
The legal considerations security staff don’t know to consider

Nicholas Merker will discuss how infosec pros can stumble at “Legal Pitfalls to Avoid in Security Incidents” at Black Hat on Wednesday. (Photo credit: “The Law” by is licensed under CC BY 2.0)

Nicholas Merker knows that most people at Black Hat feel like they have a good enough handle on the law to do their jobs. After all, before he was an attorney with Ice Miller, he spent a decade working in IT and infosec. But he also has a message for current infosec pros: if you learned a little bit more about the law, you would be able to do your job a little bit better.

His Wednesday talk at Black Hat, "Legal Pitfalls to Avoid in Security Incidents," will discuss the ways he has seen infosec pros stumble, either derailing their security work or ending up in the hot seat themselves.

"I was on the other side of this doing security incident work as an IT professional, and then when I became an attorney I found that IT folks can walk onto these legal landmines without knowing it," he said.

For example, one of the big changes in ransomware response over the last year was the Treasury Department announcing that paying ransoms to terrorist groups would have legal consequences. Does everyone in forensics now need to know offhand the ever-changing list of ransomware groups tied to terrorist organizations?

No, said Merker. But the practical effects of that compliance will still shape how forensics teams do their jobs.

"The people pulling the strings on when payment occurs are probably going to be the legal team, but IT folks would be impacted by the practical effects of this through delays. If you want to make a ransom payment, you might have a two-day delay at your bank, and then a two-day delay at your insurance carrier, and you could run into issues getting your company back online as quickly as you promised, because everyone's trying to do compliance around this new thing," he said.

Security teams, he said, also need to be keenly aware of the limits of legal privilege. There are circumstances where an investigator directly telling an IT team to patch a system involved in a breach would waive privilege over that part of the remediation. Doing the intuitive thing to plug a hole could immediately turn an unwitting forensics team into "plaintiff's exhibit one."

Merker realizes that much of the potential audience might see the topic and decide his is not a talk they need to attend. Twelve years ago, attending Black Hat as an infosec professional, he says it is a topic he would have brushed off himself.

"I know I'm not disclosing some zero-day vulnerability for the first time announced on stage — I'm not going to do that. But this talk, I think, is super important for this audience. You will walk away with the knowledge of some of the things to be thinking about during an incident that you may not be thinking about today. The last thing anyone attending Black Hat wants to be is deposed," he said.

"Legal Pitfalls to Avoid in Security Incidents" is slated for 2:30 PT.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
