In our world of COVID-19 and remote working, we seem to read daily of massive data breaches costing companies millions of dollars and causing extensive reputational harm. The Financial Crimes Enforcement Network (FinCEN) estimates some $590 million in ransomware payments were reportedly made from January to June 2021. Moreover, hackers are now blatant enough to brand their undertakings as “Ransomware as a Service,” and some reportedly “feel completely safe” from prosecution for their illegal activities in countries such as China.
What are these data breaches and ransomware attacks, and what can you do to help protect your company?
What Is a Data Breach?
A data breach occurs any time that data is shared or accessed by an unauthorized party. A data breach can result from an inadvertent disclosure, unauthorized use within a company, a loss of a device, or a cyberattack. Each state has its own laws regarding data breaches, who must be notified, what reporting requirements (if any) are triggered and the like. The number of individuals affected, the state (or country) in which they reside, the type of data exposed, and whether or not the data was encrypted can all impact what requirements may apply.
What Is a Ransomware Attack?
Ransomware is a type of malware secretly installed by hackers in a target’s environment, which blocks access to the target’s system or files. Most often, the files are encrypted and held for ransom and cannot be decrypted unless the ransom is paid and a decryption key provided.
Ransomware victims reportedly paid over $400 million in cryptocurrency to cyberhackers in 2020. FinCEN examined 635 Suspicious Activity Reports (SARs) and 458 transactions from January 1, 2021 to June 30, 2021, and determined a 42% increase in ransomware attacks so far this year. See FN 1. The chart below details the number of ransomware-related SARs and transactions from 2011 to June 2021, showing a dramatic increase in the past two years.
Chart from FinCEN’s Financial Trend Analysis, available at https://www.moneylaunderingnews.com/wp-content/uploads/sites/12/2021/10/Financial-Trend-Analysis.pdf.
IBM recently released a report on the cost of a data breach in 2021 featuring research from the Ponemon Institute, which analyzed 537 breaches. Costs reportedly rose 10% from $3.86 million to $4.24 million, the highest cost seen in 17 years of reporting, with remote work due to the pandemic contributing to the rise. Lost business, reputational losses and diminished goodwill account for 38% of the average total cost. Business email compromise carried the highest average total cost ($5.01 million), with phishing second ($4.65 million), and malicious insiders ($4.61 million), social engineering ($4.47 million) and compromised credentials ($4.37 million, representing the most common initial attack responsible for 20% of breaches) in close succession.
What Should You Do if a Breach or Ransomware Attack Occurs?
So, what is one to do if a data breach or ransomware attack occurs? First, don’t panic. Once the “cat is out of the bag,” precipitous technical actions may not be helpful (and can have unintended negative consequences). On average, it takes 212 days to identify a breach and an average of 75 days to contain a breach – almost a year in the total lifecycle. However, there are some short-term steps that can be particularly beneficial.
Get your attorney involved early (and often).
Getting a qualified attorney involved in a data incident as early as possible can help ensure that the target enterprise is getting proper counsel and, critically, can shield communications and activities in response with the attorney-client privilege. Most state breach laws require notification within a particular timeframe to the affected individuals when personal information is breached or exposed. Indeed, under Europe’s General Data Protection Regulation (GDPR), the notification period is presumptively just 72 hours! (And even companies that don’t think of themselves as doing business in Europe may be subject to GDPR if they collect personal data of European citizens.) Sound counsel regarding reporting obligations can be critical.
Preserve the data!
While it may seem somewhat counterintuitive, it’s not always prudent to immediately take attacked systems offline because of the data loss that may result. Data preservation and collection of evidence need to be considered carefully before such decisions are made. Pulling log information, conducting a traffic analysis, and understanding how much and what types of data may have been lost or exposed can be extremely beneficial for mitigation in the aftermath of the event. The type of data and numbers of individuals impacted will also dictate the obligations that are triggered, which can be very difficult to ascertain if it is not clear what may have been lost or taken. Qualified counsel can help to guide such analysis and actions in response and will be sensitive to the evidentiary implications thereof.
Consider the options.
It’s important for a target/victim enterprise’s management team to understand as soon as possible what courses of action may be available in responding, along with the relative costs of each, estimated timelines, demands on enterprise personnel and resources, etc. Ideally, all of this would be considered in advance, with a written response procedure in place (maintained in hard copy, not electronically) so that decisions can be made in a timely, thoughtful and decisive manner. (See some prescriptions for planning ahead below.)
In cases of ransomware, hackers will often demand ransom payments in the form of cryptocurrency (particularly bitcoin) in order to decrypt the files. However, such hackers are cybercriminals and payments to them may be restricted by the Office of Foreign Assets Control (OFAC). Companies may need to undertake due diligence on the hackers before making a payment that may engender legal culpability, potentially including steep fines and even criminal penalties. Ransom cannot legally be paid to individuals, business entities, governments or foreign nationals on OFAC’s currently sanctioned country list, nor to individuals or entities on the U.S. list of known international terrorists and terrorist organizations. These are strict liability offenses with penalties up to $20 million and imprisonment.
Even assuming it can make payment without incurring such legal exposure, a target company will presumably need to obtain the required number of bitcoins first (since few maintain bitcoin accounts in the normal course). Moreover, after making such payment, decryption of files can take days, weeks, and even months, and some files may likely be lost entirely. To make rational judgments, target companies must weigh these various costs (e.g., data loss, business interruption, reputational harm, etc.), the ransom demanded and the costs to get the business back up and running (in addition to the risk to the target of inviting further ransomware attacks from cybercriminals who learn that it paid a ransom).
A target company should also keep in mind that while it may or may not have a legal duty to contact law enforcement authorities, they can often be a very helpful resource. The FBI has a cybercrimes unit that may be able to identify the particular criminals, know what types of decryption tools would be used and understand how “reliable” they are (i.e., will they actually decrypt files if the ransom is paid?). Conversely, involving law enforcement may result in certain information becoming public (e.g., to help others prevent and mitigate such breaches in the future), which few companies view as in their best interest.
In conjunction with the foregoing, consideration should be given to whether insurance may cover payment of a ransom and/or breach mitigation and what steps may need to be taken to ensure coverage.
Again, qualified counsel can help a target company navigate all of the legal implications of the foregoing options, while cloaking deliberations over same with attorney-client privilege.
How Can You Protect Your Company?
More proactively, there are a number of things you can do to protect your company against data breaches and ransomware attacks before they occur.
First, make a plan before it’s needed. Develop a clear plan and procedures on what to do, who to call, and first steps to take in the event of a breach or attack. Have this plan in a written, hard-copy format (since electronic files may very well be compromised) and include names and numbers of those who should be notified and consulted immediately. As noted, getting qualified counsel involved, who can help to engage a data breach recovery firm, is generally prudent.
Educate your employees.
Beyond making your employees sit through trainings on phishing schemes, consider really explaining how hackers are able to gain access to a network. While many employees have been told not to use public Wi-Fi or an unverified flash drive, or not to click on links or files from a strange email or account they do not recognize, they may not really understand and appreciate the risks to which they subject the company by doing these things. It may seem harmless to see what a link says or to use a publicly available Wi-Fi network (particularly given the rise in working from home or other remote locales), but such innocent acts can, of course, have dire consequences. Additionally, allowing for alternatives and explaining best practices to follow in order to promote safety and security may be more effective than outright bans on certain practices. Further, as noted above, have a clear plan in place at all levels of the organization so that anyone who encounters a suspected hack knows immediately what to do (and just as importantly, what not to do).
Follow industry standards.
Technology is ever evolving and can be difficult to keep up with. Look for and utilize guidance from trusted organizations such as the National Institute of Standards and Technology (NIST). Some states (including Ohio) provide legal “safe harbors” for companies that conform to particular NIST data security standards. Additionally, many states do not consider incidents a “data breach” if data was encrypted and the encryption key was not compromised.
Try it yourself.
A good way to learn where you’re vulnerable is through simulation and testing. Conduct tabletop exercises where vulnerabilities are exposed, relevant risks are identified and responsive procedures can be previewed. Again, attorney involvement can keep even these tabletop exercises privileged.
 FinCEN Reports Spiraling SARs Relating to Ransomware, Kelly A. Lenahan-Pfahlert on October 21, 2021, available at https://www.moneylaunderingnews.com/2021/10/fincen-reports-spiraling-sars-relating-to-ransomware/.
 An Interview with LockBit: The risk of being hacked ourselves is always present, Dmitry Smilyanets, October 26, 2021, available at https://therecord.media/an-interview-with-lockbit-the-risk-of-being-hacked-ourselves-is-always-present/.
 For example, in June 2021, One Medical intentionally sent a mass email to hundreds of users, but unintentionally exposed the recipients’ email addresses, which were screenshotted and posted on Twitter, affecting more than 900 people. https://medcitynews.com/2021/07/oops-hundreds-of-one-medical-patients-emails-exposed/
 https://www.ibm.com/security/data-breach; See also 2020 Report, available at: https://www.capita.com/sites/g/files/nginej291/files/2020-08/Ponemon-Global-Cost-of-Data-Breach-Study-2020.pdf
 As of the date of this article, the list of OFAC sanctioned programs includes the Balkans, Belarus, Burma, Cote D'Ivoire (Ivory Coast), Cuba, Democratic Republic of Congo, Iran, Iraq, Liberia, North Korea, Sudan, Syria, and Zimbabwe. However, OFAC’s sanctioned programs also include sectors and particular industries affected in additional countries. The complete list may be found at https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information.
 In Ohio, Ohio Revised Code § 1354, known as the Ohio Data Protection Act or “Ohio DPA,” provides a safe harbor against data breach lawsuits for businesses that implement and maintain cybersecurity programs, such as NIST Special Publication 800-171, available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf.
Calfee Connections blogs, vlogs and other educational content are intended to inform and educate readers about legal developments and are not intended as legal advice for any specific individual or specific situation. Please consult with your attorney regarding any legal questions you may have. With regard to all content including case studies or descriptions, past outcomes do not predict future results. The opinions expressed may not necessarily reflect the view points of all attorneys and professionals of Calfee, Halter & Griswold LLP or its subsidiary. Updates related to all COVID-19 government assistance programs are provided with the most current information made available to Calfee at the time of publication. Clarifications and further guidance are being disseminated from government authorities on an ongoing basis. All information should be reaffirmed prior to the submission of any application and/or program participation.