Ransomware: Legal Cheat Sheet for Breach Notification

You respond to a ransomware attack in many of the same ways you would to any other cyber attack. In short: have plans in place to analyze the malware, contain the damage, restore operations if need be, and notify any regulatory or enforcement authorities.

And your legal, IT, and communications team should be working together in all your response efforts. Legal meet IT, IT meet legal.

So far so good. But ransomware is a different animal.

Unlike in just about any other cyber attack, the hackers announce what they’re doing: it’s called a ransom note.

The discovery process therefore happens far more quickly, not as is often the case, months later.

And the hackers’ goal is to leave the data on site, encrypted of course, so there’s no immediate concern of credit card or account theft.

I suppose those are some minor pluses to ransomware. However, this raises a big legal question.

Since the data is just accessed, but not exposed to outsiders, does this mean that the victim won’t have to notify authorities and consumers as required by the few US data laws and regulations that have breach notification language?

We thought it was an interesting question as well.

And that’s why we wrote a white paper on this important (if somewhat obscure) legal topic.

The paper provides essential background on the data security laws that many US companies will have to deal with: Health Insurance Portability and Accessibility Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), state laws, and the EU’s own data laws.

It’s a great read for those directly involved in a breach response. But to spare the casual IT person from all the legalese,  we’ve mercifully put together this cheat sheet.

Breach Notification Rules for Ransomware

The real issue to investigate is whether unauthorized access alone triggers a notification to customers. In effect, that is what ransomware is doing – accessing your PII without your permission.

We present for your ransomware breach response edification the following:

1. Healthcare – HIPAA’s Breach Notification rules requires covered entities (hospital, insurers) to notify customers and the Department of Health and Human Services (HHS) when there’s been unauthorized access to protected health information (PHI). This is the strictest federal consumer data laws when it comes to a ransomware breach response. There are, though, some exceptions so read the paper to learn what they are!
2. Consumer banks and loan companies – Under GLBA, the Federal Trade Commission (FTC) enforces data protection rules for consumer banking and finance through the Safeguards Rule. According to the FTC, ransomware (or any other malware attack) on your favorite bank or lender would not require a notification. They recommend that these financial companies alert customers, but it’s not an explicit obligation.
3. Brokers, dealers, investment advisors – The Securities and Exchange Commission (SEC) has regulatory authority for these types of investment firms. Under GBLA, the SEC came up with their own rule, called Regulation S-P, which does call for a breach response program. But there’s no explicit breach notification requirement in the program. In other words, it’s something you should do, but you don’t have to.
4. Investment banks, national banks, private bankers – With these remaining investment companies, the Federal Reserve and various Treasury Department agencies jointly came up with their own rules. In this case, these companies have “an affirmative duty” to protect against unauthorized use or access, and notification is part of that duty. In the fine print it says, though, that there has to be a determination of “misuse” of data. Whether ransomware’s encryption is misuse of the data is unclear. In any case, the rules spell out what the notification must contain — a description of the incident and the data that was accessed.
5. US state laws – Currently, there are 48 states that have consumer breach notification laws. However, only two states, New Jersey and Connecticut, require a breach notification on access alone, thereby covering a ransomware attack. But there’s additional fine print that may allow companies to avoid reporting the breach to affected consumer in their state.
6. EU data laws – Under the Data Protection Directive (DPD), there isn’t a breach notification requirement. Some countries such as Germany, though, have added it in their national data laws. (And ISPs and telecoms under the EU’s e-Privacy Directive already have their own breach reporting rule.) But the new EU General Data Protection Regulation, which will go into effect in 2018, does have a 72-hour rule requiring notification to local data protection authorities (DPAs) and consumers when “personal data” is accessed. However, a harm-based threshold is applied – the breach would have to “result in a risk to the rights and freedoms” of consumers. Notification for a ransomware attack would be very dependent on specific circumstances, and we’ll likely have to wait for more clarification from the regulators.

That’s the cheat sheet. However, the white paper provides a lot more context, and also goes into a few of the subtleties, particularly involving HIPAA .

Our view?

Always report a ransomware breach to the appropriate agencies and law-enforcement authorities.

For IT people who want to impress their peers in the legal department, and for legal eagles who need some quick background on ransomware, this white paper covers it all. Download it today!