Ransomware from Your Lawyer's Perspective

Three good reasons why your incident response team's first call after a data breach should be to outside counsel.

Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice, Woods Rogers Vandeventer Black

June 16, 2020

5 Min Read
Dark Reading logo in a gray background | Dark Reading

Many cyber operations teams are surprised that as outside counsel, I fret about ransomware. They ask questions like: Why would counsel care that our systems are locked in place? And, why would we need to give notice to consumers or employees in a ransomware event?

The reason is because data breach statutes do not distinguish based on the types of cyber events, and I am often left trying to piece together whether notice is legally required based on scant evidence of what may or may not have left the network. Not only that, but additional liability can arise depending on the industry. As a lawyer, my job is to navigate and mitigate those risks on behalf of the client. Here's what I've learned:

1. What happens in the first few hours after discovering ransomware is mission critical to my legal analysis. When the call comes to me, the first question I always ask is: Have we preserved the logs? Whether there is a log aggregator in place or not, it is incredibly important to begin pulling log information from every location so that it can be analyzed for malicious traffic. This traffic analysis — whether data left the network — is critical to the legal analysis determining whether or not the company must give notice to consumers, employees, or regulators.

If personal identifying information left the system, the company is obligated under a myriad of state statutes to give notice to affected individuals. That notice clock is 72 hours to make certain notifications in Europe under the General Data Protection Regulation. The definition of personal identifying information varies wildly based on the state or regulation affected. As counsel, my first questions center on whether data left the network. If it did, my next questions in the next few hours begin revolving around how we piece together what data left or whether data was accessed on the network. But the first step is making certain we have the evidence in place to make that legal analysis. Without logs, I am left with circumstantial evidence — a fancy legal phrase meaning inferences — to make the call as to whether notice must be given. It's not ideal and requires a lot of legal experience to get to a defensible conclusion.

2. Do we negotiate with the cyber terrorists? Even with a backup, sometimes the event is so catastrophic that the timeline to restore from backup is not ideal. Or maybe you learn that the backup that you thought was being made was not actually being made. In a ransomware event, inevitably the conversation will shift to consideration of engaging with the attackers and potentially paying a ransom. I have found as outside cyber counsel that you should never say never to any scenario, although to date I have not paid a ransom. But having a bitcoin wallet prepared in the event you needed to pay a ransom is always a good idea. At least then you are not wasting precious days waiting on the KYC (know your customer) analysis in order to fund the wallet and make a payment.

Based on my experience, law enforcement will not encourage or discourage engagement with cybercriminals. That is a question left to the company or municipality alone. Also, the ransoms are getting larger — not 3 Bitcoin, but 30. With a discount offered for speedy payment, even criminals are suffering in a global pandemic and ensuing economic crisis. Whatever the case, engagement with cybercriminals needs to be done delicately and with counsel's involvement.

3. Be ready to work with law enforcement and to know whom to engage. I've had the pleasure of engaging with a number of federal agencies, federal investigators, and state investigators. In some cases, based on your industry, you may not get the choice as to whether you engage with law enforcement or not. In others, that's a call you should let your outside counsel make. Even in ransomware events, it can be beneficial to work with law enforcement, but you need to know which entity to call. Placing a call to your local FBI field office can be beneficial — but directly engaging with the FBI cybercrimes unit can expedite your getting in touch with the FBI office in charge of fielding ransomware inquiries based on that variant. I recently worked on the first case of the Pysa in the United States as outside counsel. Knowing the rules of engagement with law enforcement and who to reach out to can help you find out whether there are known decryption tools in place for that particular variant.

Like any cyber event, with ransomware, your incident response team's first call should be to outside counsel. As counsel, our job is to help bring order to the chaos but mostly to work through the legal liabilities and risks associated with the cyber event.

Related Content:

 

 

 

 

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register

About the Author

Beth Burgin Waller

Chair, Cybersecurity & Data Privacy Practice, Woods Rogers Vandeventer Black

As chair of the Cybersecurity & Data Privacy practice at Woods Rogers Vandeventer Black (WRVB), Beth's practice is fully devoted to cybersecurity and data privacy. Clients ranging from local government and state agencies to mid-market firms and Fortune 200 companies depend on Beth for advice and counsel. Beth's credentials in the field are extensive. She is a certified Privacy Law Specialist by the International Association of Privacy Professionals (IAPP), which is accredited by the American Bar Association. In addition, she is a Certified Information Privacy Professional with expertise in both US and European law (CIPP/US & CIPP/E) and a Certified Information Privacy Manager (CIPM), also from the IAPP. In 2022, the governor of Virginia appointed Beth to the Commonwealth of Virginia’s first Cybersecurity Planning Committee, a committee tasked with increasing the cybersecurity posture of public bodies and local governments in Virginia.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights