Kidnapping a person and demanding a ransom for the victim’s release is old school. Now the perpetrators can hack your network and either encrypt your data, lock screens or disable the network, and then demand a ransom in exchange for a decryption or unlocking key. A variation also involves a threat to make public sensitive or embarrassing information (think Ashley Madison).
Background:
Unfortunately, it is not a joke to refer to ransomware attacks as a business model. The FBI estimates that in 2016 there were 4,000 attacks a day generating annual revenues of $1 billion. Ransomware kits or Ransomware-as-a-Service systems are available online. Typically, ransomware enters a system through phishing emails, malicious links, infected websites or other social engineering strategies. Ransom payments are usually demanded in difficult-to-trace electronic currencies such as bitcoin. If the ransom is not paid, the data is destroyed or access to the system is permanently denied. Ransomware often uses strong encryption that cannot be cracked by law enforcement.
In the typical ransomware attack, the perpetrators do not remove data but merely encrypt it in place, in contrast to much other cybercrime that seeks to remove and sell sensitive data. However, not all ransomware attacks are created equal: some also remove and sell data, or seek to gain access to additional systems.
What are the legal obligations of the victims? It’s not so simple.
Legal Obligations of Victims:
Under State Breach Laws. 48 states have breach notification laws requiring notifications and other actions when there is a breach of a business’s information system resulting in unauthorized access to personally identifiable information (PII). The states do not currently have any specific laws or guidance on how to treat ransomware attacks. However, the laws require notifications when there is unauthorized access to PII. It would seem that, until further guidance is provided by the states, a mere locking up of data, without indication of access or of a taking, may not trigger the notice requirements. This determination will need to be made on a case-by-case basis after a thorough investigation of the incident to understand the full features of the ransomware involved.
Under HIPAA. The Department of Health and Human Services (HHS) issued informal guidance in July of 2016 for businesses covered by the Health Insurance Portability and Accountability Act (HIPAA). Generally, entities are required to notify the HHS of an unsecured breach of protected health information (PHI), which means an unauthorized “acquisition, access, use, or disclosure of PHI.” Even though a ransomware attack may not result in the removal of data, the HHS guidance views a ransomware attack as a breach under HIPAA because the attack, in any case, resulted in the unauthorized acquisition of PHI: the attackers have taken control of the data. Nevertheless, to determine whether a notification is required, a covered entity would still need to apply the multi-factor risk assessment to determine the likelihood that the PHI was compromised.
Crime Reporting. A ransomware attack is a crime under state and federal laws. There are many government agencies that could be contacted: the FBI, the Department of Homeland Security, the Department of Defense, and others. While there might not be a legal obligation to report a ransomware attack, the right agency could be very helpful in managing the process, identifying the type of ransomware used and advising on tactics.
Restrictions on Payors. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) supervises programs designed to prevent support for individuals, organizations, and countries designated as enemies of the U.S. Government. See OFAC’s web page for a list of designated parties and sanctions. Ransom payments to designated entities or their intermediaries are illegal. Penalties for sanctions violations by entities paying such ransoms can be severe.
Tax Deductions for Ransomware Payments. If the payments are illegal under U.S. law, then the payments would not be deductible. However, the burden is on the IRS to show that the payments were illegal (e.g., in violation of sanctions). In addition, there may be deduction obstacles under the rules for payments to independent contractors and the associated reporting requirements.
Prevention is the Best Cure:
- Train employees on how to recognize and avoid potential ransomware attacks.
- Implement multiple internal security defenses.
- Regularly back up data.
- Make sure IT is up to date on prevention techniques/strategies.
- Perform regular security reviews.
- Evaluate/obtain insurance coverage.
- Share and obtain intelligence with law enforcement.
- See nomoreransom.org for useful resources.
If attacked:
- Contact law enforcement.
- Secure network from further attack.
- Identify ransomware variety and features.
- Seek available decryption tools or keys.
- Decide whether to pay the ransom, evaluating any legal obstacles.
- Evaluate legal obligations.