The Growing Ransomware Threat: Legal and Compliance Considerations for Your Organization

A digital crime wave is sweeping across the globe, targeting both public and private sector organizations. The rise of crimeware, or software designed to commit crimes, is alarming, with some analysts predicting the market could reach a value of $10.5 trillion by 2025. Among the most prominent types of crimeware, ransomware has made a dramatic comeback. High-profile ransomware groups like Cring, REvil, Ryuk, Maze, and Conti have grabbed international headlines, launching attacks on market-leading companies worldwide. The infamous REvil attack on Acer earlier this year, which demanded a staggering $50 million ransom, is just one example of the damage ransomware can inflict.

The Current State of Ransomware

As ransomware continues to escalate, here are a few critical stats to keep in mind:

• 4,000 ransomware attacks are launched daily.
• Only 0.03% of all scanned emails are flagged as containing ransomware.
• The average ransomware payout is around $250,000, but when ransom demands are not met, the cost of an attack can reach an average of $732,520, and $1.4 million when the demands are paid.
• On average, ransomware attacks cause 19 days of downtime.
• In 2021 alone, 16 new ransomware variants were discovered in the first quarter.
• Every 11 seconds, another business is targeted by ransomware.
• By the end of 2021, the estimated global cost of ransomware is expected to reach $20 billion.

Given the scale and frequency of these attacks, it is clear that ransomware is here to stay. For organizations, the collaboration between cybersecurity, legal, and compliance teams is essential to mitigate risk and prepare for the inevitable.

A Brief History of Ransomware

The concept of ransomware dates back to 1989 when the AIDS Trojan/PC Cyborg ransomware attack was launched by Joseph L. Popp. Attendees of the World Health Organization's International AIDS Conference received diskettes that, once inserted, encrypted their data and demanded a ransom of $189. Fast forward to today, and ransomware has evolved into a much more sophisticated threat, with modern ransomware attacks—like the Cring ransomware—using advanced encryption and delivering devastating results.

High-Profile Ransomware Attacks

Here are some of the notable ransomware incidents that have rocked the business world in recent years:

• ISS World: In February 2020, Danish facilities management company ISS World was hit with a $74 million ransomware demand, causing significant operational disruption.
• Cognizant: In April 2020, IT services provider Cognizant suffered a ransomware attack that cost the company between $50-70 million.
• Sopra Steria: In October 2020, French IT services giant Sopra Steria was targeted by the Ryuk ransomware, resulting in an operational hit of at least $50 million.

The Legal and Compliance Implications of Ransomware

When ransomware attacks occur, legal and compliance teams must work closely with information security professionals to ensure they follow the necessary steps to mitigate the damage and maintain regulatory compliance. Different industries face unique compliance challenges:

• Healthcare
  Under HIPAA, healthcare organizations such as hospitals and insurance providers are legally required to notify the Department of Health and Human Services (HHS) and affected individuals if protected health information (PHI) is compromised during a breach.

• Consumer Banks and Loan Companies
  The Gramm-Leach-Bliley Act (GLBA) governs data protection for consumer banking. The Federal Trade Commission (FTC) does not require ransomware breaches to be reported, but service providers are encouraged to inform customers.

• Brokers, Dealers, and Investment Advisors
  The Securities and Exchange Commission (SEC), under Regulation S-P, recommends notifying customers of a breach but does not legally require it.

• Investment Banks and National Banks
  Regulatory guidelines from the Federal Reserve and Treasury Department require notification only if sensitive data has been misused. These guidelines outline how and when disclosure should occur.

• U.S. State Laws
  New Jersey and Connecticut have specific breach notification laws in place. In cases involving cross-border or transnational breaches, compliance requirements may become more complex.

• EU Data Laws
  Under the General Data Protection Regulation (GDPR), organizations in the EU must disclose data breaches, including those caused by ransomware, if they compromise personal data.

How to Respond to a Ransomware Attack

If your organization or a partner experiences a data breach caused by ransomware, you must act quickly. Consider the following steps:

1. Assess the Breach: Determine the scope of the attack, what data has been compromised, and the potential legal implications.
2. Notify the Appropriate Parties: Based on the type of data and industry-specific regulations, notify customers, regulatory bodies, and law enforcement if necessary.
3. Work with Legal and Compliance Teams: Collaborate with internal teams to ensure that your response adheres to legal requirements and mitigates further damage.

Final Thoughts

The ransomware threat is growing, and businesses need to take action now to strengthen their defenses. Legal, compliance, and cybersecurity teams must work hand-in-hand to reduce the risk of attacks and develop response strategies that comply with the ever-evolving regulatory landscape.