On this episode of the R&G Tech Studio, data, privacy & cybersecurity co-lead Rohan Massey sits down with technology, media & telecommunications co-lead Ed Black to discuss how he goes into crisis mode when his clients are hit with a ransomware attack and how he works in tandem with forensics experts, communications and crisis response teams to understand the scope of the breach and its impact on clients.
Transcript:
Ed Black: I would like to welcome everyone to the latest edition of our R&G Tech Studio podcast. Super pleased that I'm here today with not only my partner but my good friend, Rohan Massey, a wonderful Ropes & Gray partner focused on data, privacy, cybersecurity and related issues. Rohan, thank you so much for joining us. We are going to spend some time talking about what you do in tech, but before we get there, maybe just give us two seconds about who you are, where you live and that kind of thing.
Rohan Massey: As you said, I'm Rohan Massey. I head up the data, privacy & cybersecurity group here at Ropes & Gray. The accent kind of gives it away—I'm based in the London office, and I've been with the firm eight years now. In fact, Ed, you were the first person I met from the firm all those years ago.
Ed Black: I'm still happy I did. Now, do you work just in London because I see you everywhere? How do you view the footprint of your practice?
Rohan Massey: The practice itself is global, so I do a lot of work out of London, but I travel a lot—I'm often in the U.S. A lot of our clients are U.S.-based or multinational, so I'm traveling to see them a lot as well as moving through Europe and Asia because of the opportunities we have out through our Shanghai and Hong Kong offices.
Ed Black: Sounds good. Alright, Rohan, we should turn to the meat of the podcast, and that is what you do in tech. Can you give me a quick overview of how you help clients in the world of tech?
Rohan Massey: Obviously, my practice is, as it says, "data, privacy & cybersecurity," so pretty much everything I do, I would say, is tech-related. Now, I work with private equity (PE) houses on compliance programs. I work with their portfolio companies in every industry from widget manufacturing to biotech, life sciences, pharma, all of those areas, and every time they're asking me a question or to come in and assist them, it will be something data- or tech-driven. Even those that think that they're not tech companies, maybe it's employee data-related issues, I will come in and look at how we can assist them, especially with regard to compliance in those areas. So, I'm always involved with our clients on a tech-focused basis.
Ed Black: Now, when you're working for these clients, can you just provide an example: What kinds of problems do you solve?
Rohan Massey: The types of problems that I solve are quite a broad universe. So, it could start with a compliance program. I will look at the data protection compliance program for an organization, especially multinational organizations. I'll look at how they can comply with the increasing number of regulatory laws and statute requirements in different jurisdictions, many of which are now extraterritorial, so for multinationals, that's a real juggling skill.
Ed Black: Can you give me an example just to make this concrete, something where a particular client had a particular problem that you helped them solve?
Rohan Massey: Sure, let's look at one I've done recently, which was post-transaction. We amalgamated two multinational groups, one of which had U.S. and a lot of Asian operations, and the other was mainly based in Europe, and so, bringing those two together had brought with it a huge employee database—some were on the European data protection, some under U.S. data protection, or some under the different data protection laws of Asia. And post-transaction, the group was looking to consolidate its HR and talent management database in the U.S., so we had to try and work out how we could get the data from Europe and the different Asian countries to the U.S. lawfully. It was quite a challenge because of the way that the target had been set up in Europe, they had very strict limitations on what they could do with their data, and I had to find a work-around for that. There was a lot of back and forth, and there were a lot of challenges, but we did manage to find a system, a practical system, based on the contextual risk that was coming out of what the data was being transferred for (its purpose), where it was being transferred to (the U.S.) and why it was being transferred really for the efficiency of the new, enlarged group or organization. So, we managed to get there, but it took a lot of explanation and a lot of understanding of different laws because the approach in Europe is very different to the approach in the U.S. A lot of the time, the U.S. client would get frustrated as to why certain data, be it ethnicity rates or sensitive data, couldn't be transferred, and the Europeans would be very frustrated as well that they were being asked to do things that they thought they couldn't do until I found a work-around.
Ed Black: Now, I know that compliance infrastructure is a focus, and that sounds like it's something where you saw the problem and moved forward, but I know you also deal with things that involve some retrospective issues, things where you're looking backward, like breach events. How does that fit in? If there's a ransomware attack, if there's some cybersecurity hack, how do you deal with that?
Rohan Massey: That is the second part of the practice, and its bread and butter where cybersecurity becomes the issue. For organizations, it's now a case of when they get hit rather than if they get hit. If it's a ransomware attack, it's locked down the systems—it's crisis mode from the get-go. I will get that call usually in the middle of the night or as soon as I've either booked a holiday or I'm on holiday—it's the way it works. And it's a full-on crisis response mode. So, we will come in, we will look at what the issues are, work with forensic experts, marketing and communications teams, crisis communications teams, and work through all of the issues trying to understand what the scope of the incident is, what the impact of the incident is, and what the remediation steps are, both on a technological basis, so the business can't stop operating, and also from a regulatory side. So, what notifications need to be given to regulators in which jurisdictions, and what detail needs to be in those.
Ed Black: I have two questions here, two questions on this one. The first one is the Ukraine War started, and I actually heard some businesspeople, some clients of mine say, "Thank God the Russian army is not tied up with somebody else. They won't be hacking us." There was this period of time when cybersecurity attacks, many of which are state sponsored, fell away, and people breathed a sigh of relief a little bit. But did that happen, and is that a permanent state? Where are we in terms of where these hacks are headed? Is it common? Is it less common? What's the trend?
Rohan Massey: The halcyon days of it being less common are over, but we did certainly see a dip from February last year, and this was reported by regulators—it was reported by all of those in the industry, both legal and technical forensic teams, that it certainly did. It looked like the business model of ransomware attacks where people were getting paid to unencrypt data was over. Sanctions have kicked in, so the payments couldn't be made. And possibly, there was a reallocation of resources because they were needed to assist certain states in their military advantage and offensives. That's over. This year, we've seen a massive spike back in cyber threats and cyberattacks. Critically, the thing we're seeing now is not direct attacks on organizations, but we're seeing the very sophisticated threat actors looking at third-party software, looking for vulnerabilities within that and attacking—so really, it's attacking down the supply chain.
The most recent one most people would have read about was MOVEit. They found a MOVEit piece of software, it's a file-transfer software—they found a vulnerability within that that even the developer didn't know about. They exploited it and got into thousands of organizations that use the MOVEit software. I've been involved in response to that in the U.K. for a number of organizations, and it's been really challenging because it's very difficult for an organization to prevent an attack that nobody knows is a vulnerability. You can't patch a vulnerability because nobody knew about it. But then, it's how you respond, and it's being clear and transparent with users, clear and transparent with the regulators, and then taking a step to think, "How do we fix this going forward? What better diligence can we do in our supply chain? What actions do we need to take in our audits and reviews to ensure that we are fully patched from an IT perspective?" So, we limit and mitigate risk. I don't think you will ever eradicate risk, but what I'm making sure clients have got is the least risk open to them so that they can use as many different resources as they need for their organization to be efficient.
Ed Black: I think the hard part about these responses is that everyone knows it's bad—everyone knows you've got to hop on it and that it's an emergency situation. Yet, sometimes, you hear businesspeople talk about how the treatment is worse than the disease, that the people who come in and who help you respond are very disruptive. How do you manage that? Of course, you can't eliminate some of the disruption—it's a hack, and people need to deal with it. But are there ways to handle these types of events that take into account the effect on the business that's experiencing them?
Rohan Massey: I certainly would take a very practical approach here—you've got to look at the risk and you've got to look at the context. Now, interestingly, with something like MOVEit, there wasn't a ransomware attack, it was a data exfiltration, so business could continue to operate absolutely normally whilst in the background we tried to do the assessment of what the implications would be. If you had a ransomware attack where your entire IT estate has been encrypted and you can't even send an email, so you're suddenly having to move to other forms of communication because you've got no corporate email, the mindset and the response should be totally different—I think they are. And the way that you manage that has to be different—it has to be practical. The most important thing that I think I bring to the table is that it's not my first rodeo. I have so many times talked with CEOs, C-Suites and boards who have gone almost into analysis paralysis because of the crisis response that they're in because they've never experienced it before, and they're trying to do way too many things at once, thinking they'll be moving forward when in fact they're either standing still or moving backwards. My job is to just basically take all of the heat out of our situation to say, "This is how we address it, x, y, and z. This is the timeframe. These are the people that we'll work with. If we put these processes in place, we should get to the end far more quickly, and we should be able to be in a position to justify our response to any regulator far more effectively." I think that's really important.
Ed Black: Spectacular. This has all been super interesting. I want to shift gears a little bit to a couple of areas that are a little less concrete. The first one is a little bit of crystal ball-gazing. If you had to look forward, if you had to say, "What's around the corner," from a data and cybersecurity perspective, something that's two to three years out, what would that be? What do you see headed down the turnpike towards our clients?
Rohan Massey: For me, two or three years out is probably already here—it's just not been made public yet because that's the way that technology moves. As a data privacy lawyer, I think the biggest concern is the confluence of data protection rights along with the technological developments we've seen in AI, for example, in facial recognition and large data sets. So, the ability to create, whether it's deep fakes or facial recognition linked to behavioral patterns and the analysis of those—it may sound very Minority Report, people showing the ability to commit crimes before they've actually been committed because of behavioral profiling and prediction—these areas for me, I think, are going to be some of the most challenging. Clients will be developing these technologies, and we have to make sure that they are developed in a compliant manner and that they are also ethically developed. I think that's a really important part of where my advice will be over the next three to five years. At the same time, I think we've got a societal responsibility. And I'm very certain on this that we have to be clear that we are protecting the rights and freedoms of individuals as we make these technological developments because the technological capacity that's out there is immense and can be used for harm as well as a positive influence on society. We need to make sure that the positives really do remain the important focus here.
Ed Black: Alright, I want to save some time for the portion of these podcasts that is my favorite. We're going to do this like a lightning round. First question is an easy one: Where do you live? What can you tell us about your personal life?
Rohan Massey: I currently live in South London in a neighborhood called Dulwich. It's quite a nice, leafy neighborhood, a long way from where I was born and grew up, which was in South Manchester in North of England. I've been down in London now for nearly 30 years.
Ed Black: Now, I hear you mention that you grew up in South Manchester. Would that be anywhere near the home of two of the greatest football teams on the planet?
Rohan Massey: It would. It would be very close to both Manchester United and Preston North End.
Ed Black: I see. Manchester City is 1,000 miles away?
Rohan Massey: Who? I haven't really heard of them. Sorry.
Ed Black: Next time you come to Boston, Rohan, my office is going to be painted powder puff blue. You're going to have to use a blue pen on a blue pad. Alright: Favorite books?
Rohan Massey: I think my favorite book would have to be One Hundred Years of Solitude by Gabriel García Márquez. It starts with the greatest opening sentence of any book and then gets better.
Ed Black: It's a perfect day. And you're dreaming now at night. It's a perfect sleep. You're in the happiest place doing that thing that you're happiest to do. Where are you and what is it?
Rohan Massey: I think I would be downhill skiing under a blue sky somewhere on a desert island. But it's only a dream, right? So, I'm sure I'm allowed to have it.
Ed Black: Actually, there are these 300-foot sand dunes in eastern Washington here in the States where people sand ski down the dunes. Would that be your dream?
Rohan Massey: Yes, I'm looking for a flight now.
Ed Black: Rohan Massey, thank you so much for joining us. It's been a pleasure having you.
Rohan Massey: Ed, it's been my pleasure to be here. Thank you very much.
Ed Black: I want to remind our listeners that this is the R&G Tech Studio podcast. It is available through the Ropes & Gray website, but also available wherever you find your podcasts. Thank you for listening.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
