Historically, one difference between a company victimized by ransomware and one hit by a hacking intrusion that resulted in stolen data was that in a ransomware attack the data wasn’t actually stolen: it was encrypted so that the victim would have to pay a ransom to regain access. Unlike traditional data thefts, ransomware—the theory went—didn’t really steal data. It encrypted it so that authorized users couldn’t reach it unless a ransom was paid. As a result, most organizations treated ransomware attacks simply as a business continuity or disaster recovery response, although, adding corporate insult to injury, organizations were expected to pay for what they already owned. Now, nearly half of ransomware attacks steal data before encrypting systems. That means ransomware is no longer just a business continuity or disaster recovery response; it is a full cyber security incident response, because the attack may very well constitute a data breach if the stolen records include protected data.
Multiple U.S. and international regulations require victim companies to notify individuals and/or regulators and various government bodies when this happens. At this point, all 50 U.S. states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, not to mention countries outside the U.S., including in the EU, China, India and (recently) Brazil, have enacted legislation requiring entities to notify individuals and regulators of security incidents involving personal information or personal data. The notification triggers, and the requirements for how notices are to be sent and what they must (or must not) contain, vary across jurisdictions, and even among the U.S. states. Moreover, numerous jurisdictions have short windows within which notice must be given (e.g., GDPR and the New York Department of Financial Services Cyber Security Rule both require notice within 72 hours). So, one constant in all of this is that you don’t have a lot of time to understand what happened and begin making notifications, if you are required to do so.
Ransomware has been around for a number of years but has become a tremendous problem more recently, surpassing email compromise for the first time ever to become the most popular attack, according to Kroll case data. While original ransoms were small, often measured in hundreds of dollars, current ransom demands can reach hundreds of thousands or even millions of dollars.
The New World of Ransomware + Data Theft
Sadly, the days when ransomware was only an encryption problem are largely a memory. Ransomware has become more sophisticated, as have the cybercrime gangs behind it. The traditional attacker approach of “compromise target, encrypt their data, demand a ransom” can no longer be remediated solely by effective backups that let victim companies restore operations without having to deal with the criminals. Criminals now rely on several layers of extortion, with some even sending press releases to the media and regulatory bodies in the event of nonpayment, notifying them of the stolen data.
Specifically, the soup du jour for attackers is to compromise an organization and perform careful reconnaissance to identify key systems, such as those responsible for electronic health records, credit card processing, loan document storage, and other proprietary or sensitive data. Then, many threat actors will steal anywhere from a couple of gigabytes of data to much larger quantities, often several terabytes.
This gives criminals multiple options to monetize their attack, as we briefly discuss below:
- Criminals threaten to release the data, or to sell it on various darknet marketplaces, if the ransom is not paid. This is typically accompanied by a solemn promise to erase the stolen data once the ransom is paid.
- Criminals may promise to erase data, but even after receiving the ransom, they sell it anyway.
- In a recent version, individuals claiming to have broken away from the ransomware gangs contact a victim and explain that they stole a copy of the victim’s data from the original thieves, and will release (or sell) it, unless they receive an additional payment.
The extortion approach is facilitated by “shaming sites,” often easily accessible online, which criminal groups use to announce new successful attacks, share snippets of stolen data as proof, and publish the full data set if the demanded ransom isn’t forthcoming.
Legal and Regulatory Impact of a Ransomware Attack
The problem with all of this is that there is so much focus on the ransomware and payment of the ransom that companies may forget a simple fact. Regardless of how the attackers did it, and independent of their promises to destroy the stolen data, your sensitive information was stolen and is in the hands of unauthorized parties. That typically represents a reportable situation under various state, federal and international laws. So yes, ransomware may indeed constitute a data breach.
An initial ransom demand may not mention the theft, and if the ransom is paid, the criminals may never mention it. The victim receives a decryption key and goes about its business, but that doesn’t mean there wasn’t a reportable incident.
Notification is triggered when there is unauthorized acquisition (exfiltration) or access to protected data. Some jurisdictions (e.g., China) even require notice if there is tampering, modification or destruction of the data, meaning that the encryption of the data itself may trigger notice. In short, the landscape requiring notification has become much more complicated, with many regulators taking positions that notice may be required in the event of ransomware.
Probably most notable was the guidance issued by the United States Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) in 2016. Specifically, HHS OCR explained that “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
The difference between recognizing and reporting an actual breach and failing to do so can be substantial. The applicable laws can carry penalties. There can be significant reputational damage. There can be class actions, regulatory enforcement proceedings and, for public companies, shareholder lawsuits. Choosing to believe that it was “just encryption” is not a solid defense.
What this all means is that when an organization is impacted by a ransomware attack, deciding whether to pay the ransom involves several difficult considerations: whether data was stolen, what sort of records were included in the theft, business continuity, recovery from backups, and others. The key to most of these answers lies in understanding how the dozens of ransomware variants and criminal groups operate, combined with accurate digital forensic analysis. In-house technology personnel are unlikely to have the level of experience needed to assist in the investigation, leaving executives, legal teams and insurers poorly equipped to handle the ransomware response and recovery process.
The bottom line is this: given the evolution of the threat, assuming that a ransomware event cannot signal a reportable breach is unwise. With stricter privacy laws and the greater sophistication of cybercriminals, an organization must have access to technical, legal and communication experts to help understand what has happened and the best way to mitigate it going forward. Paying a ransom is only one of many paths that must be evaluated, along with the steps that follow when your private data becomes public anyway.
Special thanks to Aravind Swaminathan for contributing to this article. Aravind is a partner and Global Co-Chair of Cyber, Privacy & Data Innovation at Orrick. Aravind is a former assistant U.S. attorney and Computer Hacking and Intellectual Property Section attorney.