Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint

6/16/2020
02:00 PM

Ransomware from Your Lawyer's Perspective

Three good reasons why your incident response team's first call after a data breach should be to outside counsel.

Many cyber operations teams are surprised that as outside counsel, I fret about ransomware. They ask questions like: Why would counsel care that our systems are locked in place? And, why would we need to give notice to consumers or employees in a ransomware event?

The reason is that data breach statutes do not distinguish between types of cyber events, and I am often left trying to piece together whether notice is legally required based on scant evidence of what may or may not have left the network. Not only that, but additional liability can arise depending on the industry. As a lawyer, my job is to navigate and mitigate those risks on behalf of the client. Here's what I've learned:

1. What happens in the first few hours after discovering ransomware is mission critical to my legal analysis. When the call comes to me, the first question I always ask is: Have we preserved the logs? Whether there is a log aggregator in place or not, it is incredibly important to begin pulling log information from every location so that it can be analyzed for malicious traffic. This traffic analysis — whether data left the network — is critical to the legal analysis determining whether or not the company must give notice to consumers, employees, or regulators.

If personal identifying information left the system, the company is obligated under a myriad of state statutes to give notice to affected individuals. That notice clock is 72 hours to make certain notifications in Europe under the General Data Protection Regulation. The definition of personal identifying information varies wildly based on the state or regulation affected. As counsel, my first questions center on whether data left the network. If it did, my next questions in the next few hours begin revolving around how we piece together what data left or whether data was accessed on the network. But the first step is making certain we have the evidence in place to make that legal analysis. Without logs, I am left with circumstantial evidence — a fancy legal phrase meaning inferences — to make the call as to whether notice must be given. It's not ideal and requires a lot of legal experience to get to a defensible conclusion.
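As an added illustration of the log-analysis step in point 1 (example code written for this page, not from the article or its author), the script below runs over a few constructed outbound-proxy log lines: it sums bytes sent from each internal host to external destinations, flags hosts above a volume threshold, and records a SHA-256 digest of the preserved log text for an evidence manifest. The log format, the internal address ranges, and the threshold are assumptions.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Constructed sample (not from the article). Assumed format per line:
# "<ISO timestamp> <internal src ip> <dest host> <dest ip> <bytes sent>"
SAMPLE_LOG = """\
2020-06-10T02:14:05Z 10.0.4.21 intranet.corp 10.0.0.5 1200
2020-06-10T02:16:40Z 10.0.4.21 share.example-cloud 203.0.113.9 734003200
2020-06-10T02:17:02Z 10.0.4.33 cdn.example-cdn 198.51.100.12 8192
2020-06-10T02:18:11Z 10.0.4.21 share.example-cloud 203.0.113.9 512000000
"""

# Assumed internal ranges for this constructed network (RFC 1918 space).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_text):
    """True if the destination is inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, src, host, dst, nbytes = line.split()
    return {"ts": ts, "src": src, "host": host, "dst": dst, "bytes": int(nbytes)}


def outbound_bytes_per_source(log_text):
    """Sum bytes sent to external destinations, keyed by internal source host."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_internal(rec["dst"]):
            continue  # internal-to-internal traffic is not evidence of data leaving
        totals[rec["src"]] += rec["bytes"]
    return dict(totals)


def flag_exfil_candidates(log_text, threshold_bytes=100 * 1024 * 1024):
    """Sources whose external outbound volume exceeds the (assumed) threshold."""
    totals = outbound_bytes_per_source(log_text)
    return sorted(src for src, total in totals.items() if total > threshold_bytes)


def evidence_record(name, log_text):
    """SHA-256 of the preserved log text, for a chain-of-custody manifest entry."""
    digest = hashlib.sha256(log_text.encode("utf-8")).hexdigest()
    return {"file": name, "sha256": digest, "lines": len(log_text.splitlines())}
```

The flagged hosts are starting points for the "what left the network" question; the digest lets counsel show later that the analyzed log is the one that was preserved.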

2. Do we negotiate with the cyber terrorists? Even with a backup, sometimes the event is so catastrophic that the timeline to restore from backup is not ideal. Or maybe you learn that the backup that you thought was being made was not actually being made. In a ransomware event, inevitably the conversation will shift to consideration of engaging with the attackers and potentially paying a ransom. I have found as outside cyber counsel that you should never say never to any scenario, although to date I have not paid a ransom. But having a bitcoin wallet prepared in the event you needed to pay a ransom is always a good idea. At least then you are not wasting precious days waiting on the KYC (know your customer) analysis in order to fund the wallet and make a payment.

Based on my experience, law enforcement will not encourage or discourage engagement with cybercriminals. That is a question left to the company or municipality alone. Also, the ransoms are getting larger — not 3 Bitcoin, but 30. With a discount offered for speedy payment, even criminals are suffering in a global pandemic and ensuing economic crisis. Whatever the case, engagement with cybercriminals needs to be done delicately and with counsel's involvement.

3. Be ready to work with law enforcement and to know whom to engage. I've had the pleasure of engaging with a number of federal agencies, federal investigators, and state investigators. In some cases, based on your industry, you may not get the choice as to whether you engage with law enforcement or not. In others, that's a call you should let your outside counsel make. Even in ransomware events, it can be beneficial to work with law enforcement, but you need to know which entity to call. Placing a call to your local FBI field office can be beneficial — but directly engaging with the FBI cybercrimes unit can expedite your getting in touch with the FBI office in charge of fielding ransomware inquiries based on that variant. I recently worked as outside counsel on the first Pysa ransomware case in the United States. Knowing the rules of engagement with law enforcement and whom to reach out to can help you find out whether there are known decryption tools for that particular variant.

Like any cyber event, with ransomware, your incident response team's first call should be to outside counsel. As counsel, our job is to help bring order to the chaos but mostly to work through the legal liabilities and risks associated with the cyber event.


Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ...