On May 12, hackers launched a ransomware attack that quickly spread across the globe, affecting thousands of individuals and organizations and in some cases causing significant interruptions in operations. The following are some frequently asked questions concerning ransomware, including answers addressing potential legal implications for victims.
How does ransomware work?
Ransomware is typically transmitted through a malicious email, attachment or URL. If you open the email and attachment or click on the link embedded in the email, the malicious code encrypts all of the data in the computer or system. The data can be decrypted with a key (a password) that only the attacker possesses. The attacker typically will provide the key if the victim pays a ransom. In the case of this attack, the amount demanded escalates as time passes, creating a sense of urgency in the victim.
Are my systems vulnerable?
According to multiple reports, only machines running Windows have been impacted. In addition, Microsoft has issued a press release indicating that recent security updates (issued in March 2017) would prevent this malware from being successful. It appears most of the victims were using Windows computers with older software or had not yet had the opportunity to update their systems. This vulnerability was made known to Microsoft only very recently.
What can I do to protect my systems?
First, back up your data. If you have all data backed up in another location, preferably offline or not connected to your main network, then there is no need to pay the ransom because you will be able to recover your data from another source. Second, if you have not already done so, update your systems with the Microsoft patch immediately, as most security researchers and experts are advising companies to do. This should be done in consultation with your IT department since you may experience significant downtime implementing the patch. Third, educate your employees regarding the existence of this threat. It is suspected that this ransomware is particularly “virulent” because it utilizes code and techniques developed by the United States government. Employees should be advised to avoid clicking links or opening emails from unknown sources, as it is currently believed that the ransomware is spreading at least in part through phishing emails.
What are the legal ramifications?
Most states require the victim of a “breach” to notify state regulators and individual victims under certain conditions. Whether targets of this most recent attack will be required to undertake any notification or reporting will depend, in the first instance, on applicable state law and in particular on the definition of “breach” in applicable law that triggers the notification obligation. It should be noted that the timelines for notification of state regulatory authorities can be very short. In New York, for example, it is only 72 hours for some entities. Therefore, victims will need to consult counsel quickly to understand their options and obligations.
With regard to federal regulation, the Department of Health and Human Services issued guidance in 2016 indicating its position that ransomware does constitute a breach under HIPAA. There are exceptions, however, so you should consult counsel before any formal notification. There may be other applicable regulations depending on the client; again, it is important to consult legal counsel regarding applicable state and federal law and obligations arising therefrom.
Whom should I notify? Should I pay the ransom?
The FBI has very recently recommended against paying the ransom—prior guidance on this issue has been more equivocal. The FBI contends that paying the ransom emboldens cybercriminals and further notes that there is no assurance that your data will be decrypted even if the ransom is paid. The FBI also requests that victims of ransomware notify their local FBI field office or the Internet Crime Complaint Center at www.IC3.gov. The decision to notify the FBI, pay the ransom, or both is complex and should be made in consultation with counsel.