White House Guidance on Ransomware

Butler Snow LLP

Butler Snow LLP

Ransomware has become the fastest growing type of cybercrime facing businesses today. In 2021, loss values were estimated to have reached at least 57 times those in 2015, exceeding $20 billion. Data and privacy issues are so prevalent, that it is estimated today that a ransomware attack takes place every 11 seconds. It is essential for businesses to understand the risk of ransomware attacks as data privacy and security cannot be prioritized without a plan to combat potentially damaging cybercrime.

Nashville-based company SmileDirect is a recent victim of a high-cost ransomware attack. The company paid no ransom, but manufacturing and product delivery systems were disrupted. Local governments have also become vulnerable to ransomware attacks. In 2019, Louisiana declared a state of emergency after a cyberattack affected their government servers and “many state websites and emails” after they took extremely protective measures to combat the ransomware attack.

In response to the rise in and because of several recent high profile ransomware attacks, the White House recently issued an open letter detailing five data security best practices. Butler Snow believes these are important in legal circumstances as these threats can become a liability for companies who manage private consumer information if a data breach occurs.

Ransomware damages on the rise

The open letter details 5 best practices, outlined here:

  • Backup company data and test regularly while keeping backups offline
  • Promptly update and patch systems
  • Create and test your incident response plan
  • Check your security team’s work and test defense capabilities
  • Segment your networks to limit exposure in the event of an attack

These recommendations come at a time where ransomware attacks are much more common and businesses must protect themselves now. The Institute for Security and Technology has also released recommendations to combat ransomware.

Since this issue has become more prevalent, it is also imperative to understand the associated data security legal issues. Not only can ransomware attacks shut down or disrupt business operations; if a ransomware attack is considered a data breach, it could require data breach notification to customers and clients and lead to data breach class action lawsuits.

The laws around data breaches continue to evolve. However, if a ransomware attack exposes consumer data, it would typically be considered a data breach. In this case, businesses must notify potentially impacted parties and the company is subject to litigation, regulatory action, hefty fines and reputational damage. Given the legal implications of ransomware attacks businesses should partner with legal counsel proactively, not in the event of an attack.

It is important for companies to have clear direction on how data privacy law may impact them. Specific to ransomware, an important step the White House laid out was testing an incident response plan. You cannot test an incident response without first having the plan in place. It is crucial to include your legal counsel in plan creation in order to consider the implications of cyber attacks on data security and because there is not a one-size-fits-all solution for every business. Each incident response plan must be hyper individualized because no business has the same exact systems, data or processes.

It is important for businesses to adequately plan and prepare for ransomware threats.  This starts with a clear understanding of the legal risks, a company’s individual network, and a robust incident response plan that is regularly tested.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Butler Snow LLP | Attorney Advertising

Written by:

Butler Snow LLP

Butler Snow LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide