
Ransomware – COVID-19 & Upgrading Your Defenses


It’s pretty shameful that in the current crisis we’re seeing ransomware on the rise. It’s even more shameful that organizations involved in fighting the virus seem to be especially at risk. Last year ransomware targeted healthcare more than any other industry, accounting for 29% of total ransomware attacks, according to Beazley’s 2020 Breach Briefing report. Recent events suggest that attacks are up as the COVID-19 virus spreads, with criminals working on the theory that an organization desperate to unlock its data is now more likely to pay.

The combined effects of COVID-19 and ransomware have already claimed one victim: Travelex entered into administration on Aug. 6, 2020 after having reportedly paid a ransom to hackers. A rescue package was agreed, but with the loss of 1,300 jobs. Regrettably, it is likely that Travelex will be just the first of many victims.

What Techniques Are Hackers Using?

A ransomware attack uses malware that encrypts or otherwise restricts access to computers, systems or data by exploiting system vulnerabilities. The attackers demand that the victim pay money (usually in a cryptocurrency such as Bitcoin) to receive the decryption key or regain access.

The main ways that a ransomware ‘payload’ can enter an organization’s network are via:

The criminals usually exploit a vulnerability in the operating system or other installed software to run the payload, which then starts the encryption process.

What’s the Worst That Can Happen?

The impact of a ransomware attack can be severe and far-reaching. For the corporate victim, it can mean business disruption, financial loss and reputational damage. For some it may mean that they are forced to close.

For those whose data has been compromised, this could mean that critical data is rendered inaccessible or disclosed to unauthorized people — in some cases this could include sensitive data.

In terms of data protection law impact, the General Data Protection Regulation (GDPR) imposes key requirements relating to security. Controllers must take appropriate technical and organizational measures (TOMs) to keep personal data secure against loss or destruction.

Where a ransomware attack means that an organization is unable to restore compromised data, this could constitute a breach of GDPR on the basis that appropriate measures have not been taken to keep the data secure.

If a personal data breach has occurred, this will need to be reported by the controller organization to the relevant data protection regulator(s) (in the UK, the Information Commissioner’s Office (ICO)) within 72 hours, unless the personal data breach is unlikely to result in a risk to individuals. If the personal data breach is likely to result in a high risk to individuals, the controller needs to also communicate the breach to individuals whose data has been compromised without undue delay.

It is possible that the incident may not amount to a reportable personal data breach if:

We know that a number of organizations who have suffered a ransomware attack have argued that because the data has not left their systems no data breach has occurred. That’s unlikely to be correct. There’s detailed guidance on this at an EU level. Individual data protection authorities have issued guidance too — for example the ICO’s guidance says that even if it can restore data from back-up an organization “would still need to look at the circumstances of the case to determine whether or not there were appropriate measures in place which could have prevented the attack from succeeding”.

Organizations that fail to meet their security obligations under the GDPR face high fines as follows:

GDPR Provision | Requirement | Maximum Fines
Article 5(1)(f) | For not ensuring that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’). | The higher of €20,000,000 ($23,891,100) and up to 4% of the total worldwide annual turnover of the preceding financial year
Article 32 | For not implementing appropriate TOMs to ensure a level of security appropriate to the risk, including as appropriate: |