPP and, something dear to my heart, she graduated magna cum laude with a BA in creative writing. Who doesn't love that? I know I do. So here's my interview with Elizabeth Burgin Waller (can I call you Beth?) of Woods Rogers in Virginia. I hope you enjoy it. Beth Burgin Waller, thank you very much for talking to me today.

Beth:

Thank you, it's a pleasure to be here.

Tom :

Today we're going to talk about critical infrastructure risks in the cybersecurity context, and so there are a couple of big items that we're leading into with this. One is President Biden's recent national security memorandum, and then we had a more recent event that, while not an attack, was certainly a takedown, and we're going to talk about CrowdStrike, too. Why don't we kick off with ransomware attacks? I haven't tracked them lately. I know for a while they were like the biggest thing and, oh my gosh, everybody was scared to death of them. But are they? Do ransomware attacks continue to increase? Have they changed at all?

Beth:

Ransomware attacks have continued to increase, really in terms of their breadth and scope. Maybe they're not as prevalent as we see them in terms of little minor ones popping up on the regular, but they have started to increase again. There was a period of time, especially right after the Russian invasion of Ukraine, where there was a little bit of a quiet period of time. Now we've started to see them increase and really, in terms of their sophistication, they've gotten much more damaging over the course of the last few years.

Tom :

Nothing exposed the supply chain vulnerabilities, I think, like COVID did when car parts and medicines and everything else were suddenly held up. So what can you tell us about those vulnerabilities?

Beth:

Well, I think increasingly businesses are supported by a wide range of different suppliers. We see that across the board. You know, it could be a mom and pop that's helping a manufacturing company keep a certain piece of equipment online. It could be a large-scale software system that is keeping the entire operation going from an enterprise level. But increasingly, supply chain risk is critical, and you actually see that being reflected also with the Securities and Exchange Commission. Recently they've issued some guidance that says that public companies need to address in their disclosures, in their risk disclosures, how is it that they are looking at third-party supply chain risk and how are they managing that, so that investors can have an understanding of public companies and how they're managing these types of concerns and considerations?

Beth:

So when I look at this, for a lot of my clients, what we tend to look at is you know, how are we assessing these vendors? That is, how are we bringing them in the door? Are we looking at their security posture? Are we examining it? And then also, from a contractual standpoint, how are we addressing the risk that they present? So are we putting out contracts similar to security contracts, or addendums or data privacy addendums associated with the engagements that we have with these third-party suppliers so that we're really protecting against the risks that they may present, and a lot of times in these agreements that we're putting forward, we're having them step up in terms of this is the type of security that we're going to maintain while we're providing services or products to you. This is the type of cyber insurance that we're going to maintain while we're providing services to you. In other words, we're going to keep at least $5 million in cyber insurance coverage out there.

Beth:

If I'm a vendor, or require that of my vendors. And then also, if the vendor experiences a breach, and this is really critical, how are they going to make you as a business whole? How is it that they are going to come and provide both information about the incident? Do they have to provide you a notice within a period of hours or days, or "immediately", quote unquote (I'm using scare quotes)? But the idea being, you know, what are we requiring of our vendors and how are we making sure that they tell us about the issue that they're facing? How are we making sure that they stand up and provide notifications to our customers or employees if they've experienced a breach? And then the other thing that we're building into these provisions is also indemnification for things like attorney's fees.

Beth:

So let's say that I represent company A, who has a vendor that's experienced a big breach and we've lost all of the social security numbers of our 10,000 plus employees, right? Well, company A is hiring me as outside counsel to represent them, to look at the vendor's issues, and so they are incurring costs associated with outside counsel fees. What we're really trying to make sure we have in place in these contracts is the ability to recoup those costs. So what we're building into these security supplements is the idea that not only are you going to provide the breach notice to my employees, but you're now also going to provide my attorney's fees for having to deal with the headache that you caused, and so these agreements are really critical to making sure that we shore up some of this supply chain risk.

Tom :

Yeah, you know what and I'm going to come back to critical infrastructure because we'll see if that's appropriate, but I want to come back to that in a minute. Okay, nation-state threats how is that going? I mean, we certainly will hear a lot of it, I guess in the well, I don't know when it's not political season but leading up to elections and things. But what can you tell us about nation state threats? Are they persistent? Are they increasing? What? What should we tell people about those?

Beth:

They are persistent and, I think, increasing, and what is a little bit scary is that, with nation states, they're not, you know, banging around making a lot of noise that they're there, right. The idea being, what we've seen, for example, in the water critical infrastructure space, is that there is a lot of concern that there are what we call, in the industry, advanced persistent threats or APTs, or the idea that they're in hiding, lying in wait. For example, China, you know, dug in deep with the idea being that, if they did decide to take an offensive action against Taiwan, they would be able to utilize this as a distraction to our national security by impacting something like our water or, for example, the power grid or things of that nature, in order to again distract from what they may be doing abroad. So nation states are absolutely active, and in the field it's a little bit more difficult to ascertain that someone is, you know, associated with them, but they're absolutely out there. A lot of times the challenges in terms of trying to go after some of these nation states, that's really a US government related issue versus a private entity or a local government, for example, in the national critical infrastructure space, but you do occasionally see the takedown of threat actors. It's not common, because what we're dealing with is a criminal underworld, and so a lot of times they're masking their location through IP masking services, kind of like hiding your phone number, right. They try to show up as if they're coming from a different location than they actually are.

Beth:

But you do occasionally see the takedown of some of these threat actors. We saw it most recently with the takedown of LockBit. Now, these ransomware gangs all have kind of nonsense names, and LockBit was one of them. But in Operation Cronos, which was the project name, it was across FBI, UK, you know, a US-UK law enforcement takedown of one of these big ransomware gangs. They were able to take down the ransomware threat actors' website. They were able to also do an unmasking, as they called it, of LockBitSupp, which is like the supervisor, so LockBit S-U-P-P, and they were able to identify him as a man named Dmitry Khoroshev. Of course they sanctioned him, but he was based in Russia. So the concern is a lot of these folks live in places where we can't really extradite them or get them here on US soil to be prosecuted, and so instead we're really left with things like sanctions or public shaming, if you will, to share that this is who they are and what they're about.

Tom :

Yeah, that'll get them, that's right. It seems like naming these different groups must be the most fun part. The rest of it, that's right, that's right?

Beth:

Well, a lot of times they have wild names like Royal or, like I said, LockBit, or, you know, Akira, which I always think of as having almost like an Atari interface on their website.

Beth:

And most of the time, they have these names. A lot of times too, it's now developed not just as kind of one gang, but they've developed what we call ransomware as a service. It's almost like software as a service, or like a Chick-fil-A franchise. So it's like, hey, I'm going to go get me a LockBit franchise and I'm going to go out there and say that I'm part of LockBit, and I just send back to the mothership, much like in a franchisee kind of scenario, I send back a taste and I get to use their mark and their materials to say that I'm associated with this. And so that's really what's caused kind of ransomware to spread, a little bit like octopus tentacles everywhere, is you've got, you know, people all over the place. It could be two dudes in a basement sitting in Baltimore, or it could be, you know, a nation state like North Korea. You just don't know.

Tom :

I don't know if the franchise model, if there's any history for that in crime, if I thought about it for a bit, I mean, did the mafia have that?

Beth:

I suppose To some extent maybe.

Tom :

Yeah, they did, that's right. Yeah, maybe like if you were a New York mob, maybe you were out and like you had the Toledo franchise, right.

Beth:

Well, the challenge too, with, you know, people often ask me, knowing that I'm a cybersecurity attorney, they say, OK, well, would you pay a ransom or do you suggest paying a ransom? Or they kind of assume a position on ransom payments. And what I tell people is, again, when you think about it, it is like the mob family or, like, you know, Tony Soprano. If you watch the Sopranos, you know, if you're making a payment to Tony, that doesn't mean that Christopher Moltisanti or some other member of the family is not going to come along, right, and ask for a taste as well. So you have to understand you're dealing with criminals, and so, yes, they're going to make promises, but are they promises they intend to keep? Who knows? And so that's why we often recommend not making a ransom payment, if you can help it.

Tom :

You obviously did watch the Sopranos. You know not only the first name but the last name of Christopher, et cetera.

Beth:

That's right. That's right. I'm a big Sopranos fan. That's right.

Tom :

I get tired of having them in my living room. I loved it, but after a while I'm like you know I hate everybody here.

Beth:

I don't even like the kids.

Tom :

I didn't like the FBI, I didn't like the kids, I didn't like the priest.

Beth:

That's right. Check that out, yeah.

Tom :

If you're a Sopranos fan, they are charming and funny, and because they really bonded as kids on that show, and they talk about how James Gandolfini was really protective of them, and now they are so sweet and funny. It's just, it's cool. So the Internet of Things, that was really hip and in vogue for a while, everybody talking about that, but is that still an issue?

Beth:

Absolutely. I think we see more and more connected devices everywhere you turn. I mean, right now, your fridge, your refrigerator, might even have an IP address associated with it and will tell you when it's out of milk. I most recently was driving my car and it sent me a text message telling me that it had a low tire. You know, so it is.

Beth:

You know, the internet of things is really everywhere at this stage, and so one of the concerns, especially if you're representing businesses or even within a law firm or otherwise, you know, one of the concerns is thinking about, OK, you know, this is a connected device, which means it's connected to something and it's potentially on our network. Is it a doorway in? Is it a way for somebody to gain a foothold, as we call it, into our environment, and how do we protect against that? And it goes back to some of the contract issues that we talked about before. Whether it's direct access into your network with a VPN or whether it's just this teeny little device that's connecting in, each of them can have the same level of risk, and so you need to be thinking of that and really contracting around that risk.

Tom :

I didn't mean to ask the question as though I'm some rube who didn't know the Internet of Things was still a thing. I was just you know.

Beth:

I like it.

Tom :

Just so people know that I ask questions as if I don't know anything, and in some cases I really don't. But I am familiar with that, and also I'm a very satisfied CPAP machine user. You know, sometimes I will wake up with a hose around my neck, but mostly I think it's fine. But I will get texts saying, I did get, oh, I got a call from my general practitioner saying, we see you're really only breathing, you know, you're not breathing nearly this many, oh. And then they sent something about my heart, and so I had to go get my heart checked.

Beth:

Right.

Beth:

Well, there are benefits with connected devices, like you say, and I think that, putting my privacy attorney hat on for a second, because I practice in privacy and cybersecurity, you have both the security concerns, but you also have the privacy related concerns, especially with these health related devices where they are learning such intimate information about you.

Beth:

I mean, here, you know, sitting here with my Fitbit on, and it's tracking my motion, you know, it's tracking me as well, you know, and so that is a trade-off here as a consumer, right, in terms of what it is I'm willing to share in order to get that convenience. And a lot of times I think we see people really opting for, hey, I want my doctor to give me that call and tell me I have the potential heart issue. And I tell businesses all the time, in terms of privacy policy drafting, it's not a question of can we collect this information under the laws. It really is a question of have we disclosed to people what it is that we are collecting, and are we properly sharing that information with people, that this is what we may learn about you? Are you okay with it? Then, yes, continue using our product.

Tom :

Yeah, no, it was. Yeah, it was certainly welcome news. I mean, anyway, one thing led to another, but we don't need to talk about my health. I'm healthy, thank you for asking. But I want to get to CrowdStrike and then talk about critical infrastructure, because I feel like some of the things that were impacted, not everything, but some of the things, had to do with critical infrastructure, because a cyber attack can affect energy, like you said, water, health care and then, in the case of CrowdStrike, travel. I don't know if financial systems were affected. I feel like they might have been, but I can't say. Anyway, financial systems obviously would be a big thing to shut down, and business operations for some companies. Let's talk about CrowdStrike.

Tom :

So we kind of kicked it off and I said, correct me if I'm wrong, but it seems like CrowdStrike is, while it wasn't an attack, it's certainly the ramifications of it, the effects of it, were very similar to a serious attack. So what can you tell us about the CrowdStrike incident? For people who, speaking of fun names, what I was reading about it was that the outage caused by CrowdStrike was due to a faulty update in their Falcon sensor software, which is a fun name, which led to the widespread blue screen of death, which is actually a term of art. But anyway, why don't you tell us about what happened there? Sure. And then what was the impact?

Beth:

So absolutely. Well, CrowdStrike, if you're not familiar, is a cybersecurity software company. So what is kind of interesting about this, as you said, is, you know, here we have the impact, if you will, of a wide-scale ransomware event without the malicious intent. We had people crippled, it took time to go door-to-door to get things fixed. That's a lot like a ransomware event but wasn't a ransomware event. CrowdStrike provided, as you noted, this Falcon software and has sensors, essentially, on devices that are supposed to alert to a cybersecurity-related event. So they provide what's called an EDR, or an endpoint detection and response tool or software tool, and they're really, in terms of market share, I would say they're seen as one of the top three providers in this space, and so you see them everywhere, and they really are, at least prior to this incident, were known as being the gold standard in terms of what it is you could get for an endpoint detection and response tool or partner. But what happened, or what we are learning has happened, is that they essentially pushed out a software update, and they have conducted their own internal investigation, or have been reporting on the fact that they've conducted their own internal investigation, and it appears that normally when they push out a software update, it would run through kind of a series of tests or some sort of mechanism to make sure it wasn't going to break the internet, and instead, unfortunately, they did not run it through that process, or that process did not go through the way that it was supposed to go through.
So, essentially, what we have is a glitch, and I think there's going to be a lot of questions around the lead-up in terms of what was CrowdStrike doing to make sure that its software was properly updated and run in a non-negligent, to use a legal term, fashion, and then also what was the impact of that to businesses that were customers of CrowdStrike?

Beth:

Obviously, we saw the blue screen of death, as you saw it popping up, at least a lot of reporting around it popping up in airlines, right.

Beth:

So you saw Delta, apparently, as a major CrowdStrike customer, and you saw pictures of blue screens of death across a lot of boarding gates, right, because what ended up needing to happen in order to fix it, and this was the big problem, was that it wasn't something that you could fix with what we call like a group policy push-out, or like a big, you know, a single push from the IT administrators of Delta, for example, out the door.

Beth:

Instead, the only workaround was to go door to door and to fix it manually, so you had to go and touch each device that had been impacted to get around that blue screen of death. So that's what really caused the widespread concern. Businesses that had sophisticated IT departments or a lot of boots on the ground, or perhaps who were creative in terms of how they were trying to get operational, you saw them really resolve the issue quickly. But other businesses, where perhaps they had a lot of devices spread out over a lot of different places, that obviously took a lot more time to go door to door, and so I think you will see a lot of businesses experience downtime, because it really did critically impact a lot of businesses across not only the United States but abroad, and I think that we're going to see claims being made against CrowdStrike for those related concerns.

Tom :

Yeah, that's where I wanted to end up, is what is the potential liability? I saw talk of, you know, somebody either thinking of lawsuits, and then I saw, so what is the liability? And then a lot of it had to do, going back to your previous comments, around what's in the contract. So there's some discussion of contract versus tort law. Well, talk to me about the liabilities.

Beth:

Sure. Well, one of the first things that I, when I woke up that morning and was hearing about kind of widespread doom and gloom, one of the first things that I thought of was, well, let me go look at the terms and conditions, because, being a software company, a lot of times terms and conditions are published online, right, or they're standard terms and conditions. So we do have available the CrowdStrike terms and conditions. Their standard terms are posted online. Now, for most businesses that may not have had a lot of leverage in the negotiation process, they're probably going to be limited to those standard terms and conditions. For others, maybe, again, I keep coming back to Delta Airlines as my example here, maybe they had something different, where they were able to navigate or negotiate around some of those types of terms or the standard terms. But, as you see in these, you know, types, it's a very standard software contract, right.

Beth:

You have a limitation of liability clause in it. You have, you know, disclaimers of consequential damages, which would include things like lost profits and downtime, and then that limitation of liability does state that neither party, and I'm quoting, shall be liable for more than, quote, "an amount that exceeds the total fees paid or payable to CrowdStrike for the relevant offering during that offering subscription slash order," end quote. So again, the idea being that you are limited to fees paid, even if you can get around the consequential damages disclaimer. But the terms are governed by California law, and venue is in California. So I think it's going to be a question, and I think we may see some lawsuits pop up in California courts, and we'll have to see what the courts do with these terms and conditions and what they say those terms mean. We are also seeing, so you have kind of claims, business against business, against CrowdStrike, so I think that could occur. You also have shareholder claims that have already started popping up. Within the first 24 hours you saw advertisements for shareholder class action lawsuits against CrowdStrike. You also saw some other class actions being potentially thrown around, the idea of maybe other businesses joining in potentially into a class.

Beth:

Then, of course, there's also the bucket of the impacted. You know, let's say that I am a business that was impacted. There are also possible claims against cyber insurers as well. So the idea, and this is really where, from a geeky lawyer standpoint, I'm interested to see what happens, because, as you said, this is not a malicious software event. This is potentially a negligent push-out of a software update. Again, I say potentially because, again, some court is going to have to make that determination, but we have a software impact or glitch that essentially caused this impact.

Beth:

But a lot of cyber insurance has, or several, there are cyber insurance policies that have basically business interruption clauses in them, and so we are seeing claims being made under those policies, and so we'll have to see what the insurance carriers really do with that and whether those types of matters end up in the courts as well. The idea being, what does this term mean under the insurance policy? I think we're going to see that happen. I will say, I think I saw that at least one major carrier had its public filing, you know, financial disclosure, within the last few days, and it had not updated its guidance suggesting that it thought it was going to have widespread losses from this. So they may be feeling pretty confident about the language that they've used, the idea that it's got to be a malicious software or a malicious event that triggers this. But I think we're going to see this play out in the courts, and I think the cyber insurance industry is also going to be really watching it closely.

Tom :

They end up paying or not paying for a lot of things, and then when they don't, obviously then there's massive litigation. You talked about geeking out about insurance law when I told you earlier about how all I did for years and years was write about law. For many years, all I wrote about was the pollution exclusion in insurance contracts. Exactly, yeah. So boring, right. No one wanted to talk to me about that, but I became so interested. To me, that's when law became, to me, became.

Beth:

It's like a philosophical argument that has a big impact, a real-world impact. It's not just, you know, what do you think, in any way. So I appreciate the geekiness. Well, I really think that that pollution exclusion that you're talking about, it's the same kind of, it's the same thing you were wrestling with back in the day on that particular exclusion. The same kind of concerns are going to emerge related to this dependent business interruption and all this jazz, those types of provisions, and we saw this also happen with cyber war exclusions a couple of years ago too.

Beth:

Even if it's not reflected in the courts, I certainly think it's going to be reflected in policy drafts and specimens that we see in the next few years, that it's going to be absolutely crystal clear that this relates to a malicious event. It's not a whoops, whoopsie-daisy. You know, the intern hit the wrong button on a Friday afternoon and sent down the internet, or took down the internet. I think it's going to be, you know, much. It's going to be spelled out a lot clearer if there is ambiguity currently in those policies.

Tom:

Yeah, no, I mean, there was an original draft of the pollution exclusion where they actually had the word, the phrase "whoopsie daisy" in it. It's a legal term. Well, it had to do with "sudden and accidental." Accidental is whoopsie daisy. I'll just ask you this question generally. How a company reacts when an event like this happens has to have a huge impact on their liability or their insurance coverage, right?

Beth:

Absolutely.

Tom:

So did you observe anything here that, or would you have, general, like, what maybe a company should do when this happens?

Beth:

Well, I will say that I think you have to be. It depends on what, in terms of, if you're thinking of it from, if I was representing somebody who had the whoopsie daisy that occurred, I think that there are certainly things that they did right from out the gate, which is, you know, within something like 78 minutes, they had made the determination as to what it was that had broken and they had gotten the fix out. The problem was, the fix was such a manual fix that nobody could fix it fast enough, and so, you know, I think being transparent is a really good thing. I will say that, when you look at where they are from a Securities Exchange Commission filing standpoint, that's where I think it's getting very interesting. And again, from a geeky standpoint, interesting because they filed an 8-K. They did not file it under the, and I won't go down too deep in the weeds under securities laws, but they went down a different path than the cybersecurity material incident path. They made a disclosure, it was very brief, and they said, hey, this is an evolving situation. We continue to evaluate the impact of the event on our business and operations, but they didn't describe it as a material event, and so I think that's going to be interesting to watch. Maybe pop some popcorn and see what happens with the SEC and the courts and shareholders in the future about: was this an appropriate disclosure of what it is that they faced?

Beth:

They didn't say a lot of our customers are mad at us. They didn't say we were being called to testify before Congress. Like, they didn't say some of those issues. Maybe they don't need to say them right away, but I think, again, much in the same way that insurance policies tend to catch up after something like this, we could see also regulations catch up after this and say, OK, technically you're right, OK, we'll play the game. This may not be a cybersecurity incident, but you still had a requirement to tell your investors or your shareholders that this was a severe event. And did you meet the letter of the law, question mark? We don't know.

Tom:

I'll say this: it was a cyber event. You know what I mean.

Beth:

Right, I think it's interesting because what also happened, and again, to geek out briefly, is that there was another major incident that affected another software company within the last few years that had a lawsuit from the Securities Exchange Commission. That's SolarWinds. The Securities Exchange Commission sued the SolarWinds software company and they also sued the chief information security officer, Tim Brown, and the industry, in particular my industry, was really watching what was happening with that particular lawsuit because it was the first time really that a CISO, chief information security officer, had been named to be basically personally liable for something like this. And what was wild is, the day before the CrowdStrike incident, you have SolarWinds.

Beth:

The district court issued its opinion in the motion to dismiss related to the Securities Exchange Commission filing, or the really large complaint filed against the CISO and SolarWinds, and the court really gutted that particular lawsuit by the SEC and said, look, SolarWinds was transparent with its shareholders.

Beth:

You know, because they were really relying on pre-incident Securities Exchange Commission filings and post-incident Securities Exchange Commission filings. The SEC was, in its complaint, and the court cut a lot of that out and said, listen, you don't need to get into, like, maximal specificity around these incidents and what has occurred, but you do need to convey the severity of the situation. So, you know, in the dust settling around SolarWinds, bam, here comes CrowdStrike and says, evolving situation, we'll let you know. So we'll see again what's going to happen from a regulation standpoint in terms of, are there going to be, is there additional guidance that's going to come out to companies about these types of issues, that, like, look, you need to really get into sharing with people the impact this can have on the brand and on the finances of the company.

Tom:

Yeah, yeah, what companies say publicly, what they say in SEC. And it's like, if you want to feel bad for companies, sometimes I do, it's like, well, if we apologize, does that mean something? Were you admitting something? And then what they say, that'll affect their stock value. That can just be wildly, like. It doesn't take. Somebody sneezes and suddenly everybody wants to sell. And I do remember when I first started covering anything to do with the SEC and reading this, reading these, their five company filings, I was always impressed with the disclaimer that, by the way, everything here might be wrong. I don't know, I'm paraphrasing, but I feel like there's a disclaimer like that. It's like,

Tom:

This is forward-looking.

Beth:

Forward-looking, like, we don't know. We don't know, we don't have a magic eight ball, right? Exactly, but I do think that you do know something, and so I think you have a duty to share something. Sure, but, like you said, in the immediate aftermath, and back to kind of ransomware concerns, you know, being one of the first people called to the scene, almost like the fire truck, you know, my concern is immediately about privilege, and it is about what is it that we're saying in the first few moments, because class action lawsuits can occur. There is a chessboard that immediately starts to emerge, where everything we're doing in the immediate aftermath could be used, can and will likely be used against us in future litigation. So, trying to be both transparent with your constituents and be open and upfront about things, but then also, to your point, be very careful about, do you say you're sorry, yes or no, you know? Do you admit some sort of liability? Hopefully not, you know. So the goal is to really, it's a fine line, and really it's a very difficult needle to thread.

Tom:

So, Beth, thank you very much for talking to me today. This was fun.

Beth:

Thank you. It was great to be here and to geek out with you.

Tom:

That concludes this episode of the Emerging Litigation Podcast, a co-production of HB Litigation, Critical Legal Content, vLex Fastcase and our friends at Law Street Media. I'm Tom Hagy, your host, which would explain why I'm talking. Please feel free to reach out to me if you have ideas for a future episode, and don't hesitate to share this with clients, colleagues, friends, animals you may have left at home, teenagers you irresponsibly left unsupervised, and certain classifications of fruits and vegetables. And if you feel so moved, please give us a rating. Those always help. Thank you for listening.