A Guide to Ransomware Legal Implications and Ransomware Insurance Policy Considerations
Ransomware is one of the most dangerous cybersecurity threats today. Ransomware attacks have grown in prominence, sophistication, cost, and frequency in recent years, especially during the pandemic. As ransomware techniques change, companies must decide, based on strategic considerations and a risk assessment, whether to engage with the threat actors and/or pay the ransom.
Sophos reports that in the past year ransomware attacks affected 51% of the companies surveyed. Cybersecurity Ventures has projected that a business will be hit by a ransomware attack every 11 seconds, with global damages reaching $20 billion annually.
The most important legal question after a ransomware attack is whether the organization will pay the threat actor. Although more than 60% of firms have paid the ransom, doing so can have serious legal implications.
Legal Aspects of a Major Cybersecurity Incident
- Immediate Response Actions/Crisis Management
- Internal Incident Response and Investigation
- Vulnerability Disclosures
- Forensics and Technical Investigation
- Post-Mortem Analysis and Enhancements
- Insurance Coverage Review
- Notifications to Individuals and Regulators
- Customer/Partner Inquiries and Relations
- Public Relations and Internal Communication
- Coordination with Law Enforcement/Info Sharing
- SEC Query or Investigation
- Consumer Protection/Data Protection Authorities Inquiries and Investigations
- Other Regulatory Inquiries and Investigations
- Legislative Investigation and Inquiries
What data do organizations have?
- Personal Information
  - Personally Identifiable Information (PII): such as name, address, contact information, and date of birth
  - Sensitive Personal Information (SPI): such as PHI, payment card information, financial account numbers, SSNs, and government-issued IDs
- Sensitive and Proprietary Information
  - Intellectual Property (IP): such as patented technology and trade secrets
  - Competitive Information: such as market analyses, financial reports, marketing strategies, new product development, and customer lists
Ransomware Insurance Policy Considerations:
- Enforcement by the Federal Trade Commission (FTC): “A company’s inability to protect its networks against ransomware can cause significant harm to the consumers (and employees) whose personal data is hacked,” the FTC wrote in a blog post. In some situations, a company’s inability to keep its regular business running during a ransomware attack may also cut people off from vital services, such as medical care in an emergency. The FTC has observed that a business that neglects to patch vulnerabilities in its systems and keep its applications updated may be in violation of Section 5 of the FTC Act, and in a number of enforcement actions it has shown that it is prepared to bring Section 5 cases against businesses whose data security incidents were caused by malware exploiting such vulnerabilities.
- Breach Notification Laws: Laws in all 50 U.S. states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands require that, when personal information is acquired or accessed without authorization, notice be given to the affected individuals and, in certain jurisdictions, to regulators. Certain federal laws, such as the Health Insurance Portability and Accountability Act (HIPAA), also require notification of some breaches of covered information, and breach notification regulations are increasingly being adopted globally. If a ransomware attack results in the unauthorized acquisition of or access to protected data, the applicable breach notification laws may require the impacted organization to notify the relevant parties. Note that under HIPAA the encryption of ePHI by ransomware is itself presumed to be a breach unless the entity can demonstrate, through a documented risk assessment, a low probability that the data was compromised.
- Litigation: Litigation is another risk when ransomware leads to a breach of covered information. Plaintiffs’ attorneys continue to pursue noteworthy breaches, and although winning such cases against impacted entities is becoming more difficult, companies are still reaching sizable settlements with affected individuals. Affected companies frequently dispute with their insurers over reimbursement of attack-related expenses, and they may also be sued by business partners whose data is compromised. Companies must also be aware of shareholder derivative litigation, which frequently follows disastrous security breaches.
- Laws pertaining to data security: Numerous U.S. states have passed legislation requiring organizations that hold specific kinds of personal information about their residents to meet general information security standards for that information. These laws generally require companies that own or license personal information about state residents to implement reasonable security procedures and practices to protect the data against unauthorized access, destruction, use, modification, and disclosure; Section 1798.81.5 of the California Civil Code is one example. If a ransomware attack succeeds because appropriate precautions were not taken, the impacted organization can face liability under the relevant state security laws.
- Agency Guidance: Because these attacks keep evolving, government authorities regularly publish guidance to help businesses respond to ransomware attacks. For example, the Department of Health and Human Services Office for Civil Rights, which oversees HIPAA compliance, released a fact sheet advising healthcare organizations on how to prevent, investigate, and recover from ransomware attacks, and the FBI has created ransomware resources aimed at CEOs and Chief Information Security Officers. This guidance should be reviewed carefully, both to help prevent and recover from ransomware attacks and to understand their possible criminal and enforcement ramifications.
Although the most widely publicized attack to date was the recent worldwide one, ransomware is a growing problem and part of a broader trend in the changing threat landscape. Businesses and other organizations should keep the legal considerations above in mind when attempting to prevent, investigate, and recover from these disruptive attacks.
Obligations and Costs
Regardless of which specific laws and contractual requirements apply, common elements determine an entity’s obligations during a cyberattack and drive its costs. Among them are:
- Notification requirements: Entities must bear the cost of notifying individuals, regulators, and, in some situations, the media and other third parties. This is less simple than it sounds, because different laws have varying rules on what must (and must not) be included in a notice. The regulations also set different requirements for the form of notification, including when a physical letter is required and when a “substitute notice” is an acceptable way to reach impacted parties.
- Credit monitoring and identity restoration services: Depending on how sensitive the personal information involved is, state and federal regulations may require that impacted individuals be offered free credit monitoring for one to two years. Entities may also choose to pay for identity restoration services to reduce the potential harm to individuals (and perhaps the likelihood of litigation).
- Regulator investigations and inquiries: Regulators have broad powers to conduct formal investigations or informal inquiries into cyberattacks. For example, the HHS Office for Civil Rights (OCR) investigates HIPAA-regulated entities whenever a cyberattack results in breach notification to more than 500 affected individuals. Responding to written inquiries and document requests can take months or years, and investigations frequently expand from the details of a particular cyberattack to the broader cybersecurity program and risk management practices.
- Penalties: Violators of certain laws may be subject to severe penalties, and these are not always mutually exclusive: the same cyberattack may result in sanctions from several regulators.
- Litigation: Class-action attorneys continue to find creative ways to bring lawsuits over suspected cyberattacks. Before the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), which provide statutory damages of up to $750 per consumer per incident (or actual damages, if greater), smaller cyberattacks were rarely the subject of litigation. Publicly traded companies may also face shareholder lawsuits and securities litigation after cyberattacks, with the latter alleging mismanagement of the cybersecurity program or a failure to respond adequately to the attack.
How organizations assess risk and get prepared for it:
- Conduct exercises to assess preparedness
- Confirm adequate safeguards are in place
- Plan response
- Conduct periodic risk assessments
- Have the right people in place
- Set the tone from the top
- Develop policies and governance mechanisms
- Evaluate insurance coverage
Every company should respond immediately and contact the appropriate authorities, although the details vary with the industry and the severity of the impact on affected systems. It is best to follow the rules the law has established, because failing to disclose the attack, or paying the ransom, can result in severe fines and penalties.
Although the federal government lacks clear, comprehensive regulations specific to ransomware, it treats a ransom payment as a financial transaction. Because of this, paying, or facilitating a payment to, a sanctioned attacker is prohibited and can carry serious consequences. Most of these cases fall under the jurisdiction of the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury, which has warned that sanctions violations are assessed on a strict-liability basis: a victim can be penalized even if it did not know the recipient was sanctioned.
The Trading with the Enemy Act (TWEA) and the International Emergency Economic Powers Act (IEEPA) contain strict prohibitions on financial dealings with sanctioned foreign parties. U.S. persons are prohibited from doing business with any person or organization on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) list, and dealing with parties subject to an embargo is illegal as well.
Organizations should contact the appropriate authorities rather than pay the ransom. The Strengthening American Cybersecurity Act of 2022 (SAC), whose incident-reporting provisions were enacted as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), requires covered critical infrastructure entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and to report any ransom payment within 24 hours of making it; these obligations take effect once CISA’s implementing rule is final, and non-compliance exposes an entity to enforcement action.
Reporting to CISA, however, is only the starting point. Victims should also contact the FBI’s cyber task force, OFAC’s Sanctions Compliance and Evaluation Division, and the Department of Homeland Security. These organizations deal with ransomware attacks frequently and are well versed in handling them.
Most businesses panic when they discover that an attacker has locked up their data and is demanding payment for its release. Meeting the attacker’s demands is still the worst course of action. Reporting the incident to law enforcement may expose an organization to security and privacy penalties, but it avoids the far larger penalties, potentially hundreds of thousands of dollars, for violating the Strengthening American Cybersecurity Act, TWEA, or IEEPA.
Finally, it is critical to remember that insurance cannot replace the strong internal controls every company should be implementing. Some of the best defenses against these attacks include frequent, redundant, encrypted backups (kept offline or otherwise isolated so the ransomware cannot encrypt them too), advanced email filtering and detection, password change procedures, and staff training programs.