Cybersecurity Legal and Compliance Focus: State of Ransomware
- Ransomware threat actors launch 4,000 attacks daily.
- Only .03% of all emails scanned by filter systems are identified as ransomware.
- On any given day, companies are estimated to pay around $250,000 in ransomware demands, though the average cost of an attack is $732,520 when the demands are not met and $1,448,458 when they are.
- On average, there are approximately 19 days of downtime in between ransomware attacks, though many threat actors move much, much quicker.
- In 2019 alone, 19 new ransomware variants were discovered, and in the first quarter of 2021 there were already 16 new types.
- Every 11 seconds, another business is targeted with a ransomware attack.
- In just 2021, the estimated cost to resolve ransomware attacks stands at $20 billion.
Ransomware, Data Breaches, Information Security and Your Organization
In 1989, the world endured a crimeware first when the AIDS Trojan/PC Cyborg was sent by Harvard-trained evolutionary biologist Joseph L. Popp to attendees of the World Health Organization's International AIDS Conference. The 200,000 discs labeled "AIDS Information – Introductory Diskettes" would encrypt user data once placed inside a computer and demand a $189 payment be directed to a PO Box set up in Panama. As hard as it may be to believe for those less experienced with the world of information security, the modus operandi of a modern ransomware attack works much like this first attack. Consider Cring, the latest crypto-ransomware variant. It gains a foothold through a series of exploits and then encrypts user data as the grand finale. Users receive a note demanding that two bitcoins be paid to a specific wallet address, or the files can never be retrieved again. Sensitive data could also fall further into the hands of enterprising criminals. In 2020 alone, the world was rocked by the following high-profile ransomware attacks:
- ISS World: In February of 2020, Danish facilities management company ISS World was hit with a $74 million demand to restore vital employee and operational data access.
- Cognizant: In April of 2020, IT services provider Cognizant was hit with a ransomware attack estimated to cost between $50-70 million.
- Sopra Steria: In October of 2020, Sopra Steria was attacked by a Ryuk-based ransomware demand that reduced its operating budget by at least $50 million.
How to Respond to a Data Breach Caused by Ransomware
Responding to ransomware is a complex undertaking. We advise you to take all necessary precautions to gain the information you need to respond adequately to a data breach without running afoul of the law or further compromising the data guiding your organization's success. There are specific legal and compliance-related issues to consider depending on which industries your organization works alongside. The following list is not exhaustive but offers insight into what to keep in mind should you or your partners experience a data breach caused by ransomware:
Healthcare
Under HIPAA's Breach Notification guidelines, covered organizations such as hospitals, insurance providers and ambulance services are required by law to notify customers and the Department of Health and Human Services when protected health information is compromised due to unauthorized access. Due diligence must occur to ensure that if your organization handles any healthcare-related data on behalf of clients, you have systems in place to safeguard sensitive medical records.
Consumer banks and loan companies
Under the GLBA, the Federal Trade Commission has enforced data protection rules concerning consumer banking and finance through the Safeguards Rule. According to the FTC, ransomware and malware, in general, do not require notification to be sent to customers. Service providers are recommended to inform customers of an adverse threat, but there is no legal requirement.
Brokers, dealers, investment advisors
The Securities and Exchange Commission (SEC) is responsible for regulating investment activity at these organizations. Under the GLBA, the SEC created Regulation S-P, which establishes a specific breach response program. This program recommends informing customers of a breach but does not explicitly require it by law.
Investment banks, national banks, private bankers
The Federal Reserve and Treasury Department agencies have created their own rules for responding to a data breach caused by crimeware. These guidelines require notification only when there has been a clear and present "misuse" of sensitive data. They also indicate precisely how information disclosure must occur and in what specific language.
US state laws
New Jersey and Connecticut are the only US states with specific breach notification laws on the books. Nonetheless, there are examples of cases where individuals and organizations argue they should have been notified of events that were transnational or beyond the limits of state boundaries.
EU data laws
The Data Protection Directive (DPD) created a specific framework for disclosing data breaches in the EU. The EU General Data Protection Regulation (GDPR) is a powerful law regarding disclosures following a breach. Currently, there are specific guidelines relating to how severe a data breach caused by a ransomware event is. In any case, legal and compliance professionals must work alongside information security teams to mitigate ongoing threats caused by ransomware and data breaches.