The Lock & Key Lounge — An ArmorText Original Podcast
Welcome to The Lock & Key Lounge, the official podcast from ArmorText, the leader in secure out-of-band communications. Each episode brings you into the conversation with the sharpest minds in cybersecurity, law, critical infrastructure, intelligence, and government. We go beyond the headlines and vendor buzzwords to unpack real-world challenges—from incident response and cybercrime innovation to legal landmines, boardroom decisions, and threat intelligence at scale.
Pull up a chair, pour a drink, and join us as we explore what it takes to stay resilient in a world where operational security, compliance, and communication have never been more intertwined.
Available wherever you stream your podcasts, or right here on ArmorText.com.
Podcast #20: Secure Isn't the Same as Defensible, Part 2
What the Signal IG Report Teaches Enterprises About Communications Risk
This episode touches on a topic we initially covered in Episode #2, where we discussed the Signal/Atlantic group chat with Marisa Darden of Benesch Law. The latest DoD IG report has brought the privacy-vs-compliance conflict back to the front page. So, today we're going to translate those findings for the enterprise.
Navroop: Welcome back to The Lock & Key Lounge. If you're just joining us, this is part two of our conversation with Amy Mushahwar, Kathleen McGee, and Rachel Maimin of Lowenstein Sandler. In part one, we unpacked how the recent Inspector General findings around Signal use highlighted a broader issue. When organizations rely on tools that feel secure but don't meet enterprise requirements for governance, retention, and oversight, they expose themselves to real legal and operational risk. If you're joining us here in part two, you can catch up on part one of this discussion at armortext.com/podcast. This is also available on Apple Podcasts and Spotify. Now, let's pick up right where we left off. All right. So Amy, given everything we've been talking about up until this point, I'd love for you to make the case to the enterprise. Why not Signal or WhatsApp for sensitive business? What does the enterprise grade out-of-band communications really add?
Amy Mushahwar: Oh, absolutely. Enterprise-grade applications add enterprise security and enterprise retention controls. So, especially if we're working with a client that is highly regulated—a bank, a government contractor, an educational institution, a telecommunications company—we especially want to make sure that they're meeting their statutory promises for security. And in the case of the banks, FFIEC IT security book standards and NYDFS standards, depending on how they're licensed. We don't want them using out-of-band communications methods where maybe it's SMS, maybe it's iMessage. One's encrypted, one's not. Maybe if someone changes their phone, half of the records were wiped, or there might not be a centralized storage repository whatsoever. So if a user deletes, the only way that you could get information might be subpoenaing Apple or subpoenaing Signal and WhatsApp, and good luck doing that. We really want enterprise-grade applications so our clients can be following their appropriate security standards—admittedly, too, their privacy standards as well—because who wants a full preservation over their phone? It's much easier for us to preserve an out-of-band communications app and all of the communications running across it than individual phone records. Much more privacy-protective. And I'll kick it over to Kathleen and to Rachel, who I'm sure can give us an earful about the fact that we really do want good retention on these.
Rachel Maimin: Kathleen, do you want to take this one first?
Kathleen McGee: Happy to. Thanks. So I do think that there are several reasons why you want to maintain your retention consistent with what regulators and best practices are. And that always is going to extend to messaging, in whatever form it comes in. So when you're involved in this out-of-band practice, you need to make sure that you have controls in place that are going to allow you to comply with regulatorily mandated and expected retention policies. And the penalties for not doing that—I think we've touched a bit on this earlier on in our conversation—can go from sort of sanctions and spoliation concerns to—there can be lighter-touch repercussions. But I don't think you ever want to assume that that's going to be the case. And I'm sure Rachel has seen instances on the criminal side, but I've certainly seen instances on the civil side where failure to maintain in that way—and again, I know we've talked about this a bit before—can really have repercussions.
Rachel: Yeah. I mean, right now the expectation of regulators is, no matter what platform you're using, you're meeting the maintenance standards. So, to the extent that a platform has—is it—as a—is ephemeral or has auto-delete, or is it in any way non-compliant with the regulations? Then there was a time, I think, perhaps in the past before the government really had a grip on ephemeral messaging, and before really business had a full grip on it, when it was okay to say, well, we were using this app or we were using this device in good faith, things weren't maintained, but it was all in good faith. So, sorry you're not getting those documents or those communications, but that time has long since passed. And so, as new—as there are new innovations to make communications more secure, perhaps more ephemeral, that excuse—the Department of Justice, for example, has said—is simply not going to be an excuse for failure to produce documents or maintain documents, and will be held against you in connection with trying to get cooperation credit.
Amy: Really good point, Rachel. I would just like to emphasize also, from the incident responder side of this, these communications and the preservation obligations can have a very long tail, as Kathleen and I, on the incident response side of this, when we deal with breaches that are in the millions of records and have thousands of customers, it's easy to have litigation that lasts for 2 to 3-plus years, or maybe even more, before you finish not just with the litigation, but with the 50-state AG action, with kind of all of the customer disputes. Nowadays, a breach has a very long tail. So, as Rachel's talking about spoliation, as well as Kathleen, if you don't have an enterprise application, you're probably working with the need to preserve phones on an ongoing basis and preserve personal communications on an ongoing basis for quite a long time. So, I also think if you don't have an enterprise out-of-band communication package, you're putting yourself in a world of hurt where you're going to have constant phone and personal device preservation, or you run the risks that both Kathleen and Rachel have discussed.
Navroop: I'm actually wondering what happens if you initially assume all you needed to image were four or five devices, and somewhere 1–2 years in, you realized you should have imaged two or three more devices for other parties that you hadn't realized were gonna be a part of this action. Have you seen that come up where 2 or 3 years into an incident, maybe you're realizing that there was something else that should've been captured, that maybe wasn't at the time, and you're having to go back and scramble to try and find those people and those devices to see if you can recover anything?
Amy: So I've never had it come up where there's actually been a negative inference against the client. On the breach responder side, we have it come up, and you are desperately searching for someone in the room who has captured the fact that there was either awareness or nonlinear awareness of X, Y, or Z fact. And on the functional basis, making sure you have an enterprise-grade communications platform makes that search so much easier. And you're not in a position—which sometimes we are if there's not a due preservation, there's—if you don't have an enterprise-grade application, it puts you at risk that you might not be able to find, especially the facts that you need in order to defend your client well.
Kathleen: I'll piggyback on to that to say that, from the government perspective, the expectation is you know what's within your environment. And there is just not an excuse for saying we had no idea, because you're supposed to do a fulsome search in response to a subpoena or information request. Full stop. So, making sure that you have those tools in place to do that comprehensive review and know what's there is critical.
Navroop: So one of the things we've been talking about here are some of the different drivers. If I remember correctly, when we came to that roughly 3.4 billion initially, and then something like 4.3—or whatever it was—billion in fines issued by the SEC and the CFTC related to a lack of business record retention, not being able to supply the regulator with copies of the conversations when asked. If I remember correctly, someone made the comment that this was just two potential regulators who would have had a reason to go to the banks and say, hey, we need a copy of who said what to whom, when it was said, and how it was consumed. Does that mean that there potentially are more liabilities hanging out there for those banks, or even others beyond just DOJ, SEC, CFTC? Are there—how many more regulators, depending on sector, are folks potentially going to have to worry about?
Amy: Yeah. So—
Navroop: And can you be fined for—I'm sorry, Amy, not to cut you off—but can you be fined for the same issue by each of these regulators independently?
Amy: So it doesn't really work that way in practice. The way that it—that this issue would come up—is, let's say you are a larger entity where you have 50 state AG actions, FTC actions, DHHS actions, SEC actions—yes, there's the potential for you to be fined for not preserving. But what's more damaging is not having the facts that you need in order to properly defend yourself, even if you're not fined. So, the issue of preservation can especially come up before those agencies where you are highly regulated, in highly regulated sectors. But the issue of were you acting reasonably under the circumstances with regard to security is one where there's often, especially on the larger matters, clusters of state and federal regulators, where you need to have the facts at hand to prove what was known and not known at the time of your incident response. And the danger of not having those facts, were callable, makes it to be very difficult events.
Navroop: So, Amy, since you just joined us recently for a CLE and CB credit webinar on this topic, I'd love to actually go back and look at something we discussed there, which was around IR comms and privilege and waiver. There's always this risk of defeating privilege when some non-privileged parties are on the line, either a PR agency or the insurer. How can an out-of-band communications platform either help or hurt when it comes to helping maintain privilege?
Amy: Yeah, absolutely. And I don't want to name names, but we do have some platforms that can be sponsored by insurance providers. And we have seen instances in the press—I have not faced this personally—but we have seen instances where settings may not be set in a way to appropriately segregate the insurer from the full response environment, or the insurer might have access to the full response environment by default.
I think that insurers are getting more savvy regarding this, and they also want to be careful because they realize the importance of privilege and want to make sure that they are mitigating losses and helping their clients to appropriately defend and mitigate losses by not defeating privilege. But it's helpful to have a true out-of-band communications platform that you can fully pre-orchestrate so that, as the incident responder or the client, whoever’s setting it up, can pre-orchestrate workflows. So, you know this is the room or the document repository that has potentially non-privileged parties. I don't want to say they're always privileged, because there is some variation in state law. But potentially non-privileged parties like insurers, like PR agencies, like town hall setups, and other vendors, and then having the true IR privileged workflow that includes the breach code, that includes the incident responder retained by outside counsel, that includes the client, so that you maintain a level of discipline. But again, like our team, our clients always want to keep the insurer informed so that they are aware of the loss environment. But the insurer is also very sensitive to being careful and maintaining that level of discipline. So, we create the best loss-mitigating environment for the client without adding undue friction, and potentially failing to orchestrate things well. When you’re in a circumstance where there's always a hundred things to do, anything that you can pre-orchestrate and pre-organize helps you not make mistakes.
Navroop: Kathleen, Rachel, do you—do either of you want to add anything there?
Kathleen: I think that Amy said it very well. There is a real legitimate concern. It's something that we talked—we touched on a little bit earlier on in the conversation—but is underscored here that, in any context where you have to be prepared for non-privileged parties to join a conversation. And we certainly know some of those contexts, observers to the board, or we're talking about, as in the context of—as Amy pointed out—the emergent situation where you know from a tabletop, you're going to have to have communications come in, or you're going to have to have outside parties come in that are not part of the attorney-client privilege relationship. You can anticipate a good number of those. And we're going to be better off if we've prepared by having some clear preset limits in the communication. Having an out-of-band communication system that's going to be able to have preset controls is a fabulous tech solution to that sticky problem that people continuously have.
Navroop: So, actually, Kathleen, on that point, since you brought up the boards and board observers and others, what do boards actually misunderstand about secure messaging, and what should they be asking CISOs and their general counsel before the next incident, and especially if they want to avoid becoming the next off-channel headline?
Kathleen: Yeah. That's something that we talked about, I think, earlier on in our conversation as well. Boards don't understand that there can be easier tech solutions to communicating, where very often we have clients who have board members who are part of other organizations with other servers and other email accounts. And they may not want to implicate their servers or their personal devices and their other work accounts on board matters because, certainly—most certainly, actually—together, Rachel and I, on cases, have worked to pursue board communications where we had an inkling that perhaps privilege had not been maintained because communications had occurred outside the fold, so to speak, in a board context. Or you're always looking for that advantage when you're looking to press, to get information, and to challenge privilege in a certain way. I think that what boards then don't understand, when they're working in relationship to a company CISO and a GC, is that if you're thinking through potential tech solutions to maintain the integrity of the communication, you actually can also make it easier for people to communicate. So, it's a twofold win. The first thing you're doing is maintaining the integrity of the communication. But the second thing you're doing is just facilitating an easier way to communicate with the people. People don't want to have to be burdened. And I think I said this earlier in our conversation, you really don't want to have to be burdened with five different email accounts. If you're a board member and you have a day job, you've got a personal account, you've got a work account, maybe you're on two boards, maybe you're an observer on a third. And so, having a streamlined way to control communications is a real benefit for everybody.
Navroop: Yeah. I couldn't agree more. And it actually kind of speaks to some upcoming features we've got on our own platform that will be coming out to help assist with that. It's a very specific use case that I think, Kathleen, to your point, requires kind of rethinking through some of that user experience, that user interface, to make that much easier, particularly for board members or executives who may have responsibilities to more than one organization. Amy, is there anything else, though, that, given your background—having been the CISO, right, having been on both sides of this table—is there anything that you would add there, other than things that CISOs and GCs should then be speaking to their boards about proactively, because the board may not even know that they should be asking the question?
Amy: Yeah, I would just bring up the constant tension that we always have, is one when to bring in the board is a very difficult question on a breach. And when is it time to bring in the board? Having a communications and orchestrated line where you can do that in an organized fashion, quite frankly, quite simply, like remind you that you need to constantly be thinking of that. And I'm not saying that the board gets ignored. No, certainly they do not. But I will tell you, on likely almost every single breach, many folks fake space, not just us. There's always a constant tension between when do you bring in the board and when do you truly know that there is a matter, in accordance with the incident response plan, that would necessitate a board escalation because it's material, and so that tension always exists. Having an orchestrated process make sure—makes sure that that question is constantly asked during the incident response process. So, that's one little insurance policy to the board to make sure that they're always being considered. But I will also say, on the board side, without orchestrated workflows, you never know what the important facts are until you're dealing with a challenge where either someone is trying to challenge the privilege of those facts, and you really are starting to understand the arguments that are being constructed. So, also, just having an orchestrated workflow where perhaps you don't make a mistake. And there are board members on this text thread, but not on this text thread. You get into the right e-room where all the appropriate people are aligned. It just creates a better level of discipline, because you never know the facts that are going to be important when you're actually going through the incident. When you're going through the incident, your main object is survival and treating your clients well, treating your business providers well. It's not—you, of course—you want to be mitigating damages.
You want to be constantly thinking of that. But your primary concern is true security and customer service. When you’re in the throes of a breach and you just don't know what the litigation consequences are until much further down the road, it's better to have it orchestrated so you don't have a privilege issue by mistake.
Navroop: So, that's interesting, right? So, if we're thinking about having to do that in the middle of an incident, it seems like that would be much harder to do than if you had already not only laid out those workflows in advance but also exercised them. I think, Amy, that brings us back to your favorite topic—tabletop exercises, right? How can you actually leverage the exercise to help validate the team, the executives, the board members, and others, so they can actually move out-of-band appropriately, but do so without losing governance privilege or risking retention and review capabilities? How do you actually do the exercises?
Amy: Absolutely. And this is, as you know, near and dear to my heart, because I'm going to say the 1 on 1 answer before we move to the 2 on 2, to the 3 on 3. The 1 on 1 answer is, can everyone get onboarded? Do we have the list of people who are on the incident response plan in the e-room? Now, that is never going to be a perfect process. People will always be joining and leaving the company. We'll always have changing incident response thresholds for the different team members that need to be assigned. There's always complexity, especially with large organizations, but even with small organizations and just plain old turnover. If you tabletop the platform, people are at least aware that the platform exists because they had to get on it. If you don't tabletop the platform and people never see it, then whatever happens when you're going through the incident response with the platform is what happens. So, I highly encourage, even if it's not a formal piece of the tabletop exercise, making sure, for the administrative professional who is responsible for ensuring that different investigative teams make it to different calls, they should be periodically exercising. Okay, well, does my CISO have access to this? Does my general counsel have access to this? Does our outside counsel have access to this? Do these three customer service folks, that if any PII was interrupted these folks would have to be involved, do they have access to this? And just if it's either formal tabletops or just administrative due diligence, please, please, please, whatever enterprise platform you're going to switch to, make sure that your incident response team is aware of it.
Navroop: Amy, is there any reason you wouldn't want to practice that as a part of the formal tabletop? One of the things we kept hearing from the banks was the value they had in actually exercising their out-of-band options during the tabletops, because it helped reinforce how to use the technology, especially for the more senior executives on the team who otherwise wouldn't have a need to touch it on a more regular basis. Right, can you—was there a reason not to include it in the tabletop?
Amy: Only time. I will say, having done hundreds of tabletop exercises, the time that you take from that executive team and the technology team, when you're taking 3 to 6 hours out of somebody's day, that is a huge investment of time. Now, I do think trying to make the out-of-band communications platform is worth the time spent. But you always have a list of objectives whenever you're designing a tabletop exercise—of what you want to do, points that you want to make, even substantive funding decisions that you want to surface in the course of a tabletop—by having a problem that's illustrative of a problem that you're anticipating you might encounter. There's always very, very specific goals when I go into tabletops, usually of our CISOs and our general counsel's office, to make sure that they're raising a point that gets reacted to by the organization. If you have an out-of-band platform where you have a significant amount of the time taken up on technology, you might not get to the substance. I think it's probably best for you to do a little combination of the two. Or maybe you have some administrative staff prep folks on how to get on to the platform and then folks who are already prepped and ready on the tabletop exercise are exercising the platform just to reinforce that knowledge. But there is always a wide variety of goals and a very expensive audience that you have when you're exercising just a traditional tabletop, but especially if you're doing a tabletop with executives plus technologists.
Navroop: Yeah. That's a fair point. I think time is always a big consideration when it comes to these exercises. One of the things I often come back to, though, is there are some stats that came out from our friends over at Dragos and others, when their team that was looking at global tabletop exercises was reviewing data. What they saw was that 70% of organizations had no idea what they would actually move to. They would have a gap when it came to how they would communicate during an incident, and of the remaining 30%, basically 29 would potentially move to something that would either cause issues right in the moment and/or create potential liabilities for the future. So, less than 1% got it right. So, even if you're not practicing the technology, it feels like there would at least still be value in reconfirming that everyone knows what it is they're expected to do and where they're expected to go, even if they're not actually going to practice the technology itself, because that seems to be a huge gap. And then for organizations that have already selected something, yes, it's easy. You can just kind of point to an answer, but if you haven't selected anything, it sounds like there might still be value in kind of going through that exercise to confirm whether or not there is actually an active selection in place, and people do know where they're supposed to go.
Amy: Yeah, no, that's a very valid point. And I love the people at Dragos. So, they're—especially as you're dealing with larger organizations that, like the Dragos, would serve with operational technology. It's a fair and important point just to make sure that someone's thought of this issue.
Navroop: Yeah. And that brings me back to Kathleen—you and Rachel. One of the questions I've been thinking about for quite some time is, what are the analogs to this outside of the breach context? And given your backgrounds, I'd love to hear from both of you.
Kathleen: Well, I mean, I'll kick off by saying, in the criminal and civil context, really, any time there's an investigation, any time there's litigation that's even private—private-oriented and privately driven or plaintiff's class action, for example—the—one of the primary issues becomes how can we control certain types of communications in a privileged context? The moment that litigation begins, there is always a concern about people starting to speak about litigation matters in channels that are inappropriate, quite frankly, to a discussion about litigation matters. I really don't want my colleague—my colleagues—speaking with or interfacing with their clients over their own personal cellphone or having to resort to Signal. It just makes it messy. And so, it's a lot easier when we have, and clients very often now do do that, because they want to have a higher level of confidence that the communications they're engaging with counsel are secure and are outside the regular band. So, that is certainly one context in which—I mean, I just think it's universal. People understandably get very nervous once there is the specter of an investigation going on, and being able to provide a clear alternative to what people think is like the best, most secret way to have a communication with counsel is really important.
Amy: If I can add just one also non-breach but not litigation context. Something that we deal with in the proactive security and proactive privacy environment is also audits and audit attestations and compliance attestations. And many auditors have a full documentation platform. But you're usually searching for audit evidence and a whole host of emails. So, as clients are also thinking about the organization and whether or not you have your sufficient evidence organized for your SOC or your PCI attestation or your government contractor attestations or your NYDFS attestations. When you do a mini risk assessment, it's not a bad idea, especially for the interviews, because your auditors are typically going through, in addition to documentation, substantive interviews with your specialists. Having that evidence—it's not mandatory, but in the event, as a company, if you're trying to do a fulsome audit documentation file so you can really retrace the steps if you ever need to—it's not a bad idea to think about it.
Navroop: Very interesting. And I thought about the use case. All right. So, this is definitely a topic we could talk about for quite some time to come. This second part of our conversation has already been going on for quite some time. And so, I really appreciate all of you taking the time with us today. But, ladies, if you have time, I'd like to ask one more final question. Awesome. So, the final question is something that we like to do here on The Lock & Key Lounge, and that's to ask about kind of celebratory libations. So, when privacy and compliance finally align, the records are defensible, and the post-incident review doesn't make your stomach drop, what's the libation that marks that rare, satisfying win for you?
Kathleen: I think it depends on how bad it was before everything locked in. It's either—yeah, it's either whatever's in my fridge with a cork in it, or if it's really—if we're really getting down to it, it's going to be maybe a bourbon or a rye on the rocks.
Navroop: Got it. So, we've got the tier one responses. I'll just go over a glass of wine. And then, if it was really bad, we hit the hard stuff.
Kathleen: That's right, that's right. Oh, I think it's an honest—I think it's a clean, straightforward approach to risk management.
Navroop: I totally agree. I distinguish between when I would use a Corona versus when I'm going straight to an Old Fashioned or a Manhattan, or just straight rye. I get it. So, what about you, Amy? What would you go to?
Amy: I'm going to choose wine because it's my standard, but also because I dealt with a really nasty incident within the winery payments industry very early on in my career and was fortunately introduced to some really great wine. So, it matches my personality and matches my incident response history. So, it is just much more fun for me. Plus, I can't take the hard stuff anymore. After kids, you have to be able to wake up the next morning to be able to help out your kids.
Navroop: I like it. Now, by chance, Amy, does that winery still send you a case every so often as just a thank you for getting them through that moment?
Amy: No, they don't, but it was—with especially the wineries and alcohol distributors market—I think it's such an interesting segment of just retail industry, because it is—many small businesses own multi-million dollar wineries or liquor distributors and family-owned businesses. So, it is—whenever you are in a retail environment, especially if it's either a distributor network or where you might have a franchisee-franchisor relationship, it is—you really feel the stakes because it's small businesses, hardworking people who are doing their very best under very difficult situations. And you always want to help them. So, for me, that industry I always want to support it just because they're good people.
Navroop: They also helped keep the country moving during Covid, so—
Kathleen: Oh, they did, yes.
Navroop: I'm quite thankful for their contribution to national security. And with that said, I'd like to say thank you. Amy, Kathleen, and Rachel, I really appreciate you guys joining us for this discussion today. Ladies, it's been an absolute pleasure. And also, a big thank you to our listeners for joining us on this latest episode of The Lock & Key Lounge.
Amy: Thank you.
Rachel: Thank you.
Kathleen: Thank you so much.
Navroop: This concludes part 2 of our discussion with Amy, Kathleen, and Rachel, and the full conversation we began in part 1. If you're just joining us, you can catch up on part 1 of this discussion, along with other episodes of The Lock & Key Lounge, at armortext.com/podcast. These, and all of our other episodes, are also available on Apple Podcasts and Spotify. As always, we hope you found this conversation thoughtful and practical. If you have a unique perspective, a question we should tackle next, or a guest you think we should bring into the lounge, we'd love to hear from you. You can reach us at lounge@armortext.com. Until next time, keep your communication secure, compliant, and intentional.