Unsecurity Podcast

Evan and Brad are joined by Justin Webb. Stories have been circulating about the Target data breach and how they’re suing their former insurance provider from the infamous breach of 2013—a breach Evan served on a special litigation committee for. Justin is a data privacy attorney from Milwaukee and provides some insight into the this story from a legal perspective.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: Welcome back Unless you’re lost. You know that this is the Unsecurity podcast. This is episode 56 I’m Evan Francen senior host. The date is december 2nd and joining me is my buddy. I’m calling you my buddy Brad. I’ll take it. You’ll take it. I’ll take it sweet. We’re buddies. How was your thanksgiving holiday?

[00:00:42] Brad Nigh: Good. How long was it?

[00:00:45] Evan Francen: As long as every other one. Right.

[00:00:47] Brad Nigh: Yeah. When you have a bunch of family around it saying it seems like uh, and then like bad weather where you can’t get out and do stuff. It gets,

[00:00:57] Evan Francen: yeah, I had to shovel my roof twice. Yeah. Well my house was built in 1872 so I have the insulation isn’t quite as good as, you know, normal houses. So you get those big icicles that hang down. But anyway, that’s

[00:01:11] Brad Nigh: no fun. Yeah. How was your thanksgiving other than shoveling your

[00:01:15] Evan Francen: roof, shoveled my roof. Uh went out shopping. And uh, I saw the pictures. Did you really? Where do you see those?

[00:01:24] Brad Nigh: Uh, I showed me,

[00:01:26] Evan Francen: I wasn’t on facebook. Gosh man, people cannot stay off of facebook. I didn’t post those. No, but they were good. A friend of mine did. I liked your backpack. Yeah. A little backpack. Yeah. Anyway, Yeah, that’s what I do when I go shopping. I just mess around. I didn’t buy to do

[00:01:42] Brad Nigh: something to entertain yourself.

[00:01:43] Evan Francen: Yeah, I didn’t buy anything. I don’t, I’m not good at buying stuff. All right, well, we have another awesome show plan today. A couple of weeks ago, I read a news story, uh, about the target, uh, target the target breach. Just kind of lives on right. It happened in 2013. Here we are six years later and it’s almost to the day, six years later, we’re still talking about target and the target breach. Uh, this time the news story as target is suing chub their insurance provider. Actually, it was a space was the original insurance provider chub purchased ace not that long ago. And so now it’s chubs problem, But it’s about claims related to the Target Breach of 2013. Six years later, the fallout continues now. People who know, uh, my past. Uh, no, I spent a long time, almost two years, uh, as a consultant to the special litigation committee, which for people who don’t know what that is, essentially. Target sued. Target, right? The shareholders filed suit against the board of directors. When that happens, it’s called the derivative action or so I’m told I’m not a lawyer. Uh, and the special litigation committee is assembled and its job is I think to investigate the charges. Um, and then consult the judge or the court on whether or not to proceed. So in all of that, my job was to consult the special litigation committee, a bunch of lawyers, which was fun. You know, I think lawyers are different breed than me. But some, some will say the same thing about security people. But anyway, I mentioned that because the target breach, you know, I know many, many things I know the inside stuff, but I’m still, you know, obviously under confidentiality. So I can’t say, you know too much, but we can certainly keep it to what’s public. Um, so when I read the news though about this lawsuit, I figured I’d reach out because it’s an insurance thing that I’d reach out to, you know, my favorite cyber insurance guy, David, Cruz to get his take. And then David, who long story short, just had a baby. So congratulations to David. I hope you’re listening and enjoying not your sleep, but enjoying the baby. Uh, but he introduced me to this cool guy, this cool cat called, His name is Justin Webb is an information security guy. Uh, and uh, an attorney, a privacy attorney with Godfrey and con uh, leading long firm out of Milwaukee Wisconsin. So welcome. Justin

[00:04:25] Justin Webb: Hey guys, I’m glad to be here. You, you mentioned earlier that, um, you know, information security people are a special breed and lawyers are a special breed and I’m both of them. So that makes me, I guess extra special or extra weird. Probably a little bit of bold.

[00:04:42] Evan Francen: Yeah, definitely a unicorn.

[00:04:44] Justin Webb: Yeah.

[00:04:47] Evan Francen: And I was looking at your at your past. I mean you’ve you’ve got a pretty good background, I think you marquette University, are you still at marquette University? No,

[00:04:57] Justin Webb: or Yes, no, I’m at dad’s Rincon now. Um But I was I was the information security officer at security analyst there for about 4.5 5 years. Um And at that time there was only um one person in that role. So I was sort of doing cyber security for the university by myself. Um And then I um I was also going to law school at the same time, so when I finished then I um went to work for a federal judge for about a year and then I started practicing law and I’ve been doing sort of cybersecurity data privacy law Um for about five years now. So um it’s been really fun and it’s it’s super helpful to have like a technical background when you’re um doing uh you handle data breaches and cybersecurity related things. Um So it’s really good to have that technical background. There are there are other attorneys out there to have that background, but they’re pretty rare. Um So it gives me a sort of a unique perspective,

[00:06:02] Evan Francen: including the attorney, you know, I know I read a little bit and we’ll get to this in a little bit too. Uh Briggs and morgan I think is involved in the maybe the representing target in this lawsuit. Uh because I know Briggs and morgan, I know Philip uh shaking berg, I can’t, but I could never say his last name right. Um but I think he was he came about it the other way I’m speaking based on what I remember about him, uh a lawyer who then got into cybersecurity, whereas you kind of came at it from your an information security person at the same time and then became a lawyer, right?

[00:06:42] Justin Webb: Yeah. And I think a lot of, a lot of attorneys come in the other direction um because they may go through straight through law school but having like an interest in it. Um and then you’re sort of um learning the technical stuff um while you’re practicing law and that can be pretty challenging. So I’m always impressed when they’re sort of super smart attorneys who know um technical stuff and the legal stuff. Because it’s it’s a lot to fill your brain. I forget a lot of things because I feel like my brain is full. So

[00:07:16] Brad Nigh: yeah, we have definitely worked with uh some attorneys that for like, yeah, okay, whatever, they clearly have no idea.

[00:07:25] Evan Francen: Well, it’s funny when I was on the special litigation committee, uh are the consultant to the special litigation committee um central to the case with target was network segmentation versus isolation and you know how the attacker was able to pivot from the corporate network into the cardholder data environment and. Um And I was talking to speaking to attorneys there that didn’t even know what a network was

[00:07:53] Brad Nigh: eyes glazed over.

[00:07:55] Evan Francen: Oh my gosh. And it was like, okay whiteboard. And it took, I don’t know, probably uh, a week of daily sessions trying to get them just to understand what pip is. And

[00:08:09] Brad Nigh: this is, these are not dumb people, these are like super smart people. That just, it’s not how their brain works. It’s right. Yeah.

[00:08:18] Evan Francen: I also learned from my time there because I think that was the first time I spent hours and hours and hours with attorneys working on a breach, uh, that they have a different sense of humor than security people.

[00:08:31] Justin Webb: That sounds about right? Yeah, because I

[00:08:35] Evan Francen: would, I would tell a joke and thinking that this is the funniest thing. You know, I’m trying, I want to fit in with these guys and they look at me like I’m from mars then they would say a joke and be like, I don’t get it and they’re rolling. It’s like whatever. Sorry.

[00:08:51] Justin Webb: I mean, I think I’m a big fan of lawyer jokes. Um, I feel like you can’t laugh at yourself. Um, you know, you’re doing something wrong. Uh, so, um, maybe I have that like mixed sense of humor, but I think that’s hilarious because that sounds about right. Also totally interactions

[00:09:10] Evan Francen: when you get it both ways right? Because you are, you know, you are a security guy and you are lawyers, you probably get both sense of you know sense of humor. Maybe it could be that translator.

[00:09:19] Justin Webb: Yeah, maybe I also get people who um just asked me to help him with you know general computer things. So uh you know clients pay us um a decent amount of money per hour and sometimes I’m spending at troubleshooting somebody’s iphone. So um you know you never get out of the I. T. Support um um realm. I’m sure that happens to you guys too.

[00:09:44] Evan Francen: Oh yeah I still have my my mother in law asking me to fix her Windows XP

[00:09:50] Justin Webb: XP

[00:09:52] Evan Francen: Like Lady please lady. I do say you kind of say it like that but it’s time to upgrade but I don’t want to upgrade. No you really need to upgrade. And at that point it’s a whole new system, right? I mean we can’t

[00:10:04] Justin Webb: anyway it’s a lot of training.

[00:10:06] Evan Francen: Yeah. Whole nother story. Uh So you’re at Godfrey and Con uh can tell for people who don’t know what you do. Tell us a little bit about what you do there.

[00:10:17] Justin Webb: Sure. So Godfrey Cons and enter a law firm of about 880 attorneys. Um and it’s sort of like a full service law firm. So we have corporate litigation healthcare. Um we do some work in um startups. Uh you know we sort of have the full slate. We have an insurance practice. Um So we have attorneys in all different areas. um And I co lead the data privacy and cybersecurity practice group and I’m also a member of the sort of larger technology and digital business group. Um And so my my practice is a mix of data breach response so helping clients um when a data breach occurs um also helping companies with their cybersecurity programs so uh written information security policies and incident response plans and doing tabletop exercises to prepare clients for a breach. And then there’s the data privacy side. So I’ve been spending an inordinate amount of time with clients on the California Consumer privacy Act, which goes into effect on January one. and then G. D. P. R. Which is the european data privacy regulation. Um We’ve worked with a number of clients on that um and then just sort of like general um I guess I could see like regular privacy laws in the United States. Um And then our firm also does some um uh a lot of mergers and acquisitions so companies purchasing other companies um And so a lot of the work I do there is just data privacy and cybersecurity due diligence, so let’s get under the hood of a company um see what they’re doing on cybersecurity, see what they’re doing on data privacy um and sort of get a sense of how much risk there is, you know they using multi factor authentication? Have they been doing like penetration testing um going through all of the normal things you would do if you were an outside cybersecurity consultant on the one hand and then sort of framing that within the larger sort of legal compliance obligations. Um because there have been a number of um purchases of companies um uh mary at yahoo um where there was either a latent breach going on during the purchase process or something discovered post um purchase which can have a big effect on the valuation of the company and can cause lots of headaches afterwards.

[00:12:55] Evan Francen: Yeah absolutely. So how do you that brings up a really good question or question off. It’s a good question. But um how do you protect your how do you protect yourself against purchasing a breach? Can you write that into the contract or something so that you know when I if I’m looking to acquire another company and I want to protect myself against you know maybe a breach that I don’t know about. Can you write that into the contract and protect yourself legally? It that way

[00:13:23] Justin Webb: yeah I mean you typically will put um what’s called like a representation of warranty in the purchase agreement that says you know the company represents and warrants that they you know the seller of the company represents and warrants that they have not experienced any like material security incident or data breach etcetera. Um Sometimes that’s knowledge qualified which means that they’re saying like to their knowledge they there’s not a breach. Um But typically, I mean we don’t um right a purchase agreement or negotiate one that doesn’t have that rep innit? Um Unless there’s some extenuating circumstances or we can’t get somebody to agree to that. But yeah, that would be the typical way that you would address it and you can you can get further under the hood if you want. You know, So if you’re buying uh you know, yahoo are uh Marriott, you might bring in an outside cybersecurity consultant to do an actual vulnerability analysis, penetration testing, um potential historical breach analysis if you’re really worried about it. But that typically doesn’t happen a lot in um sort of run of the mill middle market deals.

[00:14:36] Evan Francen: Yeah. I’m actually surprised and how many middle market deals they don’t do enough information security due diligence. Do you see that?

[00:14:45] Justin Webb: Yeah. I mean I think it depends on the level of sophistication of the attorneys and the parties. Um you know, we do a pretty comprehensive job on that and I think it’s absolutely critical um as companies have, you know, more and more information and um you know, it doesn’t have to be just protecting personal information, right? It could be, you know, if your coke protecting the formula to coke or um you know, other intellectual property, trade secrets etcetera. Um And so you know, I think I think the game is being raised and people are more in tune to it. But I think if you look at things maybe five or 10 years ago, there wasn’t a lot of energy spent here now in deals. This is probably the area that gets the most sort of negotiation um, over the reps related to this because a lot of it too is sort of unknowns when you’re making a rep that there hasn’t been any data breach, you have sometimes limited information. Um, and there could be, you know, like some sophisticated nation state attacker in your network that nobody would have been able to discover. Um, and so, you know, there are certain scenarios in which it’s probably unrealistic to be able to say that, you know, for sure that that hasn’t occurred, you know, so it’s an interesting area that’s definitely getting a lot more attention and I think incidents that have occurred where companies have been purchased. Um, and there have been data breaches that were ongoing, have sort of raised the hackles of um, you know, attorneys in this area and they’re spending more time um trying to get into the hood a little further, but there’s no silver bullet. Obviously, I

[00:16:29] Brad Nigh: know we’ve got a couple of companies that are focused on merger acquisition for growth that have put together and are using like uh our vendor risk management platform and they’ll send them, you know, basically treat them as a high risk vendor go from there and take that as at least a starting point. So, you know, we are seeing some that are doing it. But yeah I agree. It’s it’s a little surprising you don’t get more. Yeah like under the hood

[00:16:58] Evan Francen: you know

[00:16:59] Brad Nigh: it’s not cheap to have

[00:17:01] Evan Francen: a good eye breach and it could be a tangled web. Two, right? Because if I’m acquiring another company and let’s say that I didn’t do my proper due diligence in the acquisition before I purchased and then you know a breach, is there or something that I should have sort of known about now? I assume that you could make a case that there’s some liability on on my part because I didn’t do that due diligence. So maybe my shareholders, my stakeholders could file suit against me potentially. Uh I mean is that a thing Justin or mike?

[00:17:34] Justin Webb: Yeah I mean I know I think that’s that’s a potential valid claim. Um I mean it would be sort of like a lack of oversight um um uh and I think you know you can pretty much get sued by shareholders for anything. Um And so I think that that’s certainly possible and I think um you know part of protecting against the risk is to do um some extensive due diligence and I think um you know the the more sophisticated deals with private equity who are buying sort of technology companies, they get pretty far into the weeds, you know if you’re buying a company that has code, they’ll do, you know open source software scans and do static code analysis to determine if there’s any flaws in the code. They will have you know outside I. T. Consultants come in and look at you know all kinds of systems. Um And you know look at you know the underlying code as well um or at least run it through a third party. You can do that. So um you know there is more sophisticated stuff. Absolutely you could have some you know a group of shareholders um going to be in their bonnet. Um And maybe rightfully so if you didn’t do um the right to diligence in the deal and it caused either an entity ending or significant. Um Yeah cost problem or expenses. Um Even even more. So if you didn’t have the right reps and warranties in the deal that would allow you to potentially recover um For you know somebody telling you that there was no breach when they’re actually was or they should have known.

[00:19:10] Evan Francen: Yeah. I’m surprised because we we have what Maybe 800 active clients today here at f are secure and maybe 1500 that we’ve worked with. 1200 or so. So we come across a lot of many um mergers and acquisitions and I’m surprised at how often due diligence, security due diligence isn’t actually

[00:19:32] Brad Nigh: it’s financial due diligence is always looked at the books. Good but no very rare to see. Although we did have somebody asked if we could do like uh with their new Ir stuff, we were doing threat hunting, they said could you come in and do threat hunting and if we were gonna purchase someone rather doing a risk assessment do yeah look for those signs of the breach. Yeah. Right.

[00:19:57] Justin Webb: I mean the other the other thing that we we see or at least that I typically advocate for um is you know, there there are lots of services that sort of like cul publicly available data, you know, so like compromised email accounts of a business and um you know like um email server settings, you know like chicken and demark and stuff like that um to sort of get an outside sense for what a company cybersecurity posture is. Um and so that those would seem to be um in some respects um uh an easy way to get an outside perspective on a company. So you know, like a security scorecard or something like that. Um And so that’s another way you can at least see what the external world sees about the company um when you’re potentially purchasing them and um make some kind of analysis based on that, it doesn’t tell you what’s under the hood, but it does tell you what other people think about it. And if they have like tons of compromised credentials, you might want to get a little more worried. Right?

[00:21:02] Evan Francen: Right. Yeah. And I think, you know the the thing I have, you know, you mentioned security scorecard, The issue I have with that is when people think that that’s comprehensive, you know what I mean? When the most, when the most, the riskiest part or the, you know, the most significant risk is probably people. It’s probably something internal anyway, but good point. I mean you bring up good points about due diligence is important I think. And while it is, yeah, mergers, I’m

[00:21:32] Brad Nigh: just wondering at what point, you know, not doing it kind of like with hip, right. It’s no longer defensible to say I didn’t know you have to do the risk assessments. I wonder how long it’s gonna take before that becomes the norm.

[00:21:46] Evan Francen: Yeah. Well it’s more so today than it was.

[00:21:50] Justin Webb: Yeah. I mean, I think we’re getting close to that point. Um, especially in, in any company that’s got um, personal information, um, you’re, you’re, you’re pretty much playing with fire when you’re not doing that kind of due diligence. Um, mostly because there’s just so much, you know, especially after CCP a um, goes into effect on january 1st. There’s just a lot more privacy and cybersecurity due diligence to be had for sure.

[00:22:20] Evan Francen: Well let’s move on. Let’s talk about target versus chub I assume Justin, you know about this case and you probably dug in a little bit and seen read some things about it.

[00:22:31] Justin Webb: That is correct.

[00:22:32] Evan Francen: What, what’s your take because this was a general liability insurance claim. One of the things that was interesting, you know, when I read the, read the actual lawsuit, there’s this thing called loss of use of tangible property that is not physically injured. That seems to be central to the case that targets bringing against chub. Am I reading that right?

[00:22:56] Justin Webb: Yeah and this is an interesting case generally, but you know you could um have the loss of something. So like take for example a car right? You could have the car stolen or it could be um somebody could poor, you know, sugar in the gas tank and it didn’t work. So you can have like the loss of a use of property without any tangible intangible injury. The sort of sugar in the gas tank is a bad example but there are ways in which um something can be sort of like disabled or otherwise um have an inability to use it without actually um damaging the property itself. And so that’s what that sort of catch all is typically meant to cover. Um And so target is using that here to say look when you have a data breach and there are credit cards that are used and those get compromised as part of the breach, the issuing banks have to reissue the cards and therefore those previous cards that now the number has been disclosed are no longer usable. Uh And so that’s you know um a loss of use of that piece of property of the card itself. Um And so um you know we have to pay for all of these are we settled litigation and otherwise negotiated settlements with various card brands and others um to um you know have these cards reissued to cardholders. And so um we think that that falls under the scope of our general liability policy um and this sort of loss of use provisions

[00:24:32] Evan Francen: and they’re seeking $74 million dollars I think in

[00:24:35] Brad Nigh: yeah

[00:24:36] Evan Francen: in damages

[00:24:38] Justin Webb: correct. And I think I think you know for cyber liability insurers, the the worry is always that the claims fall outside of the you know what would typically be a cyber liability insurance policy. So typically you have like a general liability policy that sort of meant for like premises liability people getting injured, like actual tangible property. Um And typically those aren’t meant to cover or insurers typically don’t like to cover under those um damage that arises out of breach. And so there’s been some other cases involving general liability policies and um you know the opinion and the insurance industry is that that’s not where those claims are supposed to go. Um They’re supposed to go under a cyber liability policy that covers you know first party data breach expenses, like hiring an attorney like me to help you through the data breach, you know doing a forensic investigation um and sending out notification letters etcetera etcetera. Um And uh and then third party expenses which are you know lawsuits arising from the breach itself. So like I get sued by, you know, people who had fraud on their accounts and even finds arising under pc or lawsuits arising under there. Um, And so I think whenever you see it sort of creep out into a general liability policy, um, that’s when insurers um, you know, take a hardline stance and there isn’t a lot of detail. One thing I noticed is there’s been a lot of detail in the lawsuit about sort of the underlying policy, um, and what the, what it defines as a an occurrence. And so it’ll be interesting to see, you know, whenever you get a complaint in the lawsuit, you’re seeing sort of like one side’s take of the case in the light most favorable to that person. Um, and within the facts that they have or the allegations that they potentially have. And so it will be interesting to see um, Ace and shrubs answer in this and what what the basis is for um, them denying the indemnity under the policy because it sounds like at least based on reading of the lawsuit and bearing in mind that I have no involvement in this lawsuit whatsoever and don’t represent either of the parties. Um,

[00:27:02] Evan Francen: Was that like a legal disclaimer you just

[00:27:03] Justin Webb: did right there?

[00:27:04] Brad Nigh: Yeah.

[00:27:06] Justin Webb: Um, is that, um, they um, have been negotiating for awhile over this, um, or at least been in discussions and it sounds like, um, you know, ace slash chubb has said um no we’re not gonna identify you for this, they’ve been talking about it, I’m assuming they probably issued some kind of coverage letter that said no we don’t think this is covered under the policy. Um And so that’s why so targets filing a lawsuit for two things. The first is breach of contract, which is a breach of the insurance agreement between the parties. And there’s actually like multiple policies here, there’s an underlying policy, an excess policy and then another policy on top of that, there’s three. Um And then the other one is something called declaratory Relief which is I go into court and I say, hey judge I want you to declare or issue an order that says that chub slash ace needs to pay me for this so that the court will interpret the contract an issue, a judgment saying yep based on my reading of the contract, they are required to pay you for this. So typically as the case progresses, the declaratory relief um um um would go away uh because the breach of contract claim will potentially resolve the entire thing, but sometimes it stays and it depends on the court, but they’re effectively the same kind of relief because if you win the contract claim, the court is declaring that you’re entitled to be reimbursed under there. So um that’s sort of how all of that works, but this will be an interesting one and I think a lot of insurers and insurance will be paying attention to this case.

[00:28:52] Evan Francen: Yeah, for sure. Now in a yeah, because it’s like watching two heavyweights slug it out. Right. And yeah, the and i is there legal, so whatever happens in this case, will it set legal precedent for other cases in the future?

[00:29:13] Brad Nigh: Opened the floodgates?

[00:29:15] Justin Webb: Potentially. I mean, I think one is one of the things that um you know, every case in the insurance world um has the potential to do that. I think one of the things, you know, the one thing, one of the reasons why it might not is that each policy is written sort of in its own terms. Right? And so it would only set precedent to the extent that you had a similar policy um that had similar coverage. And typically if these kinds of things occur, um insurers are pretty quick to make modifications to the common coverage form um and common language that they typically used to make sure that, you know, there aren’t interpretations of it that are inconsistent with what they intended. Um So I think, you know, potentially there could be changed, but absolutely every case has the potential to set precedent. And I think um you might see um what are called amicus briefs which are sort of like friend of the court briefs, if this were to go up to the appellate level. Um It’s probably gonna be um a considerable amount of time before the case is resolved, especially if it’s appealed. Um And if you’re if you’re insurers you certainly don’t want to have um negative precedent out there. Um That’s sort of broadens the scope of the amount of money or reimbursement or identification that you’re required to do in the policy, especially if that wasn’t contemplated as part of the initial underwriting um You know, like these kinds of expenses and so um you know, it will certainly be um one to watch um like I said, I think it will be interesting once the answer is filed, I’m sure there’ll be a motion to dismiss at some point in time. Um And then you know, you get a lot more of the factual basis underlying um the actual claim itself.

[00:31:09] Evan Francen: Now what will the, will the response also be publicly available?

[00:31:14] Justin Webb: Yeah, so the answer um unless it were to be filed under seal, which I can’t think of a reason why it would be typically can’t file one under seal, it would be um public. So um and I haven’t checked the docket yet to see, but I know the lawsuit was filed Um a few weeks ago I believe. And so um the answer would be due within normally it’s within 60 days.

[00:31:38] Evan Francen: Yeah. Yeah, it was filed on 15 November, so maybe middle of January

[00:31:45] Justin Webb: maybe. Yeah, yeah and you can always file an answer early. Um or they could file a motion to dismiss as opposed to an answer. Um So there’s there’s a whole bunch of different ways that it could evolve, you know, the one of the underlying sort of um interesting parts about this lawsuit or at least this area is, You know, back in I think 2007 or 2008. And then again in 2010 you had states who passed laws that actually allowed financial institutions to recover these exact kind of expenses. So your home state Minnesota has a law that says if you have a data breach um and it affects financial institutions and they have to reissue cards to cardholders, then those financial institutions can recover the money for that. Ah And so it’s not just sort of like this underlying lawsuit that target had against cardholders, but there was some basis in law for that. Um And state legislatures had done that and it was based on pc. I. So there was this codification of P. C. I. And the state of Washington sort of did the exact same thing.

[00:33:00] Evan Francen: Yeah, that’s interesting. So I suppose as a a guy in your seat you’re probably deacon out about this case, right? I mean it’s gonna be pretty cool.

[00:33:09] Justin Webb: Yeah. I mean, I think it’ll it’ll be certainly um uh you know, one to watch, I think the the interesting part will be the fact that it’s being brought under the general liability policy and how the arguments are framed around that like I said, I think um you get insurers who don’t want to be using that kind of policy for these kinds of incidents and a lot of times they’ll have provisions in the general liability policy that exclude things that would arise from a data breach. And so you know, I haven’t looked at the underlying policy, so I’m not sure if it has those, but that would typically be the basis for arguing that this doesn’t apply. Um And that they don’t have any obligation or um that you know sort of the replacement of cards isn’t the kind of damage um that was contemplated by the provisions. Um The other thing I always think is interesting and if those laws that I just talked about um didn’t exist, so like the ones in Minnesota and Washington um other places is that typically the banks do this kind of re issuing for customers like all the time and they don’t charge customers for it. Um So like if you call and say I want a new card, typically you don’t get charged for that. Um And so it’s an interesting concept that what they would normally do for customers um you know they’re suing to get recover recover money for. Um Now of course it does have a cost. But um that’s a sort of interesting concept all together that you know for the majority of time they eat this cost right? They don’t actually pass it on to the customer but in this scenario um They are

[00:34:54] Evan Francen: yeah interesting to, you mentioned two there are two general liability policies that target claims covers the loss, they have policy numbers there and then they say is attached to exhibit a, I didn’t see exhibit a. Is that something that we would see in the

[00:35:14] Justin Webb: yeah it’s probably on the docket. Typically it’s attached um uh to the complaint itself. Um and I haven’t pulled the actual underlying um policy but it’s probably publicly posted to so

[00:35:32] Brad Nigh: so it’s always interesting to me for these things because I actually had a federal lawsuit uh that I filed for some stuff uh early two thousands that went all the way to the Supreme Court and all the behind the scenes stuff that you just don’t ever really think

[00:35:49] Evan Francen: about

[00:35:51] Brad Nigh: and yeah it’s really yeah crazy to to see how much like all the uh you know the filings and the legalese and the interpretation of it and all the stuff that they argue about. It’s it’s

[00:36:05] Evan Francen: interesting. Well that’s why we pay people like Justin to wait. Yeah

[00:36:09] Brad Nigh: I was so lost when they were going through that and it’s like wow.

[00:36:13] Justin Webb: Yeah I mean there’s all these like procedural rules, you know ways that you and terms and it’s you know it’s just like you have sort of nerd speak and like information security and you start whipping out acronyms for like I have no idea what you’re talking about. Um, uh, like, let me talk about the osc model for. Um, uh, and so, you know, sort of the same thing. And I think that’s where, you know, to be honest, it’s sometimes a barrier for people who, you know, have legitimate claims because the system seems like it’s extremely complicated, you know, and um, you know, you need an attorney to sort of walk you through because they’re just traps all along the way. Um, and so yes, you should hire a good attorney to help you. Um, uh, if you have a claim that you need to bring, especially in federal court.

[00:37:05] Evan Francen: So on the, on my website, the Evan francine dot com where I posted the show notes, you can find the link to the actual, uh, case, the docket, I guess On Law 3 60. It’s a good read. It’s only 14 pages long. So, and it seems to be written in plain English. I understood most of what I read, which was good. Uh, but check it out. Maybe we can learn some things. Now. One of the things, and one of the reasons why I wanted to have David on to and you’ll probably be able to speak to this just in, is how could I avoid this? If I was target or in my own business, is it because I think one of the things that David had given really good advice when he was on the show was get a insurance agent who specializes in cyber insurance, um, you know, that way you make sure that you’re covered from a neutral aided stuff and then you’ve got general liability things and whatever. Do you have a piece of advice for listeners on how they can avoid the same situation?

[00:38:16] Justin Webb: Yeah, I mean, I, I completely agree with David. Um, we, um, you know, he’s a great resource for me. He’s a super smart guy. Um, uh, I think he’s um, awesome at what he does in the insurance area. Um, and finding somebody like that, there are a few other people that we deal with in the Milwaukee market who really know cyber liability insurance. And when they come to you, obviously they have multiple policies that you can choose from, you know, like a smorgasbord of, of insurance that you can pick from. And, you know, each policy has different language. And the brokers typically, you know, sort of smart brokers who deal in cyber liability insurance to know the difference between each one of them, how much they cover. Um, you know, right down to like each individual sort of clause, um, for, for potential damages. And so it’s super important that you have somebody that’s advocating for you, um, that’s not just trying to sell, you sort of like the policy that will get them the highest um, uh, commission. Um, and it’s, you know, understand each of these insurers and their coverage forms so I think hiring uh super knowledgeable broker um is absolutely critical especially in this area, you don’t want somebody who only deals in sort of like C. G. L. You know general liability policies to be helping you with something like this, especially if you’re a sophisticated business with lots of personal information because it can be the difference between um having um a lot of comfort during a data breach and having an absolute nightmare. Um We we represent clients all the time who have sort of very low coverage policies that were bought you know years ago and never updated and nobody ever sort of guided them into what they should have had. Um And it’s sort of an uphill battle um all along the way because you know when it’s money coming directly out of the businesses pocket um you know that can be that can cause the business to go under, it can cause sort of like all kinds of problems and so you want to ensure that you know pays the claims and assist you along the way and has smart people working in their cyber claims department um and they’re they’re very good insurers out there um who do all of those things and can really like go to bat for you and and protect you um And you know but these kind of claims also um are inevitable in a world of data breaches. So um you have people who are injured by data breaches like issuing banks who have to re issue these cards um and they see it as the fault of other people who um potentially weren’t doing what they were supposed to do with regard to cybersecurity and so as between the issuing bank and a target or whoever um you know they feel like they are entitled to recover the money for you know, somebody else’s bad cybersecurity um decision. So it’s just as important to have a policy as it is to you know, not suck at cybersecurity. It

[00:41:25] Evan Francen: don’t see he used the word suck,

[00:41:28] Brad Nigh: a

[00:41:29] Evan Francen: lawyer who knows cybersecurity and uses the word suck. My kind of guy. It

[00:41:34] Brad Nigh: always surprises me like how Little people businesses know about their coverage right? They will say, oh yeah we’ve got cyber insurance and you look at it, it’s like a $25,000 rider and that’s

[00:41:47] Justin Webb: it, that’s

[00:41:48] Brad Nigh: not gonna do you any

[00:41:49] Evan Francen: good. Well that’s the thing right? This is not a commodity. So take the time to go through your policies, take the time to to find a trusted advisor who will review the policy for you with you and make sure you’re making the right choice is your, is your

[00:42:03] Brad Nigh: business worth the time to make sure you understand what you’ve got,

[00:42:08] Evan Francen: especially in the mid market right? Because most mid market companies don’t recover from a data breach.

[00:42:15] Justin Webb: Yeah I mean I think the you know they they’re looking for um to save money on insurance, but this is sort of like not the place to gamble um and not the place to skimp. Um I think it’s encouraging that the market has um evolved and more companies have have it, but we still run into clients who don’t have cyber liability coverage. And it’s always like, man, you know, this is gonna be really hard on the company and you feel, you know, and and it’s it’s sort of like it’s out there, it’s being advertised. Um Of course, insurance agents want to sell it right, because um it’s another policy that they can sell to you, but it has to be a standalone policy if you just have a writer, it’s never going to be good news, especially if you have a very complicated breach. Um And so, you know, the the I can’t stress enough how super important it is to have a good cyber liability insurance policy, somebody helping you with it. Um And you know, reviewing it every year. Right? Because there could be some other insurers that has a better deal or um better coverage. You know, maybe they cover more social engineering fraud than another company does. Um And you know that they, you know, or they have a sort of history with either paying or not paying claims or whatever. Um But you know brokers know all that because they’re sort of like dealing with people in that industry and and talking with the underlying insurers all the time.

[00:43:46] Evan Francen: Yeah. Absolutely. All right, well good stuff. Um I’m thinking we have the uh I have two other things to talk to you about Justin. One is c. c. p. a. And the other is China’s cryptography law. We’re at right about 40 almost 45 minutes. I’m wondering if you will have time if you could have time next monday come and talk to us about C. C. C. C. P. A.

[00:44:07] Justin Webb: Absolutely.

[00:44:08] Evan Francen: All right. So you’re going to be the first guest that’s found two consecutive. I

[00:44:13] Justin Webb: feel very excited.

[00:44:15] Brad Nigh: All

[00:44:17] Evan Francen: right. So we’re gonna diversity actually well and we’re honored to yeah, the advice you’ve given so far awesome agreed. Thanks. So we’ll talk to CCP A. Next week. Uh And you know, nothing like last minute everybody’s last minute anyway so you have until january 1 2020. If you haven’t already been down that path for CCP A. Then to get going, he actually should have started a year ago because I think uh We’ll talk about it later but you have 12 months worth of if we had somebody

[00:44:49] Brad Nigh: in november come and say, hey um so do you guys know anything about this C. C. P. A. And what we’re supposed to be doing is uh oh that’s gonna be a bad day for

[00:44:56] Evan Francen: you,

[00:44:57] Justin Webb: we get that all the time. So uh and I’m still getting those calls so um which uh then then you sort of like take on the um worry for the client, you know you’re like oh god they only have a month and what are we going to do? But um it’s a big deal. Um I’m looking forward to talking about it. Um I think I know a lot about it. So cool. Be a good time.

[00:45:24] Evan Francen: Cool. All right, we’ll talk about that next week. Let’s talk about China’s cryptography law. Uh I had uh one of the listeners of the podcast that emailed uh you know our our show and it asked are you going to talk about the, you know this law? I’m like well I guess so. I figured let’s add it, you know we shouldn’t it shouldn’t be a super long discussion but I want to get your take uh included a link to in our show notes Justin ah it comes from Gate Stone Institute International Policy Council and the title of the article is china adopts malicious cyber security rules. Um What’s your now you’ve reviewed it? What’s your take on on what the article says?

[00:46:10] Justin Webb: Yeah, I mean I think I can tell you sort of like taking just a step back real quick that a lot of companies as a matter of fact I think In the past, you know, month or so. I’ve gotten maybe three Three calls on the um new Chinese cyber security law. It’s not really new came out in like 2017 and it’s been they’ve been putting out all these regulations since then and implementations and they have like a personal information law as well regulation, I can’t remember which is which um but um you know they they sort of hue to um what you would expect from china, you know they have to have an extremely large surveillance state. Um They they want to see the internet traffic that’s going through the country and especially outside and a lot of the laws are tailored to um the idea that like even security breaches and other information or other situations that occur in china could potentially have an impact on national security and that’s sort of the the impetus of the encryption laws um and sort of like everything else they’re doing is that they’re trying to protect state secrets, they’re trying to prevent people from being able to encrypt traffic that could potentially not be viewable by the chinese government. And so um all of these laws are sort of uh meant to codify their right to sort of snoop on traffic. Um generally um the weary of any sort of foreign encryption, so you know the law um potentially requires you to register with china if you’re using foreign encryption or it has to be approved. Um And so you know I think there’s a lot of worry there that um you know there’s already sort of a lot of theft of trade secrets um that occurs via um uh either people acting on behalf of china or um china itself. Uh And so I think you know there’s just a ton of worry that this is just another sort of way to peel back the hood look underneath. And so a lot of companies are debating whether or not it’s worth it to have operations in china if these kinds of laws are going to be what they pass. And that’s actually been the framing of the question from some of my clients, is it even worth it to do this if they’re going to be able to look at all the traffic and what does that mean for R. I. P. For personal information etcetera?

[00:48:44] Evan Francen: Well steve Dickinson. I thought there’s an interesting quote in the article, you know, steve Dickinson ah for the china law blog. Right? What rights? Once data across the chinese border border on a network? 100% of that data will be 100% available to the Chinese government and the C. C. C. P. R. C. C. P. Yeah.

[00:49:04] Brad Nigh: And then it’s they’re going to share the seized information with state enterprises. So yeah like you said they’re just basically legalizing the theft

[00:49:11] Evan Francen: well and as a U. S. Company doing business in china, is there any protection whatsoever?

[00:49:19] Justin Webb: I mean I’m not sure. I mean you’re you’re going up against the chinese government and the other thing is that you certainly don’t want to be violating these laws Right Because the penalties um could cause even bigger harm to operations? You know it’s not exactly clear what the penalties are under the law at least I’m not aware of what they are. Um But you certainly don’t want to raise the ire of the chinese government. Um And they make some distinctions in the encryption law between sort of like common encryption versus other types of encryption but what they’re really focused on is like foreign. Um So like us based encryption that could potentially um prevent them from looking at the network traffic. And so you know the other concern is if you’re disclosing all of this stuff or it’s being sort of sniffed or you know they’re doing um packing inspection or deep packet inspection of what you’re transmitting. Are you losing the value of that I. P. Of your potential trade secrets? Um And what kind of effect could that have on um you know a company who has super secret stuff and some of that gets transferred um over you know point to point networks that go to china or whatever. Um And so I think that there’s just a lot of fear. The other thing is that this is so you know in some ways antithetical to U. S. Law it’s sort of like in some respects like the exact opposite. Although let’s set aside sort of like the NSA and other sort of things

[00:50:54] Evan Francen: that have gone on? It’s certainly not compatible? How do we do business well

[00:50:59] Brad Nigh: and how does how does if you comply with that law? If it conflicts with your G. D. P. R. Or some other you know us laws. How how do you reconcile those?

[00:51:11] Justin Webb: What

[00:51:12] Evan Francen: if I can if I can decrypt that just one more thing to if I can decrypt the data, what’s this what’s to save me from changing it? So data integrity is now called into question and then data can be used against me.

[00:51:29] Justin Webb: Yeah that and you know if you’re transmitting um I mean I think the G. D. P. R. Um it’s a great point right? So um if you are somebody else’s viewing the information then you haven’t secured personal information right? That’s an unauthorized disclosure of the information to a third party. Um They would technically be a processor under G. D. P. R. Which um Would actually give rise to certain obligations on the Chinese government. And then you get into this whole like we’re into like sort of crazy land right? Um where uh none of this even makes sense. And so you know 111 way to address it would be that what you do in china is a very limited set of things. You know And so um you shift some of those operations outside of china but for some companies that’s just not possible. Um You know they have huge sort of business arms doing business in china. If you’re a company that makes proprietary items in china that you sell in the United States you have to be worried about you know the underlying I. P. Um potentially being compromised and you just don’t know um you know is this uh is this a legitimate you know concern of the chinese government that traffic could be hidden from them and that could affect national security or is it is a back door way um to get insight into additional traffic and sort of proprietary information for nefarious purposes. And you know to be honest I don’t think the chinese government has the greatest track record on that front. Um And so you know I think that’s where a lot of the worry arises from

[00:53:06] Evan Francen: well and given this with you know kind of all the tariffs stuff going on you know on this macroeconomic thing. It’s a and we’ll be messy and we are in the United States is china’s biggest customer. So the fact that yeah I mean if I was if I was a U. S. Company I don’t I mean I don’t do business in china. I can’t see myself taking that risk unless like you said Justin I could figure out some way to make it really really limited where I don’t care if this data is exposed. But yeah I mean what does

[00:53:44] Justin Webb: that and the other sort of challenge of the chinese cyber security law more generally so you’ve got this encryption portion of it, but it’s got all these other portions they sort of define entities is like a network operator and if you’re a network operator then you have these other obligations that you’re required to do. So the other thing about it is that it’s sort of like extremely confusing to um United States entities and you need sophisticated chinese counsel to assist you with determining what your obligations would be under the law. Um And so for a lot of companies they see a lot of these stories and they don’t have um sophisticated chinese council that can potentially help them work through it. And so it looks even more amorphous and it just has sort of a look you know let’s set aside everything, it just looks almond, that’s right. Um and it looks scary um and that might be enough for the board of a company to say look how much of our operations and revenue comes out of china. Is that something we could shift elsewhere? You know and maybe you know have some hit to our bottom line. Um But I think a lot of companies are probably going to be thinking about that um because these laws continue to be more restrictive more um you know some people would characterize as oppressive um It certainly oppressive to um privacy and security of information, you know, certainly decrypting um information certainly doesn’t make it more secure. Right? Um And so I think there’s both a cyber security and privacy concern,

[00:55:21] Brad Nigh: wow. And

[00:55:22] Evan Francen: I don’t know, and I don’t know what recourse you would have. I mean, you’re file suit in the chinese court and right

[00:55:28] Brad Nigh: now, yeah, what’s that going to go like?

[00:55:30] Justin Webb: Pretty much that that wouldn’t be the place I’d be hanging my hat

[00:55:37] Evan Francen: on. Well, good stuff. We have um like I said, we’re going to have you back next week. So I’m excited about that. We can talk about ccP A. If there is any update to the target breach, we can talk about that too. Um I wanted to get to just real quick. Uh we have a new show of new show format. We mentioned it last week and we already got an email or 2.2 un security at proton mail dot com. That’s her email address. Uh and what we’re doing is just taking 10 minutes of each show uh to talk to somebody who’s looking for a job in information security. Give him 10 minutes talk to them, you know, whatever. I mean, it’s really an open forum, something to hopefully get them some exposure and uh maybe land either their first job or the next job again. That’s that email is un security at proton mail dot com. Uh We’re gonna do that. Starting after the first of the year. So we have about another month left, I’m just kinda letting people know because if you’re not looking if you’re looking for a job now, I hoping you find it already before that january thing comes all right. We have some news. Uh Three things I have a news and they’re all pretty much related. The first one is don’t buy anyone a ring camera. This is uh this is from Gizmodo. It’s uh I think more of an opinion piece by Adam Clark estes and he writes on Gizmodo, don’t buy anyone a ring camera. And he’s got to central reasons for that. The first is a technical one if you use the ring app which you really don’t have an option not to use if you’re using the ring hardware, uh you automatically get enrolled in this thing called neighbors. And there’s no way for you to opt out. And neighbors is a crime fighting feed thing. It’s an invention from ring and law enforcement. The second thing is when you enroll in neighbor neighbors, your videos are data could be shared with law enforcement um when they requested, but there’s kind of the secret network of law enforcement agencies with ring and it’s not really clear. So anyway, the advices not to use ring. Uh we’ve got a legal guy on. So what did you think of this article Justin

[00:58:00] Justin Webb: I mean I I had seen the letter from the senators um about it. Um I mean I think look at you know, as a as a you know user of devices and other things. I think, you know, you you want to know what those companies are doing with your information. Um it’s never a good idea. I think to auto enroll people and features that potentially could be sharing their information with third parties. I mean I um you know, I don’t know exactly what sort of rings practices are per se. I know what I’ve read um on it, I think it’s extremely troubling um when you, you know, it, you know, on the other side, just to sort of play devil’s advocate, you know, I’m sure law enforcement gets a lot of useful information from ring cameras. Um but that’s not really why people buy them right, they buy them for their own sort of security. Um and I think I would be a little bit weirded out if um you know, law enforcement could log into a portal and see what’s going on in my front porch. I mean it would be extremely boring, but um you know, maybe sometimes you catch something interesting and maybe some people would be okay with that. But I think the larger point is that in this day and age users and consumers want the right to make those kinds of

[00:59:18] Evan Francen: choices. And

[00:59:20] Justin Webb: if they if they if there’s not like exigent circumstances or you know, um somebody’s got a warrant to look at that and they don’t want that to happen even if it is in your privacy policy, you should probably still um you know, call users attention to it a little bit more. It shouldn’t come out and sort of like these kinds of news articles, it’s just bad sort of press.

[00:59:43] Brad Nigh: I can’t imagine any way this would be abused.

[00:59:47] Justin Webb: Yeah, I mean I mean the other thing is like how do you know that the people who are accessing it um uh like obviously it’s being provided to law enforcement but then you’ve got the whole like is this thing secured? I mean can you imagine how excited a hacker would be to get access to this portal um that you could look at ring cameras all over the place? Um I mean I think it’s just you know user level privacy choices need to be um you know I think this reminds me of um if you recall there were the genealogy sites that were um having sort of criminal information submitted to them to try and find familial um matches to like killers etcetera. Um And those sites got in trouble for allowing or knowingly allow allowing law enforcement to sort of do that. Um And then they started giving users the chance right to opt out of that. Um uh You know, we can debate whether or not that should be an opt in versus enough doubt but um at least they were giving users choices to do that and I think it’s pretty similar right? You’re allowing law enforcement to sort of get access to these things and and view the information and some people really care about privacy and don’t want that. Or maybe they have a negative opinion of police or whatever.

[01:01:07] Evan Francen: It’ll be interesting. I’m sure there’s going to be some sort of challenge in court around this because it almost seems like a what what amendment is that the Second Amendment violation where unlawful search and seizure? Is that the right? One? Fourth ACSI thank God, we got lawyers.

[01:01:26] Justin Webb: Yeah. I mean, the other thing is that if you’re representing a company, it’s never good news when senators write you a letter, just general

[01:01:35] Brad Nigh: matter, um

[01:01:36] Justin Webb: or write a letter to anybody and publicize it. So, um, it’s certainly, you know, to the extent that people are paying attention to this kind of stuff, you know, um it’s not a good look for them and it could, it could give rise to an action by the FTC um uh for an unfair deceptive trade practice. Um, That’s typically where you would see this kind of enforcement. Um um you know, what road it might head down the wrinkle here is that, you know, it’s not that they’re like providing your ring camera to insurers who are uh then using that to determine, you know, what rate to charge you for insurance. It’s um, you know, they’re providing it to law enforcement for purportedly legitimate law enforcement purposes. And so you get a little bit more of an argument that like there’s some good to be had out of that, which complicates things a little bit. But I think the privacy sort of complaint remains well. And

[01:02:33] Brad Nigh: then the whole thing with allowing giving users a discount for reporting quote unquote suspicious people to police from their ring camera again.

[01:02:45] Evan Francen: Well, and that leads into another story, right? The next news story is from threat post, where Amazon plans to ring facial recognition based watch list. And so here we’re going to add a i into the mix and where people report suspicious people, right? Yeah. I mean this is getting weird.

[01:03:08] Brad Nigh: Well, and you’re outsourcing to people with biases and how do you know what the validity of uh to find suspicious? I

[01:03:19] Justin Webb: mean, yeah, I don’t even know where to start

[01:03:24] Brad Nigh: with.

[01:03:26] Justin Webb: Um you know, I think there are a significant concerns on the privacy front regarding ai and you know, implicit bias. Um and I think, you know, I think there’s a lot of sort of heartburn among consumers about a lot of the potential uses of AI and and the potential misuse of AI. So um I think you’ve seen with a lot of the companies who have either drop um law enforcement involvement with their Ai products or um in the case of amazon, I believe have continued to sort of have, you know, interactions with law enforce law enforcement on the Ai front. Um I think we’re just gonna see this more and there is going to need to be more of an outcry or more of a sort of consumer um, involvement in this issue for really to take hold, but these kinds of things, I mean, it makes me glad I don’t have a ring camera and to be honest with, because, so,

[01:04:25] Evan Francen: well that’s the point. And you bring up, I think it’s going to have to come from consumers, right? It’s going to have to hurt sales before something’s going to happen here. Uh, so spread the word, right? I mean, make sure that people understand that when you, when you go over to your neighbors house and he’s got a ring camera, I mean have the discussion or something, don’t just let people live in ignorance thinking

[01:04:48] Brad Nigh: that other

[01:04:49] Evan Francen: fine. So ignorance kills

[01:04:54] Justin Webb: that. And you know, if you’re walking over there and they have a ring camera and this ai sort of is on, then your biometric information is being collected, right? Um, are you, are you okay with that? I mean, just as a general matter, if you have somebody who has a ring camera um, at their house, um, if you’re a sort of um, super privacy guy, then you’re probably not a big fan of that generally because you’ve got your image being captured and sent to a third party and then shit back down to your friends camera. Um, you know, I don’t want to get into the sort of like the tin foil hat sort of land. But um, you know, yeah, those things are concerning for, for people, you know, granted when you walk around in a city anywhere, you’re being recorded effectively almost all the time, especially if you’re in like new york city. Um but you always do have a choice about at least in some respects, um how much privacy um you want to, you know, how much of your sort of privacy you want to give away versus keep um and how you control that.

[01:05:56] Evan Francen: Yeah, so before, if you’ve, what black friday has already gone today is cyber monday. So if you’re out shopping for a ring, just understand the risks. You know, I’m not, I can’t tell you what to buy and what not to buy, but there are some privacy issues for sure. Alright, the last news is just quick, it’s just a reminder really from this is from sc magazine, it’s uh, the title is black friday cyber monday scams are on the loose, businesses need to prepare. This is an annual thing. Just diligence, right? It’s an awareness uh According to a study in this article from zero Foxes ? team, they’ve already identified 61,305 potential scams spread across 26 brands, Brick and mortar retailers are the primary focus with 92% of the campaigns spotted using a store brand in some manner. So yeah, keep an eye out anyway, we’re not going to go too deep into that one, I think that’s, that’s about it. This is uh episode 56 is kind of a rap. We’ve still got a spillover into episode 57 if you like. Kind of what Listening to this discussion about legal stuff. We’re gonna talk about CC. P. A. and episode 57. I’ll get the show notes out relatively quickly. Thank you Justin for joining us and sharing your perspective.

[01:07:19] Justin Webb: Yeah, it’s been great

[01:07:20] Evan Francen: and thank you to our listeners. Keep the questions and feedback coming. We’re still a little behind and responding. I think there’s probably five or six females in there that we haven’t responded to but we’ll get to it. We love your feedback. Send things to us by email at unsecurity@protonmail.com. Uh If you like socializing on the interwebs, you can find me on twitter @EvanFrancen. You can find Brad @BradNigh and I Justin do you uh do you have a social way that you want people to get in touch with you

[01:07:50] Justin Webb: or um I am on linkedin. So um just search for my name and connect me on there.

[01:07:57] Evan Francen: excellent. So it’s Justin webb W E B B. All right. That’s it. We’ll talk to you next week Justin