Seven Tips for Negotiating with Hackers (or Anyone for that Matter)

These tips will help cyber-security experts in ransomware negotiations with hackers. But they apply universally to any negotiation in business, legal, or even personal affairs.

1. Be Kind

Confrontation is pointless in negotiations. Not only does it cloud thinking, but it raises defensiveness on the other side, which can end any hope of a resolution. The same is true with a neutral, poker-face style of communication. It comes across as unnatural, putting the other side on guard that something might not be right. So, be kind. Or, at least appear that way, and if things go sideways, take a break or resume another day.

2. Do Your Homework

Making moves in negotiations requires understanding the options: best case, worst case, and everything in between. And the side with more options—or perceived to have more—often has the power. Before negotiations, figure this out through research and analysis. View the options and pressure points from the other side as well. Knowing those, counter arguments and ways to exploit pressure can be developed, and “walk-away” points can be clearly defined.

3. Solicit Information

Making moves in negotiations also requires obtaining information from the other side. Two classic (but still effective) ways to do this are (1) through silence (listen more than talk)—leading the other side to communicate to end the discomfort—and (2) open-ended questions (use the “5Ws 1H” approach)—inviting the other side into a dialogue that you control.

4. Avoid Ranges / Round Numbers

A range of numbers has a low end and a high end. Naturally, giving a range in negotiations signals that your low end is acceptable. So, stick with specific figures, but at the same time avoid round ones—they can lack believability and suggest a made-up number without justification. If possible, slow down the back and forth by remaining patient and not overly eager to conclude a deal that may leave money on the table.

5. Choose Words Carefully

Different words can carry similar meanings, but selecting the right word (and sometimes the right time for it) is a skill in negotiations. Aggressive words can always be toned down. Consider, for example, position, objection, and impasse versus view, reservation, and stuck. And when dealing with those whose first or even second language is not the same, diction and tone can be even more important.

6. Use “Tactical Empathy”

When the other side knows they have been understood, negotiations can continue. Demonstrate appreciation for the other side’s perspective, even if you disagree with it. Get the other side to do the same. Use this to develop a working relationship. *Read Chris Voss’ book “Never Split The Difference.”

7. Maintain Credibility

Just as you will challenge the other side’s leverage, the other side can try to reset it, so be willing to accept challenges going in the opposite direction. Otherwise, the other side may feel things are one-sided. This can lead to a loss of credibility in wanting—or being perceived as wanting—to work toward an agreed solution. Indeed, sometimes giving in on small but important issues can prompt bigger moves in your favor. Don’t concede on key points without getting something back.

***

Ransomware attacks continue to rise. The ideal approach is to prevent them in the first place with the right mix of cybersecurity services and a ransomware-specific cyber-incident response plan. In reality, hackers will sometimes find ways to penetrate even the most well-protected organizations. If your company does become an unwitting victim of a ransomware attack, these tips provide the foundation for the “dos and don’ts” of negotiating with hackers and put you or your organization in a more advantageous position to achieve the best outcome.

By Kurtis Minder, CEO, GroupSense & Joe Meadows, Partner, Gordon Rees Scully Mansukhani, LLP

This content was prepared for informational purposes only and was not intended to provide legal advice. Any views expressed herein are those of the author(s), and are not necessarily the views of any firm or client. This document may be considered attorney advertising under the rules of some states. Prior results do not guarantee a similar outcome.

Colorado Becomes the Third State to Pass Consumer Data Privacy Bill

Colorado’s legislature has overwhelmingly passed the Colorado Privacy Act (“CPA”), making it the third state, after California and Virginia, to pass a comprehensive consumer data privacy bill. If the Colorado Governor signs the CPA, it will become effective on July 1, 2023.

Applicability. CPA will apply to any organization conducting business in Colorado or targeting its products or services to Colorado residents that either: (1) processes or controls the personal data of more than 100,000 consumers annually; or (2) derives revenue from the sale of personal data in addition to processing or controlling the personal data of 25,000 consumers or more.

Exemptions. CPA exempts several entities and types of personal information governed under federal law, including protected health information and de-identified information under HIPAA, financial institutions and nonpublic personal information under the GLBA, information regulated by the FCRA, COPPA, and FERPA, and information regulated by the Driver’s Privacy Protection Act of 1994.

Consumer rights. CPA provides consumers with rights of access, deletion, correction, and portability, and the right to opt out of targeted advertising, sales, and certain profiling decisions that have legal or similar effects. Controllers are required to respond to a consumer’s request to exercise their rights within 45 days of receipt of the request. CPA requires controllers to allow consumers to appeal a controller’s decision not to comply with a consumer’s request. The controller must inform the consumer of its reasons for rejection and notify the consumer of the ability to contact the Attorney General with concerns about the appeal result.

Controller duties. CPA establishes duties for controllers, including the duties of transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and duties regarding sensitive data. These duties create related obligations, such as providing a privacy policy, establishing security practices to secure personal data, and obtaining consent prior to processing sensitive data or children’s data. Controllers must provide a privacy notice to consumers that includes: (1) the categories of personal data collected, processed, and/or shared with third parties; (2) the purposes for processing such data; (3) the categories of third parties with whom the controller shares personal data; (4) how and where consumers may exercise their rights; and (5) whether the controller sells personal data or processes personal data for targeted advertising.

Data protection assessments. CPA requires data protection assessments (“DPAs”) for certain processing activities, such as targeted advertising, sales, certain profiling, and processing of sensitive personal data.

Universal opt-out requests. CPA also requires the Attorney General to establish technical specifications for a universal targeted advertising and sale opt-out by July 1, 2023, which controllers must honor starting July 1, 2024. This is not optional.

Opt-in Consent for certain processing. CPA requires opt-in consent for the processing of sensitive personal information, which covers racial or ethnic origin, religious beliefs, citizenship, or genetic or biometric data. CPA also requires consent for processing the data of children under the age of 13.

Right to cure. CPA allows controllers a long 60-day period in which to cure violations. This cure period will be phased out after January 1, 2025, at which time the Colorado Attorney General will be able to act without such notice.

Enforcement. There is no private right of action, but the Colorado Attorney General’s office and state district attorneys will enforce CPA and may fine violators up to $500,000.

The Florida House of Representatives Has Resoundingly Passed HB 969

The Florida House of Representatives has resoundingly passed HB 969, a comprehensive consumer data privacy bill similar to California’s enacted CCPA and Virginia’s VCDPA. HB 969 would give Florida residents a broad right to access, delete, correct, opt in or opt out, and stop the sale or sharing of their personal information. It requires businesses to post privacy policies, maintain written security programs, and have procedures to comply when data subjects exercise their rights.

While the bill has the types of exemptions that have by now become commonplace (HIPAA, GLB and the like), it also has a few unusual elements, including a broad definition of biometric data that does not contain the typical carve-out for biometric information data subjects voluntarily submit for testing and screening.

The bill would also include a resident’s private right of action. If passed, the Florida law would have the most extensive private right of action of any currently in-effect comprehensive privacy law, including Europe’s GDPR.

HB 969 has now moved to the Florida State Senate. The Florida State Senate is also currently considering passage of a related, narrower consumer data privacy bill, SB 1734, which does not include a consumer’s private right of action.

Is Illinois Moving Away from its Strict BIPA Law?


By now, you’ve probably heard of the Illinois Biometric Information Privacy Act (“BIPA”), even if it was just a message you received to the tune of “Facebook users in Illinois may be entitled to payment if their face appeared in a picture on Facebook after June 7, 2011.”

The law, the first in the country purpose-built to regulate only biometric information, is among the strictest biometric laws in the world right now. Among other things, it requires that data subjects be provided with notice and deliver a signed written release (as opposed to the more prevalent electronic consent) before facial recognition, fingerprints or other biometric features can be collected and used. That was the crux of the Facebook case, where the photo-tagging feature we all hate-to-love and love-to-hate resulted in a $650M class action lawsuit settlement.

But the Illinois statute is not without its critics.

BIPA remains the only state law that allows private individuals to bring a suit and recover up to $5,000 in statutory damages (and much more if actual damages are proved) without having suffered anything approaching the harm required under other state privacy law regimes. As a result, with more than 200 class actions filed, many have expressed concern that BIPA has become good business for class-action attorneys, but bad business for actual businesses, especially Illinois’ small business community.

In an attempt to strike a new balance, on March 9, 2021, the Illinois House judiciary committee advanced House Bill 559 (“HB 559”), which would amend BIPA.

HB 559’s key amendments do the following:

  • permit notice of biometric data collection to be made specifically to affected data subjects, rather than generally to the public;
  • allow electronic consent to be used instead of written releases;
  • create a one-year statute of limitations (currently, there is no BIPA-specific statute of limitations);
  • require a 30-day notice and cure period before private actions can be brought;
  • allow an otherwise offending party to prevent suit by private parties, whether as individuals or via a class action, if the noticed violation is cured and certain other conditions are met (including the provision of written assurances);
  • implicitly require that actual damages be shown, insofar as it would do away with liquidated (aka “statutory”) damages;
  • permit recovery of those actual damages by private individuals for negligent violations;
  • consolidate and raise the standard for enhanced damages from intentional or reckless to solely “willful”;
  • impose the same implied actual damages requirement for willful violations as is used with negligent violations, but allow the right to seek recovery of double damages from willful violators; and
  • provide that BIPA will no longer apply to union employees who are covered by collective bargaining agreements.

We will continue to monitor the status of HB 559 and keep a close eye on the legal landscape if the Bill becomes law. In the meantime, it is always a good idea to review the current law and ensure that your company’s practices are aligned.

Sic Semper Privacy: Virginia Becomes Second State to Enact Consumer Privacy Law

Well, we all knew it was coming.

The longer the US continues without a comprehensive federal privacy law to rival Europe’s GDPR, the more the individual states are going to move to fill the void—and also make sure they’re not completely outdone by California where the curtain’s already dropping on CCPA and everyone’s getting ready for the second act of CPRA. It is, however, a bit surprising to see Virginia beat the State of Washington as the next in line. But sure enough, on March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (“VCDPA”) into law. Like California’s CCPA replacement, the CPRA, Virginia’s VCDPA will take effect on January 1, 2023.

As with most similar laws, VCDPA gives consumers new rights to access and control the personal data that businesses collect about them. For businesses, the Virginia law imposes new obligations that include:

  • obtaining data subject consent in certain circumstances
  • implementing a security program
  • restricting sales of personal data
  • conducting data impact assessments
  • using specialized contract terms with third parties

The popular media has been quick to run with all manner of comparisons between California’s current law, the CCPA, and the VCDPA. While there are certainly similarities in a few key areas, a close read of Virginia’s new law suggests that VCDPA resembles the GDPR at least as much as it does CCPA.

For instance, while the VCDPA, like its California analog, requires detailed notices to data subjects, creates various data subject access rights and puts restrictions on the sale of personal information, the Virginia law’s third-party oversight, impact assessment and security program obligations are considerably more extensive than what is currently required in California, and much more similar to GDPR.

Over the course of the next few weeks, we’ll break down all the major elements of VCDPA. Today, we begin at the beginning with the basics of who and what are covered.

Who does the VCDPA Protect?

Similar to California, Virginia’s new act states that it protects Virginia “consumers.” As with California, however, the word consumer is a bit of a misnomer. Understood colloquially and under many other legal regimes, a consumer is typically a purchaser/user of goods and services. That’s not at all the case under the Virginia law. Under the VCDPA, the word “consumer” actually means “a natural person who is a resident [of Virginia][ . . . ] in an individual or household context [to the exclusion of purely business/employment contexts].”

Who must comply with the VCDPA?

The VCDPA covers all “persons” who either conduct business in Virginia or, as is similar to the standard set by the GDPR, who “target” residents in Virginia if, in both cases, those persons control, process or sell certain prescribed volumes of personal data in the course of a calendar year.

Like CCPA, the Virginia law has certain exemptions to who is covered. These exemptions are, however, notably different from CCPA. Both the California and Virginia laws have HIPAA and GLB exemptions. In California, those exemptions apply only to the affected data itself, not the overall business. In Virginia, the HIPAA and GLB exemptions read more broadly: if your business is governed by HIPAA or GLB, it is entirely exempt from VCDPA.

What is Protected?

The VCDPA protects “personal data” using a fairly straightforward, and by now familiar, definition. To wit: “information that is linked or reasonably linkable to an identified or identifiable natural person.” The list of what’s excluded from that definition is somewhat extensive, spanning about 18 separate items that include:

  • business data;
  • employment data;
  • de-identified data;
  • publicly available data;
  • HIPAA data (note this is separate from and appears supplemental to the exemption for entities governed by HIPAA);
  • human research, public health, patient safety and related data; and
  • data governed by various additional U.S. federal laws, including FERPA, which is the educational equivalent to GLB.

Notably, the business and employment data exemptions in Virginia are baked right into the language of the statute itself. In California, those exemptions exist, for now anyway, only by virtue of special ancillary laws having only temporary effect.

How is it Protected?

In our next installment, we’ll review how VCDPA seeks to protect personal data and where its most extensive obligations can be found. In the meantime, remember our refrain about applying the Pareto Principle to data security and privacy (discussed here among other places). If you take the following steps, your compliance program will be ready for most of whatever Virginia, Washington, Minnesota or any other jurisdiction require:

  • adopt a risk-based technical and administrative data protection program;
  • take the time to actually implement that program (“saying” it is one thing, “doing it” is another);
  • tell your employees and customers what you’re doing with the data you collect about them and why;
  • give your employees and customers some degree of access to, and autonomy over, that data;
  • keep a close eye on third parties (including vendors) with whom you share that data; and
  • respond swiftly to, and be honest with those affected by, unauthorized use if it occurs.

The European Commission Released a Draft Adequacy Decision for the United Kingdom


In case you’ve been busy dodging novel viruses and winter storms, here’s a recap of why that’s important (be forewarned, we’re oversimplifying and condensing quite a bit for brevity).

Among other momentous things that occurred in 2016, the UK voted to leave the European Union in what has been dubbed “Brexit.” Brexit became effective on January 31, 2020, and thereafter EU law and the EU Court of Justice, or “ECJ,” no longer had precedence over British law and courts. To help ease the impact of that abrupt change, the UK Parliament passed the European Union (Withdrawal) Act 2018, which retains relevant EU law as domestic UK law.

For privacy and data security law purposes, the Withdrawal Act and related regulations did two key things:

  • First, they “froze” the GDPR in its then-current EU form as of January 31, 2020. That frozen or “EU GDPR” version was then applied to all data received/transferred from the period before Brexit went into effect up to December 31, 2020.
  • Second, from December 31, 2020 onward, they make the GDPR part of domestic UK law and rename it the “UK GDPR.”

The UK GDPR isn’t quite an exact replica of the “frozen” EU GDPR. For instance, it changes the governing and binding interpretive bodies from the European Commission and ECJ, respectively, to the UK Secretary of State and UK courts. The replacement of the ECJ with the UK courts means the UK GDPR will inevitably continue to diverge from EU GDPR over time—though we suspect that on big issues (like Schrems II, which we explain here) the UK courts will follow the Swiss model of hewing closely to the ECJ.

So what does any of this have to do with an adequacy decision by the EU, you ask? Good question.

Recall that under the GDPR personal data can only be transferred out of the European Economic Area in one of two ways, either:

  • through an approved mechanism under GDPR Articles 46 or 49; or
  • if the European Commission has deemed the privacy laws of the destination country to be “adequate”

Since Article 46 mechanisms have been relentlessly (and successfully) attacked by Schrems and his aligned groups for over four years now, and Article 49 is largely untested, adequacy is far and away the preferred basis for transfer. Adequacy decisions are, however, very hard to come by. Up until now, only about a dozen have been granted.

To be sure, for companies governed by the GDPR who regularly move personal data to the UK, the failure of the UK to receive its own adequacy decision would be pretty burdensome. It would mean that long-standing personal data transfer practices would need to be entirely revisited, contracts amended and all manner of other compliance and operational impacts dealt with.

If, on the other hand, the UK receives an adequacy decision, things pretty much remain status quo ante for the foreseeable future. So while there are a few hurdles left before it becomes official, the fact that the EU has issued a draft decision this soon after the magic date of December 31, 2020, is a very good sign.

Watch this space. We’ll keep you updated.

New York Introduces Its Own Version of Illinois’ BIPA

In 2010, Illinois passed the Biometric Information Privacy Act, leading to over one thousand class action complaints between the years 2015 and 2020 alone. On January 6, 2021, the New York state legislature introduced Assembly Bill 27, titled the New York Biometric Privacy Act (“BPA”), which is a carbon-copy version of the Illinois law.

New York’s BPA proposes to prohibit private entities from capturing, collecting, or storing a person’s biometrics without first implementing a policy and obtaining the person’s written consent. The New York BPA would provide the same remedies as the Illinois version, specifically, a private right of action with the ability to recover $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, along with reasonable attorneys’ fees and costs.

While New York’s BPA is only proposed, if the language of the bill remains unchanged, New York companies can expect a similarly heavy flow of litigation. Companies operating in New York that utilize data that at all resembles biometric data should consider immediate steps towards prospective compliance. Companies should be auditing their practices and begin to develop written procedures so that, in the event New York’s BPA passes as written, exposure is limited from the outset. The language of the bill provides that the BPA shall take effect ninety (90) days after becoming law. We will continue to monitor the progress of the proposed legislation as it moves through the Assembly and the Senate.

California Legislative Update: Prop 24

Apparently there’s some stuff going on with a couple of guys named Joe and Don that’s got everyone distracted for some reason. The cool kids know, however, that the most important thing to happen last night was the passage of Prop 24 in California which means the CCPA is old news and the CPRA is the new game in town.

You read that right. Having just (mostly) figured out what the implementing regulations should be for CCPA, a massive new privacy law that’s only been in effect since January, California voters said, “Eh, know what? Let’s do it all over again.”

We’ll let you get back to clicking around about this Joe and Don thing, but here’s a quick run-down of what the new CPRA adds to the CCPA:

  • specific third-party oversight responsibilities, similar to GDPR;
  • requirements for annual audits and regular risk assessments for certain businesses;
  • requirements when doing “profiling” that are in line with the GDPR;
  • an entirely new enforcement authority, the California Privacy Protection Agency;
  • an expanded private right of action to cover breaches of account access credentials;
  • increased penalties for mishandling of children’s data;
  • a consumer right to correct data; and
  • more specific data retention disclosures.

We’ll have more in-depth analysis and thoughts on readiness programs to come in the near future.

California Legislative Update

Just a quick legislative update from everyone’s favorite US privacy jurisdiction, California. Governor Newsom:

Signed AB 1281 – That Act extends the B2B and HR data exemptions under CCPA for another year. This is very good news.

Vetoed AB 1138 – That Act would have given CA a state analog to COPPA and required, among other things, parental consent prior to kids under 13 using social media. In his veto message found here, Newsom said he based his decision on the same reasons many of us lawyers and privacy professionals had been criticizing AB 1138, which is that COPPA already robustly occupies the field and the FTC has an excellent track record of enforcement. A state law analog would have added nothing more than regulatory burden and cost amidst the already challenging pandemic economy.

Proposed Bill to Establish Security Standards for IoT Devices Used by Government Officials Passes House


For many, being able to securely connect, access, and move data across multiple devices is an integral aspect of everyday life. Some of our nation’s lawmakers want to ensure that the internet-connected devices they use meet the same established cybersecurity standards that the public has come to expect in the private sector. Lawmakers got one step closer to making that a reality this week.

Earlier this week, the U.S. House of Representatives passed House Bill 1668, the Internet of Things (IoT) Cybersecurity Improvement Act, which seeks to establish security standards for federal purchases of internet-connected devices and for the private sector groups providing such devices.

Currently, there is no national standard to ensure the security of internet-connected devices purchased by the federal government. Under the proposed law, these internet-connected devices, which would include computers, mobile devices and other devices that have the ability to connect to the internet, would have to comply with minimum security recommendations issued by the National Institute of Standards and Technology (NIST). The bill does not lay out what those standards should be; rather, it tasks the Office of Management and Budget with ensuring that the adopted IoT cybersecurity standards are in line with minimum information security requirements.

Devices covered under the bill

The bill would not only cover computers and smart phones used by federal government officials. The legislation defines a covered device to include a physical object that is capable of being in regular connection with the Internet or a network that is connected to the Internet, and has computer processing capabilities of collecting, sending or receiving data. It would not include personal cell phones or personal computers. It also exempts devices that are necessary for “national security” or “research purposes”.

Obligations on the private sector under bill

The bill would require contractors and their subcontractors that provide covered devices to the federal government to notify government agencies of any security vulnerabilities. While security standards are being considered, private sector providers, contractors and subcontractors can look to International Organization for Standardization (ISO) standards 29147 and 30111 for guidance, since the bill’s drafters explicitly cited them in the Act. There’s a process for companies to challenge whether their devices are covered under the bill as well.

Cyberthreat on IoT

The Mirai botnet attack in 2016 served as the impetus for the bill’s sponsors. Recall that the Mirai botnet attack left millions on the East Coast, among other locations, without access to many popular websites for a few hours in late October of 2016. The attack blocked unsecured internet-connected devices from accessing popular websites such as Twitter, Netflix and the New York Times in order to carry out a cyber attack.

While Mirai primarily impacted internet-connected computers, for many, including the IoT Cybersecurity Improvement Act’s sponsors, the Mirai attack showed just how debilitating a cyber attack can be for a heavily connected internet life, and the havoc attackers can wreak with unsecured internet-connectable devices and the lives that depend on their functionality. Internet-connected devices, or IoT devices, are devices that can be controlled or accessed using the internet, including everything from webcams to baby monitors to gaming consoles. That includes exercise trackers and programmable locks on your home. According to some estimates, there will be close to 75 billion IoT-connected devices by 2025. The IoT Cybersecurity Improvement Act would work toward ensuring that the government’s IoT-connected devices containing the nation’s most sensitive information are secure.

Up next for the bill

The IoT Cybersecurity Improvement Act heads next to the Senate floor, after passing the House unanimously.

Up next for you

Gordon & Rees will keep an eye on cutting-edge developments in this space. We can expect similar regulations in the private sector with various guiding authorities, such as NIST, providing similar recommendations.