By George Suh
Ransomware is gaining traction as one of the most significant cyber threats online. On May 12th, 2017, the ransomware “WannaCry” began infecting PCs all over the world. The impact of WannaCry is staggering: it infected over 300,000 computers in more than 150 countries. Ransomware is a type of malware that encrypts or locks your computer’s data and files and demands a ransom for their return. Bitcoin is a very popular form of payment with cyber attackers, because the money is anonymized to prevent the extortionists from being tracked by federal and international authorities. Moreover, there is no guarantee that paying the ransom will restore the infected user’s access to their computer. Thus, if you do not create a backup of your data, paying the ransom can lead to a costly or futile outcome and leave potentially sensitive data in the hands of clandestine criminals.
Ransomware is not a new phenomenon. This type of malware was first reported in Russia and parts of Eastern Europe in 2005, and starting around 2012 the use of ransomware has grown exponentially. The rise in ransomware has proven to be a very lucrative black market enterprise for hackers, with the FBI estimating that another major ransomware, CryptoWall, generated at least $27 million from its victims. Even police departments were among CryptoWall’s victims. In Swansea, Massachusetts, a police department’s computer system became infected. Ultimately, the department paid the ransom of 2 Bitcoins (around $750 at the time), instead of figuring out how to decrypt the affected files on its own. Swansea Police Lt. Gregory Ryan told the Herald News that “CryptoWall is so complicated and successful that you have to buy these Bitcoins, which we had never heard of.”
As recent ransomware events have shown, high profile attacks are an ever growing trend in the cyber landscape and a growing cause for concern. Businesses and organizations that maintain personally identifiable information should take into account the potential legal ramifications of failing to secure critical data:
- Federal Trade Commission Enforcement. In a November 2016 blog entry, the FTC warned that “a business’ failure to secure its networks from ransomware can cause significant harm to the consumers whose personal data is hacked. And in some cases, a business’ inability to maintain its day-to-day operations during a ransomware attack could deny people critical access to services like health care in the event of an emergency.” The FTC also highlighted that “a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act.” When a data breach occurs, the FTC may also consider the accuracy of the security promises made to consumers. Under Section 5 of the FTC Act, the “unfair or deceptive acts or practices” doctrine gives the FTC the authority to pursue legal action against businesses and organizations that misrepresent the security measures used to protect sensitive data.
- Breach Notification Requirements. In the U.S., 48 States, the District of Columbia, the U.S. Virgin Islands, Guam, and Puerto Rico have laws that require notification to affected individuals in the event of a breach. Some States also require notification to regulators. Federal laws, such as the Health Insurance Portability and Accountability Act (“HIPAA”), also have specific breach notification requirements. Moreover, U.S. businesses and organizations that operate or sell products internationally may also be subject to stricter notification laws. For example, beginning on May 25th, 2018, the E.U.’s upcoming General Data Protection Regulation (“GDPR”) will require notification “within 72 hours of first having become aware of the breach.” Businesses or organizations that violate the GDPR can be fined up to a maximum of 4% of annual global turnover or €20 Million (whichever is greater).
Understanding the applicable breach notification laws can save a business or organization from significant legal and monetary complications. The unfortunate reality is that ransomware may be only the beginning of much more sophisticated and sinister malware attacks. Therefore, businesses and organizations that maintain personal data should ensure they are complying with data privacy and cyber security laws. Given the high profitability and anonymity that ransomware provides for cyber criminals, there will certainly be more attacks in the future.
George Suh is a 3L at Chicago-Kent. He is the co-founder and current Vice President of Chicago-Kent’s Cyber Security and Data Privacy Society.