Working From Home: Cyber Hygiene in the COVID Crisis


As corporations and even entire municipalities are increasingly advising or requiring their employees to work from home in light of COVID-19, it is important to remember that doing so is not without its risks. For any organization that has information to protect -- whether customer or employee personal information, financial information, or confidential and proprietary trade secrets -- permitting company data to travel home with or be remotely accessed by employees raises the chances of a cyber incident involving that data. When a “cyber-mishap” occurs, the company may have a duty to report the incident to consumers, regulators and business counterparties. Put simply, cyber criminals are not expected to take a “corona-holiday.” In fact, some might even prey on vulnerabilities created by the situation. Fortunately, there still is time to address the potential privacy and data security risks -- and to develop clear guidance for employees to follow. These policies should be tailored to each company’s specific risk profile and communicated clearly to all employees.

While every organization’s information security defenses are unique, some of the most common risks to be addressed concerning remote work include the following: unsecure personal and public WiFi networks; working on unsecure personal devices; transferring corporate data using personal e-mail accounts; synching with personal cloud storage accounts; physical document management and destruction; unsecure connections to employer systems; unsecure conference call lines; and phishing schemes and other frauds. Because many employees are justifiably concerned for the health and safety of themselves and their families, it is understandable if data security is not their first priority. However, with some careful planning, well-defined policies, and transparent communication between employees and management, companies should be able to maintain the security of their data while keeping their employees safe.

Featuring: 

Nicholas Degani, Senior Counsel, Federal Communications Commission

Paul Eisler, Director, Cybersecurity, USTelecom 

Joseph V. DeMarco, Partner, DeVore & DeMarco LLP

Teleforum calls are open to all dues paying members of the Federalist Society. To become a member, sign up on our website. As a member, you should receive email announcements of upcoming Teleforum calls which contain the conference call phone number. If you are not receiving those email announcements, please contact us at 202-822-8138.

Event Transcript

[Music]

Dean Reuter:  Welcome to Teleforum, a podcast of The Federalist Society's practice groups. I’m Dean Reuter, Vice President, General Counsel, and Director of Practice Groups at The Federalist Society. For exclusive access to live recordings of practice group teleforum calls, become a Federalist Society member today at fedsoc.org.

Micah Wallen:  Welcome to The Federalist Society’s teleforum conference call. This afternoon's topic is titled, “Working From Home: Cyber Hygiene in the COVID-19 Crisis.” My name is Micah Wallen, and I'm the Assistant Director of Practice Groups at The Federalist Society.

As always, please note that all expressions of opinion are those of the experts on today's call.

Today we are fortunate to have with us our moderator, Nicholas Degani, who is Senior Counsel at the Federal Communications Commission. We also have as our panelist, Paul Eisler, who is the Director of Cybersecurity at USTelecom. We also have Joseph DeMarco, who is a partner at DeVore & DeMarco LLP.

After our panel has their opening remarks, we'll then move to an audience Q&A. Thank you for sharing with us today. And Nick, I hand the floor over to you.

Nicholas Degani:  Thanks so much and welcome everybody at home for what I hope is going to be a very exciting discussion about cyber hygiene and the move that we've all made. So COVID-19 is one of those things that's a once-in-a-lifetime opportunity for most. Although I know I talked with my grandmother recently and she was telling me how, when she was young back in the 1920s, they occasionally had pandemic or epidemic scares and everyone stayed home. But she said it was nothing quite like what we're facing now. And of course, then, it was much more complicated, but for individuals with families, as well as for companies, it is now, unlike back in the day, we don't keep track of all of our paperwork with paper. We do it all online, and it creates a new set of challenges for companies to face as we've grown with things like personal devices, home access to computers, to corporate servers, unencrypted networks, and of course, the mass migration to teleworking that we've seen for the white-collar workforce.

Now the FCC does have a small part to play here. They've been working with our ISPs and telephone service providers to keep Americans connected. And as of today, over 700 companies have taken the pledge that Chairman Pai put out to keep Americans connected and do things like waive late fees for Americans that can't pay, as well as opening up more Wi-Fi hotspots to the public to reduce the load on any given hotspot in the network. But there's so much more that needs to be done, that needs to be taken into account by the General Counsels and the IT systems of those who are trying to manage these corporate work-at-home arrangements.

So Joe, I think I'm going to turn it over to you. Do you want to tell us a few things that you're seeing out there, in terms of why cyber hygiene is so important with COVID today?

Joseph V. DeMarco:  Sure. Thanks so much Nicholas and thank you Micah and to everyone at The Federalist Society for supporting this teleforum. So just by way of background, I'm a lawyer and the full-time focus of my practice is the law of data privacy and security, regularly representing companies and organizations that have faced issues of cyber-crime, data hygiene, data privacy, and the like.

Before starting the firm, I was a federal prosecutor in Manhattan, and I ran the cyber-crime program at the U.S. Attorney's Office in Manhattan. So I've been doing this about 20 years and the first thing that struck me, in addition to the immediate safety of the people around me when, in early March, this hit with full force, was the realization that we're about to see—and we, in fact, have seen—what is arguably the largest mass migration of a workforce in human history. Because essentially, in most countries around the world, huge segments of the population, basically anyone that can work from home remotely, have been working from home remotely. And that is never -- that has never been happening before. People have episodically worked from home before. Some more, some less.

But I know the very first thought in my mind, when that realization hit me was that we were going to see an incredibly large number of cyber incidents occurring as a result of the inherent insecurity of most home connections. And that there were going to be profound law and policy consequences, not only during this time, but also in the aftermath. Because I do think it will become the new normal that a substantial percentage of the population substantially remains at home working from home and telecommuting. A number of my friends have said to me, why do I have offices when I could be working from home?

I think the very first important thing to keep in mind is awareness. Understanding just what the risks are and what the vulnerabilities are and then trying to manage those. And look, I'm not saying that everyone's home connection is necessarily a breeding ground for cyber-crime, or inherently vulnerable. I have had some clients, organizational clients, where the companies, or the organizations, have literally built home offices for their employees. And they've built those home offices to office-standard specifications with the same kind of robust security that the employee would otherwise have in the office.

But what I'm also aware of is the fact that people who would only occasionally work from home, or never work from home, or just maybe occasionally worked on their iPhone at home, are all of a sudden finding themselves working off of their, let's say, daughter's 2002-era Gateway laptop computer, which hasn't had its antivirus or antimalware systems updated since 2006 and cannot even be updated at this point because it's so old and out of date. What I do see, in a nutshell, is a lot of attorneys, a lot of businesspeople working on insecure networks, insecure laptops, insecure desktops with insecure connections practicing poor data hygiene. And by data hygiene, I mean simply keeping your data organized so you know where it is. Commingling their company, and their client's data, with personal data on shared machines, or shared drives, shared networks, or shared thumb drives, and not really thinking as much as they should be about how to fix that situation.

I think the first point is just kind of understanding that any organization has, as its weakest link, potentially, an employee working from home in these days. And unfortunately, for better or for worse, the law does not care where a company, or an employee, or an organization has a vulnerability. The law will impose the same consequences on that organization, regardless of whether or not the data snafu or hiccup happens in a very secure environment or an insecure environment. So I think the first key point is just kind of raising awareness and really providing a call to action to everyone who is listening to do everything that they humanly can within their powers and abilities to lock down their systems, lock down their networks, update their antivirus, antimalware systems as much as they can, work collaboratively with their employers—again, many of whom are quite capable of helping out—and understanding what the inherent risks are. I think that's, I think, one key point.

I think another key point is understanding that just because you're working from home and you may need to have meetings via teleconference calls or video conference calls using services like Zoom or GoToMyPC or LogMeet, or TeamView, or any one of the great platforms that the FCC -- I'm sorry, that broadband has enabled, what that means is that with those technologies and platforms come vulnerabilities. For example, you may be on a Zoom conference call. And for very good and legitimate reasons, you may want to record that call for note taking. Well, again, just kind of an ounce of awareness is worth a pound of cure. There are laws in many states that prohibit the recording of telecommunications, telephone calls, or audio calls, unless every party to the communication consents. And even where you do have the consent of every party on, let's say, a 23-person or a 10-person Zoom meeting—and I'm just using Zoom as an example. My comments are technology neutral—it may not be the case that people who just wander into the room when an employee is on a remote call, that those people have consented. And if they haven't consented, then you don't have everyone's consent to a call.

So I think raising awareness as to the fact that these technologies do allow for incredible communications, resilience, collaboration, productivity, even in the face of this global pandemic, doesn't necessarily mean that you should only be thinking about those considerations. You should also be thinking about security, privacy, data integrity, data hygiene, and the like.

And then I think the final point I would make before turning it over to Paul, is just kind of raising an awareness that, as we saw in the days after 9/11, when I was working in Lower Manhattan as a federal prosecutor, and the days following Superstorm Sandy, when I was at my current firm. In the aftermath of these great tragedies, or great news events, unfortunately, criminals see opportunity. And so I, in my own practice, just literally in the last six weeks have seen a dramatic increase in the number of clients, companies calling me, following their being targeted by phishing attacks, email spoofing, watering hole attacks, the whole range of cyber-crime, as well as intellectual property theft.

The fact of the matter is, people's guards are down, they're kind of back on their heels, they're off their game, they're distracted by their kids or their loved ones, or whatever the distractions at home might be. And they're just not quite as on their game as they normally are, being on the alert for cyber-crime. And unfortunately, in the world in which we live today, even one or two incidents of cyber-crime can be potentially crippling to an organization. Particularly if it relates to a [inaudible 00:10:41] attack.

So I think the key takeaways are awareness. Do the best you can. Control what you can control. Secure where you can control. Prepare for the day when you will return to work, because you will, someday, return to work. And be cognizant of where all your work materials are so that you can take them back to work with you, where they belong. Shred things that need to be shredded, even at home. Or have a shred bin that you bring back to the office to shred in your office shredder. And be on the lookout for suspicious things: emails, communications, that you don't expect to come in. I think if everyone just does a few of those things, their risk profile will decrease dramatically and, undoubtedly, everyone at this time, especially, has a lot of other things to do besides responding to a cyber-crime incident that they, unfortunately, enabled or permitted.

Nicholas Degani:  Thanks Joe. Paul?

Paul Eisler:  So as mentioned, I'm the Director of Cybersecurity at USTelecom. I come to you from about a decade of experience in cyber policy. And I serve as Legal Advisor to the Council to Secure the Digital Economy, which is a partnership of 13 global ICT companies that publish influential security guidance, as well as Vice Chair of the Communications Sector Coordinating Council Cybersecurity Committee, which facilitates public/private cybersecurity initiatives across the U.S. government.

So I want to take a step back and just start by appreciating how remarkable it is that millions of Americans are working from home during this historic crisis. It shows a high degree of adaptability and resilience, not only of the American people, but also of the technologies that allow them to keep working while distancing socially.

Throughout this pandemic, the internet has been the central means of keeping Americans connected and enabling telework. Internet service providers are working day and night to meet the broadband capacity needs of families, communities, and enterprises they serve. Prior to the pandemic, people might wonder, how will America's broadband networks fare in a crisis? Will the infrastructure hold up? The networks have proven to be strong and resilient, like the American people. Having spoken to companies whose employees are on the front lines, I can say with certainty, they view the current situation as a wartime-like effort. There's a real sense of civic duty. That is why major providers have signed the Keep Americans Connected Pledge to ensure the people's ability to communicate unhindered by the coronavirus. And I'm proud to say that my employer, USTelecom, is among the signatories.

According to data from six large ISPs, the increase in network traffic ranges from 13.7 percent to over 55 percent at the high end with a mean of 27 percent. The network performance remains strong and efficient. We, as a nation, are doing remarkably well in terms of enabling telework. And I don't want to lose sight of that as I describe some of the known cybersecurity challenges, which the teleworking environment exacerbates.

We have seen a number of cyber-threats emerge to exploit the current coronavirus pandemic. The threats include nation-state sponsored cyber-attacks against hospitals and testing labs, misinformation campaigns, and a barrage of criminal activity aimed directly at ordinary people working from home.

Millions of ordinary people who are not cyber experts now find themselves in a position of significant responsibility with respect to cyber hygiene. Maybe for the first time in their lives, they have to start making decisions about cybersecurity risk management. That is no easy task and the learning curve is steep. Decisions about cyber risk would normally have been taken care of by their employer or third party, in many cases. Hackers are aware of the steep learning curves and they're hoping to exploit the teleworking environment's often weaker security.

The Cybersecurity and Infrastructure Security Agency, CISA, informs us that hackers are scanning for known vulnerabilities in remote working tools and software. For example, hackers may target videoconference software, such as Zoom and Microsoft Teams and virtual private network vulnerabilities. We also know that hacking groups with ties to nation states are exploiting the global COVID-19 pandemic to lure people into opening emails that spread malware. These sorts of attacks, which exploit the human element of an organization, are known as phishing attacks. Everyone is a potential target. The hackers may target a low-level employee, an intern, a CEO, a senior government official. Unwittingly, by opening an email attachment or clicking on a link, the recipient may give hacking groups a foothold into sensitive systems, for instance, critical healthcare infrastructure. We may not feel some of the cybersecurity impacts of COVID-19 until months from now, or even much later, as malicious actors may be using this opportunity to gain footholds within organizations that they can exploit at a later date.

So while state sponsored hacking groups make headlines, profit seeking cyber criminals have been exploiting the pandemic to line their pockets. How can we protect ourselves? CISA and the National Institute of Standards and Technology, NIST, have each published guidance that's worth examining on various technical measures to protect yourself and others while teleworking. This NIST document is not the easiest read for the average consumer, but it's very thorough.

And that brings us to the next fact. Not everyone is going to be able to implement appropriate security guidance using their own technical skills. For some people in organizations, getting professional assistance will be essential. You may even consider managed security services, depending on how serious your security needs and responsibilities are. One aspect of the NIST guidance I really want to stress is the importance of updating your software on home devices, such as personal laptops and IoT devices, because this is relatively easy to implement and can make a big difference. Automatic updates are usually the best way to protect yourself because then you don't have to worry about remembering to update.

I also want to underscore the importance in many cases of using a virtual private network, or VPN. A VPN not only enables remote access, but also can encrypt communications, making it more difficult for hackers to spy on you. My last piece of technical advice, be aware of what's connected to your network. Our households are filled with devices that can connect to the internet, from cell phones and laptops to refrigerators and children's toys. My go-to example of what can go wrong when you underestimate connected devices is a casino that has its database of high-rollers, gamblers who like to wager a lot of money, stolen. Hackers managed to steal the casino's database through a smart thermostat in the casino's aquarium. This device meant to monitor the aquarium water was connected to the internet and it gave hackers the very small window they needed to break in.

Beyond technical recommendations, I want to focus on the human element of cyber defense. Because this is something that can benefit everyone, regardless of technical skill. We need to foster an attitude of alertness and caution when people communicate electronically. Hackers know that when you are desperate to learn a new piece of information, it is much harder to resist clicking on a suspicious link. That's why they use COVID-19 stories as lures. People should resist the urge, whenever possible, to click on untrustworthy links, and instead, rely on official government sources. But even that can get complicated.

Some people have received malicious emails that appear to come from sources of authority such as the Director General of the World Health Organization. Some emails falsely offer thermometers and face masks to protect against the novel coronavirus. A good rule of thumb is, if you didn't solicit a message, be very cautious. Protecting yourself doesn't just mean avoiding emails from strangers. A phishing email could seem to be coming from your boss, a coworker, or even a family member. It is important to raise awareness about how sophisticated today's phishing attacks really are.

An organization I work with, the Council to Secure the Digital Economy, which USTelecom founded, put together an annual report on botnets. These are malicious software that can enable many types of cybercrimes, including phishing. They can send thousands of phishing emails at a time. The report we put together shows how malicious actors are upping their game. There are now botnets that can look through your emails, take pieces of conversations you've actually had with real people, and create a new fake conversation that references the original conversation you actually had. And this is completely automated. It's done by bots, not humans, so it can be done at scale. This is why there are certain types of information, for example, passwords and credentials to access financial instruments, and other sensitive information that you probably shouldn't give via email, even if the would-be recipient appears to be someone you know and trust completely. And in the work context, you could even be exposed to legal liability for accidentally divulging sensitive information.

Since this is a Federalist Society forum, I'd be remiss if I didn't speak to some of the legal issues of keeping information secure. The precarious cyber-threat environment creates, not only security concerns, but also potential legal pitfalls. As Joe alluded to, your legal responsibility doesn't just end because there's a crisis. For the most part, the law is indifferent to the crisis. So if you had a responsibility to keep data private or confidential before, you generally still have it now with the work-from-home environment.

This is true whether you're a company, a government agency, a nonprofit, or an academic entity. Even if you're a private individual running your own small business, you may have legal responsibilities you aren't aware of. If you're a leader, you're going to need reliable cooperation from your employees, since you're only as strong as your weakest link. There may be situations where a whole organization incurs liability for a single employee's actions.

So the proper question is, what can you do to protect yourself? One of the answers, besides speaking to an attorney about your precise situation, should be to implement better cyber hygiene. As discussed, there are basic steps almost any company or organization can take to improve security. CISA and NIST provide excellent resources to get started. Beyond that, it is everyone's civic responsibility to increase their knowledge of cyber threats and take the appropriate precautions.

I want to thank The Federalist Society for organizing this teleforum and look forward to your questions.

Nicholas Degani:  Thanks Paul. There's so much to talk about here. Thank you guys for that long and interesting introduction to this. Joe, I'm going to start with one thing you said. You suggested this is the greatest mass migration of workers in a long period of time and that telework can be made even normal. I wonder, you suggested that we will be going back to work at some point. Do you think that's actually true for all of us? Or will teleworking be the new normal, potentially for some people who used to be a (inaudible 00:22:10) on an everyday basis?

Joseph V. DeMarco:  You know, that's a great question. It's hard to know. But certainly, for many people, at least many people just anecdotally that I've spoken to, who literally can do their job anywhere there's a good internet connection, many of them are wondering do they really need to rent an office when they could work from home. So I think that there will be some portion that, of course, race back as soon as possible. There may be an initial surge as people just want to return to normalcy and maybe get away from the people that've been tugging at their shirt sleeves while they're trying to get their work done.

But on a more serious note, I do think that, again from folks that I've spoken to—and again this is just anecdotal evidence—I think there will be qualitatively more people that will work from home more often. And some portion will work from home all the time. And some portion will work at home just a little bit more. But I do think that trend will continue. I mean, I know we had very high-speed connectivity from the house beforehand, and so we're doing fine. But I know a lot of my colleagues who maybe did not have the fastest connectivity from home are now upgrading quite rapidly. And I don't see them going back to slower connections.

Nicholas Degani:  Does that mean, and I guess this is to both of you, with all these at home now, does that mean that we're increasing the attack factors for the state-sponsored enemies and the other guys who try to go after corporations by having some people -- more people at home and connecting remotely? Or is that something that's not going to actually increase the overall danger to our companies?

Joseph V. DeMarco:  Paul, do you want to go first?

Paul Eisler:  Yes. So one of the things you got to look at in cyber threats related to COVID-19 is that many of them are not new cyber threats. Many of them are just exacerbations of existing ones. I mean, there are some new vectors. There might be some things in the home that typically don't exist in companies. But generally speaking, what you're seeing is more of an opportunism because a lot of people who are managing cybersecurity from the home just aren't familiar with the different risk variables.

So what we need to do is make sure that the people who could be exposed to liability, or just have a civic responsibility, or have a responsibility to their employers, or some kind of a responsibility to keep information safe, that they are able to access tools the same way they would if they were in the workplace. I don't think that this is something that particularly can be said to affect particular organizations more than others, except that as an organization becomes bigger and scales its resources, it's able to afford a greater degree of security and expertise.

For example, you've seen very similar threats affecting organizations across industries and even organizations that -- you might think that a very large multi-billion-dollar company that is facing threats that are of a different type than those facing a small business. But very often, it's just that human element. That human trustworthiness where you see an email, you want to be helpful, and what ends up happening is that, in efforts to just be a good person and answer an email, you end up divulging something that you shouldn't. Or you end up opening the door for a bad actor. So that's a very long round-about way that I don't think that there's a way of generalizing.

Nicholas Degani:  There was another thing that you mentioned, Paul, that has me wondering now. So a lot of us at home now have Nest smart thermometers -- smart thermostats and other smart devices. And the [inaudible 26:17] Internet of Things I don't think enables one to get hacked like the casino you mentioned. Does that mean we should be disconnecting all of these things? Is there some other step that we should be taking to protect ourselves?

Paul Eisler:  So it is a good idea, if you're not using a particular connection, to not have that connection enabled. But while you're working, there's certain legitimate connections that you're going to need to be able to use. So you're going to need security for the legitimate connections or -- by legitimate, I simply mean legitimate in the context that you've actually opened them or activated them yourself, and it's not some hacker doing it remotely. So you're going to want to have protection for those. And then for the ones you're not using, it is generally good practice, even though it can be a little bit burdensome to have to maybe tell your kids to turn off an internet-enabled toy when they're not using it. But these are the sorts of things you have to start thinking about as we grow into a more connected environment with more hack factors.

Nicholas Degani:  Okay. And Joe, I know you've written on another type of security issue that we've had before, which is unsecured conference lines. I think everyone's familiar with Zoom and Zoom's obviously coming into condemnation lately. Do you have any particular concerns with the business use of unsecured conference lines? Or what's the one or two things that a business can do to make sure that whatever conference line they're using is adequately protected?

Joseph V. DeMarco:  Yeah, it's a great question, and you know Zoom has gotten a lot of press as a lot of people have started using it over the last few weeks. But for some time, I've been talking and writing about the need for people to be generally concerned with all types of communication methodologies. Whether that be a video conference service or whether that is a teleconference service. There are free teleconference services and there are paid-for teleconference services. There are teleconference services where you just need the number and you're automatically in the call. There are others where you need a number and a meeting name or number and a password.

And the same holds true for videoconferences. I mean, what I would say is, regardless of the service that you're using, whether it's a videoconference service or a teleconference service for group communications, or even a cordless phone for one-on-one communications, scale your security requirements to the risk and the level of confidentiality that the communication requires, which is just a fancy way of giving out common sense advice. Which is, if you're having a meeting with opposing counsel on scheduling depositions or scheduling discovery in a case that has no protective orders in place and is not particularly confidential, then it's probably fine to use a free conference call line or a free videoconference line.

On the other hand, if you're negotiating the metes and bounds of a protective order in a trade secret case and having very granular and detailed discussions with opposing counsel, or your client about the nature of the secret and what the protective order should and should not include, you probably want to be using a conference call or video call service that is paid for, which generally allows you to deploy more security features.

So I think that we really just need to, again, balance the need to get our job done and the great desire to use the sufficient tools with security and confidentiality considerations baked in. You don't really need a videoconference for every single communication. Sometimes the plain old copper line, hand-held, plugged into the wall telephone, if anyone still has one of those, will do. I think that's kind of my key takeaway point.

Nicholas Degani:  My understanding from Paul's organization is that almost no one does have those anymore. The takeaway.

 

      So one last thing that I just wanted to go to both of you guys is the need for us all to be cybersecurity experts now. And I know that NIST and CISA have a lot of specific information about that. If there's just one thing each of us should know or do as an employee who wants to be a good corporate citizen, what should we know or do to improve our cyber hygiene? This question's for both of you guys.

 

Paul Eisler:  I could go first. So I would say that, install every update that you can. Not just your operating system. You want to install updates for your email clients, your web browsers. There's a whole bunch of applications on your personal computer and your work computers. Hopefully you're using your work computer for work issues. And insofar as updates are necessary, don't put them off. Update, update, update.

 

      I would also say to be aware of some of the limits in your technical knowledge and don't be afraid to just ask somebody for help. It's better to ask a question, and maybe it comes across as a little bit redundant, than to be sorry later. So treat this as a collective human problem, even though ultimately, if things go wrong, you may end up being solely responsible and solely liable. That's a situation you want to avoid. So don't be afraid to go ask an expert for help.

 

      And I'll also just echo a point that Joe made in his remarks, which is you have to raise that level of awareness. There's this human element where you get an email, it seems to be from someone you know, they're talking about something that you regularly talk about with that specific person and you just have this natural desire. Oh, they need help. They need this information. Sure, I want to be a good coworker. I don't want to cause delay. I don't want to be inconvenient to anybody and ask questions and seem paranoid. But the truth is that's what the hackers, that's the very instinct that the hackers are counting on. That people don't want to be inconvenienced or don't want to be -- look like they're asking too many questions. And they just give the information.

 

      And that's how the hackers -- they're not even hacking machines. They're hacking humans. So just don't be afraid to be a little bit on the paranoid side and just be cautious about the types of threats that are out there. And I think that people will -- like I said, it's a steep learning curve. I think that people will get smart about this hopefully faster even than we can imagine.

 

Joseph V. DeMarco:  Yeah, and I would agree with that. And I would just add, you know, the advice I'm giving to my clients, which are mainly companies and organizations, is to have these conversations with their workforce. And I think the same advice is the advice that I would give to employees. Have the conversation. If you're an employee, raise the issue with your employer. If you're an employer, raise the issues with your workforce. Now, hopefully we're past the initial hump of everybody getting home and settling in their homes, and hopefully something resembling a little bit more normalcy, perhaps, has started to exist. Now is a good time to have those conversations about how to secure home networks.

 

      I've found in counseling my clients, that when they've raised these issues with their employees, again in a collaborative way designed to foster maximum partnership and common objectives, employees have responded incredibly positively. And I know that from times that employees have raised these issues with clients of mine, the clients have been incredibly grateful and helpful. So I think that it's a great way to have a conversation.

 

      It's also a great time for employers to roll out a lot of amazingly free tools that are out there on cybersecurity. I mean, people do have a little bit more free time on their hands, maybe. Some of them do. Not all. But it is a good time to use the time wisely to learn a lot about cyber hygiene and data privacy and security. And hopefully, this is one example of that.

 

Nicholas Degani:  One last question before we turn it to callers. From the policy side, I work at the FCC every day. What can the government be doing better? How can we be better serving the American people? Is there any policy prescriptions you guys would have? So I assume you guys would not favor the government stepping into direct private companies how to do this. But should we be providing more education, using more information sharing, how can we actually better help the situation here?

 

Paul Eisler:  So I would start by saying there has been a really good collaboration across all aspects of this pandemic between industry and the U.S. government. At the same time, I think that just continuing to work closely with industry and share relevant actionable information within legal boundaries. And also, just provide the industry to the extent possible with the resources and tools to help keep their workers safe. And just address the more immediate aspects of this pandemic. I think that that's where the focus is right now.

 

      I think that afterwards, we can do a post-mortem where we're starting to look, okay, how can we maybe change certain laws to make it so that information can be shared more easily? How can we change certain laws to even further collaboration among the private sector and the government partners? Because there really is a very unique and strong public/private partnership in the United States between the U.S. government and many sectors of industry. Certainly in telecom. That said, I think that we really are focused on the fundamentals of the immediate response to the crisis, making sure workers are safe, making sure we keep everybody connected.

 

Joseph V. DeMarco:  Yeah, and I would add, I think that's a great question. I think that at this stage, we just don't know. I think we're still too much in the event. But I do think over time we will see issues bubble up that come out of the fact that, to the greatest extent at least in my lifetime, the line between work and home has been blurred. And maybe even in some cases, obliterated, when you have, again, a large percentage of your workforce doing a large percentage of their work from home, that's a very different model than the model of 10, 20, 30, 40 years ago where there were very bright lines between the workplace, what employers could do in the workplace, what they couldn't do in the workplace, what employers’ rights were, over the home lives of their employees and what they weren't. Those issues will bubble up. I believe they're coming. But it's really hard to predict what they're going to be. Particularly, I think, we're just still a little bit too much in this event. But those issues are coming and they're going to be resolved ultimately by courts and legislatures.

 

Nicholas Degani:  It sounds like what you're recommending is maybe (inaudible 00:37:46) act during the COVID crisis to lead to kind of a post-mortem on how we can do better next time.

 

Paul Eisler:  I think that's a great idea.  Hopefully live.

 

Nicholas Degani:  It's a thought.  Micah, back to you.

 

Micah Wallen:  Wonderful. All right. Let's go ahead and open up the floor for any audience questions. We already have our first question coming in, so without further ado, we'll move to our first caller.

 

Cordell Corder (sp):  Hey guys. Cordell Corder, private lawyer. This is so timely. I have so many questions. But a couple of them, when you use third-party services and vendors, you know I have eero Plus at home, for example, how much does that shield you? You transfer your liability to them. Are there -- do you foresee that with all these people working at home, that companies that provide GL insurance policies that have cyber protection is going to generate a lot of new litigation? And the one thing that seems to annoy me a lot is, a lot of legitimate companies send you click-through emails all the time. Is there a way we can improve that aspect of things?

 

Joseph V. DeMarco:  So I'll take the cyber insurance question.  This is Joe DeMarco. It's a great question. Five, ten years ago, cyber insurance covering data privacy and security, in a sense, really didn't exist or was a specialty product. It's now been kind of rolled out by all the major carriers as a stand-alone product that's available. And it's not, certainly, as mature as fire, theft, and errors and omissions, and D&O policies, but your question raises a good point, which I neglected to mention. Which is, again, to the extent that you're responsible for these issues in an organization, or you're just a solo law practitioner and maybe you have cyber insurance and maybe you don't. Now's a great time to ask those questions of your broker. If I have a data security event and it happens at home, on a home machine, and results in fill-in-the-blank bad thing, am I just as covered for fill-in-the-blank bad thing as if the incident happened on premises? So now's a great time to ask your broker in the first instance. And look at the policy, those very questions. Paul, I'll defer to you on the others.

 

Paul Eisler:  So first I'll answer the easy question. Will there be more litigation as a result of this? Yes. A lot of it. In terms of the more specific question, it's really going to depend on the nature of the agreement that you have with the third-party provider, in combination with provisions of law that could come from either specific contracts you have with other parties. It could be a matter of federal or even state laws, potentially. You'd really need to speak to somebody about the specifics of your situation. So I hate to answer with an "it depends" answer. But unfortunately, that's the only one that we can really give right here.

 

Cordell Corder:  Does the fact that, you know, I'll get an email from Chase saying, click through and it's legitimate. Does that behavior bother you, and do you think there should be some kind of movement to stop that?

 

Joseph V. DeMarco:  You know, this is Joe. It's hard to answer that in the abstract. I mean, the fact is, many organizations do communicate with customers. I think a lot depends on whether there's a customer relationship or not. It's just very hard to answer in the abstract. I mean, there are a lot of communications that are completely legitimate that come from legitimate senders and it's really hard to know how to handle those, except I think, the common advice that Paul and I would give is, be very cautious. Be very cautious.

 

Micah Wallen:  All right. We'll now move to our next caller in the queue.

 

Richard Faulkner (sp):  This is Richard Faulkner. I'm an attorney in Dallas, and I wanted to follow up with a question on the cyber insurance. Do the panelists have any recommendations on specific coverages or amounts of coverage? Having looked at many of these policies, they're more hot air than actual coverage, particularly if they're simply incorporated in a CGL policy. So do you guys have any recommendations for us or any specific endorsements we may need to work from home?

 

Joseph V. DeMarco:  It's a great question. Again, not being an insurance lawyer and not being an insurance broker, I can't give you specific advice other than to confer with those specialists. But what I will say is, as a general matter, the most important thing, and I do help out lawyers from time to time deciding what they need. I think the most important thing is to understand the nature of the risk that your particular practice faces.

 

      So for example, if you're a trust and estates attorney, or a real estate attorney, or a personal injury lawyer, and you're regularly handling either settlement checks or highly detailed personally identifiable information, you're probably going to want to be most concerned about insurance that covers you for a fraudulent email that results in a fraudulent wire transfer. Or a data spill of personally identifiable information which requires you to notify individuals and regulators.

 

      So really, it is kind of, I think, in terms of just kind of brass tacks practical advice is to kind of think about what's the most likely risk your practice faces from some cyber incident. Is it a fraudulent wire transfer, a spill of PII, a theft of trade secrets or something like that? And then have that conversation with your broker, making sure that you're getting coverage exactly for that and not for incidents that really just don't apply to you.

 

      I mean, if you were an IP attorney helping clients with patent advice and not really handling any personally identifiable information, you may not need the coverage that's going to apply and pay for mass notification if you have a data breach of PII.  I think it's just starting with an understanding of your practice, the most likely cyber risk you face, and then having a candid conversation with your broker about that. And really, then, going out and getting the policy that applies to that risk.

 

Micah Wallen:  All right.  No other questions in the queue as of now. Nick, I'll toss it back over to you unless I have another question come through the line.

 

Nicholas Degani:  I have one last question, if that's okay from me.  Earlier, Joe, you had mentioned, and Paul, you as well, is there's some phishing emails that are out there. That people are specifically trying to exploit the COVID crisis. Joe, you talked about some state-backed entities. And Paul, you were talking about also how there are private businesses out there trying to scam the American people. If either of you guys have any very specific examples of what to watch out for on that, or who might be behind some of these phishing emails, that would certainly be interesting to me to know.

 

Paul Eisler:  Sure so I'll -- I mean again, common examples of things that we're seeing are, we're seeing fraudulent emails and robocalls coming from entities purporting to be Zoom. We're seeing that. We're seeing -- and other platforms. Again, my comments are platform neutral. We're also seeing fraudulent emails coming from entities purporting to be governmental regulators. We're also seeing fraudulent emails pretending to be from IT help desks at companies asking for credentials. Those are, I think, just some of the examples that we're seeing these days.

 

Joseph V. DeMarco:  So I'll take the part about the state-backed entities. What we're really talking about here are what are known as advanced persistent threat groups, or APTs. So the U.S. government, they track a variety of these groups. And they come from the usual suspect countries that you might imagine in a situation like this that have competitive interests that may be adverse to those of the United States, in many instances. And you know, for example, you go to CISA's website. You can get information about APTs and get the latest information that the government has published. There's also a lot of news articles with -- that have some experts who will strongly suggest which actors are in play. So the information is pretty easy to find.

 

      I think that with an audience of lawyers, here, we're all a little bit sensitive about naming names when you haven't examined a case yourself and haven't seen the evidence with your own eyes. Because attribution is always a big challenge. But the information is definitely out there and it's accessible. I would start with CISA's website and then just go to your usual trusted sources.

 

Micah Wallen:  Thank you much. So does anybody have anything else they wanted to cover, or any closing remarks today?

 

Joseph V. DeMarco:  Sure, this is Joe DeMarco. Again, I would just urge people to understand that when they're in their home on their computer and maybe they're connected to their work computer systems, from a law and policy point of view, it's largely the same as if they're sitting at their desk. And there are a lot of great free resources out there, by the way, on how to work efficiently and effectively at home. And a lot of them have a common theme, which is to kind of have a dedicated workspace, a dedicated work computer, not to be shifting among devices. Again, that can be challenging if you have little kids, too. And to really kind of just frame off as much as you can, the space you're working in and have that be your workspace. And really, just kind of mentally, when you cross that line, and maybe even put a masking tape line down on the floor. When you cross that line, think of yourself as being in the office and applying all the same policies, procedures, and good best practices that you do at your office with a dash more caution and vigilance thrown in.

 

Paul Eisler:  And I would just add that when you are in a position of making cybersecurity risk management decisions, which is what pretty much everybody has to do at this point, if you're working from home, do not be afraid to reach out to an expert and just ask for advice if you aren't sure about something. It's always better to ask questions.

 

Nicholas Degani:  This is Nick. I just wanted to say thank you to Paul and to Joe for their insight. I know the one thing I'm probably going to do after this call is over is update, update, update, grab all my kids' devices and look at all my devices and see what I need to update there. I know it's been too long since I last checked on that.

 

Paul Eisler:  Thank you.

 

Joseph V. DeMarco:  Thank you.

 

Micah Wallen:  All right. And on behalf of The Federalist Society, I'd like to thank all of our experts for the benefit of their valuable time and expertise today. We welcome listener feedback by email at [email protected]. Thank you all for joining us, we are adjourned.

 

[Music]

 

Dean Reuter:  Thank you for listening to this episode of Teleforum, a podcast of The Federalist Society’s practice groups. For more information about The Federalist Society, the practice groups, and to become a Federalist Society member, please visit our website at fedsoc.org.