Worried about Ransomware? Ten Steps to Help Legal Counsel Understand and Mitigate the Risk

Executive teams in the U.S. live in fear of a successful ransomware attack, and who can blame them? Attacks are both prevalent and evolving. Many attackers have shifted from encrypting data and locking up systems to also (or in the alternative) stealing data to extort payment. Some of these attacks presume organizations will pay to restore data, avoid a more extensive data breach, or protect consumers from further harm. More recently, attacks have targeted organizations thought to be in a sensitive financial position and who might be more willing to pay to keep that secret. If you are not sure how your business would respond to these multi-faceted, sometimes devastating attacks, here are steps you can take to mitigate the impact of these events and reduce their likelihood.

  1. Train your workforce

The weakest link in the security program of most businesses is their employees. End users click on malware, fall for phishing attacks, and reuse their network credentials across ecommerce and gaming sites, among other behaviors that facilitate ransomware and other attacks. Take the time to issue training that addresses risky behavior, rather than pounding regulatory content into your employees’ brains. You can also train employees to know the signs of a ransomware attack (or a demand for ransom based on exfiltration) and to report it immediately, following your organization’s incident response plan.

  2. Implement and test “reasonable” security

Multiple state and federal laws require at least “reasonable” security and some, like New York’s SHIELD law and the newly enhanced Safeguards Rule from the Federal Trade Commission, mandate specific measures, including intrusion detection systems and multifactor authentication. Obviously, your organization should implement the controls necessary to comply with law. But continuous risk analysis and testing also are increasingly required by law (besides being a good idea). Measures recently outlined by CISA also are a good start.

Your focus should therefore be not only on current-state compliance, but also on continuous improvement and justifying risk-based decisions about security implementation. If you take that view, your organization will be better situated to prevent or minimize the effect of a ransomware attack, and to demonstrate compliance in the event of follow-on regulatory scrutiny.

  3. Be ready for regulatory reviews

Speaking of regulators, a seemingly endless parade of agencies is keenly interested in ransomware. These include DHS, DOJ, NSA, FBI, SEC, Treasury, FinCEN, DOE, DHHS, and the White House, among others. You should be prepared to proactively report an incident to one or more of these agencies, depending on your legal obligations, and to respond to questions they may have about your response, including the nature of your security (see above).

  4. Have an incident response plan

Your organization should already have a written incident response plan. It’s required by multiple state and federal data security laws, and it will be hard to argue that your organization maintains “reasonable” security absent such a plan. You should review the plan, particularly if it was drafted by your IT department without input from legal counsel.

At minimum, there needs to be an appropriate point in the plan when legal counsel is included in the response. Because ransomware raises legal issues beyond whether personal data was accessed, that trigger should not be limited to incidents that implicate personal data. And, of course, a “security incident” is not limited to a “personal data breach.” The communications protocols in your response plan should address the situation in which typical methods like email are inoperable.

Importantly, copies of your plan should be stored such that a ransomware attack does not deprive you of access to it.

  5. Consider a practice run and ask tough questions now

Not sure how well-prepared your business is to respond to ransomware? Find out. Not sure whether you should pay a ransom? Play out the factors now. Get the subject matter experts and decision makers in a room and do a practice run, asking hard questions as you go. Do you know whether it is legal to pay a ransom? Can you figure it out if the actor gives you a deadline of 24 hours? Is your organization willing or unwilling to pay criminals to avoid having your data published online?

A practice run can also surface gaps in your plans or preparedness. If more than half the response team cannot articulate their role, or their description of their role does not align with your incident response plan, you will prefer to find out during a collaborative meeting than in the middle of a real attack. Does the plan address restoration of encrypted data, or only exfiltration? Does the plan identify third parties that may be necessary for support, like forensics, legal partners, and law enforcement? It only takes a few hours to run a table-top exercise, and you will almost certainly identify enhancements that will improve the timeliness and efficacy of your response.

  6. Create data and system resilience

One of the best steps you can take to minimize the impact of ransomware is to develop resilient systems, including regular and robust data backups. Ideally, your organization has a business continuity plan. That plan would typically be based on a criticality assessment that identified your organization’s most business-critical systems and data. Backup and restoration plans would be tied to that criticality assessment, restoring operations in order of importance. That plan also should address emergency access. For example, if your communication systems are unavailable, the plan should address how your organization will operate while systems are restored. If your plan has not been adjusted to account for a ransomware attack, or if your business has not assessed whether it can and is willing to forgo a ransom payment for the duration necessary to get back up and running, those issues should be addressed with urgency.

  7. Implement strong data governance, or at least limited retention

Of course, attackers cannot steal and publish data you don’t retain, so data minimization has long been a best practice when reducing the impact of a future data breach. Now, it’s also an emerging legal requirement as states roll out new, comprehensive privacy laws. This best practice also has added fringe benefits: reducing the impact of legal holds, improving system performance, and decreasing storage costs.

Improving data governance also should give your organization a clearer understanding of the types of data it uses and stores, where that data is located, the security measures used to protect those repositories, and whether those measures are appropriate. This same mapping process will also support the aforementioned resilience efforts.

  8. Avoid encouraging the use of unstructured data

Speaking of good data governance: it can also help avoid or minimize unstructured data. Unstructured data resides in repositories that are not centrally managed or have no organizational system imposed on the content of the repository.

Email is a classic example. Your organization’s email likely includes an array of sensitive information, none of it organized into any certain form that would allow you to quickly know the types of information affected by ransomware. Shared network drives are another common example. Unlike a database, which may have a specific purpose or data types organized in rows or columns, it is hard to know exactly what was in an email account or shared drive when the repository has no real structure. When repositories that lack structure are subject to attack, it usually will be necessary to search the entire content and produce an inventory of affected information. (If you are wondering why that’s necessary, consider how you will know whether any personal or confidential information was affected in a shared network drive, and to whom that data pertains, so that you can carry out legal notification directed to affected persons.)

In our experience, reviewing and inventorying impacted data in an unstructured repository is time consuming and expensive. That experience suggests it can account for half or more of the total cost of addressing notification obligations in a ransomware attack, and double the timeline to carry out the response. If you can minimize or avoid maintaining unstructured data repositories, you will reduce cost and legal risk.
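To make the “search the entire content and produce an inventory” step concrete, here is an added example (not code from the article or its authors) of the kind of first-pass scan a response team runs over an unstructured repository. The shared drive, the file contents, and the people named in them are constructed for the example; the three pattern detectors are illustrative and US-centric, and a real inventory would use a broader, validated rule set. The scan produces masked candidate hits per file and per data category; deciding to whom each hit pertains, and therefore who must be notified, still requires human review of the flagged files.

```python
import re
from collections import defaultdict

# Constructed sample "shared drive": path -> file contents. The files and the
# individuals mentioned in them are invented for this example.
SHARED_DRIVE = {
    "hr/onboarding_notes.txt": (
        "New hire Alice Example starts Monday. SSN 123-45-6789, "
        "personal email alice@example.com, mobile 555-123-4567."
    ),
    "finance/vendor_payments.txt": (
        "Wire to ACME Corp, account ending 4321. "
        "Contact bob@example.org with questions."
    ),
    "marketing/q3_plan.txt": "Campaign budget and timeline. No customer data here.",
}

# Illustrative detectors for a few common data types (assumed for this example).
# Real inventories use wider, jurisdiction-specific rules plus validation.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}


def mask(value):
    """Keep only the last four characters so the inventory itself does not
    become a second copy of the sensitive data."""
    return "*" * (len(value) - 4) + value[-4:]


def inventory_repository(files):
    """Scan the full content of every file and return
    {path: {category: [masked matches]}} for files with at least one hit."""
    result = {}
    for path, content in files.items():
        hits = defaultdict(list)
        for category, pattern in PATTERNS.items():
            for match in pattern.findall(content):
                hits[category].append(mask(match))
        if hits:
            result[path] = dict(hits)
    return result


def files_requiring_review(inventory):
    """Paths a reviewer must examine to determine the affected individuals."""
    return sorted(inventory)


def category_totals(inventory):
    """Hit counts per data category across the repository, used to scope the
    notification analysis before anyone opens a single file."""
    totals = defaultdict(int)
    for hits in inventory.values():
        for category, values in hits.items():
            totals[category] += len(values)
    return dict(totals)


if __name__ == "__main__":
    inv = inventory_repository(SHARED_DRIVE)
    for path in files_requiring_review(inv):
        print(path, inv[path])
    print(category_totals(inv))
```

Run as-is, the scan flags the HR note and the finance memo and skips the marketing plan, which is exactly the triage the article describes: the categories and counts tell counsel what kind of notification analysis is coming, and the flagged file list bounds the expensive manual review rather than requiring every document to be read.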

  9. Work with experts, particularly when paying a ransom

If you expect to need outside support, you should arrange that now. Forensic experts, legal counsel, and ransom negotiators are all options, as are services that handle consumer protection enrollments, should that prove necessary. Counsel and forensics in particular should be lined up in advance, since your organization may want to assert legal privilege and get a sense of the impacts before directly addressing the ransom demand, which will likely come with a ticking clock.

It is particularly important to engage with experts if you intend to consider paying a ransom, which the FBI discourages. In 2020, the Treasury Department’s Office of Foreign Assets Control (OFAC) advised that paying ransoms encourages further attacks, and warned that it could pursue sanctions in the event a ransomware victim violated U.S. sanctions prohibitions by paying an actor identified on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List). OFAC has designated numerous malicious cyber actors under its sanctions programs, and these sanctions can be imposed on a strict liability basis.

More recently, OFAC reiterated that position and its application to third parties facilitating payments, not only the party making the payment, including forensic and incident response organizations that assist in negotiations, financial institutions, and insurers. Because of this potential liability, you should only engage service providers that can reliably advise on whether the attacker has left any evidence or given any indication that would correlate to the SDN List.

The risk of sanctions is significant, but not the only factor to consider. You also should consider the actor’s history and credibility. Making a payment will do little good if the actor ghosts you upon payment without providing a decryption tool, the tool does not work or corrupts data, the actor comes back for a second payment, or the actor publishes data despite promises not to do so. An experienced negotiator will have some background information to help you judge the prospects and may be able to procure proof of decryption capabilities or data disposal post-payment.

You should also consult your insurance policy regarding reliance on expert support. Besides determining that it will cover a full ransomware response (it may not cover the ransom payment due to OFAC sanctions risk), you may want to assess whether you have a choice about the experts that will be assigned to your matter.

  10. Be mindful of privilege

If you decide to procure a forensic investigation, be thoughtful about the engagement and the output. It is challenging to effectively assert legal privilege over these engagements, and your chances are reduced if your organization leverages an existing contract, including hiring a security consultant already on retainer for breach response.

Instead, outside counsel should initiate a fresh engagement with a forensic provider. There are additional steps you can take to increase the chances a forensic report will be considered privileged, but you may also want to consider forgoing a written report. Of course, if PCI DSS is implicated, you will need to participate in a review by a PCI forensic investigator (PFI), which will necessarily complicate a privilege argument. Privilege considerations (along with the potential for regulatory requests noted above) may motivate you to forgo a final report entirely, but these are all elements you can consider and tentatively plan for before a ransomware attack occurs.

*  *  *  *

Pursuing these steps will put your organization in a better position to respond to a ransomware attack, and bring peace of mind even if the threat is never realized. Most of these steps also are relevant to incident response generally, regardless of the attack vector, and create opportunities for counsel to build expertise and rewarding internal and external relationships. And of course, “Lead company preparations to engage in ransomware response” is not a bad addition to your resume or year-end review.