Ransomware: Legal Cheat Sheet for Breach Notification

Michael Buckbee
3 min read
Last updated October 21, 2021

You respond to a ransomware attack in many of the same ways you would to any other cyber attack. In short: have plans in place to analyze the malware, contain the damage, restore operations if need be, and notify any regulatory or enforcement authorities.

And your legal, IT, and communications teams should be working together in all your response efforts. Legal, meet IT; IT, meet legal.


So far so good. But ransomware is a different animal.

Unlike in just about any other cyber attack, the hackers announce what they’re doing: it’s called a ransom note.

Discovery therefore happens far more quickly, rather than months later, as is often the case with other breaches.

And the hackers’ goal is to leave the data in place, encrypted of course, so there’s no immediate concern about credit card or account theft. (That holds only for the classic encrypt-and-extort model. If the attackers also copied data out before encrypting it, you have an ordinary data breach on top of the ransomware, and the access-only analysis below no longer applies.)

I suppose those are some minor pluses to ransomware. However, this raises a big legal question.

Since the data is just accessed, but not exposed to outsiders, does this mean that the victim won’t have to notify authorities and consumers as required by the few US data laws and regulations that have breach notification language?

We thought it was an interesting question as well.

And that’s why we wrote a white paper on this important (if somewhat obscure) legal topic.

The paper provides essential background on the data security laws that many US companies will have to deal with: the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), state laws, and the EU’s own data laws.

It’s a great read for those directly involved in a breach response. But to spare the casual IT person from all the legalese, we’ve mercifully put together this cheat sheet.

Breach Notification Rules for Ransomware

The real issue to investigate is whether unauthorized access alone triggers a notification to customers. In effect, that is what ransomware is doing – accessing your PII without your permission.

We present for your ransomware breach response edification the following:

  1. Healthcare – HIPAA’s Breach Notification Rule requires covered entities (hospitals, insurers) to notify affected individuals and the Department of Health and Human Services (HHS) when there’s been unauthorized access to protected health information (PHI). This is the strictest federal consumer data law when it comes to a ransomware breach response: HHS guidance treats ransomware encryption of PHI as a presumed breach unless the entity can show a low probability that the PHI was compromised. There are, though, some exceptions, so read the paper to learn what they are!
  2. Consumer banks and loan companies – Under GLBA, the Federal Trade Commission (FTC) enforces data protection rules for the consumer lenders and finance companies outside the banking regulators’ jurisdiction through the Safeguards Rule. According to the FTC, ransomware (or any other malware attack) on your favorite bank or lender would not, by itself, require a notification. The FTC recommends that these financial companies alert customers, but it’s not an explicit obligation.
  3. Brokers, dealers, investment advisers – The Securities and Exchange Commission (SEC) has regulatory authority over these types of investment firms. Under GLBA, the SEC wrote its own rule, Regulation S-P, which does call for safeguards and a breach response program. But there’s no explicit breach notification requirement in it. In other words, notifying customers is something you should do, but not something you have to do.
  4. Investment banks, national banks, private bankers – For these remaining institutions, the Federal Reserve and various Treasury Department agencies jointly issued their own rules. Here the institution has “an affirmative duty” to protect against unauthorized use or access, and notification is part of that duty. In the fine print, though, notice is owed when the institution determines that “misuse” of the information has occurred or is reasonably possible. Whether ransomware’s encryption counts as misuse of the data is unclear. In any case, the rules spell out what the notification must contain: a description of the incident and the data that was accessed.
  5. US state laws – Every state now has a consumer breach notification law (Alabama and South Dakota were the last to enact one, in 2018). However, only two states, New Jersey and Connecticut, require a breach notification on access alone, thereby covering a ransomware attack. But there’s additional fine print that may allow companies to avoid reporting the breach to affected consumers in their state.
  6. EU data laws – Under the old Data Protection Directive (DPD), there wasn’t a general breach notification requirement. Some countries, such as Germany, added one in their national data laws. (And ISPs and telecoms under the EU’s e-Privacy Directive already have their own breach reporting rule.) The EU General Data Protection Regulation (GDPR), in force since May 2018, changes that: a personal data breach must be reported to the supervisory authority (the local DPA) within 72 hours unless it is “unlikely to result in a risk to the rights and freedoms” of individuals, and to the affected individuals themselves, without undue delay, when that risk is high. Note that the GDPR defines a breach to include “destruction, loss, alteration” of personal data as well as unauthorized access, so encrypting data and making it unavailable is itself a breach; the EU regulators’ breach notification guidelines use ransomware as one of their examples. Whether a given attack clears the risk threshold still depends on the specific circumstances, above all whether you had usable backups and whether data was also copied out.

That’s the cheat sheet. However, the white paper provides a lot more context, and also goes into a few of the subtleties, particularly involving HIPAA.

Our view?

Always report a ransomware breach to the appropriate agencies and law-enforcement authorities.

For IT people who want to impress their peers in the legal department, and for legal eagles who need some quick background on ransomware, this white paper covers it all. Download it today!
