This post was originally published on Seyfarth’s Gadgets, Gigabytes & Goodwill blog.
Ransomware attacks have become one of the most common and pervasive cybercrimes perpetrated against US companies. A bad actor, often from overseas, will gain access to upload malware onto a company’s network storage or application platforms that encrypts all files it can access. A message or text file is usually left with instructions on how to contact the attacker to pay a ransom for the decryption key. In the worst case, a ransomware attack can freeze the business operations by effectively removing access to the company’s critical systems and rendering them useless. Aside from the business impact, what legal implications are created by a ransomware attack?
The greatest legal concern is one of privacy. By definition, ransomware attacks gain access to the internal systems maintained or owned by a business. However, not all ransomware attacks are created equal and privacy obligations differ from one attack to another.
The most harmless ransomware attack is one that encrypts data on an identifiable location that is confirmed to not contain any personal information for employees or customers and which can be easily restored from clean backups. Assuming information that meets the definition of personal data (including PII or PHI) is affected, then further legal analysis is required in order to determine whether or not the business has further legal responsibilities. In that evaluation, the availability of reliable system logs, network traffic, and other information becomes critical. For example, some state data breach notification laws do not require notification to potentially affected individuals unless information was obtained by the unauthorized attacker. In other words, unless data was copied or exfiltrated by the attacker, there is not a breach. However, other states define a data breach as the unauthorized acquisition or access to certain categories of protected information. In states that include “access” in their definition of a breach, a ransomware attacker who is able to remotely browse through a network environment and select the target systems of files for an attack has obtained access. If the malware operates independently and there was no external access outside the execution of the computer code, it is arguable that there has been no unauthorized access by a person. It can be difficult to gain concrete information as to whether the attack resulted in the loss of data—but mere encryption, without more, is a arguably a “better case scenario” compared to one involving the loss or removal of information.
Hackers have caught on to this. In some cases, a ransomware assailant will provide proof that they have accessed personal information and can publish it on the dark web. These “proof of life” attacks provide a snippet of the personal information—for example, one of many social security numbers stored on the now-encrypted database—and hackers will threaten to publish all of the personal information if their demands are not met. Unfortunately, even though ransomware attackers when paid almost always live up to their end of the bargain by providing decryption keys and deleting exfiltrated data, the fact that information has been obtained by unauthorized individuals is unquestionably a breach, even if the attackers agree to delete it. This means, if personal information is involved, an attack that includes exfiltration is most likely going to trigger a reporting obligation.
Congress has introduced several bills that would require the reporting of a ransomware attack to the Department of Homeland Security within a certain time frame, usually 24-72 hours, with certain mandatory reporting obligations for certain industries already in place. It is unclear, however, what obligations will be incurred by the attacked party or whether the exfiltration of personal information will modify those obligations.
Many companies maintain their “secret sauce” as a trade secret. Whether a company develops software, manufactures adhesive, or trades on Wall Street, trade secret protection is paramount for the intangible assets of a company that are not patented. A ransomware attack can result in the exfiltration of the trade secret and possible publication of the trade secret—an act that would eliminate any protection for the trade secret at hand. And victims of such attacks are surprised to learn that their cyber insurance often does not cover such loss. Indeed, important trade secrets should be kept under proverbial lock and key to protect against exploitation or publication by ransomware attackers.
Ransomware attacks take many forms. Many involve the exfiltration or unauthorized access to employee or customer personal information or trade secrets, which can lead to catastrophic loss for a company with a large privacy or trade secret footprint. In addition to practicing good network and data security, employee training, and record retention to minimize the impact of attacks, it is imperative (and in some states required) that businesses have a written information security response program for the management and remediation of cyberattacks. In the investigation and response to an incident, it is important to determine what type of ransomware attack has occurred so that a company can determine the resulting privacy notification and intellectual property loss associated with the attack.
We strongly recommend consultation with capable outside legal counsel and experienced computer forensic experts in the response, remediation and investigation of a ransomware incident. The reasonableness of a business’ safeguards, the adequacy of its investigation, and the speed of its remediation response could all be subject to scrutiny in the event of litigation or a regulatory investigation. A proper team of internal stakeholders, counsel and forensic investigators should collaborate in addressing the investigation, documentation, remediation, insurance, customer and governmental notifications, law enforcement and public relations questions in swift – and where necessary, legally privileged discussions. Companies can also mitigate their risk by securing personal information or trade secrets behind updated network controls; employing encryption; conducting regular training and anti-phishing exercises; and deploying more secure multi-factor identification for workers and external users.