Jurriaan Jansen, privacy and cyber Of Counsel at Norton Rose Fulbright LLP, talked us through the myriad potential legal implications a ransomware attack could trigger.
Here are the five key takeaways from our discussion:
1. Be Prepared
The first priority when navigating the legal implications of ransomware is preparing in advance for the possibility of an attack. This can include making sure that your incident response plan is up to date and that your employees are aware of their roles regarding cyber security and data protection.
2. Perform Your Due Diligence
Companies should assess their potential cyber risks thoroughly before an incident occurs. Your due diligence process should include understanding the terrorism and sanctions legislation of each region in which your business operates, and whether paying a ransom could implicate the business in criminal activity.
For example, in a traditional piracy case, a UK ship owner would legally be able to pay the ransom to the pirates in exchange for the ship’s release, unless they were under a reasonable belief that the transaction would be used for the purpose of terrorism.
Unfortunately, the question of who you would be paying is difficult to answer before an incident, because the threat's source is unknown until there are indicators to trace. Much of the attacker-specific due diligence therefore has to be performed after an incident occurs, once the ransom note, payment address and any attribution evidence are available.
Winston Krone, Global Managing Director at Kivu Consulting, adds that “to be found criminally liable, there must be proof that you have been in contact with terrorists or people on a government prohibited list. Performing your due diligence process will significantly reduce your chances of this.
However, the scope of due diligence is constantly expanding; first as it becomes technically possible to further trace bitcoin payments and the identity of attackers, and secondly as regulators consistently add individuals, organisations and even specific bitcoin addresses to the list of prohibited organisations.”
3. Ensure That You Comply with Regulatory Obligations
Check that your business is complying with its various regulatory obligations by getting legal advice. Take all appropriate organisational and technical measures to avoid a breach and, if a breach occurs, identify your notification obligations as soon as possible to protect the business from the steep non-compliance penalties.
These obligations arise from civil liability, data protection law, and industry-specific legislation. For instance, if you are found to be operating on older servers that weren't patched appropriately, you could be fined or given substantial sanctions under the GDPR for not having adequate technical protection for personal data. You could also be fined or sanctioned for not notifying the supervisory authority within 72 hours of becoming aware of the breach, as this is another GDPR requirement (Article 33); where the breach is likely to result in a high risk to the individuals concerned, they must be informed as well, without undue delay (Article 34).
4. GDPR, the Game Changer
Before GDPR came into effect in Europe, there were similar regulations in place, but GDPR has introduced tougher penalties for non-compliance, and more responsibility for businesses. Under the GDPR, businesses need to actively demonstrate the actions they have taken to comply with the relevant obligations.
The actions deemed 'appropriate' to avoid a breach will differ depending on your company's industry, region, and sector, as there are many sector-specific views on best practice. To determine your sector's benchmark for compliant behaviour, check the ICO's guidance and any GDPR certification scheme it has approved for your sector.
In addition, the GDPR requires businesses to be proactive when clarifying dates and limits and ensuring that all the appropriate technical and organisational measures are in place, including an incident response plan (IRP). It has also forced companies to think more about their cyber risk exposures, security practices and their potential attack response, which can only improve their protection in the future.
Notification requirements can also be affected by the type of data breach. There are three types of data breach: availability, confidentiality and integrity. A single incident can cause more than one of them, so you must determine which apply in order to decide how to resolve, or at least mitigate, the consequences of a ransomware attack.
An availability breach involves access to your systems or data being restricted or revoked. Ransomware causes this by definition, and it can take a long time to decrypt or restore all affected data, which can impact consumers, as your systems need to be available to conduct business.
A confidentiality breach describes your data being used or accessed by unauthorised third parties. Many ransomware operators now exfiltrate or inspect data before launching the encryption, and the phishing or network intrusion that preceded the ransomware may also have given the attackers access to your data. Encryption alone does not prove that nothing was read.
An integrity breach involves corruption or alteration of data. In most cases this is unintentional: a faulty decryption tool or a corrupted backup may introduce errors into the restored data. It is difficult to prove that the data remained the same after a breach unless you recorded cryptographic hashes of it beforehand, because without a pre-incident reference there is nothing to compare the restored data against.
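The caveat in the last sentence is the practical one: you can only demonstrate that restored data is unchanged if you hashed it before the incident. As an added example (not part of the original article, and not code from the firms quoted), the following Python script builds a SHA-256 manifest of a directory tree and later checks a restored tree against it, reporting files that were modified, are missing, or appeared. The file names and contents in `demo()` are constructed for illustration; in practice the manifest is stored off-host (it is useless if the ransomware encrypts it along with the data).

```python
"""Integrity manifest: hash a tree before an incident, verify it after a restore."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backups are not loaded into memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, streaming it in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the tree under root against a manifest built before the incident.

    'modified' is the evidence of an integrity breach; 'missing' points at an
    incomplete restore; 'added' shows files the restore process introduced.
    """
    current = build_manifest(root)
    return {
        "intact": sorted(k for k in manifest if k in current and current[k] == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a tree, simulate a faulty restore, verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "customers.csv").write_bytes(b"id,name\n1,Alice\n2,Bob\n")
        (root / "records" / "invoices.csv").write_bytes(b"id,amount\n1,100\n")
        (root / "policy.txt").write_bytes(b"retain 7 years\n")

        # Pre-incident snapshot. A JSON round-trip stands in for storing the
        # manifest off-host (assumption: real deployments keep it off the box).
        stored = json.loads(json.dumps(build_manifest(root)))

        # Simulated restore: one file silently corrupted, one lost, one added.
        (root / "records" / "customers.csv").write_bytes(b"id,name\n1,Alice\n2,B\x00b\n")
        (root / "policy.txt").unlink()
        (root / "records" / "README.txt").write_bytes(b"restored by tool\n")

        return verify_manifest(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest build as part of the backup job and keep the output with the backup catalogue, not on the protected hosts; a signed or write-once copy is what lets you show a regulator or court which files came back unchanged and which did not.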
5. Ensure Your Incident Response Plan Remains Relevant
“Key terms like ‘ransomware’ and ‘cyber extortion’ must be included in your IRP to make it applicable to the situation you find yourself in. The destructiveness of ransomware, the challenges of recovering from a massive encryption attack, and the unique legal issues of cyber extortion are issues that simply didn’t exist when most IRPs were drafted”, comments Winston Krone.
He continues, “Similar to the concept of ‘silent cyber’ that attempts to find cyber coverage in crime and property policies, there is an obvious shortfall in hoping that an IRP that doesn’t mention cyber extortion could successfully respond to such an attack.
The envisaged timelines, reporting structure and expectations of internal resources are radically different for a ransomware attack in comparison with a traditional hacking or network intrusion case.”
Your IRP should be reviewed by expert vendors to ensure that you have taken all appropriate measures to prevent a breach and comply with all relevant legislation and regulations. The courts are aware that mistakes are always possible, but you need to live up to your own documented commitments to be considered compliant. It is also important to include a detailed IT security plan, aligned with ICO guidance or an ICO-approved certification scheme, in your response plan to demonstrate that your controls meet the market standard.
Thorough preparation and planning is vital to protect your company against a ransomware attack and the possible legal implications. You need to understand each applicable regulation and piece of legislation to ensure that every base is covered.
Achieving certification and seeking expert advice can help you assess the best practice expectations for your company. Staying abreast of the latest regulatory updates will also help to keep your incident response plan relevant.
By Cyber Collective Partner Jurriaan Jansen, Norton Rose Fulbright LLP