Ransomware has become the fastest growing type of cybercrime facing businesses today. In 2021, loss values were estimated to have reached at least 57 times those in 2015, exceeding $20 billion. Data and privacy issues are so prevalent that it is estimated a ransomware attack now takes place every 11 seconds. It is essential for businesses to understand the risk of ransomware attacks, as data privacy and security cannot be prioritized without a plan to combat this potentially damaging cybercrime.
Nashville-based company SmileDirect is a recent victim of a high-cost ransomware attack. The company paid no ransom, but its manufacturing and product delivery systems were disrupted. Local governments have also become vulnerable to ransomware attacks. In 2019, Louisiana declared a state of emergency after a cyberattack affected its government servers; “many state websites and emails” went offline once the state took extremely protective measures to contain the ransomware attack.
In response to the rise in ransomware and several recent high-profile attacks, the White House recently issued an open letter detailing five data security best practices. Butler Snow believes these are important from a legal standpoint, as these threats can become a liability for companies that manage private consumer information if a data breach occurs.
The open letter details five best practices, outlined here:
- Backup company data and test regularly while keeping backups offline
- Promptly update and patch systems
- Create and test your incident response plan
- Check your security team’s work and test defense capabilities
- Segment your networks to limit exposure in the event of an attack
These recommendations come at a time when ransomware attacks are far more common, and businesses must protect themselves now. The Institute for Security and Technology has also released recommendations to combat ransomware.
Since this issue has become more prevalent, it is also imperative to understand the associated data security legal issues. Ransomware attacks can shut down or disrupt business operations, and if an attack is considered a data breach, it could also require data breach notification to customers and clients and lead to data breach class action lawsuits.
The laws around data breaches continue to evolve. However, if a ransomware attack exposes consumer data, it would typically be considered a data breach. In that case, the business must notify potentially impacted parties and is exposed to litigation, regulatory action, hefty fines and reputational damage. Given the legal implications of ransomware attacks, businesses should partner with legal counsel proactively rather than waiting for an attack to occur.
It is important for companies to have clear direction on how data privacy law may impact them. Specific to ransomware, an important step the White House laid out was testing an incident response plan. You cannot test an incident response plan without first having one in place. It is crucial to include your legal counsel in plan creation, both to consider the data security implications of a cyberattack and because there is no one-size-fits-all solution for every business. Each incident response plan must be highly individualized because no two businesses have exactly the same systems, data or processes.
It is important for businesses to adequately plan and prepare for ransomware threats. This starts with a clear understanding of the legal risks, a company’s individual network, and a robust incident response plan that is regularly tested.