Ambulance Chasing Goes Cyber (EP 909)

Bradley Gross returns to break down how ambulance-chasing law firms are targeting MSPs after data breaches—and what you must do to protect your business.
Hear from Bradley Gross, one of the tech industry’s top attorneys and founder of Bradley Gross, PA. With over 20 years representing MSPs, Brad shares what every IT pro must know as lawsuits skyrocket around ransomware events. The conversation covers the specifics of contract language, rising legal standards, and how vendor agreements now shape your liabilities. Listeners also get actionable resources, advice on insurance policies to review, and Marv and Brad’s take on setting real-world client expectations that keep everyone safer.
Actionable Takeaways
- Reevaluate your insurance: Confirm you have updated cyber, E&O, and liability policies tailored for cyber threats.
- Review and update your contracts: Ensure documents detail your services and their limitations, and clarify what’s not covered.
- Educate your clients upfront: Proactively manage customer expectations to preempt knee-jerk blame and legal action.
Companies, Products, and Books Mentioned
- Law Office of Bradley Gross, PA: https://bradleygross.com
- Technology Bradcast (podcast): https://bradleygross.podbean.com/
- Acronis: https://www.acronis.com
- SentinelOne: https://www.sentinelone.com
- Fortinet: https://www.fortinet.com
Show Information
- Website: https://www.itbusinesspodcast.com/
- Host: Marvin Bee
Hello, friends, and welcome to another episode of the IT Business Podcast, the show for IT professionals, where we help you run your business better, smarter, and faster. Today is a special report, and just to give you a little bit of an idea what we're talking about, usually in the last couple of years when there's been things like breaches and cyber-attacks, we've talked about the many lawsuits that are going, but now it seems that law firms are advertising to ransomware and data breach victims, and is this the next wave of genuine victim advocacy, or is this law firms' ambulance chasing with a digital twist? So we're going to explore that and see what it means for cybersecurity professionals. We're going to break down the surge.
We're going to break down the risk to IT pros, and to help me do that, I have my good friend of the show, Bradley Gross. You have seen him in the channel. He is the founding partner of the law office of Bradley Gross, PA, a recognized authority on technology law, 20 years of experience, and has been named a super lawyer 14 times, and is also host of the Technology Bradcast, where he shares insights on security contracts and legal best practices for technology professionals.
Brad, welcome back to the show. Nice to see you. Good to see you too.
It's nice to be here. Unfortunately, we're talking about how people are under attack by lawyers, and you're talking to a lawyer. So I'm going to tell them how to avoid people like lawyers, like me.
Avoid them. That's what this show is about today. It'll be interesting.
So let me ask, the way I described it in the beginning, that these law firms are reaching out to victims and saying, hey, if you've been breached, or if you've been victim of a ransom attack, you could be compensated. So let me ask, first of all, have you run into this in any form or capacity? Yes. So we have seen several MSPs that have been targeted by these plaintiff's law firms, these what I'll call bottom feeder law firms.
I am not a fan, as you can see, of that model, of that way of doing business. But it's like the old expression, you know, rob banks because that's where the money is, right? Well, now plaintiff's lawyers have turned away. Well, I shouldn't say turned away.
They have included among personal injury cases. Now they're seeing that there is money in data breach. So that's where they're turning their attention.
So my first thought when I saw this, first of all, there are billboards that people have noted that are out there. There are advertisements on the social medias, which is where a couple of people posted them. And I saw them.
At first, I'm thinking, OK, I can see it. Attorneys are looking for any advantage to get clients. And of course, cybersecurity is a big area now.
But then my second thought was to what does that mean for us? Because if the attorneys are getting the victims, who are they suing? I mean, because a lot of times they can't sue the bad actors. They're suing the I.T. professionals that are supposed to be protecting them. Of course, they try to sue the bad actors.
Right. But the bad actors are well covered with attorneys and so on. So they pick the lowest hanging fruit, which is the party between the bad actor and the customer that was breached, which is the MSP, the I.T. professional.
And they realize and they know that I.T. professionals generally have insurance and that insurance will pay out for nuisance value. But those types of lawsuits go beyond. The damage goes beyond just paying out an insurance claim.
There's reputational damage. There's internal struggles that now the MSP has to face within its own employees, its own customer database about why did this happen? Are we doing the right thing? The other MSPs are now leveraging this to their advantage to promote themselves over us. So the effects are far reaching.
They go beyond just an insurance payout. Right. So we both live in Florida, which is notorious for law firms doing this very thing.
And a lot of them have done it very successfully. I mean, the biggest, what should I call it? The biggest firm in the world when it comes to injuries and plaintiffs, Morgan & Morgan, is based right here. And they have ads that are all over social media, television and stuff, all of them, if you've been a victim of this.
And there's a part of me that, yeah, I get it. It's not icky to me. But for some reason, this attorney one, when it comes to cybersecurity, seems icky.
So that brings up this ethical debate. You talked about them being bottom feeders. There's nothing really ethically wrong with doing this, right? Right.
Well, there's nothing ethically wrong with doing it. And I call them bottom feeders rhetorically, meaning that it's the lowest hanging fruit. It's sort of the en masse, have you been injured? We don't really care what kind of injury it is.
Just call us, right? No matter what it is, no matter what the circumstance, just call us. Well, now we're starting to see that transposed to the data industry, right? Has there been a breach? It doesn't matter why there's been a breach, doesn't matter how you've been affected, doesn't matter. Just call us and we'll figure it out from there.
To me, it's the lowest hanging fruit. Like I said, it's sort of the, we're going to do this by volume, by numbers, without delving into the how and the why. It's sort of a shoot first and ask questions later.
So MSPs have to be aware that that model now, while it existed in the PI industry, now it's starting to exist in the data breach industry. And understanding that this is now, that model is being transposed to the industry wherein you have to take precautions for it, right? You have to take precautions. Now, some of the things that they have done, it's basically, like you said, they've said, have you had your data breached? Have you done this? I've been a victim of here.
Now, they're not actually promising compensation. And I'm assuming that if they did, they would get trouble for that, but they are saying- I'm not saying that any of them are violating the law or being unethical. No, not at all.
There are ethical rules and I'm sure that all these law firms, not even pointing at any particular one, comport with those advertising rules. And if they don't, well, then there's the bar of any applicable state that they're operating in and they'll deal with it. My point is that what used to be something that was only seen in one particular area of society, personal injury, now is being moved to our industry.
And it's scary. It is very scary because they are not looking for, generally speaking, one or two people that have had their privacy or their data breached. They are looking to start class actions.
That's where the real money is. You know, if one person had their data breached, you have to sort of first prove standing, meaning you have the right to be in the court, then you have to prove damages and so on. But if you could find hundreds of people that say, yeah, you know, my data was breached, or it ended up here or there and so on, suddenly you can start to make shape of this amorphous, of all these amorphous claims into a class action.
Class action lawsuits are millions and millions of dollars in damages. So that's why you're seeing, if you have been breached, call us. Because they're not really aiming for the individual victim.
They're aiming for class action. And of course, who pays for that class action? The MSP. Right.
So in the recent suits that we've talked about, usually it's been an MSP being sued by their client. We know that Acronis got drug into one. We have known breaches that have happened at some of our larger vendors over the years.
Could this be something where they're now going to go after those large vendors as part of this, which will trickle down to us? For sure. For sure. I think that the vendors themselves are aware of this and they're starting to become stricter with their licensing agreements.
I have seen an evolution in the vendors' agreements that they're offering to MSPs. They've become far more restrictive, far more limiting. And what the MSPs should realize is that if they have limited ability to go after the vendor, well, they shouldn't be offering more than that to their own customer.
Right? You don't want to promise your customer something more than you're able to fulfill on the other end. MSPs have to be aware of that. So along with being aware, what are the things that we should do ourselves, knowing that this is coming down the road, even though it doesn't directly affect us, it will at some point.
What are some steps we can do? Well, I think that right now, everything in the data breach in the privacy security area is governed by two principles. One, what does the contract say? And then two, reasonableness. Are you acting reasonably? So I'm going to start with the second one and then work back to the contract.
Reasonableness. There is no standard in the US that says that you must implement a particular solution to protect data, to be secure. There is no law that says that you must hit a certain level.
Instead, virtually all the laws relevant to this topic say that you have to implement solutions that are reasonable given the type of information that you have, right? The scope of that information and the risk that should it get out into the public sector, the risk to the affected people. So you have to consider all of those and then implement a solution accordingly. So MSPs first would be well-advised to make sure that their own house is in order that they are using industry-recognized solutions, that they are not skimping on their own house, their own defenses.
Because another principle that we're going to talk about here in this area is that nothing's 100% secure. And the law doesn't require a solution provider to be 100% secure. It's not required.
You have to act reasonably, okay? So that's the first challenge that I'll make to MSPs. Are they acting reasonably, right? Do they have their own house in order? Are they using solutions that are multi-tiered, that affect the various conduits through which data is collected and so forth? This is the first thing that MSPs have to think about. And they do not have to worry about, well, what if something happens anyway? If you're acting reasonably, you're going to be in good shape.
That's part A of what I want to say. Okay. However, I just have this question because reasonable seems to be very open to interpretation.
And there seems to be a big gap as to what the standard of care should be based on us as MSPs, what we're supporting. Now, I know our vendors are telling us, hey, if you want a good standard of care, you're going to use our product. That's probably not how we should look at it.
It's a whole comprehensive look at your stack and all of that stuff. But is this going to start to raise that level of reasonableness or that standard of care? Yeah. Well, I think that the standard of care is going to go up as MSPs become more ubiquitous.
They're dealing with more and more personal information, personal health information, financial information, and so on. But the status of the law right now is that there has to be a reasonable... You have to implement a reasonable solution to protect this data over which you have control. Now, what is scary, if you read these lawsuits that have come out, these breach lawsuits, you say, oh my God, these breach lawsuits are becoming more and more frequent and people are getting into trouble.
But if you really delve into them, they usually fit into one of two categories. Either A, the service provider didn't implement reasonable security or dropped the ball in that regard. Or two, the parties didn't have a contract that explained what solutions are in place, what the customer can expect and what the customer should not expect.
So it's either the MSP just dropped the ball as far as security or didn't have a contract explaining the realities of the industry. And those are the cases that come out and they're becoming more frequent. So people are thinking, oh my God, we're in a lot of trouble.
No, no, no, no. I stand by and maintain that if you implement reasonable security in your workplace and if you have a proper contract with your customer, you are minimizing, if not eliminating it, significantly minimizing the risk that you're going to become a victim of a class action lawsuit. How much fun is this for you now, knowing that there's another level that you have to worry about? Because people like me are going to come to people like you and say, help me, what do I do? Well, you know what it is? It's not so much fun as much as vindication.
And here's why. I've been getting up there now, I'm in my 26th year of doing this. And for 26 years, I have been preaching how MSPs and service providers, I started by the way when they were called ASPs, Application Service Providers, now MSPs.
I have been preaching that they need contracts for what could possibly happen. And lots of MSPs over the years, over the decades have said, yeah, but you know what? MSPs don't really get sued. Yeah, we have a budget.
We can't really, you know, we don't want to put any money into legal and so on. Well, now sort of the things have come home to roost, right? Now we're seeing plaintiff's lawyers turn and say, hey, there's a lot of money in this industry. And there are breaches.
And I think that we can make enough noise, muddy the waters enough that people will start to pay just on the mere threat of litigation. So, you know, it's sort of vindication. I'm not happy that it's vindication.
But yeah, it is vindication that now MSPs are saying, maybe we do need contracts, even though we haven't been sued in the past, even though we don't know a lot of people have been sued. But now seeing the tide and you know, what's coming in, I think maybe we have to change the way we're doing things. Yeah, I know that adding, you know, a cyber policy was something I've done now.
So I've now got three policies, my general liability, my E&O and my cyber, that's one thing, writing more stuff into our contracts. It sounds like a lot of us are going to have to revisit that and put in some of these. You're certainly going to have to revisit insurance.
And along those lines, you know, I encourage everyone to contact their broker, their insurance companies and so on. If they don't know, obviously, they can drop me a line, I can refer people out. But more than that, okay, from my perspective, while you have to revisit your insurance and what you have, you have to revisit your contracts, you have to make sure that customers understand the reality of this industry.
And the reality is, okay, that nothing is secure, 100% secure, I should say, that breaches will happen, even in the presence of best practice, even where somebody is, you know, doing everything they're supposed to do, a breach can still happen. By the way, I'm dealing with a case right now, MSP, a customer was breached, they had SentinelOne and Fortinet in place. Both, I mean, two top tier, you know, I'm not promoting or endorsing anything, but I think we'd all admit SentinelOne and Fortinet, those are top tier solutions, both were in place, they got breached anyway.
The point is, is that even in the best-case scenario, breaches happen. And that unless something was due to the negligence of the MSP, that the client can't just simply make an allegation and a claim and expect to recover. These are the things that have to be addressed in the contracts with MSPs.
Because, you know, I think that if MSPs ask their customers, you know, once we implement this, if they could do like a survey, and they said, if you get breached, who are you going to blame? First thing they're going to say is you, the MSP, right? I mean, it's not going to, they're not going to sit back and say, well, we're going to look at it and see whether you are to blame or the upstream provider, but I'm going to blame you. And the reason why that would be the knee-jerk reaction, the knee-jerk answer, is because no one's told them differently. No one has told them differently.
It is time for MSPs to tell their customers differently. Explain the story to them, explain the circumstances. Well, before they talk about who to blame, usually the question before that is, how could this happen? That's true.
And that's where you have to say, well, you know, yes, we've got all, I thought we had protection for that. I thought we did, you know, and yes, explaining to them, yes, we have protection, but just like a burglar can break your window, you know, to your house, your doors could be locked, your windows could be locked, your alarm could be on, but they can still get in. They could still get in.
Right. And it's not, it's not the alarm company's fault. So I think that this reality, and this is, by the way, and this is another thing that I preach, and this is where I sort of differ from other attorneys in the space.
The way I approach it is a very reality-based approach. Okay. That's what your customers are looking for.
That's what they're begging for. They don't want to see contracts that just say, oh, if we mess something up, there's limited liability, limited warranties. They are begging for information.
They're begging for education. Tell me about the risks that are out there. Tell me what you can cover.
Tell me what you can't cover. So I know, right? I know what's not covered. Tell me this.
MSPs are either scared to tell them, right? Because they're saying, oh, we don't want to admit what we can't cover, or they're just lazy and they're not saying what they can't cover. My position when I'm, you know, preaching here is you have to explain to your customers, they're begging for this information. More information in this area will keep them from calling lawyers, will keep them from riding home, seeing that billboard and saying, I think I should call that lawyer because I got breached.
That's my point. More information. All right, Brad.
Well, thank you for coming on and chatting about this. I know it's just the tip of the iceberg, and we will probably be chatting about this more. Is there any last thoughts that you want to let MSPs know as we head out here? Yeah, I think that you need to do two things.
One, reevaluate your insurance, make sure you're insured. And then two, take a serious look at your contracts. And if they just talk about, well, if we're breached, if we did something wrong, rather, this is our limit of liability.
No good. I want you to all, I want all of your viewers to look at their contracts and say, does it explain what the service does? What it doesn't do? What its limitations are? Are you managing your customer's expectations through your documents? If you're not, reevaluate. All right.
Well, there you have it, folks. Bradley Gross, the law. This is Bradley Gross, another Florida man here.
Once again, we're just a few minutes apart, but we're talking across video. Folks, that's going to wrap up our deep dive here into the legal storm that is now surrounding ransomware and breach victims. And if you're an MSP or an IT pro, stay tuned.
We will have more practical insights from experts to help you keep your business safe, your clients safe, and hopefully not deal with these. I'm going to go ahead and say that these are predatory advertisements that now could be trying to drag us in. So that's it for the day, folks.
We'll see you soon.

Bradley Gross
Bradley Gross is the founding partner of the Law Office of Bradley Gross, P.A., a law firm that specializes in transactions involving technology service providers, VARs, technology solution resellers, cloud solution providers, IT professionals and technology companies worldwide. Bradley is one of the leading international legal authorities in the area of managed service provider transactions and has been named on fourteen occasions to the national list of ‘Super Lawyers’ in the area of IT & Technology Law. Having counseled thousands of MSPs across the country, Brad has "seen it all and done it all" when it comes to managed service transactions. Brad also runs the Technology Bradcast podcast, covering security, licensing and contract issues for MSPs.