These facts raise legitimate questions for corporate decision makers. What are the legal implications of ransomware? How should organizations prevent, respond and recover from digital extortion?
Criminals use various strains of ransomware, with popular names including CryptoLocker, Locky and CryptoWall. The malware infects computers through e-mail attachments, malvertising or drive-by downloads often exploiting software vulnerabilities.
The malware copies itself in strategic places in the computer systems. It also edits the registry so that it restarts at each system reboot. It then generates a public-private key pair necessary to encrypt data. A SSL connection with a command and control server is needed. Criminals often use the TOR network for a safer connection. Other malware can generate keys without Internet connection.
Each strain of ransomware has different capabilities. For example, Locky can delete Volume Shadow Copy files generated by Window automatic backup feature while others can encrypt backup repositories while Cerber can kill database-related processes to allow the encryption of all files otherwise blocked.
Malware are often conceived to target users with extended network permissions, such as company executives. One way of doing this is to send phishing e-mails across the organization so that the malware can spread to as many users as necessary. Another option is to send whaling e-mails, e.g. phishing e-mails targeting C-level employees. According to the Harvard Business Review, 25% of computers affected by ransomware belong to Senior and C-level executives.
The malware then encrypts the selected files or systems and sends its ransom demands. Users are often required to pay with bitcoins. This currency protects the identity of users and is closely associated with illegal activities. The MIT Technology Review recently reported that companies are stockpiling Bitcoin to pay off criminals faster in the event of a ransomware attack.
If you think that the threat can’t get worse, think again! Ransomware is already mobile, with malware completely locking you out of your smartphone. Even more frightening, is how ransomware may evolve in a world controlled by the Internet of Things (IoT). Ransomware could stop your car from driving. It could affect electric grids and disturb large manufacturing operations.
In August, Motherboard reported that two researchers were able to hack a smart thermostat. Imagine that the device locks the temperature at 99 degrees unless you pay a ransom. Chances are, you would be willing to pay!
Restoring systems might not be the only worry of victims. Ransomware are cybersecurity incidents with legal implications. The event can amount to a data breach and trigger mandatory notifications. State breach notification rules differ in each jurisdiction. Some are triggered by unlawful and unauthorized acquisition of personal information and others by the unauthorized access of personal information. A risk assessment or other qualifying criteria may also apply.
Related post: Data Breach Notification Laws
A - The acquisition standard
On one hand, the mere encryption of data is unlikely to trigger the notification rules. On the other hand, the viewing, copying, relocating and altering of information can trigger one. Organizations must analyze the malware to determine its capabilities. The following questions are helpful in analyzing said capabilities:
B - The access standard
A small number of States use the 'access' legal standard to trigger a mandatory notification. It includes Connecticut, Florida, Kansas, Louisiana and New Jersey. The HIPAA's definition of a breach also includes accessing of protected health information. (45 C.F.R. 164.402)
According to the U.S. Department of Health and Services, notification depends on a contextual analysis. Yet, it states that the encryption of data is equal to taking control of the information. This is an unauthorized disclosure under the Privacy Rule. Notification is hence required unless organizations conduct a risk assessment. Results must show a low probability that the ransomware has compromised the data.
The risk assessment relies on four factors: (45 C.F.R. 164.402(2))
Under HIPAA, organizations must document the risk assessment to prove its reasonableness. (45 C.F.R. 164.530(j)(iv)).
But what if the data is already encrypted using industry standards? In theory, notification is not necessary. Yet, criminals may have been able to access a decrypted version of a file if ransomware infects a laptop in use by an authenticated user. Organizations must take into consideration all circumstances.
In Canada, the Digital Privacy Act, which will amend PIPEDA upon entry in vigor requires mandatory disclosure to the Commissioner and to the users for “any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual” (s. 10(1) & (4)).
A breach of security safeguard is defined as “the loss of, unauthorized access to or to unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards”. The notion of significant harm requires consideration of bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
The data notification rule will enter in vigor upon releases of the necessary regulations, which may give more precise information to organizations affected by ransomware. A discussion paper released by the Ministry enquired stakeholders’ input on the necessity to identify additional risk-assessment factors.
Prevention is most definitely worth a pound of cure. Your organization should implement an awareness program to train your staff and help reduce the risks associated with malware.
More information on How to Protect your Data from Ransomware Attacks here.
