Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Fortra: Data Breach Response: Legal Risk, Ransomware & Recovery

Fortra
07/10/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


♪♪ Data has value. An end user accepts cookies on a free website, exchanging their data to access the content. Organizations collect personal information on their customers to support immediate sales, but also to find future deals or to inform product development. And in the AI arms race, models succeed or fail based on the volume and quality of data they are trained on. So what happens when you lose that data? Data that is protected by laws and compliance frameworks, data that can be used to further fraud or cyber attacks on users, data that gives organizations a competitive edge. This global data has exploded, reaching unprecedented zettabytes, zettabytes that are spread across SaaS platforms, cloud stores, on-premise databases, geolocations, and jurisdictions. And the explosion of data and significance of data has not gone unnoticed by threat actors. Ransomware used to be more about losing access to your systems, but today it's more about losing ownership of the data and dealing with the fallout, unless you pay the extortion demand. Yet when you pay the ransomware hydra, you might have chopped off the head threatening your organization only for the beast to grow three more heads when the funds are reinvested into the criminal operations. Furthermore, how can you be sure that the criminals will honor their word, return the data, and not come after a second extortion payment? But a data breach is not limited to malicious exfiltration. It can be publicly exposed data in a database or an accidental email from an employee on a stressful day. But even these data breaches have consequences, from specific compliance fines to almost unquantifiable reputational damage. Today, on the Art of Security, we're getting an exciting perspective on data breaches. Tyler and I will be comparing our security practitioner notes with Brent Arnold, a legal expert, litigator, and data breach coach to lift the lid on what happens after a data breach occurs. Brent, thank you very much for joining us today. Yeah, thanks. I'm a lawyer by training. I've been a lawyer in Toronto for about 20 years now. Litigator to start, and I still litigate. I started off doing construction disputes, so I regularly had my life threatened. So now I'm dealing with cybercriminals, and it's actually a lot more civilized. So now my practice is a combination of litigation that's mostly to do with technology, often to do with the fallout from data breaches, and we're seeing more of that. And the other half of my practice is I'm a data breach coach, as you say. I actually don't love that term. I met the guy that invented it, and I took him to task because it sounds like I'm giving life advice, and no one should take life advice from me. So in that role, though, as you know, it's a sort of a conciliary role. You get brought in kind of like, I flatter myself to say, it's like Winston Wolf and Pulp Fiction. You get brought into a mess, and your job is to tell everyone what to do to clean it up and make sure it gets done properly. And if I do a good job and if the chips fall the way we hope they do, the data breach stays private, people don't find out about it, and the business gets back up and running as quickly as possible. That's the hope, but the expectation is I am preparing the business for the legal and regulatory fallout that may come down the road and trying to put them in the best possible position when all that happens. We all, on every team that I've worked on, I've had one or two Wolfs that we would call in when it mattered. That trope seems to carry throughout. Data coach, that spun me out a little bit as well. It's not something I'd seen before, or data breach coach, sorry. It does have those connotations of almost like a life style coach or something. But to help us understand what that term is, and you gave a little bit there, is this something you do to prepare organizations, or are you somebody they pick when they have to break the glass, it's an emergency, we need help? Yes and yes. And I think the reason that the term coach, it's kind of a North America thing. I think the reason they say coach, I prefer data breach counsel, but I think that they were trying to push away from the sense that all you're doing is showing up and talking about legal compliance. So the job, that's certainly part of it. I come into it typically hours or days into a data breach that the client has been late to discover and has tried to manage themselves before somebody said, you really need help. If I'm lucky, we've got a good external forensics team on the ground. My first job is to triage it essentially. I jump in and I say, all right, what are we talking about? What do we think the threat actor is? What do we think the kind of attack is? Have we managed to isolate it? Have we managed to stop the bleeding? What kind of data is involved? Because I'm thinking downstream regulatory obligations, notice and reporting to privacy commissioners. I'm worried about the possibility that data that belongs to the company's counterparties, like companies they do business with might be implicated, in which case they may be in breach of their contracts. We're worried about all kinds of other things, right? I mean, if we're talking about crypto, we might be worried about the physical safety of people involved because ransomware, like what we're now seeing there, is not just remote attacks like ransomware and so forth. We're having people show up to people's houses and beat them for their crypto wallets. So there's all kinds of sort of assessing what it is we need to do here. It's a little different in just about every case I deal with. And so my job is to sort of bring in the team of external experts that they need and we sort of manage the crisis together. Maybe it's crisis communications too. Maybe it's a ransomware negotiator, depending on the kind of breach. And we just sort of stick handle it through to the end. And then I do my best to make sure afterwards, because courts and regulators expect this, the company is in a position to be better than it was before the breach, more secure than it was, more ready. Now, when I'm lucky, and this happens more and more these days, I get brought in before anything bad happens. So we have time to sort of get that relationship in place. We find a rhythm together. And also I can make sure that they're doing the sort of basic things they should be doing so that when something happens, we'll be able to respond quickly and act as a team. Maybe I could bring you in then, because I really like the proactive nature of that there. And I think we've been in security for a while, but we've probably seen it being almost a purely reactive discipline. So what's your kind of experience on data breaches? What's your lived experience there? I don't have a lot of lived experience being in the VM space. A lot of, you know, something happened. Why didn't you cover this vulnerability is usually the messaging that would come through to me. You know, why didn't you have detection for this random one-off vulnerability? And my initial response was, why didn't you ever tell us you had this random piece of software that nobody else in the world runs? So we knew we had to cover it for you. And so a lot of it comes down to, I think, that of people not knowing what they have. And therefore, we would do our best in the VM space and a lot of really asset management with the way our VM solution worked at the time of trying to help people know what they had on their network, telling them when there were things that were unidentified or unknown so that they could identify them and submit requests so we could help them there. Because I think that's, you know, there's plenty of ways that breaches occur, right? Phishing and external attacks and vulnerabilities and insider risk. And so I think, you know, knowing where your crown jewels are is really that starting point. And that's where we were the most helpful, I think, was helping people identify that so they knew what they had on their network. Music to my ears, Tyler. The best illustration I can think of of what you're talking about was the University of Calgary breach where a year after they remediated, they were still finding servers and closets that they didn't know they had that were connected to their network. We won in Windows 2003 as well or something. So I thought, and I'm going to go back, Josh, to your intro. The employee, and I'm just curious. I have a question for Brent after I tell this anecdote. You talked about, you know, employees accidentally emailing information. And that's the most personal experience that I've had with it. When my wife and I were looking into mortgage applications, we were talking to a bank. I won't say which bank. And they ended up, when they went to email me files, emailed me somebody else's mortgage application with all of their details, all of their, like, SIN, salary, employer, everything was included in there. And I emailed them back and said, hey, this was not intended for me. I deleted it. But you may want to inform the person that you've, and they're like, oh, it doesn't really matter. It's not a big deal. And so we're not talking about a major enterprise breach there. But I'm curious for Brent, like when these little instances happen to organizations and you have data loss happening like that, what are the risks to the organization if the employee doesn't take the right steps? Well, so the example you just gave, that is an actual, it's not just an incident. That's a privacy breach. When social insurance numbers are involved, we pretty much default to you have to give notice to everyone affected and you have to notify the privacy commissioner. And in our jurisdiction, it doesn't matter if only one person was affected. You still have to do all that. So like we don't have a sort of, unlike some jurisdictions, we don't have a sort of a meat chart for if it's this kind of data, it's reportable. If it's this kind, it's not. It's more of a holistic approach where if the data points put together help you identify a specific person, it's reportable. And social insurance numbers do that pretty much out of the gate. So you were right, they were wrong in that instance. And in terms of the risk, I mean, there's a few things, right? There's the possibility, the nightmare scenario, and I've actually litigated one of these, is a class action lawsuit because you have millions of people whose data has been compromised and it's sensitive data. And there is the threat that they could be defrauded. They could be impersonated. They could be, you know, whatever, take your pick. They could have their bank accounts drained depending on the information that was out there. That was actually the Capital One Data Breach case. And so the information in that was people's banking information. It was incredibly sensitive. And it was millions of people. So that's the nightmare scenario for the organization is that. If you're scaling back from there, it might be lawsuits from individuals or from companies they do business with because, you know, we were working on a top secret project together in the defense space and you got hacked and our plans are out there and our proprietary information's out there. Incredibly sensitive stuff. Or it's the private information of millions of individuals and now their information's on the dark web and so they might sue you or the Privacy Commissioner might come after you. Now at the moment here, Privacy Commissioner doesn't really have powers to do much in that case. They make findings and then maybe the government prosecutes you. But we are, and the bill came down last night, we're going to soon have an authority in this country that can actually impose massive fines if you are offside your privacy obligations. So there's the civil liability. There's the regulatory piece. There's, I mean, it could just be as simple as business interruption so profound your business just doesn't recover. And I've had that happen with some clients where the hit was so bad, they simply never got back on their feet. Interesting. So I, as a follow-up to that, one of the things you said earlier is that you prefer when you're brought in earlier, preferably even before a breach happens to start talking about it, making sure they're prepared for it. Yeah. You know, I can't help but think there's technologies that would have prevented this bank employee from sending me this. Is that when you're coming in and talking, are you making technology recommendations? Are you suggesting these are not necessarily this is the product, but this is the tool set that you should have in your organization? Is that the type of thing you're doing when you're counseling people on this? Well, I get folks like you, except on the vendor side, to give that kind of technical advice, but it's usually things. So there's two things. One is I know just enough about the technical stuff with my two degrees in political science to have a sense of what some of the basics are like penetration testing, continuous monitoring, ideally, data segregation, data mapping. But a lot of the things that I care about are not, and this is where I really am always trying to emphasize to people, to clients, that IT is different from cyber. It's a different way of thinking about the world. They're both invaluable, but you need both of them, and they are different disciplines. Most of cyber, in my experience, comes down to process. Are we structuring, like are we storing things in such a way? Are we putting controls in place? And mostly, like often, these are not technical solutions. They're just the way we do business in such a way that we minimize risk, right? You minimize people's access, so you don't have people accessing stuff they have no business accessing and don't need for their jobs. You don't take in more data than you need to and hang onto it forever, which is something that has happened in almost every data breach I've seen. Privacy law, almost in every jurisdiction in the world, says you retain as little as you need to and you get rid of it as soon as you don't need to keep it anymore. Most companies don't do that because it takes time and there's no money in deleting stuff. So a lot of it, and just simple process things. One of the most elegant breaches I've ever dealt with, and this would be close to the example that you gave about yourself, Tyler, a woman manages to infiltrate a company that sort of does lending to people. Now, it's not one of the major banks. It's one that sort of does, you know, subprime kind of, you know, not payday loan, but just barely above that, giving people mortgages and loans and stuff. So they were getting all kinds of applications in with all the sensitive data that you have to put into those things. And they had great physical security. You couldn't plug a USB in. They had firewalls. They had everything else. This woman was coming in and you know how she was getting the information and using it to apply for credit cards? Notebook and pen. Nobody thought about a notebook and pen. She was sitting in front of her computer at lunch and writing down the information. And the only reason that she got caught was her boyfriend was also putting in fraudulent credit card applications. The cops busted into their apartment, found her notebook. So you see what I'm talking about here. I mean, that's not something a technical control is going to fix, but it's something process will fix, right? You're sort of, first of all, better vetting of who applies for a job there. And also you can notice if somebody's sitting there taking a notebook, right? Taking, you know, writing stuff down in a notebook. So these are the things we worry about. And, you know, physical security is a part of this too. Yeah, I think that's a good distinction to make the kind of. that sometimes we get so focused on the high tech that actually it's sometimes the low tech or the obvious that is actually where we really fall down, not just in data breaches, but all across cybersecurity. And I have a similar story from a colleague who works in a very advanced crypto exchange. They have some of the best tech and data loss prevention tools money can buy. They couldn't stop an employee from taking photos of his work screen and passing that off to certain threat actors who use it to then go and spearfish some of the bigger wallets. So it's something that really needs to be addressed on multiple angles. And it's a good distinction from yourself, I think that we need those kind of multiple, those different heads with different ways of looking at things. IT needs to make things work. Security need to make sure you're doing it in a safe way. And then there's that balance to be had. I'm quite curious how you find that balance plays out as a legal practitioner, because Tyler started with, let's call it a small infringement compared to, say a massive data breach or a ransomware attack. You know, there are still procedures you need to follow. It sounds like the person's response was almost, hey, it's not worth my time. I can't be bothered to raise this. I'm gonna have to go through all the paperwork, maybe get into trouble. So how do you, I know the official answer is you do report it every time, but what's the real pragmatic experience or answer when it comes to those? Well, I can't ever tell a client, don't do this. Don't follow the law. What I can say is, here's the likely consequence if you don't, and often the answer is nothing. I actually had, you're talking about email, employees emailing something they shouldn't. I had a case of a university, where I'm going with this is sometimes the cost of doing things right vastly outweighs the risk. I had a situation where a university graduate program, so they had like an alumni program and they had alumni all over the planet. We're sending out an email to all the alumni, but the employee accidentally attached the spreadsheet with all of the alumni's information on it to every one of them on the planet. Now, technically speaking, that's sensitive enough information it's gonna trigger regulatory obligations in dozens of countries. And you would need a lawyer in every one of those countries, just about one lawyer for all of Europe, let's say. But you'd need lawyers all over the planet to stick handle, do we have a reporting obligation or not help us do it because we don't even speak the language and so on and so forth. So the cost of dealing with that properly would probably have been hundreds of thousands of dollars. What's the downside risk if you do nothing? Almost certainly nothing unless somebody tells a privacy commissioner. And if they tell a privacy commissioner and millions of people aren't involved and it's not a high risk attack where information's going on the dark web, in this case, it was just a screw up, right? None of these students have any interest in sharing that information because someone might do that to them too. But so if you brought this to a privacy commissioner's attention, they probably would do nothing because candidly, most of our privacy commissioners at least are so under-resourced that they have to focus on the big fish, right? They're focusing on a rock, they're focusing on clear view AI and so forth. Like the big fish whose conduct is impacting the most people. So what's the downside risk of doing nothing? Almost certainly nothing. So the client did nothing, understandably. So that's often the calculus is what's it going to cost me versus what's to do it right versus what's my actual business risk in doing it wrong. That really resonated. The law stuff with GDPR when that came over here and everyone thought, hey, any tiny infraction is going to hit me with a giant fine. And I think sometimes you need to analyze the spirit in which some of these regulations are made. And is it really to go after a little mom and pop shop for having some data poorly secured or held on to for slightly too long? So reporting it is always the right thing to do. People don't always have the faith in those regulatory bodies that they aren't going to just nickel and dime them. They actually are kind of, like you say, going after the big fish there. But you transition slightly into ransomware then, which is great, because that's where I'm most excited to talk about today. And so what is your involvement with ransomware cases? Once they have taken the data and they are asking for, they are trying to pull all the levers. Sometimes those are regulatory fines. Hey, we're going to tell on you and you're going to have a huge fine, or we can keep this quiet and we'll give it back to you. So what's your involvement in those sorts of scenarios? So let me sort of walk you through the process. I get a call from a client who now realizes, oh, okay, our files are bricked. It looks like this is real. They've called their own lawyer and their lawyer doesn't know what to do with this. The lawyer saw me on a webinar or something or knows me through my law firm. So they get me involved. I have a call with them where I immediately sort of triage. I actually now have built this, like built into an email signature, an email where I just send it to them with like 50 questions. But then I sort of, in the first call, deal with the first few things we need to worry about. Like, first of all, do you have cyber insurance? Because if you have cyber insurance, your insurance company has a lot of control over, first of all, who you use, whether it's me or another law firm or forensics vendors and so forth, but they also need to be notified. So I tick that box because if I put them offside their insurance, then they're going to end up paying this out of pocket. I want to know, what do we know about this threat actor? Now, in the old days, as you know, they'd take credit. And so they would tell us who they were. And then I can sort of assess that quickly. Often these days, the attribution piece is more difficult. They're silent about it. And a lot of these groups that we knew we had profiles on have sort of dispersed. So we are less likely to know who we're dealing with. But if I've got 10 minutes before the call, I'll take whatever information I have about the attack in advance and I'll chuck it into perplexity using a prompt that I have ready. And it'll give me the sort of up to the minute publicly available threat intelligence on everything I need to know about this. Because when I get brought into that call, if it's a client I don't know already, if they haven't worked with me before, I've got about 10 minutes to gain their trust and they're already paranoid and they're scared. But I need to get across, I know enough about this that you can follow my lead. So I try to get in there knowing, okay, it's this kind of attack. That means they will post your data to the dark web if they have it. They will probably not post it if you pay them. They will provide tech support if you pay them, but their tech support's not very good. Because as you know, some of the players in this ransomware ecosystem are less sophisticated than others. And so you've got a sophisticated backend that sort of provides the service, the ransomware as a service, but the people out there actually committing the attacks might be new at this. So it's hard to know all of that stuff. But I'm assessing who do I need to bring in now? Have they already got external forensics engaged? If not, how much can they afford? Because there's, and how big is this attack? Because I know different, a big part of this job is essentially being concierge, right? Knowing who to bring in for what they need. So which forensics vendors do I need for this? Is this breach likely gonna be, is it already publicly known? Is it because like, let's say a government organization's website goes down, people notice that in a hurry. And maybe somebody's already contacted the media. Maybe the employees are so upset about this, they're starting to post about it on social media. So I might need to bring in professional crisis communications people because somebody has to say something in public about this. And I need it not to paper the file against us if we end up getting sued. And on and on and on. Maybe I'm bringing in a ransomware negotiator. Is there any appetite for that? And often the reason for doing that, increasingly the reason for doing that is no intention to pay, but we need the file tree. We don't have backups that we can trust or we don't have the backups at all, or they're just too old and we're gonna lose three months, six months of data and we can't afford that. So we might actually consider paying, but at the minimum, we might need to get intelligence from the threat actor so we can see, because let's say our data mapping is so bad, we don't know if personally identifiable information has been impacted. We just can't tell because they attacked a shared drive that no one's been keeping track of. So now we can get information from the threat actor to help us assess, okay, we've got a huge regulatory risk because of the nature of the privacy information. So I'm doing all that sort of assessment. We set up a regular cadence of whether it's video calls or however we're gonna do it. Sometimes we'll have a third party app where we've got a chat going constantly because people are gonna be working on this around the clock. And so as the first few days go through, we're hours and hours and hours meeting and keeping each other up to date and then sort of tapers off a bit as we contain the breach. Maybe we're now involved in a negotiation or maybe we've managed to restore from backups if there are backups and we're just now trying to assess the regulatory piece and what do we need to do to make sure this doesn't happen again. So it starts off as a flurry of activity and then it sort of becomes a more manageable pace. And this goes on for weeks, right? Typically, if it's a serious breach because the downstream remediation can take a long time and recovery, even if you get your, even if we pay the threat actor, we get our decryptors, we get everything back up, you're still gonna have massive data loss. I've never seen recovery with decryptors from a threat actor where we got a hundred percent of the data back up and running. So fixing everything is still gonna be a mess. So we work through all that process. And I can tell you, some of these things take me five hours, some of them are 50 hours. It just depends on how big the mess is, how much hand-holding the client needs and how sophisticated they are. Because often, if I'm lucky, I'm dealing with a client, it's bad for billables, but it's good for their sake. If I'm dealing with a client that's got a really good, well-organized cyber team, it's just a, here we go again, bring in the usual suspects and we'll manage it. I have one client actually who's, they're a massive target. So they get attacked two or three times a year and they've got like, so I'll get brought in and I'm like, hey guys, I see we're here again. What's at this time? And we just deal with it and it's all very orderly and almost sort of business as usual, dealing with those kinds of threats because they're ready for it and they're expecting it. Other times it's a catastrophic event and there's all this human drama. So it depends a lot on the nature of the attack, the nature of the victim and so forth. That was a very long winded way of saying it, but what you might be taking away from this is it sounds chaotic and it is. Yeah. So you mentioned, you know, there's various reasons why negotiations might happen. I'm just curious. And do you find that it tends to skew more to people want the tech support and data back or that people want to prevent the data being leaked? Is there one camp that more organizations fall into or that is the usual means of reason why people pay? A few years ago, I would have said it could be either or. It's either fix the business interruption or deal with the threat of the privacy impact on customers. If it's a university students, if it's a medical institution patients. And I would, you know, so it was just as likely that they would be doing paying in the hope of preventing further risk to the people whose personal data was involved. Increasingly, that is less of a factor, I would say. And I credit a few things with that. One, I think that law enforcement has been beating the drum for years now saying, when you, and you said this in your introduction, Josh, when you pay this, you are funding the next attack. You are funding their R&D. So you're making it worse for everyone, including yourself. So just don't do it. So I think that message has come through. And we've also never seen a situation where a court has said your duty of care involves paying criminals to protect your victims. No court I think is going to say that. So I don't think there's ever gonna be a legal expectation that someone should pay the ransom to protect the people whose data is involved. And I think that it's become publicly way more acceptable to understand. You're gonna get, someone with your data is gonna get breached and you're going to be a victim of one of these at some point or another. I can tell you that, because I run my email addresses through Have I Been Pawned regularly. And I know, I also know that I've been part of like five different class action lawsuits, one of which I was defending against myself technically, because I had a MasterCard, because I took my parents to the Tenement Museum in Manhattan, because I signed my kid up for Animal Jam, a video, like this game that she liked when she was a kid. So in like, in all these cases, I was as careful as I always am about everything, but I'm not the one that lost the data. So people have sort of come to treat this like bad weather, right, they know it's gonna happen. So I think that there's less of an expectation that everyone's gonna be furious at me and my company if we get breached and their data is compromised. So most of the time now, finally, long-winded answer to a simple question, most of the time these days, they're paying if there's the only way that they can get back up and running quickly. It's the business interruption piece they care about the most. Interesting, I always thought it might, yeah, with the value of data now, and you know, you can re-image your systems. So like, we've got a lot better disaster recovery. Yeah. And pieces like that, getting back up and running, you know, gone are the days when you talk about organizations going to pen and paper to kind of keep ticking over during that period. Well, the other thing I forgot to mention as part of why is this the trend now is that people finally got the memo about backups. So most of the time now, the client has got a backup and it's either the case that their system is just very complicated and even running a good current backup is just gonna take a long time, or it's some freak event where there's a problem with the backup. I dealt with a case about a year ago where my client, they weren't an MSP, but it was something like that. And one of their jobs for their customers was to maintain digital backups of their systems in case they get hit with an attack. And one of their customers got hit by a ransomware attack and came and said, no problem, we'll go to our vendor who has the backup. And our clients had been taking money from this customer for years to make backups, forgot to make the backups. So there wasn't one and nobody had checked. So nobody knew until there was an attack. But most of the time that's, you're absolutely right. Most of the time that recovery is more frictionless than it would have been 10 years, even five years ago. Yeah, definitely. And that's a great lesson on the single points of failures that we often lie to. And Tyler, I know you've got a question, but I just wanted to color a little bit of this with some stats. Because the payments have been going down i've got chainalysis's report here they've got data up to 2025 i think they tend to trace the crypto payments i always think they're great authority when it comes to what's what's going where yeah the the payment rate is down to about 30 percent from 62 last uh year and 2024 and 72 percent in 23 but the price or the amount that's being paid out in an individual instance is increasing significantly which i think kind of talks to i don't know maybe it's it's it's we target so we make more money or maybe it's the value of that data and the value of the impact the cost of fines reputational damage you know you people expect you to have a plan in place and if you don't maybe paying them is what you fall back on but there's no question in there tyler so i'll uh i'll let you carry on with you let me just say that is the trend that most of the companies that track this stuff and of course for most of them it's anecdotal right they talk about the breaches they've been involved in chainalysis is a nice one to work with because they're sort of it that i mean they've got access to the whole blockchain uh but most of them are saying more or less the same thing price has gone up where people paying is lower i think part of that as well as we're also seeing more targeted sophisticated attacks so often now the threat actors when they like fewer op just simple opportunistic ones those ones where they're paying out a lot i suspect are ones where somebody got in there really scoped out the data knew exactly what the value data was worth knew that they had insurance and on and on and on so they really had those people go ahead sorry all good um always interesting i was gonna on the backup note um one of the things that i've seen a few times now um on social media is people talking about one drive ransomware protection i don't know if anybody's a one drive user personally and has seen this feature roll out in the last couple of years um but i was just curious because i make use of it i mean i've never been personally hit with ransomware and don't expect to be but um i still make sure i have it turned on and i'm using it and i'm just wondering is that one of the things that has contributed to people um recovering faster is the fact that we have so many microsoft ecosystems out there and they now have this baked into everyone's account automatically so you know like all of my files on my documents folder are backed up to one drive regularly they have the ransomware rollback are you seeing this make a difference in the real world i guess is what i'm asking i can't say i've seen the one drive example in particular making a difference but i definitely think cloud storage and improvements in cloud security have made a difference now that can also go catastrophically wrong if you screw it up because what happened in the capital one data breach case was they misconfigured a firewall and somebody that knew their way around aws architecture managed to get in and then they posted the instructions on how to do that to github for the lulz so um like if you do it right it's really good if you screw it up and as you know with those cloud security models it's a shared security model uh you're responsible for parts of making sure the architecture is properly configured and set up if you screw it up you might still be vulnerable but i do think it's really reduced a lot of the nonsense we used to see uh and i hope we don't go back to on-prem servers i actually dealt with a um but i've heard me hearing some experts say that that may be what happens uh is is we're moving back because the problem one of the problems we're seeing now and this gets geopolitical is can we trust um vendors in other jurisdictions right well like we're you're healing or hearing a lot about digital sovereignty so one of the concerns now is because we just saw this with uh anthropic and fable the u.s government says nope no fable for you rest of the world can't have it um elon a lot of the north in our country is uh it's the internet is powered by starlink we know that elon musk during the ukraine war said nope no internet for ukraine i don't like that they're going to do this one particular attack so the more dependent we are on those cloud solutions what you're depending on is largely american companies that are very much beholden to the american government who doesn't like us so i'm hearing some security people say we may have to go back to more on-prem solutions or at least uh you know canadian local cloud solutions and this is applicable to just about any country it's not the u.s i would say europe is looking at sovereign solutions there's a big push on that digital sovereignty angle now isn't there and yeah yeah but the pendulum swings and we seem to have swung back to open and cloud everywhere yeah yeah back to something a little bit more well more so we have more control of i was gonna say secure but i won't say that but the on-prem thing could be a nightmare i dealt with one breach where it was a client on the far north and it had servers in five different locations and so the forensics guys needed to be able to image the drives to figure out what was going on and we spent about 48 hours trying to do that and the link kept collapsing because they were on starlink which wasn't fast enough to provide this the speed it's like turning your tap on with just a barely a trickle it's not enough to even wash your hands so we realized we were going to have to send send some poor guy from the forensics company around in a small plane flying all over the canadian arctic to collect the servers from these different locations and bring them back to toronto and that ended up being faster than trying to do it over the internet so uh you know on-prem could end up being a whole different kind of nightmare all over again if we end up back there if you allow me to just tie up the ransomware part maybe a nice neat bow um you know i've really ransomware operations have always excited me as a kind of working in some response because it tends to be yeah occasionally to expose data storm you gave some examples of the kind of cloud exposures there um but often it's it's a long patient multi-chain attack tree that has to spread across lots of different systems using many different vulnerabilities or techniques in order to get to either enough of the system to encrypt it or these days to find the sensitive data and push that out and as a result we've seen real sophistication um the specialization into initial access brokers how they get into the environment compromise it gain a foothold then sell it off to people who can do the recon and lateral movement we've got people who are groups who can exfiltrate really well or even tools that are really good at that you can buy it as ransom as a service and share portion of the funds there's financial experts who come in to kind of work out how much you can extort them by there's ai bots or chat room chat specialists and first line support people do the negotiations all this to say it's a really sophisticated uh operation and i think you knew this was coming when i mentioned the hydra at the very top but how do you sleep at night knowing that you may have contributed towards this beast growing um when when an organization you work with ends up paying the extortion to their threat actors and they can reinvest those ill-gotten gains and then turn their focus onto the next target well a client asked me last year how do you sleep at night knowing what you know about all this because they were it was eye-opening as it often is for clients when you explain all of this to them because it's a world they just don't have sideline into and i said easy it's not my data um thankfully that's a client with a sense of humor i can make that joke but in terms of uh like how do i parse that well if you're a lawyer my contracts professor in law school said the key to becoming a lawyer is learning to compartmentalize he said after that it's hard to do if you arrive at school as a whole person uh so as a lawyer you do have to sort of compartmentalize and say i have a duty to this client i have sworn a duty to look after this client that's what my oath says and that's what i do it's not an oath to fix the whole world by sacrificing a client uh we're sacrificing a whole industry that's not my decision to make i'm there to advocate for and to try to protect the client that's in front of me it's a little bit like you know i'm flattering myself here a bit because it's not nearly the stakes but it's a bit like you know you'll sometimes see in tv shows uh a doctor star trek's got like four episodes like this a doctor is put in the position of being asked to save a patient who they know is a terrible person who's committed murders uh and well what do you do right your your humanity says i don't contribute to this but you also have the duty that's in front of you so that's the way i approach it uh and and i part of the what i try to give back into the world karmically is things like this i do a lot of public speaking i do public speaking and public fora to just regular people trying to help them protect themselves and tell them what they need to know so i'm hoping that on balance i sort of help more people get to the point where this isn't going to have to happen to them than uh than i've the bad i've done in the world by helping clients get the ransoms paid but that's a by the way i've never been asked that i love that question oh really the question no no no no i i felt i mean it was my attempt at a kind of i think i'll be a political reporter because you give a really good philosophical nuanced answer to my attempt at a simplistic gotcha but it is often on all the security petitioners minds that hey you see the payments getting paid yeah we have to go battle what comes next so thank you for allowing me to ask that lawyers get this question all the time in a different form how can you defend somebody who does or did something awful or how can you defend someone that may have killed someone or done something terrible to the child and the answer is that's my job so you know sometimes but but it gets a real gray area not for me but we have seen instances where we know ransomware negotiators were actually in bed with the threat actors people have gone to jail over that so you know this is now a question i have to deal with sometimes with clients that know just enough about this to know that that's a thing i have to say i've got a guy he's you know i trust them he's not uh you know in the way that i know i can trust them is that most of the time we're not paying and often he'll be the one to say i wouldn't but you do what you can absolutely so i think there's a lot of regulation around the world and i'm going to hand over to tyler because i think we've seen a trend towards limitations on who can pay and when they should pay and previously that's been more based on the sanctions piece and that you alluded to the lot of the big groups disappearing i think that's partly rebranding so they're no longer known as the russian ransomware gangs yeah so they can not have to be you know companies don't get whacked for paying uh something who is somebody an organization who falls under the sanctions but tyler i believe there's a canadian example where this is a lot more real and now where we're potentially going with regulation in this space that's an excellent i mean we should ask brent that question um i want to talk about a bill um but it's not about that so i don't know if we have anything on tap in canada about the ability to pay or not pay not yet and every once in a while as in many countries the idea of banning paying gets floated the police are floating this idea all the time um haven't seen it happen um in the states the closest they got was a bill i think under biden that essentially shames companies where if you pay a ransom you have to report it to the government your name goes up on a list so everyone's like here's the dunce here's the dunce cap list of companies that got hit and paid um some companies will go public with the fact they because they're working that angle like we talked about before wanting to be able to say we did everything we could to protect the people affected by this including paid criminals to not put their information on the dark web some companies are out front um but no i i haven't seen in any western countries at least uh an actual outright ban as you said we do have the sanctions lists and that complicates and that's another reason why not to pay frankly because and actually i was talking to the rcmp out in edmonton about this just last week because the attribution is less reliable than it used to be and it changes by the hour right and this is why my ransom or negotiator that when i use is running those sanctions checks right up to the minute that they pay a ransom uh because the best you could do it's illegal to fund terrorism it's not illegal to pay a ransom but if you know that they're probably funding terrorism you shouldn't do it because you need to have that sort of we did our best to make sure we weren't defense uh but i remember a few years ago one of the more notorious gangs one of their people gave an anonymously gave an interview to a reporter can't imagine why but they did and they said you're never going to catch us we store the data in iran which meant overnight no one could pay that threat actor anymore because iran's on the sanctions list and then they're like no no no no no no we were kidding like that's not a joke sir uh but yeah you're absolutely right the fact that uh unfortunately we've been so successful with these with these disruptions and also some arrests even that a lot of these groups have scattered to winds and now they've reconstituted in different ways like canadian bands like broken social scene everyone's in it uh so everything sort of moves around so that often now means first of all i can't i'm less certain than i could have been that this isn't a uh an actor like first of all a known take tie do an own terrorist group or in a sanctioned country uh and also it means at a more mundane level we don't really know the things that like i can have a negotiator see i've dealt with the let's say it's a killing attack and i had one of these last years as i've done dozens of these the problem is that the group that we're actually dealing with at the front end of the attack is different every time or can be different every time as you were talking about how these days some of these critical infrastructure um companies or organizations rather are getting quite good at at their defense is taking this a lot seriously i quickly googled a story that came to mind about the pentagon's weapon systems that had standard passwords on lots of things and that was 2018 so it was a while ago i thought it was more recent in my memory but we still see examples i think of these really mission critical um organizations still having poor security practice and that's a reflection of maybe the you know the endless journey that you have to be on that it is in a point in time exercise you have to keep revisiting it and so therefore focusing on the lower hanging fruit or the the ones that have the biggest impact and you can have the control of it probably makes more sense um although i am having to getting to the heads of canadian legislators which is not something that i normally do but i think we just have a state where we realize hey all let let's be clear all nations are in each other's systems and know what they can do and that's why they take extra precautions because they say hey i know what i can do in your system so i'm pretty sure you can do it to mine it is a kind of mutually assured of mutually assured destruction that we've, we've arrived to, but a lot much, much sneakier destruction that we've uh we've arrived to um but a lot much much sneaky version than say, we saw in the 70s. Yeah, I mean, even even Canada, as of about I think, 10 years ago has defend forward offensive capability. It's housed in the military, but we do use it. And you're right, every country is sort of poking around and seeing what it can find out. And on the supply chain piece, I agree. I mean, the best you can do sometimes, because no one, for instance, exercises audit rights, no one, you, you could spend it could be somebody's full time job, just kicking the tires on every vendor that they sign up with. Some companies, there is that person, but you'd have to be doing constantly. The best you can do is sort of plan to make sure that you're not entirely dependent on one, one vendor that could go down. So a lot of this is redundancy planning, and it's an expensive and it's, it's, it's, it's irritating. It's not economically efficient, but you have to do it. Well, Brent, thank you very much for your insights. Tyler, do you have any final questions before if we can roll the carpet out for Brent? We're good. Excellent. So yeah, thank you very much for taking the time to join us on the security podcast. And this is the part where you to thank you, we usually say anything you want to promote, whether it's personal, professional, now is your opportunity, the floor is yours. So two things. One, if you do have a data breach, reach out to me, I'm at thinklaw, which is I N Q, and then the word law. And the other is you should join the Canadian internet society because it's a think tank I run. We worry about internet policy and we do lots of good work in trying to influence the government to make good decisions. And if your organization doesn't belong to a threat information exchange, you should join one. And if you're in Canada, you should join the CCTX and hang out with Tyler and I. So behalf of myself, Josh Davison, and my cohost Tyler Reguli, this has been the art of security. And thank you for listening. We'll see you next time.

TL;DR

  • Data breach counsel Brent Arnold describes his role as a crisis concierge — triaging incidents, assembling expert teams, and managing legal and regulatory exposure from the moment he is engaged, often hours into an active breach.
  • Ransomware response has become highly complex, requiring real-time sanctions checks, threat actor attribution, and negotiator vetting, as major criminal groups have fragmented and reconstituted under new identities to evade law enforcement.
  • The decision to report a breach is often a pragmatic cost-benefit calculation — regulatory bodies are under-resourced and focused on large-scale incidents, meaning smaller breaches may carry minimal enforcement risk even when technically reportable.
  • Asset visibility is the foundational prerequisite for breach prevention — organizations that don't know what systems and data they have cannot adequately protect them or respond effectively when something goes wrong.
  • Digital sovereignty concerns and geopolitical tensions are prompting some security professionals to reconsider cloud-first strategies, with potential movement back toward on-premises or locally controlled infrastructure despite the operational complexity that entails.
  • Proactive engagement with legal counsel before a breach occurs — rather than waiting for an emergency — significantly improves an organization's ability to respond quickly, maintain insurance coverage, and satisfy post-incident regulatory expectations.

What a Data Breach Counsel Actually Does

This episode of The Art of Security brings together cybersecurity practitioners Josh Davies and Tyler Reguly with Brent Arnold, a Toronto-based litigator and data breach counsel at INQ Law, to explore what organizations face in the immediate aftermath of a breach. Brent describes his role as a concierge for crisis response — arriving hours or days into an incident to triage the situation, assess the threat actor, determine what data is implicated, and assemble the right external team including forensics specialists, crisis communications experts, and ransomware negotiators. A critical early step is confirming whether the organization has cyber insurance, since insurers often dictate which vendors can be engaged and must be notified promptly to avoid voiding coverage. Brent also emphasizes that courts and regulators expect organizations to emerge from a breach more secure than before, making post-incident remediation a legal and reputational imperative, not just a technical one.

Ransomware Negotiations and the Sanctions Minefield

The conversation dives deep into ransomware response mechanics. Brent explains how he uses AI tools like Perplexity to rapidly gather threat intelligence before client calls, enabling him to quickly establish credibility with panicked clients. The ransomware ecosystem has grown highly sophisticated — with initial access brokers, lateral movement specialists, exfiltration tools, financial analysts, and even first-line support staff operating as a coordinated criminal enterprise. Attribution has become increasingly difficult as major ransomware groups have scattered and reconstituted under new identities, complicating sanctions compliance. Brent's negotiator runs sanctions checks up to the moment of payment, because funding a sanctioned entity — even unknowingly — carries serious legal exposure. The panel also discusses the ethics of paying ransoms, the debate around banning payments outright, and why some organizations publicly disclose payments as a reputational strategy to demonstrate they acted in good faith to protect affected individuals.

Regulatory Calculus and the Cost of Doing Things Right

Not every breach triggers the same regulatory response, and Brent walks through the pragmatic calculus organizations use when deciding whether to report. Using the example of a university that accidentally emailed an alumni spreadsheet to thousands of recipients globally, he illustrates how the cost of full regulatory compliance — engaging lawyers across dozens of jurisdictions — can vastly exceed the realistic risk of enforcement, particularly when privacy commissioners are under-resourced and focused on high-impact cases. Tyler adds context from the vulnerability management space, noting that organizations often don't know what assets they have, making it impossible to protect them. The episode closes with a discussion of digital sovereignty, cloud security trade-offs, and the geopolitical pressures pushing some organizations back toward on-premises infrastructure — a shift that brings its own operational nightmares, as illustrated by a forensics team that had to physically fly servers out of the Canadian Arctic because Starlink connectivity was too slow to image them remotely.

Prevention, Preparedness, and Threat Intelligence Sharing

Throughout the episode, all three participants return to the theme that prevention requires both technology and process. Tyler emphasizes that asset visibility — knowing what's on your network — is the foundational starting point for any security program, since you cannot protect what you cannot see. Brent notes that when he is engaged proactively, before an incident occurs, he can help organizations build the relationships, workflows, and documentation needed to respond quickly and cohesively when something does go wrong. He also highlights the value of threat intelligence sharing communities, specifically recommending the Canadian Cyber Threat Exchange (CCTX) as a resource for organizations operating in Canada. The episode reinforces that ransomware and data breach response is no longer purely a technical discipline — legal counsel, regulatory awareness, insurance coordination, and crisis communications are now essential components of any mature incident response program.

Chapters

0:00 - The Value and Vulnerability of Data
2:00 - Introducing Brent Arnold, Data Breach Counsel
4:06 - Triaging a Breach: First Hours
6:08 - Tyler's VM Perspective on Asset Visibility
16:03 - Regulatory Reporting: The Real Calculus
19:01 - Ransomware Response and Negotiation
31:55 - Cloud Security, Digital Sovereignty, and On-Prem Trade-offs
35:03 - Ransomware Ecosystem Sophistication
36:27 - Ethics of Paying Ransoms
39:31 - Sanctions, Payment Bans, and Regulation
44:48 - Closing Thoughts and Resources

Key Quotes

2:44 "You get brought in kind of like, I flatter myself to say, it's like Winston Wolf in Pulp Fiction. You get brought into a mess, and your job is to tell everyone what to do to clean it up and make sure it gets done properly."
4:06 "I come into it typically hours or days into a data breach that the client has been late to discover and has tried to manage themselves before somebody said, you really need help."
20:49 "I've got about 10 minutes to gain their trust and they're already paranoid and they're scared. But I need to get across, I know enough about this that you can follow my lead."
36:27 "A client asked me last year how do you sleep at night knowing what you know about all this. And I said easy, it's not my data."
39:05 "We have seen instances where we know ransomware negotiators were actually in bed with the threat actors. People have gone to jail over that."
41:30 "It's illegal to fund terrorism. It's not illegal to pay a ransom. But if you know that they're probably funding terrorism you shouldn't do it because you need to have that sort of we did our best to make sure we weren't defense."

FAQ

What should an organization do in the first hours after discovering a data breach?

According to Brent Arnold, the immediate priorities are: notify your cyber insurer (failure to do so can void coverage), engage external forensics if not already done, triage what type of attack occurred and whether it has been contained, assess what categories of data are involved to understand regulatory obligations, and bring in a data breach counsel to coordinate the response. The goal in the first hours is to stop the bleeding, understand the scope, and assemble the right team before making any decisions about notification or ransom.

Is paying a ransomware demand legal, and what are the risks?

In most Western countries, paying a ransom is not illegal, but it carries significant legal risk. The primary concern is sanctions compliance — if the threat actor is affiliated with a sanctioned country or terrorist organization, paying them can constitute a violation of law. Because ransomware group attribution has become less reliable as major gangs have fragmented and rebranded, Brent Arnold's negotiators run sanctions checks right up to the moment of payment. There is also no guarantee that paying will result in data deletion or decryption, and payment funds criminal operations that will be used against future victims.

How do organizations decide whether to report a breach to regulators?

The decision is often a pragmatic risk calculation rather than a purely legal one. Brent Arnold explains that while reporting is always the technically correct answer, the realistic enforcement risk for smaller or lower-impact breaches is often minimal because privacy commissioners are severely under-resourced and prioritize high-profile cases. The calculus involves comparing the cost of full compliance — which can run into hundreds of thousands of dollars for incidents with cross-jurisdictional exposure — against the actual likelihood of regulatory action. Organizations should consult legal counsel to make this assessment rather than making it unilaterally.


Categories:
  • » Cybersecurity » Data Security
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Security Operations
  • Threat Intelligence
  • Compliance & Governance
  • Data Privacy
  • Best Practices
  • Webinar
  • Data breach response
  • Ransomware negotiation
  • Incident response
  • Regulatory compliance
  • Cyber insurance
  • Digital sovereignty
  • Threat actor attribution
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Fortra: Data Breach Response: Legal Risk, Ransomware & Recovery

              Upcoming Webinar Calendar

              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Worthy Security Team for Unmatched Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-worthy-security-team-for-unmatched-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies for Effective Data Privacy and Protection
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
              • 07/22/2026
                01:00 PM
                07/22/2026
                Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                14

                Crafting a Championship-Worthy Security Team for Unmatched Defense

                07/14/202601:00 PM ET
                • Jul
                  14

                  Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                  07/14/202602:00 PM ET
                  • Jul
                    21

                    Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                    07/21/202604:00 AM ET
                    • Jul
                      22

                      Insights and Strategies for Effective Data Privacy and Protection

                      07/22/202606:30 AM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version