A nationwide rise in ransomware attacks that increasingly involve the theft of data on top of the locking out of systems owners means more regulatory and legal headaches for affected companies.
Exfiltrated data taken in what are known as double-extortion attacks can trigger breach reporting requirements and other types of disclosures. Such disclosures boost the chances a company would be subject to regulatory scrutiny and consumer-led litigation.
The uptick in ransomware comes amid a surge in cyberattacks, with nation-state actors targeting companies such as
Double-extortion attacks put companies in a bind because they likely have to navigate potential legal risks regardless of whether they pay the ransom, said Jennifer Beckage, the Buffalo, N.Y.-based founder of an eponymous tech, privacy, and cybersecurity law firm.
“The threat to disclose information in itself raises a lot of different issues, such as determining whether it’s a credible threat,” Beckage said. “A whole analysis has to be performed to understand the ‘who’ and the ‘what’ that occurred.”
Attackers increasingly are threatening to post stolen information if a ransom isn’t paid. That could leave victims potentially running afoul of privacy laws such as the California Consumer Privacy Act and Europe’s General Data Protection Regulation, which may result in hefty fines for businesses that leave customers’ personally identifiable information exposed.
Double-extortion attacks became more popular than standard ransomware attacks because businesses are now better at backing up their systems, providing less incentive for them to fork over a ransom, said Lior Div, CEO and co-founder of Boston-based security company Cybereason.
“In 2020, we saw a major acceleration of ransomware attacks,” Div said. “We haven’t seen a stop to this so far in 2021.”
Last year there were 75 threat actor groups or variants, up from 15 the year before, according to Baker & Hostetler LLP’s 2021 data security incident response report.
Ransomware hit a range of entities, from private businesses to schools and municipal governments. The average ransom paid last year was around $800,000, according to the BakerHostetler report.
Businesses may be more inclined to pay the large sums if they don’t know what data was taken.
“Increasingly attackers are spending lots of time using anti-forensics and using techniques that make it difficult to forensically reconstruct what they took,” said Eric Friedberg, co-president of Stroz Friedberg, an Aon-acquired cyber consultancy and technical services firm.
Depending on the circumstances of the attack and the type of data that was exfiltrated, companies may have to report incidents under state data breach laws or to businesses they partner with if that’s written into a contract, Friedberg said.
The Securities and Exchange Commission and Commodity Futures Trading Commission may trigger additional reporting obligations if a company is regulated by one of those entities, he said.
Double-extortion attacks are generally more likely to set off breach reporting requirements because hackers often comb through the data to see what’s valuable and what can be used as a bargaining chip during ransom negotiations.
Files may contain human resources data about employees or customer databases if a company operates in retail or e-commerce, said Kari Rollins, an intellectual property, privacy, and data security partner at Sheppard, Mullin, Richter & Hampton LLP in New York.
“The fact that data’s being exfiltrated creates greater risk for companies,” she said. “When you notify individuals, there could be a regulatory inquiry or private class action litigation.”
That type of litigation frequently alleges negligence or similar claims accusing the company of failing to adequately safeguard user data, Rollins said.
Lawsuits often follow press coverage of ransomware hits and may also stem from lawyers who watch publicly posted data breach lists on the websites of state attorneys general, she said.
“Because of the profile and ubiquity of data breaches today, there’s a greater likelihood you’ll receive some sort of follow-up request from regulators after filing a notification,” Rollins said.
Ransomware attacks paralyze both small and large companies alike, meaning business leaders of all stripes need to prepare for the worst, Beckage said.
“The first thing to do is really get a diverse team together—this isn’t just for information security to handle,” she said. “You need the executive team on board, and it usually requires a few different groups to assist.”
Creating and regularly updating incident response plans and performing tabletop exercises of what a company would do in the event of an actual attack are also critical, Beckage said. Being prepared and having a guide can help companies change “overwhelming” to “manageable,” she said.
Engaging inside and outside counsel to understand legal obligations and strategy is also important, and attorney-client privilege can help clients speak freely to understand what, if any, legal risks might abound, Beckage said.
Still, despite mitigation strategies, companies will have to continue to make hard decisions of whether to pay a ransom, said Andrew Rubin, CEO and founder of Sunnyvale, Calif.-based security company Illumio. Affected companies have no certainty of knowing whether a hacker will actually delete or refrain from posting data if a sum is paid, he said.
“One of the challenges with extortion is we don’t really know who’s on the other side of the table,” Rubin said. “We don’t know what the rules of engagement are.”
—With assistance from Jordan Robertson and William Turton