Many cyber operations teams are surprised that, as outside counsel, I fret about ransomware. They ask questions like: Why would counsel care that our systems are locked in place? And why would we need to give notice to consumers or employees in a ransomware event?
The reason is that data breach statutes do not distinguish between types of cyber events, and I am often left trying to piece together whether notice is legally required based on scant evidence of what may or may not have left the network. Not only that, but additional liability can arise depending on the industry. As a lawyer, my job is to navigate and mitigate those risks on behalf of the client. Here's what I've learned:
1. What happens in the first few hours after discovering ransomware is mission critical to my legal analysis. When the call comes to me, the first question I always ask is: Have we preserved the logs? Whether there is a log aggregator in place or not, it is incredibly important to begin pulling log information from every location so that it can be analyzed for malicious traffic. This traffic analysis — whether data left the network — is critical to the legal analysis determining whether or not the company must give notice to consumers, employees, or regulators.
If personal identifying information left the system, the company is obligated under a myriad of state statutes to give notice to affected individuals. In Europe, under the General Data Protection Regulation, the clock for certain notifications is 72 hours. The definition of personal identifying information varies wildly based on the state or regulation affected. As counsel, my first questions center on whether data left the network. If it did, my next questions in the next few hours begin revolving around how we piece together what data left or whether data was accessed on the network. But the first step is making certain we have the evidence in place to make that legal analysis. Without logs, I am left with circumstantial evidence — a fancy legal phrase meaning inferences — to make the call as to whether notice must be given. It's not ideal and requires a lot of legal experience to get to a defensible conclusion.
2. Do we negotiate with the cyber terrorists? Even with a backup, sometimes the event is so catastrophic that the timeline to restore from backup is not ideal. Or maybe you learn that the backup that you thought was being made was not actually being made. In a ransomware event, inevitably the conversation will shift to consideration of engaging with the attackers and potentially paying a ransom. I have found as outside cyber counsel that you should never say never to any scenario, although to date I have not paid a ransom. But having a Bitcoin wallet prepared in the event you need to pay a ransom is always a good idea. At least then you are not wasting precious days waiting on the KYC (know your customer) analysis in order to fund the wallet and make a payment.
Based on my experience, law enforcement will not encourage or discourage engagement with cybercriminals. That is a question left to the company or municipality alone. Also, the ransoms are getting larger — not 3 Bitcoin, but 30. With a discount offered for speedy payment, even criminals are suffering in a global pandemic and ensuing economic crisis. Whatever the case, engagement with cybercriminals needs to be done delicately and with counsel's involvement.
3. Be ready to work with law enforcement and to know whom to engage. I've had the pleasure of engaging with a number of federal agencies, federal investigators, and state investigators. In some cases, based on your industry, you may not get the choice as to whether you engage with law enforcement or not. In others, that's a call you should let your outside counsel make. Even in ransomware events, it can be beneficial to work with law enforcement, but you need to know which entity to call. Placing a call to your local FBI field office can be beneficial — but directly engaging with the FBI cybercrimes unit can expedite your getting in touch with the FBI office in charge of fielding ransomware inquiries based on that variant. I recently worked on the first case of the Pysa in the United States as outside counsel. Knowing the rules of engagement with law enforcement and who to reach out to can help you find out whether there are known decryption tools in place for that particular variant.
Like any cyber event, with ransomware, your incident response team's first call should be to outside counsel. As counsel, our job is to help bring order to the chaos but mostly to work through the legal liabilities and risks associated with the cyber event.