Skip to Main Content
 
Thought Leadership

The Justice Insiders: Mutiny on the Bug Bounty

 
Podcast

     

Episode 12: Mutiny on the Bug Bounty

Host Gregg N. Sofer is joined by Jay Town, former U.S. Attorney and current Vice President and General Counsel at Gray Analytics, and Husch Blackwell partner Jeff Jensen to discuss the recent criminal prosecution of former Uber Chief Security Officer Joe Sullivan. They explore some of the fascinating tactics employed by the government and discuss the implications of the prosecution on the future of cybersecurity regulatory compliance. The discussion ends with some practical considerations for corporate officers and risk professionals responding to cybersecurity incidents and covers how to develop meaningful compliance programs in light of the government’s escalating vigilance across multiple state and federal agencies.

Gregg N. Sofer Biography

Gregg counsels businesses and individuals in connection with a range of criminal, civil and regulatory matters, including government investigations, internal investigations, litigation, export control, sanctions, trade secrets and regulatory compliance. Prior to entering private practice, Gregg served as the United States Attorney for the Western District of Texas—one of the largest and busiest United States Attorney’s Offices in the country—where he supervised more than 300 employees handling a diverse caseload, including matters involving complex white-collar crime, contract fraud, national security, cyber crimes, public corruption, money laundering, export violations, trade secrets, tax, large-scale drug and human trafficking, immigration, child exploitation and violent crime. To read more about Gregg, check out his bio on the Husch Blackwell website.

Jeff Jensen Biography

Jeff is one of the few attorneys in the country with the distinction of serving as a special agent for the FBI, a federal prosecutor, a lawyer in private practice with a large law firm, and U.S. Attorney. To read more about Jeff, check out his bio on the Husch Blackwell website.

Jay Town Biography

Jay E. Town is the Vice President and General Counsel at Gray Analytics, an aerospace and military defense contractor company located in Huntsville, Alabama. Jay plays a large role in leading executive management efforts around supply chain security, cybersecurity, ransomware attack solutions, internal investigations, decree and governance monitoring, digital forensics, and business development. He also provides legal advice and execution related to myriad facets of all Gray Analytics’ service platforms.

Prior to his current position, Jay served as the United States Attorney for the Northern District of Alabama, where he oversaw the largest increase in federal prosecutions in the history of his district. He also served in the Marine Corps for 12 years, where he was a judge advocate and attained the rank of Major prior to his honorable discharge in 2008.

Jay was also an accomplished prosecutor in the Madison County District Attorney’s Office from 2005, when he moved to Huntsville, until his confirmation as U.S. Attorney. He left the District Attorney’s Office as a senior prosecutor handling a full catalogue of crimes, including capital murder, murder, robbery and burglary.

Check out more on Jay’s career by visiting his Wikipedia biography page.

Read the Transcript

This transcript was auto-generated using Adobe Premiere Pro.

00;00;01;23 - 00;01;00;25
Gregg Sofer
Ever wonder what is going on behind the scenes as the government investigates criminal cases? Are you interested in the strategies the government employs when bringing prosecutions? I'm your host, Gregg Sofer, and along with my colleagues and Husch Blackwell's white collar internal investigations and compliance team, we will bring to bear over 200 years of experience inside the government to provide you and your business thought provoking and topical legal analysis as we discuss some of the country's most interesting criminal cases and issues related to compliance and internal investigations. Welcome to the latest edition of the Justice Insiders. I'm your host, Gregg Sofer. And I'm fortunate enough today to be joined by two fantastic guests, Jeff Jensen, who's a partner at Hush Blackwell's White Collar Practice, and our Saint Louis office. And Jay Town, who's a former Marine, former judge advocate general and former U.S. attorney in the northern district of Alabama. Thank you both for joining us today.

00;01;02;09 - 00;01;03;17
Jay Town
Thanks. Very good to be with you.

00;01;03;17 - 00;01;04;13
Jeff Jensen
Thanks for having us.

00;01;05;19 - 00;02;48;25
Gregg Sofer
So today we're going to focus on issues that revolve around a very interesting case in which a the chief security officer of Uber was recently convicted in October of federal charges for covering up a data breach which involved millions of Uber user records, including, as I understand it, over 600,000 driver's licenses, where drivers driver's license information and information that related to tens of millions, 57 million users of Uber's platform. There's a lot of very interesting aspects to this case. Among them are the fact that Mr. Sullivan, who was the chief security officer, was also a former assistant United States attorney, and his former colleagues were actually prosecuting him, or at least his former office was. And in addition to that, as the CSO, he had come in fairly recently when this hack took place or this intrusion took place. And so his reaction to it and what happened afterwards were the subject of this trial. And it very recently, as I said, resulted in his conviction. He's not yet been sentenced, but he faces up to five years, possibly eight years, if they are able to run the sentences consecutively in federal prison. It's a big deal. It's a shot across the bow. Jay, I know you've read a little bit about this. What are your initial impressions about the case and what it means for cyber security folks? And you can tell us a little bit at this point, I stopped your resumé at U.S. attorney. I could have kept going and I should have kept going. So tell tell our listeners a little about what you're doing now.

00;02;48;26 - 00;04;26;11
Jay Town
So so I'm I'm the vice president, general counsel at Gray Analytics, which is primarily a defense industrial based contractor. And pretty much everything that our company does, cyber runs through it. We have a commercial and a government cyber security division, and we have an investigations group and some other things and so whether it's a ransomware attack or different types of hacks or cyber breaches, those are things that our company deals with on a daily basis, whether it's through the United States government or private industry. And so in this particular case, one of the one of the things that is that is really interesting and sort of frightening to anyone who is in-house counsel or in the C-suite at a company that is heavily regulated, such as finance or health care, certainly any of the dot.coms or the tech companies, there are and there is this misimpression of an offense where where you do find that there is not only an incident response to protect your company and your consumers or users, but there's also an actual obligation to the government to report the actual breach. And the FEC, for instance, is working on a regulatory landscape that requires all publicly traded companies to do the very same. So think of the scope of industry. All ten economic sectors are included in that. So it is very important that we that we know as a C-suite or in-house counsel or even outside counsel, what our obligations are as far as reporting of a breach, and then include that in our incident response plans.

00;04;27;25 - 00;04;36;27
Gregg Sofer
Jeff, any of your just sort of initial impressions and we'll get into this Miss Prison concept because I do think it's a fascinating element of this case as well.

00;04;37;28 - 00;05;18;06
Jeff Jensen
What jumps out at me that following up on with Jason, I mean, notification requirements are extremely complex. And also when a breach happens, the information you have changes over time. Sometimes what you think it is immediately is not what it turns out to be based on the forensic work as it's unfolding. And I can't help but wonder if someone in this case, maybe early on, locked into sort of an answer or a theory that notifications were not required. But then as evidence comes in and sometimes your answer needs to change and you have to be willing to have the difficult conversations with the C-suite. And I imagine he had some cognitive dissonance here.

00;05;19;05 - 00;06;34;14
Gregg Sofer
Well, he must have been in a tough spot. I mean, here you are. You're a former AUSA, you're a cybersecurity expert. You come in. They were actually Uber had been in the process before he arrived of dealing with a prior breach that had taken place a few years before he got there. And they were in the middle of an FTC investigation about that. And now here along comes an new breach. And my understanding is that he facilitated or at least participated somehow in paying the people who were able to commit the intrusion through a bug bounty program. That's some program that you have to try to bring outsiders in to try to get to to demonstrate the vulnerabilities in your program. But these guys weren't just showing the vulnerabilities. They were actually hackers. And he ended up hiding this whole incident not only from the his his own and his own colleagues in the legal department. The general counsel testified she knew nothing about this until later, but the C-suite and everybody else. And so this is where he really found himself in trouble. Any apparently, according to the testimony, he lied about this when questioned about it as well.

00;06;34;28 - 00;07;55;24
Jay Town
So a little bit about the bug bounty program, Gregg, and just so the listeners understand what what what the bug bounty program is, is, let's say if you're a highly technical company, so you're Google, you're Uber, you're a company that deals with a large volume of data on a minute to minute basis. What what the bug bounty does is it actually is a system where you're a hacker out there and it awards you actually or rewards you for finding vulnerabilities within the cyber environment of that particular company. So you you call up the company and say, look, I found a way to get in and view the street addresses of every Uber user user. Well, okay, for that, we will give you X amount of money if you will show us how you were able to sort of exploit that vulnerability. And it seems like that this individual that was prosecuted tried to sort of cloak a ransomware attack or some other type of of actual cyber criminal cyber breach into this bug bounty program when that's not really what it was. The breach itself was it was a criminal a criminal act. And so we try to sort of slide it in to this bug bounty program that's not at all what it was.

00;07;56;16 - 00;09;55;22
Gregg Sofer
And the hackers or the intruders actually emailed him directly, apparently. So they they had no idea what they were we're going to do right out of the gate. And again, his initial reaction to go to Jeff's point is, you know, when something like this happens, it's a lot like other difficult decisions about, you know, what have you learned and when do you tell the government. But I think in this area, the government's really signaled about as strongly as possible in this case, is a good example of it, that you have an obligation to to to let the authorities know early on. I mean, just to to to talk about a few things in October of 2021. AG Elise, Dag, Lisa monaco, the DAG for the Department of Justice made a statement that for too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well, that changes today. You know, this case also sends a shot right across the bow to anybody in this area that you better notify early and notify accurately. But again, as to just point, sometimes you don't even really know what's been happening. I took a look at the FCC rule as well, and it talks about notifying within four business days once the breach is considered considered to be material. So there's got to be a lot of hand-wringing about, you know, what's material in the FCC context. There's going to be a lot of hand-wringing about do we really understand what we're telling the government? But, you know, you combine this with this Miss President statute, which which basically says that if you have knowledge of the actual commission of a felony and you conceal it and do not as soon as possible make it known to the same or some judge or other person or civil or military authority under the United States, which is now included includes criminal authorities at this point that you have committed a federal crime and then again, in this context, with this case, I think it's it's got to really perk people's ears up.

00;09;55;22 - 00;11;01;01
Jeff Jensen
And I think. That this is a pretty creative prosecution in that respect, using this provision. That's not that's not very normal. The false statement charges is normal. So they took an extra step that should cause people to worry. And with that, with respect to the FCC proposed rule, that's that's kind of a game changer, in my opinion. Typically, you have if you're a publicly traded company and it's material, but if you have in the normal case up until now, you could delay notifications until you figured out what the facts were through a law enforcement delay. So that's when if it's personal health information, you're dealing with health and human services. If I personally identifying information, it's a state by state regime and we keep track of all those as they as the state rules change. But those are allowed for law enforcement to race, law enforcement to ask you to delay notification while they can conduct their investigation. Then you can figure out what the facts are. There is no such law enforcement delay in this proposed FCC rule. So that's that's going to change things significantly.

00;11;02;22 - 00;11;58;12
Gregg Sofer
So I'll ask both of you guys, you know, you find out on a Friday afternoon, you get a telephone call whether it's Jay or Jeff, you get a call on a Friday afternoon that from a, let's say a CSO like Mr. Sullivan was. It says, We just learned that our company was the subject of a computer intrusion. We think they've gotten their hands on a tremendous amount of information. Could be PII, it could be or PII could be health information could be other kinds of information. God forbid you're a defense contractor. Jay. What kind of what are the steps that the companies need to go through or at least think about in the in the early going here to ensure that there are mitigating risk, but also not running afoul of this uber increased regulatory environment. And when I say Uber in this context, I don't mean the cars.

00;11;58;12 - 00;12;00;16
Jay Town
Jeff, you want to start with that?

00;12;00;16 - 00;13;01;24
Jeff Jensen
Sure. I mean, I keep really a checklist of all the things that need to be done in there. Some are more important than others, but forgetting any one of them is can be fatal. I won't go through them all because forever. But first step is I call it the call it Jay. Call someone to Ray Analytics because the first thing you need to do is to harden the system. You've got to stop the bleeding and then probably have them do or someone on the outside do the forensic review because it appears more independent and it's just a different skill set than being an IP person. So you need that forensic team legally on the legal side, you need to establish, make sure privilege is established, you can't be retroactive. You start thinking about these notifications, insurance coverage, make sure you don't miss notification on that public relations. You need to have one consistent message over time. It can't be. We think 100,000 accounts were compromised. Folks, shoot. Now we think it's 300,000. Now you've got to know your answer before you before you put it out there.

00;13;01;24 - 00;13;29;29
Gregg Sofer
Well, let me stop you there for 1/2. How do you know your answer if you don't know the extent of the breach, for instance, what would you recommend in terms of dealing with something like that? Again, I think that's one of the bigger tensions here is the all this now has to be done, you know, yesterday under what the DOJ and FCC is proposing, and they want this done fast. But how do you handle the fact that you may not fully understand the context, contours, depth of the breach.

00;13;30;06 - 00;14;02;26
Jeff Jensen
And you often don't, and that's why you need it. You know, whether it's great analytics or you need someone who knows what they're doing in there, because this these forensic exams always take longer than you think. But you can't go out and start making predictions about about numbers of of access to counts and driver's license, things like that. You just can't you can't go out early and start making estimates. If you don't have an estimate, you have to say you don't have an estimate at that point in time. You just can't make false statements to investors and every other stakeholder, you know.

00;14;02;26 - 00;16;20;02
Jay Town
Yeah. And Gregg, whenever this happens to a company and they want, okay, what data did they take or were they able to see your ex fill in all what happens is is a company like analytics or Mandiant or you know, there's there's there's countless in the cyber space that have the capability to perform a forensic audit audit of of what went on. And and they can do so quickly as long as they're consulted quickly, they have access to the environment or, you know, the server, the system quickly. But essentially what happens is, is they go into the system, they can see all the different files of data that were recently from the system. First, they find who the threat was and they can tell who that was, and then they can see all the data that they've still keep in mind that many times when there's a ransomware demand, for instance, they've been sitting on the network for months. They, they, they, they're aware of what your ransom insurance, the outer markers of the ransomware insurance might be. They're aware of of when you're getting that big sort of cash flow in from that contract or whatever it might be. Normally companies you're the most flush right around payroll, for instance, or bonuses or whatever it might be. And that's when they attack. That's when they shut down your system. So so the the going in and performing the audit or the autopsy, if you will, of of the of the hack of the breach. It's not terribly difficult for professionals. But one thing I would caution companies from doing is asking the right guy to do it or their system to do it, because you are now putting this entire heap of of the regulatory landscape on their results. And if they are wrong and they knew or should have known to look further, just didn't have the capability because a lot of I.T. folks in your companies, in your firms, wherever, they don't have the chops to perform these services now. Now you're really kind of rolling the dice with what the actual proof is. And so I would I would suggest it's always a wise investment to have a company like analytics on your incident response plan, right in your cargo pocket, ready to speed up.

00;16;20;29 - 00;16;33;25
Gregg Sofer
And you said that these guys are often in your system before they actually conduct the intrusion. Are they in your system while you're reacting to the intrusion as well?

00;16;34;16 - 00;17;46;18
Jay Town
Yeah, oftentimes will will be going into a system to perform a penetration test or threat hunt of some sort, which is just sort of a routine semi semiannual sort of checkup, if you will, of a of a network or a cyber environment. And if there is a threat inside the system and they see us in there because they've been monitoring that there's email traffic or even some of the contracts that are done via email, they could even have access to those are your SharePoint or your oh 365 and they know that it's it's they're going to you're going to be locked out of the system shortly or they're going to have to attack now. And so, you know, it's really bad luck if that's the way things occur. But it does happen more often than that, I would even think would be the case. So, yes, it's it's very important to when you make those decisions to just start going. And if you can do it by the phone because you have a company that does that service for you annually or semiannually, make that phone call. Don't do it. Teams don't do an email, just have as part of your your statement of work and it's just on a continued hourly basis and that'll really help prevent those triggers.

00;17;46;28 - 00;18;00;05
Gregg Sofer
So, Jay, when you're describing the reaction to this, particularly the forensic analysis, does the fact that many companies are moved to the cloud affect or complicate your response?

00;18;00;05 - 00;18;55;29
Jay Town
It doesn't complicate the response. It may make it a little bit more difficult to identify the threat if if if that threat vector was the actual cloud. Right? So sometimes there's a breach of the cloud. Then they have access to sort of an umbrella of of companies or a watershed of companies and corporate cyber environments. So that would make it that would complicate it for for everyone. But if if the threat came in through a business email compromise or a click event at a company, so it originated at the company itself. It really shouldn't impact the response in some ways. It actually makes it easier to abate the threat because a lot of that information that you're encrypted from, we we have access to it now through the cloud and we can just recreate another server and bring that information back down so operations can continue at least on a limited basis until we can abate the entire threat.

00;18;56;07 - 00;20;31;27
Gregg Sofer
So another area that we could focus on, in addition that Mr. Sullivan sort of reputational concerns, which may or may not have played a significant role in the way he did, this is what he actually did to keep this under wraps. So according to the trial testimony, he actually told a subordinate once he found out about the intrusion in 2016 that they can't let this get out, instructed them that the information needed to be tightly controlled and that the story outside of the security group was to be this investigation does not exist. And then he went about paying the hackers in exchange for them signing NDAs or nondisclosure agreements in which the hackers promise not to reveal the hack to anyone. Of course, the hackers hadn't provided their real names at this point, so I'm not sure what an NDA means at that point either. And then he paid him $100,000 in Bitcoin, despite the fact that they hadn't provided their real names. So the NDA question is interesting because the NDA is themselves were viewed as part of the obstruction here, as was the payment. So now you're looking at NDAs in the context of in the context of obstruction here. Jay, what what do you think about that? I think my understanding is that sometimes these bug bounty programs regularly use NDAs as sort of as the concluding piece of them when they're operating correctly. But now you've got to look at them potentially. That is the NDA is something that might catch the eye of a regulator as being obstruction.

00;20;32;27 - 00;22;06;21
Jay Town
Yeah, I think the difference between the NDA is that a bug bounty program would would normally install which which make great sense. Right. Somebody comes to you and says, hey, here's a way I can excel data from your from your server or your system. Now, if you give me some money, I won't tell anybody that seems reasonable, right? I mean, we should want to encourage that as a corporate structure and really is even as a nation. But it's when you when you cloak that conversation into or try to shoehorn it into what's actually a hack or a ransomware, demand and try to call it one thing when it's really something else. It's not apples and oranges, it's apples and dump trucks. And so it's very important that that we know the difference, that the C-suite know the difference when they're making those payments. And one of the ways that you can set up systems and I think this goes along with maybe Jeff's proactive checklist as well for the incident response is to ensure that when we making payments for a bug bounty bounty program, that that, you know, signing those NDAs, those go through a number of departments. They don't just go through the security personnel, which is individual as it was, and so have a system set up where there's at least some redundancy that assures that this was not a hack, that this was just a bounty and our typical sort of white team, red team kind of thing, and that'll help avoid situations where you're obstructing justice or investigations when you have these missed presumed offenses as you as you've already talked about. Gregg,

00;22;06;21 - 00;22;48;27
Jeff Jensen
I would add, I mean, the thing that really jumps out at me about this case is the fact that it's an HSA because you would know this point. Nobody outside of security should know about this. Well, how big is that group? You know, so so you think you have friends, you think you have coworkers, but there's no interests like self-interest. So all of a sudden, when when the federal government comes, people change teams really, really fast. They become cooperators. They seek immunity. They claim to have not had knowledge about things. I'm not saying they're telling the truth that they weren't. I was there for the trial. But it's something that that most people in law enforcement realize that teams change really, really quickly and secrets don't go well.

00;22;49;29 - 00;23;32;27
Gregg Sofer
And I guess the idea of having an insular security department where, you know, your control information and you circle the wagons when something like this happens, as you point out in this case, pretty much the entire rest of the corporation just dropped it all on Joe Sullivan's lap in the end. And eight people either pled guilty and flipped on him or claimed or testified that they knew nothing about this. He really was left holding this bag pretty much all by himself by the end. And Jeff, I think I cut you off. You were you were headed down your checklist. We had gotten to the part where you're making disclosures and you wanted to make sure that they're accurate. What other things should folks be thinking about?

00;23;33;16 - 00;24;49;17
Jeff Jensen
That's mostly it. I'd like to reemphasize something Jay said, though, is to not communicate by email during this incident response. And so often I see that where people have an incident response plan and that requires that people use old fashioned telephones and talk to one another. But some people just have difficulty with that and they start sending email around. That's then being viewed by the hackers as well. And then also people another common mistake I see is not not thinking through the contractual relationship you have with other stakeholders, whether it's vendors or customers. If somebody in your system and you share systems for whatever business purpose that is, you need to start thinking about those notifications that you might have to make or be liable for failing to notify them. And again, I think that gets back to having independent forensic people objective, an objective view of it, because ultimately these most these many of these end up in class action lawsuits and the appearance of having an outside independent forensic review and somebody going through your your contractual relationships will help later on when those lawsuits when those lawsuits come.

00;24;50;29 - 00;25;43;19
Gregg Sofer
It's a great point. So obviously, the way to prevent this ugliness of a fire drill and a crisis management situation is to harden your system. So this never happens. I want to talk a little bit about DOJ's civil cyber fraud initiative, which, you know, really pointed at people contracting with the government. And Jay, you must see a lot of this. What's your what are your thoughts about, you know, can you really build a system these days to outsmart these folks and be what do you have to do to do that? And then how much does this civil cyber fraud initiative scare folks, given the fact that the false claims Act can now be employed and the government saying it's going to employ it against folks who misrepresent exactly how much they've hardened their system or how they don't.

00;25;43;19 - 00;25;46;18
Jay Town
So so let me let me just back up.

00;25;46;18 - 00;25;51;20
Gregg Sofer
You can object, by the way, and say I've asked the compound question if that makes you happy, particularly back in the courtroom days.

00;25;52;02 - 00;28;54;01
Jay Town
That's okay. I don't mind. Well, let me let me kind of sort of set the landscape just a bit, though. So in in defense contracting or any type of government contracting in any sector, if you are contracting with the federal government, you are self certifying annually that your cyber environment meets the tenets of the national standards, which is the 800 171 standards. And what those standards say is that I have a cyber environment that is good enough and for forever. The federal government has said not only do we take your word for it that you have that cyber environment, but you're you're self-certification, that it's that it's good enough is good enough for us that's about to change with the cyber maturity model certification in the CMC that's coming out. But that's only for DOD, not all of defense. I'm sorry, government contracting, US government contracting. So, but, but essentially what in October of last year when DOJ announced the Civil Cyber Fraud Initiative, what they were saying is that, look, your cyber environment, security is important to the defense industrial base. It's important to our national security. It is there's a reason why the G 30, which is a Chinese military aircraft, looks just like a joint strike fighter. It's there's a reason why our Reapers look like or that the Chinese version of our Reaper looks just like ours. It's like capabilities might be slightly different, but China and other nations, they're using economic espionage to steal our designs, steal our ingenuity, which threatens our national security. So what DOJ has done is said, look, it's now going to be in the contracts that you have a certain cyber environment level of maturity. Fine. That's always been the case. But if you don't have that level of maturity and there is a breach and then we find out that there was a breach because you don't have that level of cyber security at your company, then you have violated per the False Claims Act, you know, that material element. And so it never used to be a material element. As long as the government got what it was asking for, typically False Claims Act investigations were declined. But in this case, regardless of what the government has produced, it is a material breach. The same way as if you put, you know, a part that was counterfeit inside of an F 16 when you said you were going to build that part. That is a material breach and you can be prosecuted for it. You can be disbarred, meaning you can no longer participate in government contracts in any in any economic sector, not just DOD. So it's a very important initiative, I think a very important one. And so it does sort of and then with CMC coming in probably in May of next year, all of that is creating this regulatory landscape where companies are just now having you got to budget for your cybersecurity and we didn't do that before your Kaspersky antivirus was enough. Well, it's not enough anymore if you want to keep keep the lights on.

00;28;55;02 - 00;29;22;03
Gregg Sofer
And I noticed again the proposed FCC rule so well beyond just the government contracting area, saying that you need to you need to start divulging who in your company, in the C-suite even, or on the board, has cybersecurity skills and experience because people are going to want to know. It's a big part of every publicly traded companies, whole material sort of well-being to have that in place.

00;29;23;01 - 00;30;05;28
Jay Town
Yep. That's an that's a great point. And you can you'll start to see. So that's through the FCC. I think I said earlier I got elections in my mind, but it's the SEC. But you can start to see all these other executive branch agencies just like the SEC, maybe have some sort of same shape and size, start to have that same regulatory environment, especially the challenges which inevitably there will be, whether or not the FCC has the authority to regulate like this, if that survives and they do, every executive branch agency is going to have that same requirement. And so you can bet that, you know, your your cyber budget is is going to be a real line item in your annual budget.

00;30;06;11 - 00;30;29;01
Gregg Sofer
The great point. But again, talk about line items. You'd rather put that line item out front than have to bring in a company like yours, a law firm like ours, to clean up the giant mess that takes place. Not to mention the fact that the department keeps saying they want to hold individuals accountable, so they're going to be looking for people to send to prison on this, just like poor Mr. Sullivan.

00;30;29;17 - 00;30;53;18
Jeff Jensen
But what you don't want to do is make the prosecutor's job easy, right? So you have all these regulatory regimes out there. What's the worst thing to do is to have a paper program. You're documenting what you should be doing and then you're not following your own program. You're another is to not take reasonable steps, not have table topics or sizes that they would at least show good faith if you end up getting in those those crosshairs.

00;30;54;11 - 00;31;23;13
Gregg Sofer
That's a great point where we say this all the time. The only thing worse is not having a program is having something written down. I should have done all these things. And the government finds out you never trained. You never you never financed it, you never resourced it. It's just a blueprint to stick it to you. So, Jay, given what you've described, you don't even need a breach to trigger liability under the False Claims Act here. Of course, if you have a breach, everyone and their mother is going to be looking at you. But that doesn't mean that a company has to have a breach in order to violate the False Claims Act.

00;31;24;04 - 00;32;05;13
Jay Town
That's 100% accurate. And so the breach is usually because you do have sort of in your incident response that the government is going to is going to find out or they're going to know you're going to call the FBI whatever it might be. But you're right. I mean, in in procurement, even pre contract, if they were to discover that you have in your solicitation or in your bid, you have said that you have a certain environment and you don't that is enough that you could be prosecuted in procurement integrity. Also important the aspects of that as well here. So it's not just the False Claims Act where you had to actually receive something from the government. It could be actually in the procurement process itself.

00;32;05;13 - 00;32;12;18
Jeff Jensen
Jay, what do you what do you typically recommend with respect to paying ransom after a ransomware attack?

00;32;12;18 - 00;33;39;21
Jay Town
So I stick with, you know, I know the FBI says that they're neutral on it, but but they really suggest that you don't pay the ransom. And the reason for that is it does encourage more ransomware attacks. And so I think that you are well advised and I understand, especially for smaller companies that are attacked by ransomware demands, they can't afford to have their systems shut down for a week. They go out of business if they lose that revenue, you know, bigger companies, Boeing, if they got a ransomware attack for $100 million, one they could pay it to, they could probably shut down for a week and aggressively abate against that attack and rebuild their network. So but the smaller companies can't. And so that's why you're seeing $200,000 ransoms being paid by companies that have $2 million a year in sales because they just don't have a choice. So it's an awful decision to have to make. That's why I think to your point, Jeff, integrate point the wisest investment or Gregg might say the more wiser investment is that you say is that is that you invest in your cybersecurity before an attack proactivity because that is really what is going to be your best insurance of keeping hackers and ransomware attackers out of your network.

00;33;41;11 - 00;33;56;05
Gregg Sofer
Well, the more wiser decision I have made today was to have you join us along with Jeff and really appreciate your guys input. Thanks so much for joining us. And as I said at the beginning, we will link to your bios in the show notes.

00;33;57;12 - 00;34;00;05
Jay Town
Thanks, Gregg. It's great to join you, but you too, Jeff.

00;34;00;05 - 00;34;01;15
Jeff Jensen
Thanks. Great to see you.

00;34;02;10 - 00;34;18;22
Gregg Sofer
Thanks for joining us on the Justice Insiders. We hope you enjoyed this episode. Please go to Apple Podcasts or wherever you listen to the podcast to subscribe, rate and review the Justice Insiders. I'm your host, Gregg Sofer. And until next time, be well.

Professional:

Gregg N. Sofer

Partner