Best in Law: Ransomware Attack
Privacy & Cybersecurity Attorneys Glen Price and Leeann Habte Give Ransomware Tips for Businesses
By Glen W. Price and Leeann Habte
The recent high-profile ransomware attacks on the Colonial pipeline and JBS meat processing plants have heightened awareness of the threat of ransomware. For the thousands of businesses and public agencies that are hit with a ransomware attack each year, the threat is all too common and increasingly a cost of doing business.
The vast majority of ransomware attacks are simply the latest version of an old criminal enterprise: the protection racket. This is when a criminal organization targets you and, for a relatively small payment (average payout last year was $178,000), let you stay in business. The new twist is that, for the racket to work, they need to hit you first, taking over your network and your data and making you pay to get it back, which significantly increases the risk and the potential damage to your business operations.
How a Ransomware Attack Impacts a Business
A ransomware attack can negatively impact your business in a number of practical and legal ways. The first and most obvious impact is that your operations are suspended and you may not be able to deliver goods and services to your customers until you can get your network back up and running. Unless you have a business continuity plan and have carefully prepared to restore your system from backups, paying a six-figure ransom to get your business back up and running quickly may seem like a smart economic decision, particularly if the inability to ship product could result in liability due to breach of contract and other claims.
Unfortunately, the negative impacts can go far beyond your immediate operations.
A ransomware attack can involve the theft of your data and the private data of your employees, customers and business partners and there is no guarantee that the criminal organization that you pay ransom to will not take the opportunity for a separate payday selling this data on the dark web. This can lead to regulatory and legal liability for your business, requiring you to take steps to inform employees, customers and other third parties that their information may have been stolen and the purchase of identity theft solutions for potentially impacted individuals. The cost of complying with the law following a data breach can result in another six figure expense for your company. If your data included trade secrets and intellectual property, the future of your business and competitiveness in the market could also be impacted.
Steps to Take After Ransomware Attack
So how do you evaluate and address these risks when you have just learned of an attack on your company? There are a couple of important steps that you need to take immediately and time is of the essence:
- The first step is to isolate the infected system and try to stop the spread within your network or to other systems and seek out a cybersecurity vendor that can immediately start a forensic analysis of what has been impacted and whether your access to data has simply been suspended due to encryption by the ransomware or actually transferred or copied by the criminals. This information is vital for understanding your risk.
- Once you have identified the extent of the damage and the data and business operations that are at risk, you will likely need help to negotiate with the criminals who installed the ransomware. Ultimately, you will need to make the decision about whether you want to pay the ransom or have other options, and you may need to buy some time while you are recovering your systems. You do not want to negotiate yourself because the actual ransom payment may be far less than what is initially asked for if you use a trained professional.
- You will also need legal counsel with experience in data security to advise on your regulatory obligations to report the incident and to mitigate any harm that may result if data was accessed or stolen. You will also want to determine when to involve law enforcement. Although law enforcement involvement would seem like an obvious first step, there is actually very little that they can do to help you as the crisis unfolds and their involvement will be important after the fact to help locate and identify the perpetrators of the attack.
- When the immediate threat has passed and you know your reporting obligations, the final step will be investigate how the infection occurred and take steps to prevent this from happening again in the future. Like a protection racket, cyber criminals do not hit once and go away. Once it is known that you will pay a ransom, your business could be a target for further attacks. The best defense it to be prepared. Have a plan in place with vendors and legal counsel selected and on standby so they can move immediately if this happens to you. Train you employees to prevent phishing attacks, as this is the most common way ransomware gets access to your system and use precautions like two-factor identification when employees access your networks. Based on press reports, the Colonial pipeline attack would have been prevented by using this simply and easy to implement precaution.
This article first appeared in The Press-Enterprise and other Southern California Newspaper Group publications online on June 23, 2021. Republished with permission.