A practice guide for fighting ransomware
August 2021 | EXPERT BRIEFING | RISK MANAGEMENT
financierworldwide.com
In the past two months, ransomware attacks have captured the attention of the American public and Congress. These attacks now come with ransom demands of many millions of dollars and typically involve the theft of sensitive data, which the attackers threaten to leak on the dark web if victims fail to pay. Given the recent high-profile attacks like the one against Colonial Pipeline, Congress’s interest has become increasingly acute.
Many predict legislation that establishes minimum levels of information security and mandatory reporting of these incidents. In the meantime, however, this article outlines five issues for companies to consider in light of recent trends.
Prepare for data theft
Hackers launching ransomware attacks increasingly steal sensitive private data before triggering the encryption process to paralyse a target’s systems. This practice adds a troubling and challenging new dimension to these attacks, as breaches of sensitive data often trigger notification obligations under both state and federal law.
Companies often find themselves unable to identify what data may have been stolen because their systems have been encrypted by the ransomware, leaving them in the unenviable position of waiting for the data to be posted on the dark web before discovering the extent of the breach. Paying a requested ransom may allow a company to assess what data was stolen and its notification obligations, but such payments are the focus of possible congressional action and pose other risks.
To address these challenges, companies should ensure that they have detailed and up-to-date data maps of their systems, including any encryption protocols that apply to their systems. These data maps help companies quickly identify what data may have been exfiltrated and whether that data was in an encrypted state, a critical input for evaluating notification obligations. The maps themselves should be stored in secure locations, preferably in non-networked computers.
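As an added illustration (not from the article or its authors) of how such a data map is used during triage, the following script records for each data store what it holds and how it is protected, then maps the paths an intruder touched to the stores most likely to carry notification obligations. The store names, share paths and exfiltration evidence are all constructed, and the labels are an assumed triage scheme, not a legal determination.

```python
# Added example, not from the article: a minimal data-map triage check.
# Each data-map entry records what a store holds and how it is protected;
# given the paths an intruder touched, it flags the stores most likely to
# carry notification obligations. All names, paths and evidence are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class DataStore:
    name: str                # constructed store identifier
    path_prefix: str         # share prefix covered by this entry
    personal_data: bool      # holds regulated personal information
    encrypted_at_rest: bool
    key_on_host: bool        # host can decrypt locally (an intruder with admin could too)

# Constructed data map; the article advises keeping the real one off-network.
DATA_MAP = [
    DataStore("hr-records", r"\\fs01\hr", True, False, False),
    DataStore("payroll-backups", r"\\fs01\backups\payroll", True, True, True),
    DataStore("eng-wiki", r"\\fs02\wiki", False, False, False),
    DataStore("customer-export", r"\\fs02\exports\crm", True, True, False),
]

def lookup(path):
    """Return the most specific data-map entry covering path, or None."""
    p = path.lower()
    hits = [d for d in DATA_MAP if p.startswith(d.path_prefix.lower() + "\\")]
    return max(hits, key=lambda d: len(d.path_prefix)) if hits else None

def assess(paths):
    """Triage label per touched path: 'likely' (personal data, unencrypted or
    decryptable from the host), 'review' (personal data, key kept elsewhere),
    'none' (no personal data), 'unmapped' (gap in the data map itself)."""
    out = {}
    for path in paths:
        d = lookup(path)
        if d is None:
            out[path] = "unmapped"
        elif not d.personal_data:
            out[path] = "none"
        elif d.encrypted_at_rest and not d.key_on_host:
            out[path] = "review"
        else:
            out[path] = "likely"
    return out

# Constructed evidence: paths staged for exfiltration according to EDR logs.
EVIDENCE = [r"\\fs01\hr\2020\benefits.xlsx", r"\\fs01\backups\payroll\q2.bak",
            r"\\fs02\wiki\onboarding.md", r"\\fs02\exports\crm\all.csv",
            r"\\fs03\tmp\staging.7z"]
```

An 'unmapped' result is itself a finding: it means the data map has a gap that should be closed before the next incident.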
Ensure any ransom payment does not run afoul of US sanctions
While the Federal Bureau of Investigation (FBI) generally encourages all ransomware victims not to pay any requested ransoms, federal law does not prohibit their payment with one significant exception. In guidance issued on 1 October 2020, the Office of Foreign Assets Control (OFAC) reminded ransomware victims that they and their financial institutions must perform due diligence on the attackers to whom they plan to pay a ransom.
Because several prolific ransomware groups have been designated by OFAC, US sanctions laws may inhibit, and in some cases prohibit, the payment of a ransom. For that reason, ransomware victims must thoroughly vet any intended recipients of ransom payments before issuing them. If the ransomware attackers are a sanctioned group – or if they have ties to a sanctioned group – victims are left with no choice but to rebuild their systems from scratch and suffer the consequences of having their data disclosed publicly.
Prepare for potential litigation
Several states have passed laws that allow customers and other victims of a potential breach to seek significant statutory damages in the wake of an attack. Most prominent is the California Consumer Protection Act (CCPA), which entitles consumers whose personal information is breached to seek damages of $150 to $750 per individual. Aggregated in class actions, the potential damages can become enormous.
Moreover, these suits are often filed very shortly after the initial disclosure of a breach or attack, sometimes compelling a company to respond to complaints before it has even completed its investigation of the attack. In light of the fast pace of such litigation, it is important for companies to avail themselves of the protections of the attorney-client privilege, and regularly review insurance policies with counsel to determine their coverage for ransomware-related damages.
Prepare to respond to state attorneys general and other regulators
In addition to class actions in the aftermath of an attack or breach, companies should also expect and prepare for inquiries from state attorneys general and other regulators. Indeed, nearly all states now require companies to disclose information about a breach in various circumstances, though some have exceptions for certain federally regulated entities. Importantly, these regulations often require companies to disclose an attack or breach within a very short period of time from its discovery – in as little as 72 hours in the case of the New York State Department of Financial Services.
Even if an attack or breach does not require disclosure, state and federal regulators may still issue inquiries after a breach has been disclosed. It is critical for companies to address these inquiries accurately and consistently, and to avoid any claim that the protections of the attorney-client privilege have been waived.
Protect claims of privilege over post-attack investigations
Given the near certainty of regulatory action and litigation, companies will often want to have an expert forensic consultant evaluate their systems to determine the extent of an attack and any damages. In several recent decisions, however, courts have voiced scepticism about whether reports prepared by such experts in the aftermath of a ransomware attack or other data breach can be withheld on the basis of the attorney work-product privilege. To protect such reports, entities should consider taking the following steps.
First, while retaining cyber security consultants before any breach remains a best practice, they should be retained through counsel.
Second, once a breach has taken place, allow counsel to take the lead in directing the subsequent investigation.
Third, any attack or breach will spark inquiries from state attorneys general and other regulators, which will require some sort of reporting. In light of that, if a written report is required, it may often be helpful for the forensic consultant to prepare a brief, factual summary to be shared with regulators, and another more detailed report – which will ideally remain privileged – that addresses questions posed by litigation counsel.
Fourth, in the event the consultant does produce such a report, it should be sent directly to outside counsel, and its internal distribution should be limited to those individuals who will aid in the preparation for litigation.
Finally, small details matter. Companies must designate outside costs incurred in anticipation of litigation as legal – not business – costs. Similarly, consultants’ agreements should distinguish between their duties in the regular course of business and those in anticipation of litigation.
That said, even after taking all these steps, companies should be ready for the possibility that such reports may still not be protected by the work-product privilege. Accordingly, reports should always abstain from providing extensive commentary about critical legal issues, such as whether the company exercised basic duties of care.
While a ransomware attack or other data breach may raise a host of other legal issues, having a plan in place to address at least these five issues will provide a solid foundation from which a company’s management, board, and outside counsel can build additional strategies to address other issues as they arise.
William Ridgway is a partner and Alexander Kasparie is an associate at Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates. Mr Ridgway can be contacted on +1 (312) 407 0449 or by email: william.ridgway@skadden.com. Mr Kasparie can be contacted on +1 (312) 407 0614 or by email: alexander.kasparie@skadden.com.
© Financier Worldwide