On May 12, 2017, a massive ransomware attack began affecting tens of thousands of computer systems in over 100 countries. The ransomware, known as “WannaCry,” leverages a Windows vulnerability and encrypts files on infected systems and demands payment for their release. If payment is not received within a specified time frame, the ransomware automatically deletes the files. A wide range of industries have been impacted by the attack, including retailers and other businesses, hospitals, utilities and government entities around the world.
These types of incidents can have significant legal implications for affected entities and industries for whom data access and continuity is critical (health care and finance are particularly vulnerable). As affected entities work to understand and respond to the threat of ransomware, below is a summary of key legal considerations:
- FTC Enforcement. In a November 2016 blog entry, the FTC noted that “a business’ failure to secure its networks from ransomware can cause significant harm to the consumers (and employees) whose personal data is hacked. And in some cases, a business’ inability to maintain its day-to-day operations during a ransomware attack could deny people critical access to services like health care in the event of an emergency.” The FTC also noted that “a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate Section 5 of the FTC Act.” In various FTC enforcement actions (including those against Wyndham Worldwide Corporation and ASUSTeK Computer, Inc.), the FTC has demonstrated its willingness to bring Section 5 enforcement actions against companies who experience data security incidents resulting from malware exploitations of vulnerabilities. In the event of a security compromise, the FTC also may consider the accuracy of consumer promises an organization has made regarding the security of its systems. The FTC has used the unfairness and deception doctrines to pursue companies that misrepresented the security measures used to protect consumers’ personal information from access by unauthorized parties. Nearly all data security actions brought by the FTC have been settled and have resulted in comprehensive settlement agreements that typically impose obligations for up to 20 years.
- Breach Notification Laws. In the U.S., 48 States, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have laws that require notification to affected individuals (and in some states, regulators) in the event of unauthorized acquisition of or access to personal information. Certain federal laws, such as the Health Insurance Portability and Accountability Act (“HIPAA”), also require notification for certain breaches of covered information, and there is an increasing number of breach notification laws being adopted internationally. To the extent a ransomware attack results in the unauthorized acquisition of or access to covered information, applicable breach notification laws may impose notification obligations on affected entities.
- Litigation. In the event that ransomware results in a breach of covered information, litigation is another potential risk. Despite the difficulty in bringing successful lawsuits against affected entities, plaintiffs’ lawyers continue to actively pursue newsworthy breaches, as businesses are paying significant amounts in settlements with affected individuals. Affected entities also may face lawsuits from their business partners whose data is involved in the attack, and often battle insurers over coverage of costs associated with the attack. Businesses must also be cognizant of cyber-related shareholder derivative lawsuits, which increasingly follow from catastrophic security breaches.
- Data Security Laws. A number of U.S. states have enacted laws that require organizations that maintain certain types of personal information about state residents to adhere to general information security requirements with respect to that personal information. As a general matter, these laws (such as Section 1798.81.5 of the California Civil Code) require businesses that own or license personal information about state residents to implement and maintain reasonable security procedures and practices to protect the information from unauthorized access, destruction, use, modification or disclosure. To the extent a ransomware attack results from a failure to implement reasonable safeguards, affected entities may be at risk of legal exposure under the relevant state security laws.
- Agency Guidance. Given the evolving nature of ransomware attacks, government agencies are continuously developing recommendations to help businesses respond. For example, the Department of Health and Human Services Office for Civil Rights, which enforces HIPAA, published a fact sheet advising health care entities on methods for preventing, investigating and recovering from ransomware attacks. The FBI has also developed ransomware resources directed towards Chief Information Security Officers and CEOs. This guidance should be carefully considered to help prevent and recover from ransomware attacks and to understand the potential criminal and enforcement implications of such attacks.
Ransomware is a growing concern, and while the recent global attack has been the most high-profile attack to date, it is part of an overall trend in the evolving threat landscape. Retailers and other organizations should take into account the above legal considerations in their efforts to prevent, investigate and recover from these disruptive attacks.