As cybersecurity has become an increasingly important consideration for all corporate operations, one of the most pernicious problems has been the rise of so-called “ransomware” attacks – that is, systems breaches in which hackers take control of corporate networks and demand ransom payments as a condition of unlocking the systems. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at the ransomware phenomenon, how companies are responding, and why. A version of this article previously was published on Securities Docket. I would like to thank John for allowing me to publish his article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.
Ransomware attacks have reached epidemic proportions, but nobody is talking about it. Why? Because corporate ransomware victims are discreetly paying the ransoms and are (lawfully) sweeping the incidents under the rug.
Tendering ransomware payments has evolved into yet another dirty little secret of corporate operations — just like U.S. corporate foreign bribes prior to the enactment of the Foreign Corrupt Practices Act or U.S. business dealings with terrorists prior to the enactment of the USA Patriot Act. Except this time, there may not exist a statutory remedy for the current ransomware payment scourge – and this time one cannot help but sympathize with the excruciating suffering endured by ransomware victims.
In most cases of ransomware, the fact pattern is the same:
- Ransomware attackers break into a corporate system and encrypt, or lock-up, a corporate victim’s data. Most ransomware infections come from phishing attacks, in which unwitting users are enticed to open a file or click on a link containing the ransomware malware;
- The ransomware attackers demand payment in cryptocurrency, typically bitcoin, for the encryption key to enable the victim corporation to unlock the now inaccessible data;
- The ransomware victim pays the cryptocurrency ransom to the attacker; and
- The ransomware attackers move on to their next victim.
What makes ransomware attacks so distinctive is that the corporate victim never loses possession of the data, merely access to it. In other words, whereas most other forms of cybercrime involve some type of theft such as exfiltrating credit card data or intellectual property that can be sold on the dark web, ransomware is different. In a ransomware scenario, the crime is more akin to a shakedown where the corporate victim’s data is held hostage until the company pays the ransom.
What makes ransomware attacks so devastating is that many variants do not simply target individual endpoints, but rather establish a foothold on one device and then fan out across a corporate network, encrypting everything from shared drives and email servers to website platforms and backup servers. In this way, ransomware attackers can cripple significant portions, or even all, of a company’s technologically facilitated operations.
Rarely is there ever even an arrest, let alone a successful prosecution, of a ransomware attacker. Law enforcement remains virtually paralyzed, while bitcoin continues to gain popularity as the outlaw’s currency of choice. Ransomware attackers have become yet another class of cyber-criminal who continue to enrich themselves while, for the most part, law enforcement can only watch from the sidelines.
While payment of a ransomware demand does not guarantee that the ransomware attacker will provide the right encryption keys with the proper decryption algorithms and may not stop the ransomware attacker from returning, the arguments for rendering a ransomware payment have nonetheless become increasingly compelling:
- Ransomware payment is often the least costly option. For instance, the city of Atlanta spent more than $2.6 million on emergency efforts to respond to a ransomware attack that destabilized municipal operations last month. Attackers, who infected the city’s systems with the pernicious SamSam malware, asked for a ransom of roughly $50,000 worth of bitcoin. Atlanta officials have not stated whether they paid the ransom, or even tried, but it seems that they may not have even had the chance; the attackers (who were, in a rare instance, allegedly caught) quickly took the payment portal offline, and left the city to fend for itself;
- Ransomware payment can be in the best interest of stakeholders. For example, consider hospital patients in desperate need of an immediate operation but whose records are locked up by a ransomware attack – quick payment may save their lives; and
- Ransomware payment may mean not going public with the data breach. As described below, state, federal and international breach notification laws arguably do not apply to ransomware attacks because no corporate data is actually pilfered.
Indeed, it is not surprising that paying ransomware attackers has become as routine a cost of business as paying the electric bill – but what is surprising (and shocking) is that no one seems to care.
This article: 1) discusses why, and how, corporate victims are paying ransom to ransomware attackers; 2) analyzes the legalities involved when a corporation refuses to disclose publicly the details of a ransomware attack; and 3) offers some thoughts on the future concerning ransomware’s current economic boom.
But first a little background.
What is Ransomware?
Ransomware is a type of malicious software that infects a computer and restricts users’ access to certain data, systems and/or files until a ransom is paid. Ransomware can come in many forms and iterations and like any other virus or infection, ransomware can evolve and transmogrify to counter cyber-defenses and remediation. Although only a fraction of ransomware attacks are actually reported to federal authorities (see discussion below), the U.S. Department of Justice reports over 4,000 ransomware attacks occur daily.
According to Verizon’s most recent 2018 Data Breach Investigations Report, ransomware attacks were the most prevalent variety of malware in 2017. The report looked at more than 50,000 incidents from all over the world. Ransomware was found in more than 700 of the incidents — and has steadily increased since Verizon started counting them explicitly in 2014.
In 2017, ransomware resulted in $5 billion in losses, counting both ransoms paid and the spending and lost time in recovering from attacks, and losses are expected to hit $11.5 billion in 2019. That’s up 15 times from 2015. Every 40 seconds a business falls victim to a ransomware attack, according to a recent story by the Forbes Technology Council citing a security bulletin posted by the cybersecurity firm Kaspersky Lab, which stated that the rate rose from one attack every two minutes in early 2016. Cybersecurity Ventures predicts there will be a ransomware attack on corporations every 14 seconds by the end of 2019.
The impact of a ransomware attack can be mammoth. Typically, all files on servers and workstations are renamed with virus-like extensions. Email servers and website servers become inoperable. Operations cease – no ability to track accounts receivable, issue invoices, or pay bills and employees. Employees quickly become panicked, while there is often no way even to contact company executives, salespersons or any other personnel. Amid the bedlam, the costs of a ransomware shutdown rise exponentially, not to mention the dire business development and reputational ramifications.
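The two behaviours described above (a foothold that fans out across shared drives and mail stores, and files renamed en masse to an unfamiliar extension) are the ones a defender can watch for while the damage is still small. The following is an added example, not code from the article or from any product it mentions: it replays a constructed file-server audit log and flags any host/user pair that renames more than a threshold of files to a non-baseline extension inside a sliding window, then correlates that burst with a dropped ransom note. The audit-line format, host names, share paths, the `.locked` extension and the baseline extension set are all assumptions made for the demo.

```python
"""Heuristic detector for the mass-rename "fan-out" pattern (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os
import re

# Extensions this hypothetical environment normally produces; a rename to
# anything else counts towards the burst score.
BASELINE_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".pst", ".bak", ".zip"}
WINDOW = timedelta(seconds=60)   # sliding window for the burst count
THRESHOLD = 5                    # suspicious renames per actor within WINDOW
RANSOM_NOTE = re.compile(r"(decrypt|restore|how_to|readme)", re.IGNORECASE)

# Constructed audit log, one event per line:
#   <ISO timestamp> <host> <user> <action> <path> [-> <new path>]
SAMPLE_EVENTS = """\
2018-04-02T09:00:01 WS-17 bsmith RENAME //fileserver/finance/Q1.xlsx -> //fileserver/finance/Q1.xlsx.locked
2018-04-02T09:00:01 WS-17 bsmith RENAME //fileserver/finance/Q2.xlsx -> //fileserver/finance/Q2.xlsx.locked
2018-04-02T09:00:02 WS-03 jdoe RENAME C:/Users/jdoe/draft.docx -> C:/Users/jdoe/draft_final.docx
2018-04-02T09:00:02 WS-17 bsmith RENAME //fileserver/finance/budget.docx -> //fileserver/finance/budget.docx.locked
2018-04-02T09:00:03 WS-17 bsmith RENAME //fileserver/hr/payroll.pdf -> //fileserver/hr/payroll.pdf.locked
2018-04-02T09:00:04 WS-17 bsmith RENAME //mailserver/store/mailbox1.pst -> //mailserver/store/mailbox1.pst.locked
2018-04-02T09:00:05 WS-17 bsmith WRITE //fileserver/finance/HOW_TO_DECRYPT_FILES.txt
2018-04-02T09:10:00 WS-08 mlee RENAME //fileserver/hr/handbook.pdf -> //fileserver/hr/handbook.pdf.bak
2018-04-02T09:10:30 WS-08 mlee RENAME //fileserver/hr/policy.docx -> //fileserver/hr/policy.docx.bak
"""


def parse_event(line):
    """Parse one audit line into a dict; blank lines yield None."""
    parts = line.split()
    if not parts:
        return None
    ev = {"ts": datetime.fromisoformat(parts[0]), "host": parts[1],
          "user": parts[2], "action": parts[3], "src": parts[4], "dst": None}
    if ev["action"] == "RENAME" and len(parts) >= 7 and parts[5] == "->":
        ev["dst"] = parts[6]
    return ev


def extension(path):
    return os.path.splitext(path)[1].lower()


def is_suspicious_rename(ev):
    """A rename that changes the extension to one outside the baseline."""
    if ev["action"] != "RENAME" or ev["dst"] is None:
        return False
    new_ext = extension(ev["dst"])
    return (new_ext != "" and new_ext != extension(ev["src"])
            and new_ext not in BASELINE_EXTENSIONS)


def detect(log_text):
    """Return one alert per (host, user) whose suspicious renames reach THRESHOLD within WINDOW."""
    recent = defaultdict(deque)     # actor -> timestamps of suspicious renames still in window
    new_exts = defaultdict(set)     # actor -> unfamiliar extensions seen
    notes = defaultdict(list)       # actor -> ransom-note-like files written
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        actor = (ev["host"], ev["user"])
        if ev["action"] == "WRITE" and RANSOM_NOTE.search(os.path.basename(ev["src"])):
            notes[actor].append(ev["src"])
            if actor in alerts:                  # enrich an alert already raised
                alerts[actor]["ransom_notes"] = list(notes[actor])
        if not is_suspicious_rename(ev):
            continue
        q = recent[actor]
        q.append(ev["ts"])
        new_exts[actor].add(extension(ev["dst"]))
        while q and ev["ts"] - q[0] > WINDOW:    # slide the window forward
            q.popleft()
        if len(q) >= THRESHOLD and actor not in alerts:
            alerts[actor] = {"host": ev["host"], "user": ev["user"],
                             "renames_in_window": len(q),
                             "new_extensions": sorted(new_exts[actor]),
                             "first_seen": q[0].isoformat(),
                             "ransom_notes": list(notes[actor])}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The benign renames (a user renaming a draft, an HR clerk archiving files to `.bak`) never score, because the destination extension is either unchanged or in the baseline; only WS-17 trips the threshold, and the note written seconds later is attached to the same alert. In production the same logic would be fed from file-server or EDR audit events, and the host named in the alert is the one to isolate first.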
Cryptocurrency and Ransomware
Lost to many commentators is that bitcoin and other convertible crypto-currencies have become the keystone to current ransomware schemes, rendering the transactions practically untraceable and well suited for criminal transactions. Unlike the sequence of events during a common kidnapping scenario, where the exchange of money arguably places criminals in their most vulnerable position, the virtual kidnapping of ransomware actually facilitates pseudo-anonymity throughout the payment process, such as the bitcoin transaction process.
Bitcoin is also an efficient means of payment for a ransomware attacker. Per one expert, it’s fast, reliable, and verifiable. The hacker can simply watch the public blockchain to know if and when a victim has paid up; she can even make a unique payment address for each victim and automate the process of unlocking their files upon a confirmed bitcoin transaction to that unique address.
Once the ransomware attackers have the bitcoin, it is simply a matter of laundering via the Dark Web (or even through the rapidly evolving “legitimate” bitcoin conversion shops which are sprouting all over the world), where the hackers can then convert the bitcoin to cash.
U.S. Law Enforcement is Virtually Powerless Against Ransomware
Historically, national law enforcement agencies such as the Federal Bureau of Investigation (FBI) have successfully tackled crime waves orchestrated by nationally organized mobsters; internationally organized terrorists; and other notorious, sophisticated and nefarious criminal enterprises. But sadly, with a few exceptions, the FBI has apparently met its match when it comes to capturing (or even identifying) ransomware attackers.
Ironically, the FBI has itself even been used as a pawn in ransomware schemes, illustrating the hubris of ransomware purveyors and their overall sense of invincibility.
In general, seeking law enforcement help for a ransomware attack unfortunately remains a very limited option. First, law enforcement has become inundated with ransomware reports and lacks the resources and wherewithal to assist victims. Second, most of the ransomware attackers are overseas, where merely obtaining electronic evidence or interviewing a witness, let alone successful extradition and prosecution, are rarely possible. Finally, ransomware demands are often at monetary levels in the hundreds or thousands of dollars – too small to warrant federal law enforcement consideration and clearly beyond the jurisdiction of local law enforcement.
Thus, it should come as no surprise that: when padlocked files are business-critical (e.g. an important intellectual property formula); when encryption cannot be defeated (no matter how good the code-breaker) or when time is of the essence (e.g. when patient data is needed for life-saving surgery), paying the ransom can become the proverbial best worst option.
Law Enforcement and Ransomware: The Official View
The official line from federal law enforcement with respect to Ransomware is: Report the Incident and Don’t Pay. Specifically, the FBI warns:
“The FBI doesn’t support paying a ransom in response to a ransomware attack . . . Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. [B]y paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Notwithstanding, the FBI’s official ransomware guidance does not state “do not pay under any circumstances.” Rather, the FBI’s “Ransomware Prevention and Response for CISOs” document, states:
“Whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup.”
The FBI also warns that paying ransomware does not guarantee that a victim company will obtain from the attacker a working key to rescue their data. The FBI is aware of cases where either the attackers fail to hand over the correct decryption key or are unwilling to comply with the original ransomware demands after payment is received. According to Trend Micro research, nearly 33 percent of firms that pay the ransom when attacked by ransomware fail to get their data back. The FBI also urges ransomware victims to report ransomware attacks immediately and seek help from the FBI in handling the situation.
Along similar lines, during an emergency meeting to address the WannaCry ransomware attacks, Tom Bossert, then-Homeland Security Advisor to President Donald Trump, discussed the perils of ransomware payment, and warned that victims could still lose access to files even after making a payment:
“Well, the U.S. government doesn’t make a recommendation on paying ransom, but I would provide a strong caution. You’re dealing with people who are obviously not scrupulous, so making a payment does not mean you are going to get your data back.”
Law Enforcement and Ransomware: The Unofficial View
In some public settings, the FBI has warned that, without paying a ransom, victim companies may not be able to unlock their kidnapped data from ransomware attackers who use Cryptolocker, Cryptowall and other potent malware strains.
“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people to just pay the ransom . . . The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”
Indeed, the Ponemon Institute reported in a 2016 study that 48% of businesses victimized by ransomware paid the ransom (average ransomware payment being $2,500), while a similar IBM Security study found that 70 percent of business victims paid the ransom during that same period.
Cottage Industry of Facilitators
While the FBI might be of little help when it comes to ransomware, the private sector has stepped up, becoming remarkably inventive. Hence the genesis of a new cottage industry of so-called “ransomware payment facilitators,” typically data recovery, digital forensics, or other incident response firms who, by negotiating and transacting with the ransomware attackers, will attempt to recover ransomware victims’ files for a fee.
While the practice of ransomware payment facilitation can raise a slew of legal and regulatory questions, it is also a practice that has become tacitly acknowledged as a necessity, and a genuine life-saver for ransomware victims who would otherwise have nowhere else to turn.
Thus, in cases where a particular ransomware attack cannot be fully mitigated, which is the norm these days, an experienced digital forensics firm can broker and validate a solution that minimizes the cost of recovery and prevents further extortion from the attacker.
Paying off the ransomware attackers typically entails: 1) sending the secret ransomware key file now stored on the victim’s computer; 2) uploading that file (or data string) to the attackers together with a bitcoin payment; and 3) awaiting a decryption key or a tool a victim can use to undo the encryption on the victim company files. This is a complex and challenging process.
First off, a digital forensics firm can help a ransomware victim navigate the maze of setting up an account to handle bitcoin, getting it funded, and figuring out how to pay others with it. A digital forensics examiner may even be able to construct a payment scheme where rendering ransomware payments is conditional.
By using cryptocurrency features to ensure that ransomware attackers cannot receive their payment unless they deliver a key, there can exist some added level of security and reliability upon the transaction. One ransomware response expert notes:
“. . . A ransomware developer could easily perform payment via a smart contract script (in a system like Ethereum) that guarantees the following property: This payment will be delivered to the ransomware operator if and only if the ransomware author unlocks it — by posting the ransomware decryption key to the same blockchain.”
Ransomware attackers can transform the entire ransomware payment process into something that seems more like an ordinary business transaction than an international extortion scheme. In fact, some recent ransomware attackers purportedly even offer a victim company a discount if the victim company transmits the infection to other companies, just like referral programs of Uber or Lyft.
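The conditional payment the quoted expert describes, and the facilitator’s job of validating a decryptor before any money moves, come down to one property: funds are released if and only if the submitted key really does recover the victim’s data. The block below is an added example, not code from the article, from any facilitator, or from a real smart-contract platform; it models that property in plain Python using a toy SHA-256 keystream cipher standing in for whatever the ransomware actually used, a known-plaintext sample the victim still holds a trusted copy of (for instance in a backup or a sent e-mail), and an escrow object that only pays out once a candidate key reproduces that sample. The amount, key material, nonces and file contents are all constructed for the demo.

```python
"""Key-validated conditional release, as an added example of the escrow idea above."""
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter), stand-in for the real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class KeyValidatedEscrow:
    """Holds the ransom amount; pays out only when a key reproduces a known plaintext.

    The escrow never sees the plaintext itself, only its hash, so the party
    holding the funds cannot be tricked by a key that 'decrypts' to garbage.
    """

    def __init__(self, amount: int, sample_nonce: bytes, sample_ciphertext: bytes,
                 expected_plaintext_sha256: str):
        self.amount = amount
        self.sample_nonce = sample_nonce
        self.sample_ciphertext = sample_ciphertext
        self.expected = expected_plaintext_sha256
        self.released = False
        self.verified_key = None
        self.rejected_keys = 0

    def submit_key(self, candidate: bytes) -> bool:
        """Return True and release funds only if the candidate key is the right one."""
        if self.released:
            return False                       # one payout, ever
        recovered = toy_xor(candidate, self.sample_nonce, self.sample_ciphertext)
        if hashlib.sha256(recovered).hexdigest() != self.expected:
            self.rejected_keys += 1            # wrong key: funds stay locked
            return False
        self.released = True
        self.verified_key = candidate
        return True

    def paid_out(self) -> int:
        return self.amount if self.released else 0


def run_demo() -> dict:
    """Walk through a wrong key, then the right key, then recovery of a second file."""
    real_key = hashlib.sha256(b"constructed attacker key").digest()
    wrong_key = hashlib.sha256(b"constructed wrong key").digest()
    # A file the victim still has a trusted copy of elsewhere (constructed sample).
    known_plaintext = b"ACME Corp standard invoice template v3\n" * 8
    sample_nonce = b"constructed-nonce-invoice"
    sample_ct = toy_xor(real_key, sample_nonce, known_plaintext)
    # Another encrypted file, with its own nonce, that only the real key can recover.
    ledger = b"Q1 accounts receivable ledger (constructed)\n" * 4
    ledger_nonce = b"constructed-nonce-ledger"
    ledger_ct = toy_xor(real_key, ledger_nonce, ledger)

    escrow = KeyValidatedEscrow(50_000, sample_nonce, sample_ct,
                                hashlib.sha256(known_plaintext).hexdigest())
    wrong_accepted = escrow.submit_key(wrong_key)
    right_accepted = escrow.submit_key(real_key)
    recovered = (toy_xor(escrow.verified_key, ledger_nonce, ledger_ct)
                 if escrow.verified_key else None)
    return {"wrong_key_accepted": wrong_accepted,
            "right_key_accepted": right_accepted,
            "paid_out": escrow.paid_out(),
            "rejected_keys": escrow.rejected_keys,
            "ledger_recovered": recovered == ledger}


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is that validation is done against a file whose original content is independently known, not against whether the output merely “looks decrypted”: that is the check that protects against the failure mode the article describes later, where a payment buys a key that does not work, and it is the same test a facilitator should run on a sample file before any funds move, with or without a blockchain in the loop.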
Responsible ransomware facilitators can also orchestrate a payment process that will satisfy the due diligence of any reimbursing insurance companies, who may be supporting the victim corporation and recompensing them for any ransomware payments and expenses pursuant to a ransomware cyber-insurance policy.
However, while a ransomware payment process may seem straightforward and rudimentary, the reality is far more complicated and rife with challenges. No ransomware payment process can guarantee that the ransomware attacker will provide a decryption key. The ransomware scheme may be nothing more than a social engineering ruse, more like an old fashioned Nigerian Internet scam than a malware infection – and the payment could end up being all for naught.
Indeed, ransomware attackers may no longer have the encryption key or may just opt to take a ransom payment, infect a company’s system, and flee the crime scene entirely. Not only is the system of paying in untraceable bitcoin risky, but the transaction in its entirety is so risky, it hardly seems palatable. Nonetheless, the number of victim companies that pay ransomware demands continues to grow at an alarming rate, as high as 70% of the time, perhaps even higher.
Ransomware Notification/Disclosure Requirements: Ambiguous at Best
No one truly knows the magnitude of the current ransomware outbreak. This is because many ransomware victims do not report or disclose the ransomware incident to anyone – preferring instead to keep the “unpleasantness” to themselves and move on.
Given that ransomware attacks typically involve locking up data (rather than accessing or exfiltrating data), notification responsibilities relating to a ransomware attack do not neatly align with other cybersecurity-related notification obligations and triggers. Ransomware differs from most cyber-attacks in that the perpetrators of ransomware schemes do not typically abscond with sensitive customer data. Rather, ransomware attackers may merely prevent access to customer data or company systems, without doing any direct harm to any individual or theft of individual data.
For instance, if a ransomware attacker encrypts a company’s data but never accesses or exfiltrates that data, and then the ransomware attackers decrypt the data after receiving a ransom payment, there arguably never occurred any actual or specific customer harm.
In other cases, ransomware combines with other malware, such as when attackers plant a data-stealing Trojan virus in a system which can steal login credentials, and then use the credentials to encrypt data or systems or even just sell the credentials to other cyber attackers. Other times, attackers not only encrypt the victim’s data, but threaten to post the data publicly online, causing even more havoc. Ransomware variants and iterations are infinite with each type creating thorny regulatory notification requirements, replete with loopholes and vague incident definitions.
Meanwhile, disclosure of the ransomware attack can certainly inflict damage upon a company’s reputation and invite future attacks – or even prompt regulatory (or plaintiff’s bar) scrutiny for weak cybersecurity, such as having inadequate patching practices or antiquated data protection systems. Thus, if not legally required, it is not surprising that a victim company would be reluctant to disclose the ransomware attack to anyone.
State Versus Federal Notification
There is no single U.S. national data breach notification law that governs all information the same way as state data breach laws do. Thus, ransomware victim companies must determine which state privacy laws apply to them and analyze their notification obligations within each state.
However, there are also federal laws that require disclosure of data security incidents in certain instances, and usually these laws are “industry specific.” Examples of federal laws that require data breach notification are two laws governing the health care industry – the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Another example of a federal data breach notification requirement is found within the Gramm-Leach-Bliley Act (GLBA), which governs companies engaged in financial services.
In the United States, 54 jurisdictions (including 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands) have enacted some version of a data breach notification law. Under these laws, notification may be required for any customer whose personally identifiable information (PII) was acquired or accessed, or reasonably likely to have been acquired or accessed.
Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information). While most states require some form of disclosure to their residents of a data breach, depending on applicable legal standards, some states also require notification to public agencies, such as the state attorney general.
With respect to ransomware in particular, the threshold issue is a technological one, based on the educated guesswork of digital forensic and malware reverse-engineering experts, to determine the full scope of attacker activity. For instance, if the data is encrypted or otherwise “locked” through an automated process (where there is no viewing, copying, relocating or altering data), companies could argue that no disclosure is required.
However, if the malware strain deployed by the ransomware attacker also comes packaged with other types of malware designed to steal data, disclosure obligations could be triggered.
For example, “RAA” and “Betabot” are ransomware strains that also swipe usernames and passwords from logins to financial institutions, e-commerce sites, online payment platforms, and social networks. The Betabot malware masks itself as the “User Account Control” message box, but when you click on this box, it will infect your computer (see “betabox” snapshot).
None of the state breach notification statutes includes a definition of “acquisition,” but the term is commonly understood to imply a “taking,” where cyber-attackers actually “take” unencrypted PII from a computer system, moving the data from one place to another, where it can be sold or otherwise exploited. In stark contrast, a ransomware purveyor is merely encrypting the data on the victimized system, not selling any of it, but rather rendering it unusable by the system owner. Thus, counsel for a ransomware victim may sign off on keeping the incident quiet, and not disclosing the ransomware attack to any particular state.
Perhaps states will become more aggressive with respect to ransomware disclosure – it is difficult to say for sure. For example, North Carolina’s Attorney General Josh Stein and Rep. Jason Saine proposed legislation designed to strengthen the state’s identity theft protection law, adding ransomware attacks as security breaches which require organizations to “notify both the people affected and the Attorney General’s office. If the breached entity determines that no one was harmed, it must document that determination for the Attorney General’s office to review.”
Healthcare Organizations (Such as Hospitals and Other Medical Service Facilities)
One of the only regulators to have issued explicit guidance regarding ransomware notification issues is the U.S. Department of Health and Human Services (HHS). Yet, in principle, most ransomware incidents that occur at hospitals may not trigger notification.
By way of background, in July 2016, HHS issued informal guidance specifically addressing the notification obligations of healthcare providers and other businesses covered by the Health Insurance Portability and Accountability Act (HIPAA) in the event of a ransomware incident. The HHS Ransomware Guidance aims to provide healthcare organizations with information about ransomware attack prevention and recovery from a healthcare sector perspective, including how HIPAA breach notification processes should be managed in response to a ransomware attack.
Under HIPAA, covered entities are generally required to notify HHS in the event of any breach of unsecured protected health information (PHI). The HIPAA rules define a “breach” as the unauthorized “acquisition, access, use, or disclosure of PHI” that “compromises the security or privacy of the PHI.” The HHS Ransomware Guidance distinguishes ransomware from other malware, as “its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data … until a ransom is paid.”
Overall, according to the HHS Ransomware Guidance, in order to demonstrate that there is a low probability that the PHI has been compromised because of a ransomware attack, healthcare organizations have to conduct a risk assessment considering at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Thus, the HHS Ransomware Guidance states that any ransomware attack affecting PHI can qualify as a breach because the encryption implies that the PHI has been “acquired” by attackers. On this view, the attacker’s encryption of the data alone could qualify as an “acquisition” — even if the data is never viewed or stolen by the attacker. However, whether ransomware’s data encryption clearly crosses that legal threshold can be challenging to determine, which is why ransomware attacks and other data security incidents at health care organizations often go unreported.
Indeed, given that some ransomware strains do not communicate with a command and control server after installation, oftentimes not even the ransomware attackers gain access to the PHI. In such cases, the PHI clearly remains confidential and secure — in fact, it is arguably even more secure and secret since it is now encrypted — and therefore would not require disclosure to HHS.
Consumer Banks and Loan Companies
Passed in 1998, the Gramm-Leach-Bliley Act (GLBA) is a comprehensive package of banking and financial legislation, which includes significant data privacy and security requirements. Banks, brokers, mortgage companies, lenders, and financial advisers all fall under this law’s data obligations. Specifically, GLBA requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.
GLBA requires various federal agencies — including the Federal Trade Commission, the Federal Reserve, Treasury Department, and the Securities and Exchange Commission (SEC) — to write their own specific data security regulations, known as safeguards rules, for protecting customer data and to “establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of customer information.”
Per the GLBA, when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, such as a ransomware attack, the institution should conduct an investigation to determine the likelihood that the information has been or will be misused. If there is a determination that the misuse has occurred or is reasonably possible, the institution must notify the affected customer as soon as possible, unless there is a law enforcement determination that notification will interfere with a criminal investigation.
U.S. Public Companies
For U.S. public companies, there is always some wiggle room when it comes to ransomware attack disclosure to shareholders.
By way of background, in 2000, the SEC issued its data safeguards interpretation of GLBA known as Regulation S-P (17 CFR 248.30) for brokers, dealers, investment companies and investment advisors. The SEC safeguards regulations have no requirement for data breach notification. Similar to the FTC’s rules, companies falling under the SEC’s GLBA related data regulations should have breach response as part of a security program, and should issue breach notifications to relevant authorities and individuals.
However, on Oct. 13, 2011, the SEC released its first-ever staff guidance pertaining exclusively to the cybersecurity-related disclosure obligations of public companies, including data security incidents such as a ransomware attack. The SEC then followed up just recently, on February 21, 2018, issuing a second round of similar public company cybersecurity disclosure guidance.
The SEC guidance covers a public company’s reporting responsibilities both just after a cyberattack, as a “material” event, and before one, as a “risk factor.” The SEC does not differentiate ransomware attacks from other cyber-attacks, but that distinction does not matter, because the type of attack is not what counts. What is relevant is whether the data security incident – be it cyber-attack or ransomware demand – is material.
From the SEC’s perspective, the requirements outlined in its guidance introduce nothing new but, instead, merely clarify the SEC’s long-standing requirement that public companies report “material” events to their shareholders, i.e., important developments or events that “a reasonable investor would consider important to an investment decision.”
What precisely renders an event material has plagued securities lawyers for years and has been the subject of countless judicial decisions, SEC enforcement actions, law review articles, law firm guidance and the like. With the 2011 Guidance and the 2018 Guidance, the SEC officially added cybersecurity into the mix of disclosure by putting every public company on notice that cyber-attacks and cybersecurity vulnerability fall squarely within a public company’s reporting responsibilities.
With respect to ransomware attacks, companies do not appear to be reporting them — probably because they are deemed not material. Given the increasingly complex and tricky nature of recent ransomware attacks, the SEC staff is also probably allowing public companies some latitude, giving companies a chance to get their arms around a situation before mandating the filing of any sort of disclosure. In fact, the SEC has only filed one enforcement action (involving Yahoo’s disclosure failures concerning its 2014 data breach) alleging any data security incident disclosure failure, let alone a disclosure relating to ransomware.
Financial Firms (Such as Broker-Dealers)
With respect to the 3,800 broker-dealer firms licensed by the Financial Industry Regulatory Authority (FINRA), whether to notify FINRA of a ransomware attack is not always clear, and there exists no specific rule or official FINRA Notice to Members on the point.
However, there are several references to the issue of cyber-attack disclosure on FINRA’s website, including on its “Cybersecurity Topic Page” (with similar guidance found on FINRA’s Checklist for Compromised Accounts page) stating:
“In case of a disruptive attack or a breach: Firms should get to know their local Federal Bureau of Investigation (FBI) and proactively plan for a cybersecurity attack or breach. In case your firm is the victim of a disruptive attack or breach, for instance your data has been accessed or your customers cannot do business, you should immediately report the incident to your local FBI field office, and FINRA Regulatory Coordinator (RC).”
Given that notification to FINRA of a ransomware attack could trigger for-cause examinations from the SEC and from FINRA, victim companies will probably remain reluctant to notify them. In this light, a FINRA-regulated entity’s concerns about establishing an unnecessary (and unduly burdensome) precedent and expectation also make sense, especially if its relationship with FINRA is solid and notification would be highly unusual.
Although the regulatory landscape is changing and FINRA expectations with respect to notification of cybersecurity incidents have become more acute, there exists no requirement or standard to apply, so there is at least some latitude to pause. And while a ransomware victim’s lack of disclosure could possibly draw the ire of FINRA (sparking enhanced regulatory oversight or investigation), that lesser risk might be preferable to the more likely and far greater risk of a for-cause FINRA compliance exam.
Given the lack of any specific FINRA rule, with respect to determining FINRA disclosure obligations after a ransomware attack, the only disclosure responsibility left falls under the implicit disclosure rule of candor with one’s regulator and the public service obligation of letting regulators and law enforcement know about a particular threat to financial markets. The key is to engage in a robust discussion about notification issues, and for a firm’s internal compliance executives to contribute to a thoughtful and reasonable recommendation.
The same approach probably applies to the SEC’s supervision of broker-dealers (as well as investment advisors, mutual funds and other SEC-registered firms). In fact, the SEC’s recent advisory about ransomware for SEC-regulated entities says nothing about disclosure. Instead, the May 17, 2017 Risk Alert published by the SEC’s Office of Compliance Inspections and Examinations (OCIE) focused on providing guidance and information that financial firms may wish to consider when addressing cybersecurity risks and response capabilities.
Once again, more wiggle room for the reluctant ransomware victim who would rather not disclose the unpleasantness, preferring to move on (and do so quietly).
When A Ransomware Attack May Also be a Regulatory Failure
If a ransomware attack brings to light significant regulatory failures, material weaknesses or possible securities regulation violations, or is of the type of conduct that was of concern as reflected in a prior SEC or FINRA deficiency letter, then analysis shifts to a far different paradigm. Under such circumstances, the general approach will likely be one of candid disclosure in hope of getting credit when an enforcement or administrative action is ultimately filed or ordered.
Having said that, however, early disclosure is no guarantee that a company will receive any credit or good will — and in fact, the reluctance of SEC and FINRA staff to give “informal cooperation credit” is a common gripe of SEC and FINRA defense attorneys. The collective perception is that cooperation is not seriously considered and is too often given only short shrift, and that unless it is done perfectly, done fully and done early, it is not given adequate consideration.
Thus, ransomware attack disclosure to SEC or FINRA might NOT be appropriate if the ransomware attack is:
- Not very different or unusual relative to other attacks a firm has investigated;
- Not anywhere near a cataclysmic or critical event for the global financial marketplace, the firm, its customers, its affiliates, etc.; and
- Being handled thoughtfully and professionally and in accordance with robust policies, practices and procedures; and “par for the course” among financial firms and all public companies.
If the above criteria are met, a firm can opt to alert FINRA or the SEC when FINRA or the SEC next visits for an inspection or examination — in the same manner a firm would alert FINRA or the SEC of significant customer complaints, employee misconduct, technological mishaps or other similar routine incidents – and that disclosure may never become public.
U.S. Banks and Bank Holding Companies
The Federal Reserve and U.S. Treasury Department have been working out the details of their GLBA-required safeguards standards, and in 2005 they jointly issued the Interagency Guidelines Establishing Standards for Safeguarding Customer Information.
Per the Interagency Guidelines, financial companies that are covered by these agencies, including bank holding companies, private bankers and investment banks, may have important notification/disclosure responsibilities relating to ransomware attacks. These regulated entities “have an ‘affirmative duty’ to protect their customer’s data against unauthorized use or access, and notifying the customers is a key part of that duty.” (emphasis added). The company, however, must first determine whether misuse of the information has occurred or is reasonably possible.
In the case of a ransomware attack, whether encryption alone is considered a misuse of data under Treasury or Federal Reserve guidelines is not clear – and may not trigger a notification to customers. Clearly, the spirit of the various GLBA safeguard rules would lean toward disclosure, but whether there exists a strict obligation to do so remains a matter of interpretation and judgment.
DOJ’s Best Practices for Victim Response and Reporting of Cyber Incidents is an official government publication which encourages companies to engage with law enforcement when a data security incident occurs (including ransomware), but there is no legal requirement to do so. The guidance states:
“If an organization suspects at any point during its assessment or response that the incident constitutes criminal activity, it should contact law enforcement immediately. Historically, some companies have been reticent to contact law enforcement following a cyber incident fearing that a criminal investigation may result in disruption of its business or reputational harm. However, a company harboring such concerns should not hesitate to contact law enforcement. The FBI and U.S. Secret Service place a priority on conducting cyber investigations that cause as little disruption as possible to a victim organization’s normal operations and recognize the need to work cooperatively and discreetly with victim companies. They will use investigative measures that avoid computer downtime or displacement of a company’s employees. When using an indispensable investigative measure likely to inconvenience a victim organization, they will do so with the objective of minimizing the duration and scope of any disruption.”
Interestingly, the DOJ’s Guidance reminds companies of one of the benefits of federal law enforcement notification of a cyber-attack such as a ransomware attack: a possible temporary reprieve from state reporting obligations. The DOJ Guidance states:
“ . . . [M]any [state] data breach reporting laws allow a covered organization to delay notification if law enforcement concludes that such notice would impede an investigation. State laws also may allow a victim company to forgo providing notice altogether if the victim company consults with law enforcement and thereafter determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed. Organizations should consult with counsel to determine their obligations under state data breach notification laws. It is also noteworthy that companies from regulated industries that cooperate with law enforcement may be viewed more favorably by regulators looking into a data breach.”
While notification to federal law enforcement of a ransomware attack may be expected by the regulators, shareholders, customers, partners and the many other constituencies potentially impacted by a ransomware attack, many corporate ransomware victims may still opt to remain quiet about the incident.
On the one hand, a ransomware victim is being unlawfully extorted and needs federal help, protection and advice. Moreover, a ransomware victim will want to demonstrate that they are availing themselves of all available resources to protect against the potentially ongoing or future harm from the ransomware attackers.
But on the other hand, notification to federal law enforcement may never become public – and it can have costly and complicated ramifications. For example, law enforcement agencies may: seek from the victim company forensic images of affected systems; request to attach a recording appliance to a victim company’s network in hope of capturing traces of possible future attacker activity; ask to receive briefings of all findings from any incident response efforts; and want a range of other information, technological data and interviews.
These resulting requests are not only costly, burdensome and disruptive but they also raise a host of legal issues, including whether providing information to law enforcement could violate customer privacy or inadvertently waive the attorney-client privilege.
Historically, the U.S. Federal Trade Commission (FTC) has been the most active with respect to privacy protections arising from a cyber-attack, and its jurisdiction continues to expand. However, with respect to ransomware attack disclosure, the FTC’s position is foggy at best.
Previously the subject of some controversy and confusion, the FTC’s jurisdiction was reinforced (in what some commentators cited as a sea-change) when the Third Circuit Court of Appeals affirmed a federal district court’s decision, FTC v. Wyndham Worldwide Corp., holding that the FTC has authority to regulate a company’s inadequate cybersecurity practices.
In addition, the FTC (and other federal agencies that regulate financial institutions, including the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency and the SEC) has issued regulations to implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which, together with the Fair Credit Reporting Act (FCRA), protects information used in credit, insurance and employment decisions. The FTC also, in 2002, finalized its GLBA-required Safeguards Rule (16 CFR 314), which covers financial companies offering consumer lending and consumer investment advice. These companies are required to have a program in place for “detecting, preventing and responding to attacks, intrusions, or other systems failures.”
Though none of the FTC’s regulations mandate disclosure/notification for ransomware attacks, the FTC’s official publication, Data Breach Response: A Guide for Business, states that companies should report data security incidents (presumably including incidents involving ransomware) to law enforcement as follows:
“Call your local police department immediately. Report your situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be. If your local police aren’t familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service.”
In May 2015, the FTC published a blog post in which it explained how important it views reporting of cybersecurity incidents to law enforcement:
“We’ll also consider the steps the company took to help affected consumers, and whether it cooperated with criminal and other law enforcement agencies in their efforts to apprehend the people responsible for the intrusion. In our eyes, a company that has reported a breach to the appropriate law enforcers and cooperated with them has taken an important step to reduce the harm from the breach. Therefore, in the course of conducting an investigation, it’s likely we’d view that company more favorably than a company that hasn’t cooperated.”
In short, the FTC requires companies such as financial firms that offer consumer lending and consumer investment advice to have a program in place for “detecting, preventing and responding to attacks, intrusions, or other systems failures.” However, there is no explicit data breach notification requirement in the FTC’s regulations, including for ransomware attacks.
Pursuant to the European Union’s new General Data Protection Regulation (GDPR), effective May 25, 2018, there is a requirement to notify the supervisory authority and affected data subjects when “personal data” is accessed, without undue delay (no later than 72 hours) after becoming aware of a data breach, unless it is unlikely to cause a risk to the affected individuals.
With respect to a ransomware infection that occurs on a considerable number of workstations and servers that are central to processing personal data, the attack could constitute a breach under the GDPR.
However, there is a glitch: the GDPR applies a harm-based threshold to its criterion, which arguably creates a significant exception for ransomware. For example, per Article 34 (1) of the GDPR, notice is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons,” a phrase that will undoubtedly offer data protection officers and their outside counsel opportunities to debate the necessity of notification and arguably avoid notification conditions altogether.
With respect to notification to “affected data subjects,” there is also an explicit string of exceptions. The GDPR provides exceptions to this additional requirement to notify data subjects in the following circumstances: (1) the controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption”; (2) the controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize; or (3) when notification to each data subject would “involve disproportionate effort,” in which case alternative communication measures may be used.
The bottom-line: Just like every other law enforcement and regulatory authority, given that ransomware attacks typically do not involve the purloining of data, the GDPR offers flexibility of interpretation, and will be very dependent on specific circumstances. Moreover, given its overall opacity, some organizations may decide that the risk of being hit with a GDPR fine far outweighs the risk of not disclosing a ransomware attack.
A Matter of Contract
Failure to notify law enforcement or anyone else about a ransomware attack might not just be a matter of self-preservation for corporate ransomware victims, it may also be a matter of contract (albeit an illegal and unenforceable one).
Consider the recent rants of the notorious cyber-attacker (or perhaps gang) known as the “Dark Overlord,” known for targeting banks, healthcare insurance firms, plastic surgery clinics, media giants like Netflix, and Steve Harvey’s Funderdome TV show.
Per recent reports, the group has gone as far as leaking student data and sending death threats (see above snapshot) to the Iowa-based Johnston Community School District, forcing it to close some of its schools. The messages, sent to parents via text, included threats of physically harming their kids and even killing them.
According to Motherboard, in an announcement published on Pastebin, the Dark Overlord points to several different insurers and legal firms, claiming specifically that it hacked Hiscox Syndicates Ltd, Lloyds of London, and Silverstein Properties.
The stolen data according to the group includes emails, non-disclosure agreements, liability analysis, retainer agreements, defense formations, litigation strategies, settlements, collection of expert witness testimonies, testimonies, communications with government officials in countries all over the world, voice mails, dealings with the FBI, USDOJ, DOD and other confidential communication.
The stolen data apparently relates to the 9/11 related-work of law firms representing a slew of different plaintiffs and defendants, including: first responders seeking compensation for exposure to contaminants at the site, the owner of the towers looking to collect from the airlines that let the hijackers on board, victims looking to haul the government of Saudi Arabia into U.S. court, and others.
According to the Dark Overlord’s Pastebin post, Hiscox is well aware of the attack and paid the initial ransom but breached its agreement by involving law enforcement authorities. The Pastebin posting states:
“This involvement with law enforcement became clear to us months later through a source of ours disclosing details of the client to us that we never informed the source about. We were absolutely appalled by this transgression against our agreement. We decided to offer this company a second chance to repent, accept responsibility, and satisfy our penalty request. They declined to accept our offer, so we’re here today . . . If a full public release happens in the near future, we’ll guarantee that we’re going to withhold only the most highly confidential and sensitive documents for private sale. For the rest of you: don’t worry, there’s thousands of documents still to go around . . . If you’re one of the dozens of solicitor firms who was involved in the litigation, a politician who was involved in the case, a law enforcement agency who was involved in the investigations, a property management firm, an investment bank, a client of a client, a reference of a reference, a global insurer, or whoever else, you’re welcome to contact our e-mail below and make a request to formally have your documents and materials withdrawn from any eventual public release of the materials. However, you’ll be paying us.”
To prove their hack, the Dark Overlord hackers also published 16 screenshots of one victim’s internal communications. They also published a download link apparently containing 10GB of encrypted data whose decryption keys will be published later on their official Twitter account or on a Dark Web forum called “KickAss.”
Ransomware attacks can trigger a litany of anticipated and unanticipated consequences for victim companies – including millions of dollars in related costs and expenses; unquantifiable potential liabilities; overwhelming management drag; and significant operational and reputational damage. Meanwhile the ransomware industry seems to be thriving, with ransomware payment demands growing in size and audacity and malware sophistication growing in intricacy and efficacy.
There is no doubt that the ease, anonymity and speed of cryptocurrency payments such as bitcoin have revolutionized the ransomware industry, prompting its extraordinary growth. Bitcoin not only makes it easier to remain anonymous, but it also enables a pseudonymous payment mechanism where the extorted funds can be immediately transferred into criminal hands.
Transactions in cryptocurrencies like bitcoin lack a discernible audit trail, operate outside of regulated financial networks and are alarmingly unregulated. There is no central issuer of bitcoins, nor a Federal Reserve of Bitcoins monitoring and tracking transactions or controlling their value. In short, government surveillance and regulation of cryptocurrency is virtually nonexistent (no pun intended), and so long as cryptocurrency payment schemes exist (and back-up systems fail), ransomware attacks and iterations will likely continue to thrive.
Though it is too early to tell, there may emerge some form of bitcoin regulation via Executive Order No. 13,694 (April 2015, later amended on December 29, 2016, by Executive Order 13,757), which expands sanctions to include “blocking” the property of persons engaging in “Significant Malicious Cyber-Enabled Activities.”
The order declares a “national emergency” to deal with cyber-enabled threats and extends to the assets of those who “have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any malicious cyber-enabled activities.” These activities cover significant compromises of a critical infrastructure sector, disruptions of computers or computer networks, or misappropriation of funds, trade secrets, or other information for commercial advantage. (Through the December 2016 amendment, then-President Obama took “additional steps” to deal with such malicious cyber activities in view of their increasing use “to undermine democratic processes or institutions.”)
Given that ransomware bitcoin payments are made to cyber criminals, per Executive Order 13,694, the U.S. Secretary of the Treasury, the U.S. Attorney General and/or the U.S. Secretary of State could freeze or “block” assets of any participant in the bitcoin financial chain. Such dramatic government intervention could discourage the purveyors of ransomware attacks, who depend on bitcoin for receiving payments.
Clearly, any governmental intervention should begin at the “front end,” depriving cybercriminals of access to financial channels and imposing financial penalties, and end at the “back end,” particularly asset forfeiture to recover the proceeds of criminal activity. The government could also take additional steps to combat ransomware such as:
- Providing financial incentives for private investment in ransomware prevention and remediation technologies;
- Bringing more enforcement actions (as both criminal actions and FinCEN regulatory actions);
- Speaking more boldly to discourage ransomware payments that monetize crime, perhaps via the Financial Crimes Enforcement Network (FinCEN) or via a task force of state and federal law enforcement agencies. U.S. defense and intelligence agencies, FinCEN in particular, pride themselves on the U.S. government’s ability to track and disrupt the illicit financial networks that work through traditional banks and finance channels and are more than up to the task of stepping up enforcement and regulatory efforts; or
- Adding more ransomware attackers to terrorist lists. For example, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on two Russian individuals for engaging in malicious cyber-enabled activities. One of the individuals was responsible for the development and use of Cryptolocker, a form of ransomware, which infected over 120,000 U.S. victims. According to OFAC, he and his group are responsible for taking over $100 million from financial institutions and government agencies.
- Creating new legal penalties for ransomware payments in a manner similar to the FCPA, rendering the option of paying ransom costlier, thus nudging firms toward choosing greater security.
But these government measures remain somewhat theoretical and, even if implemented, might still fail to stem the dramatic growth of ransomware. The reality is that when it comes to ransomware attacks, the government seems idle and relatively powerless, which means ransomware victims are often on their own. So what should companies do to manage the increasing risk of the current ransomware crime wave?
Be prepared (e.g. deploy offsite back-ups, disaster recovery plans and the like); Be thoughtful (e.g. use professionals to implement preemptive measures and help handle the response); and Be vigilant (e.g. don’t underestimate the impact of ransomware and don’t take the threat lightly).
But even under the best-case scenario, where ransomware victim companies have maintained archives and can keep their businesses alive, they will still incur significant remedial costs, business disruptions and exhaustive management drag. Moreover, having a back-up storage solution in place is not always ideal: not only can outside storage of data create additional cybersecurity risks, but sometimes data archives are more like the proverbial roach motels, where data checks in but it can’t check out.
The only guarantees during a ransomware attack are the feelings of fear, uncertainty, vulnerability and dread inevitably experienced by the corporate victim. Someone needs to stop the madness – or in the least, start talking about it. Right now, the silence is deafening.
John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He has taught most recently as Senior Lecturing Fellow at Duke University Law School Winter Sessions and is teaching a cyber-law course at Duke Law in the Spring 2019 semester. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook.”