
TAG Cyber Law Journal

December 2018
A former prosecutor uses tabletop exercises to help clients build 'response muscles.'
DECEMBER 1, 2018
A few days before Judith Germano took Columbia Law School students through a so-called tabletop scenario [see our related story here], she talked about the value of these exercises for students and for corporate groups working to strengthen their cybersecurity. And she reviewed the background that prepared her to help them. It says a lot about the diverse skills required that Germano didn’t talk only about the boutique law firm she started five years ago, or her 11 years at the U.S. Attorney’s Office for the District of New Jersey, where she worked her way up to chief of economic crimes, overseeing cyber crime and securities and financial fraud. Or her work at New York University, where she’s a distinguished fellow in the Center for Cybersecurity; a professor in the Cybersecurity Risk and Strategy master’s program; an adjunct professor at the law school; and a senior fellow at the Center on Law and Security. She particularly noted the two years she spent decades ago at an international PR firm working on media relations in the technology and telecom sector. “I continue to be surprised, despite having been a lawyer now for more than 20 years, how that background and experience has also continued to be incredibly valuable,” she says. It helped her understand the way that companies handle both internal and external communications, and it schooled her for working with them as they face the kinds of crises she now sees all the time.

CyberInsecurity News: Tell me about your experience running tabletop exercises.
Judith Germano: Running a tabletop exercise is something I’ve done with a panel at the FBI for companies within their region in New York. I’ve done it in Washington, D.C., for a diverse group with multiple companies. It’s also something that a lot of companies will do with their own security teams. The important thing in understanding how to respond effectively for cybersecurity incidents is to practice. Companies and governments and academic institutions as well need to prepare and have the right plans and policies in place, and also practice what will happen in a scenario. So it helps to run exercises to understand what the different roles are and some of the issues and how people will make decisions on a simulated real-time basis. That way, they’re working on those response muscles and seeing where their incident response plan may need to be tweaked. They might discover missing components of the plan—or how different individuals within the organization may respond to a media inquiry or to a question about whether to engage with law enforcement.

CN: You will be working with a Columbia Law School class on cybersecurity. What do you hope they learn?
JG: I would like to show the students that responding to a security incident is not always a completely clear, orderly process. There can be a lot of things happening at the same time, with competing concerns about whether, when and how to respond. I would like to show some of the complexity of those challenges, and to raise the issues and the questions that leaders have to consider as they respond.

There’s less of a shock that a cyber incident happens. The attention is on: What have you done about it?

CN: What about when you do these with a company?
JG: With an organization, we can do it as a two-hour exercise or a three-hour exercise. The important part of it is having them think about the questions and issues that come up and what potential responses they may have. But in an actual security incident situation, it’s very fact-dependent. One of the challenges is that you don’t always know all the facts as they’re unfolding, and you have to make decisions based on what is required from a legal and regulatory standpoint. And also what is required concerning trust and reputation, which are paramount to the organization.
     I’ve worked on security incidents where, under the specific governing laws, a company may not be obligated to disclose an incident, but still decides that it is in the company’s best interest, because it wants to be transparent and share with its clients or customers what’s happening at the company. And those are real-time decisions that are very fact-dependent. Those are the things we’ll talk about in the scenario—some of the challenges and considerations as an incident is unfolding. Because it’s not always clear that you’re in a cyber incident. There are flags you’re looking for, but sometimes it’s not completely clear if it’s the right time to disclose. A company doesn’t want to be in the position where they’re crying wolf or reporting on a lot of things that are not required to be reported. It will give a misperception that the company isn’t secure, when, in fact, they might be a more secure organization, because they’re actually monitoring the red flags. The irony is that some companies or entities that are not seeing any red flags may not be more secure. They may not be looking appropriately.
CN: When did you first start doing this, and how has your approach changed over time?
JG: I started my own law firm in 2013, after having spent 11 years as a federal prosecutor. And in that role, I was doing some outreach, working with companies that were victims of cyberattacks, and realizing that there was a lot of uncertainty in terms of when, how and why companies should engage with government on cybersecurity incidents. And I realized that this is a continually growing problem. I wanted to be able to address issues and help the private sector understand how to better bridge the gap between the private and public sectors. So when I started my boutique law firm, that was part of the inspiration and motivation.
     Since then, I’ve continued to have feet in the private sector for my law firm work and my work in academia, and I also do a lot of collaborative work with the government. To the extent that cybersecurity is best addressed with partnerships, I’m in a good position to help bridge those gaps. And over the years—in terms of how this has changed in the last five years that I’ve been advising companies—I’m encouraged to see that companies are more and more aware of the need to address cybersecurity issues and incidents, and to be proactive about it. When I was starting my business, I was told, “Oh, no one will call you, unless they have a problem.” And my point is that I really want to get in ahead of the problems, ahead of the issues, because that way, companies can better and more adeptly respond when issues do happen. And it also puts entities in a better position with their clients, customers, the public and the government. They want to show that they were making proactive efforts to improve their organization’s security through reviewing policies and practices, and doing tabletop exercises for senior leadership teams, for security responders and also for boards of directors.

CN: And board members have participated?
JG: I have had board members sometimes participate, yes.

CN: Is that one of the ways that you may have tweaked what you’ve been doing over the years, recognizing that you wanted to expand the group of participants?
JG: I’ve actually been saying from the beginning that we need the senior leadership team and the board engaged in cybersecurity issues. It’s just that now, more are taking the time to do it, recognizing that this is something where they can be called out. We’ve had incidents where CEOs have lost their jobs and board members have been replaced if it’s determined that an organization wasn’t sufficiently prepared or hadn’t handled security issues appropriately. So I think the biggest thing that’s changed over the five years is that in the beginning, the focus was more on: How do we best prevent cybersecurity attacks through good preparation and proactive methods? And now there’s a greater focus on the reality that these incidents are happening to organizations in all sectors, of all sizes, and the bigger concern is that companies are being judged and evaluated, and the individuals that run those companies are being evaluated, based on how quickly and effectively they respond to the attacks. There’s less of a shock that a cyber incident happens. The attention is on: What have you done about it? And how much have you shown that you care about the data with which you’ve been entrusted?

CN: How often have you participated in responding to cybersecurity incidents since you started your practice?
JG: Those incidents are happening all the time. Sometimes I’ll get a call, and it may just be a quick incident, or it’s being handled, but the company needs some guidance and a check on what they’re doing and how they’re doing it. Sometimes it’s getting called in for a full-on incident response. The side that I don’t engage in, but I have a lot of other people that I can refer it out to, is the civil litigation that comes after an incident. I will work with a company in speaking with regulators or speaking with the government in addressing the concerns. But in civil litigation, which is another big piece of the work, I’ll recommend a different firm that focuses on that. I would advise and can provide expertise, but the day-to-day civil litigation would take up too much time, and I’m a specialized boutique.

CN: Can you give me an example of a good outcome when you’re called in to help a company respond to an incident?
JG: I had one situation working with a client on a highly sensitive attack—very significant amounts of data around the country. It was a horrible three weeks, but at the end of it, months later, customers called, saying, “Thank you. You guys handled that really well.” It was an opportunity for that company to build trust with their clients, because the CEO made personal calls, saying, “This is what’s happening. This is what we’re doing about it. This is what we don’t know yet. Here’s what we do know, and we’re working on it. We’ve reached out to law enforcement.”

We’ve had incidents where CEOs have lost their jobs, and board members have been replaced if it’s determined that an organization wasn’t sufficiently prepared.

CN: What are some examples of poor responses?
JG: The Target breach, going back to 2013. Target came out and said, “A certain number of [credit] cards were compromised.” Then they had to revise it, and it was more: “But don’t worry, it’s only credit cards. No debit cards, no PIN numbers.” And then they came back: “Oh, well, there were debit cards. But no PIN numbers. It’s OK.” Then they had to come back again and say, “Oh, it was actually a lot more, and they did get the PINs.” And it was news cycle after news cycle. Which really made it worse. And that was one of the earlier cases of mass consumer attention on a data breach.
     Since then, we’ve had a number of breaches in the media. And the biggest thing is: How much do company executives or government officials take responsibility? Equifax did not handle their breach well. That was again a significant data breach, with highly sensitive information. Equifax is one of the companies we turn to if we think we’re a victim of identity theft. We say, “Hey, is everything OK? Is my credit intact?” When their breach happened, the CEO came out and said, “This is a very bad day for Equifax.” That’s really not the thing to say when millions of clients and customers are thinking, “Oh my gosh, my identity has been taken!” It was a bad day. I’m not disputing that. But that’s not the message. The message is: “We care about you. We care about your data. We’re sorry this happened with your information.” The public needs to know that the company cares. And then Equifax had the additional problem of some executives who knew that there was a breach engaging in some stock trades in advance of the public information, which led to an insider trading investigation.