Ransomware: Electronic Extortion for a Digital Era

Last month, the FBI asked the American Bar Association to share a cyberalert with its members warning of an increased risk of ransomware.  Ransomware poses significant legal and operational risks to businesses.  Personnel at all levels need to be aware of the danger, and lawyers need to be prepared to identify and resolve statutory reporting obligations that can arise following an attack.

Unlike more familiar malware that simply accesses or corrupts data, ransomware encrypts infected files.  When ransomware infects a system, a user can no longer access those files.  The user then receives a message demanding a sum of money to decrypt the files.  Typically, the demand is for Bitcoin or some similar form of exchange; ransomers have also had victims send premium-rate texts or place premium-rate phone calls to effect the payment.

Ransomers typically impose a deadline of one to three days for payment, after which the files are either deleted or left permanently inaccessible.  The encryption used in most ransomware attacks is strong enough to be effectively impenetrable.  Some particularly unkind variants of ransomware intermittently delete files as the clock ticks down, putting added psychological pressure on the victim to pay the ransom.  Other variants achieve a similar effect by gradually increasing the price.  In either case, when the ransom is paid, the ransomer usually honors the coercive bargain and sends the victim the key to unlock the files.

Although ransomers can profit handsomely from their extortionate hacking, they usually make their money through volume – the amount sought in any given incident tends to be relatively small, often just several hundred dollars.  The risk, meanwhile, can be significant – when a network is infected and all files locked down, a company may lose access to all of its data back to the last off-network backup.  The FBI recommends against paying the ransom, but acknowledges that business considerations may weigh in favor of paying.

Prophylactic training can reduce the risk of ransomware incursion – ransomware often enters a network through a phishing e-mail with a link to an infected website or attachment.  Although some of the phishing attempts are sophisticated and take some effort to spot, others are more obvious.  Regularly reminding employees of the basics of network security has the potential to spare a lot of expense.

Keeping applications, operating systems, and anti-malware software up to date, something everyone should be doing as a matter of course, can also preempt ransomware problems.  Another effective defense is to frequently back up files to media disconnected from your network.  A company recently struck by ransomware only lost an hour or two of data to the attack due to regular archiving – as a result, the company was able to stand on principle and refuse to pay the demand.

Of particular importance for counsel, the installation of ransomware may constitute a data breach.  In each instance, an unauthorized party is accessing and altering data.  If the affected data includes protected information, such as personal health information protected by HIPAA or customer financial data protected by the Gramm-Leach-Bliley Act, data breach reporting requirements may be triggered.  In addition, at least one recent ransomware incident appears to have masked a more traditional data breach: a ransomer appropriated customer financial data while the data was encrypted.  Note, too, that breach reporting may be necessary not just for a compromised network but also for any infected employee devices that contain customer records or other protected information.

Unfortunately, because of its success to date, the threat of ransomware will continue to increase.  Planning ahead positions a company to respond efficiently and confidently when disaster strikes.  Many states have relatively short deadlines for reporting data breaches, so be ready to consult an attorney experienced in this area as soon as possible following the first indication of a breach.  A prudent company will both take steps to prevent incursion and prepare a contingency plan for use if its defenses fail.  Companies that are not prepared for an attack, meanwhile, could face serious operational and legal repercussions.

Jonathan T. Skrmetti