R&G Tech Studio Presents: Data, Privacy & Cybersecurity Co … – Mondaq News Alerts


On this episode of the R&G Tech Studio, data,
privacy & cybersecurity co-lead Rohan Massey sits down with
technology, media & telecommunications co-lead Ed Black to
discuss how he goes into crisis mode when his clients are hit with
a ransomware attack and how he works in tandem with forensics
experts, communications and crisis response teams to understand the
scope of the breach and its impact on clients.

Transcript:

Ed Black: I would like to welcome everyone to
the latest edition of our R&G Tech Studio podcast.
Super pleased that I’m here today with not only my partner but
my good friend, Rohan Massey, a wonderful Ropes & Gray partner
focused on data, privacy, cybersecurity and related issues. Rohan,
thank you so much for joining us. We are going to spend some time
talking about what you do in tech, but before we get there, maybe
just give us two seconds about who you are, where you live and that
kind of thing.

Rohan Massey: As you said, I’m Rohan
Massey. I head up the data, privacy & cybersecurity group here
at Ropes & Gray. The accent kind of gives it away—I’m
based in the London office, and I’ve been with the firm eight
years now. In fact, Ed, you were the first person I met from the
firm all those years ago.

Ed Black: I’m still happy I did. Now, do
you work just in London because I see you everywhere? How do you
view the footprint of your practice?

Rohan Massey: The practice itself is global, so
I do a lot of work out of London, but I travel a lot—I’m
often in the U.S. A lot of our clients are U.S.-based or
multinational, so I’m traveling to see them a lot as well as
moving through Europe and Asia because of the opportunities we have
out through our Shanghai and Hong Kong offices.

Ed Black: Sounds good. Alright, Rohan, we
should turn to the meat of the podcast, and that is what you do in
tech. Can you give me a quick overview of how you help clients in
the world of tech?

Rohan Massey: Obviously, my practice is, as it
says, “data, privacy & cybersecurity,” so pretty much
everything I do, I would say, is tech-related. Now, I work with
private equity (PE) houses on compliance programs. I work with
their portfolio companies in every industry from widget
manufacturing to biotech, life sciences, pharma, all of those
areas, and every time they’re asking me a question or to come
in and assist them, it will be something data- or tech-driven. Even
those that think that they’re not tech companies, maybe
it’s employee data-related issues, I will come in and look at
how we can assist them, especially with regard to compliance in
those areas. So, I’m always involved with our clients on a
tech-focused basis.

Ed Black: Now, when you’re working for
these clients, can you just provide an example: What kinds of
problems do you solve?

Rohan Massey: The types of problems that I
solve are quite a broad universe. So, it could start with a
compliance program. I will look at the data protection compliance
program for an organization, especially multinational
organizations. I’ll look at how they can comply with the
increasing number of regulatory laws and statute requirements in
different jurisdictions, many of which are now extraterritorial, so
for multinationals, that’s a real juggling skill.

Ed Black: Can you give me an example just to
make this concrete, something where a particular client had a
particular problem that you helped them solve?

Rohan Massey: Sure, let’s look at one
I’ve done recently, which was post-transaction. We amalgamated
two multinational groups, one of which had U.S. and a lot of Asian
operations, and the other was mainly based in Europe, and so,
bringing those two together had brought with it a huge employee
database—some were on the European data protection, some
under U.S. data protection, or some under the different data
protection laws of Asia. And post-transaction, the group was
looking to consolidate its HR and talent management database in the
U.S., so we had to try and work out how we could get the data from
Europe and the different Asian countries to the U.S. lawfully. It
was quite a challenge because of the way that the target had been
set up in Europe, they had very strict limitations on what they
could do with their data, and I had to find a work-around for that.
There was a lot of back and forth, and there were a lot of
challenges, but we did manage to find a system, a practical system,
based on the contextual risk that was coming out of what the data
was being transferred for (its purpose), where it was being
transferred to (the U.S.) and why it was being transferred really
for the efficiency of the new, enlarged group or organization. So,
we managed to get there, but it took a lot of explanation and a lot
of understanding of different laws because the approach in Europe
is very different to the approach in the U.S. A lot of the time,
the U.S. client would get frustrated as to why certain data, be it
ethnicity rates or sensitive data, couldn’t be transferred, and
the Europeans would be very frustrated as well that they were being
asked to do things that they thought they couldn’t do until I
found a work-around.

Ed Black: Now, I know that compliance
infrastructure is a focus, and that sounds like it’s something
where you saw the problem and moved forward, but I know you also
deal with things that involve some retrospective issues, things
where you’re looking backward, like breach events. How does
that fit in? If there’s a ransomware attack, if there’s
some cybersecurity hack, how do you deal with that?

Rohan Massey: That is the second part of the
practice, and it's bread and butter where cybersecurity becomes the
issue. For organizations, it’s now a case of when they get hit
rather than if they get hit. If it’s a ransomware attack,
it’s locked down the systems—it’s crisis mode from
the get-go. I will get that call usually in the middle of the night
or as soon as I’ve either booked a holiday or I’m on
holiday—it’s the way it works. And it’s a full-on
crisis response mode. So, we will come in, we will look at what the
issues are, work with forensic experts, marketing and
communications teams, crisis communications teams, and work through
all of the issues trying to understand what the scope of the
incident is, what the impact of the incident is, and what the
remediation steps are, both on a technological basis, so the
business can’t stop operating, and also from a regulatory side.
So, what notifications need to be given to regulators in which
jurisdictions, and what detail needs to be in those.

Ed Black: I have two questions here, two
questions on this one. The first one is the Ukraine War started,
and I actually heard some businesspeople, some clients of mine say,
“Thank God the Russian army is not tied up with somebody else.
They won’t be hacking us.” There was this period of time
when cybersecurity attacks, many of which are state sponsored, fell
away, and people breathed a sigh of relief a little bit. But did
that happen, and is that a permanent state? Where are we in terms
of where these hacks are headed? Is it common? Is it less common?
What’s the trend?

Rohan Massey: The halcyon days of it being less
common are over, but we did certainly see a dip from February last
year, and this was reported by regulators—it was reported by
all of those in the industry, both legal and technical forensic
teams, that it certainly did. It looked like the business model of
ransomware attacks where people were getting paid to unencrypt data
was over. Sanctions have kicked in, so the payments couldn’t be
made. And possibly, there was a reallocation of resources because
they were needed to assist certain states in their military
advantage and offensives. That’s over. This year, we’ve
seen a massive spike back in cyber threats and cyberattacks.
Critically, the thing we’re seeing now is not direct attacks on
organizations, but we’re seeing the very sophisticated threat
actors looking at third-party software, looking for vulnerabilities
within that and attacking—so really, it’s attacking down
the supply chain.

The most recent one most people would have read about was
MOVEit. They found a MOVEit piece of software, it’s a
file-transfer software—they found a vulnerability within that
that even the developer didn’t know about. They exploited it
and got into thousands of organizations that use the MOVEit
software. I’ve been involved in response to that in the U.K.
for a number of organizations, and it’s been really challenging
because it’s very difficult for an organization to prevent an
attack that nobody knows is a vulnerability. You can’t patch a
vulnerability because nobody knew about it. But then, it’s how
you respond, and it’s being clear and transparent with users,
clear and transparent with the regulators, and then taking a step
to think, “How do we fix this going forward? What better
diligence can we do in our supply chain? What actions do we need to
take in our audits and reviews to ensure that we are fully patched
from an IT perspective?” So, we limit and mitigate risk. I
don’t think you will ever eradicate risk, but what I’m
making sure clients have got is the least risk open to them so that
they can use as many different resources as they need for their
organization to be efficient.

Ed Black: I think the hard part about these
responses is that everyone knows it’s bad—everyone knows
you’ve got to hop on it and that it’s an emergency
situation. Yet, sometimes, you hear businesspeople talk about how
the treatment is worse than the disease, that the people who come
in and who help you respond are very disruptive. How do you manage
that? Of course, you can’t eliminate some of the
disruption—it’s a hack, and people need to deal with it.
But are there ways to handle these types of events that take into
account the effect on the business that’s experiencing
them?

Rohan Massey: I certainly would take a very
practical approach here—you’ve got to look at the risk
and you’ve got to look at the context. Now, interestingly, with
something like MOVEit, there wasn’t a ransomware attack, it was
a data exfiltration, so business could continue to operate
absolutely normally whilst in the background we tried to do the
assessment of what the implications would be. If you had a
ransomware attack where your entire IT estate has been encrypted
and you can’t even send an email, so you’re suddenly having
to move to other forms of communication because you’ve got no
corporate email, the mindset and the response should be totally
different—I think they are. And the way that you manage that
has to be different—it has to be practical. The most
important thing that I think I bring to the table is that it’s
not my first rodeo. I have so many times talked with CEOs, C-Suites
and boards who have gone almost into analysis paralysis because of
the crisis response that they’re in because they’ve never
experienced it before, and they’re trying to do way too many
things at once, thinking they’ll be moving forward when in fact
they’re either standing still or moving backwards. My job is to
just basically take all of the heat out of our situation to say,
“This is how we address it, x, y, and z. This is the
timeframe. These are the people that we’ll work with. If we put
these processes in place, we should get to the end far more
quickly, and we should be able to be in a position to justify our
response to any regulator far more effectively.” I think
that’s really important.

Ed Black: Spectacular. This has all been super
interesting. I want to shift gears a little bit to a couple of
areas that are a little less concrete. The first one is a little
bit of crystal ball-gazing. If you had to look forward, if you had
to say, “What’s around the corner,” from a data and
cybersecurity perspective, something that’s two to three years
out, what would that be? What do you see headed down the turnpike
towards our clients?

Rohan Massey: For me, two or three years out is
probably already here—it’s just not been made public yet
because that’s the way that technology moves. As a data privacy
lawyer, I think the biggest concern is the confluence of data
protection rights along with the technological developments
we’ve seen in AI, for example, in facial recognition and large
data sets. So, the ability to create, whether it’s deep fakes
or facial recognition linked to behavioral patterns and the
analysis of those—it may sound very Minority Report,
people showing the ability to commit crimes before they’ve
actually been committed because of behavioral profiling and
prediction—these areas for me, I think, are going to be some
of the most challenging. Clients will be developing these
technologies, and we have to make sure that they are developed in a
compliant manner and that they are also ethically developed. I
think that’s a really important part of where my advice will be
over the next three to five years. At the same time, I think
we’ve got a societal responsibility. And I’m very certain
on this that we have to be clear that we are protecting the rights
and freedoms of individuals as we make these technological
developments because the technological capacity that’s out
there is immense and can be used for harm as well as a positive
influence on society. We need to make sure that the positives
really do remain the important focus here.

Ed Black: Alright, I want to save some time for
the portion of these podcasts that is my favorite. We’re going
to do this like a lightning round. First question is an easy one:
Where do you live? What can you tell us about your personal
life?

Rohan Massey: I currently live in South London
in a neighborhood called Dulwich. It’s quite a nice, leafy
neighborhood, a long way from where I was born and grew up, which
was in South Manchester in the North of England. I’ve been down in
London now for nearly 30 years.

Ed Black: Now, I hear you mention that you grew
up in South Manchester. Would that be anywhere near the home of two
of the greatest football teams on the planet?

Rohan Massey: It would. It would be very close
to both Manchester United and Preston North End.

Ed Black: I see. Manchester City is 1,000 miles
away?

Rohan Massey: Who? I haven’t really heard
of them. Sorry.

Ed Black: Next time you come to Boston, Rohan,
my office is going to be painted powder puff blue. You’re going
to have to use a blue pen on a blue pad. Alright: Favorite
books?

Rohan Massey: I think my favorite book would
have to be One Hundred Years of Solitude by Gabriel
García Márquez. It starts with the greatest opening
sentence of any book and then gets better.

Ed Black: It’s a perfect day. And
you’re dreaming now at night. It’s a perfect sleep.
You’re in the happiest place doing that thing that you’re
happiest to do. Where are you and what is it?

Rohan Massey: I think I would be downhill
skiing under a blue sky somewhere on a desert island. But it’s
only a dream, right? So, I’m sure I’m allowed to have
it.

Ed Black: Actually, there are these 300-foot
sand dunes in eastern Washington here in the States where people
sand ski down the dunes. Would that be your dream?

Rohan Massey: Yes, I’m looking for a flight
now.

Ed Black: Rohan Massey, thank you so much for
joining us. It’s been a pleasure having you.

Rohan Massey: Ed, it’s been my pleasure to
be here. Thank you very much.

Ed Black: I want to remind our listeners that
this is the R&G Tech Studio podcast. It is available
through the Ropes & Gray website, but also available wherever
you find your podcasts. Thank you for listening.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
