“Data held hostage.” Years—even months—ago, the concept may have sounded absurd. Today, it is becoming all too common. Ransomware has quickly become a household term, due, in part, to the recent WannaCry attack. When a ransomware attack strikes, most users’ number one priority is to save their data and free their computers. However, for many businesses, rescuing data is merely the beginning. Businesses that store personally identifiable information (PII) may also have an actionable data breach on their hands. This article offers guidance on how to identify whether a ransomware attack is also a data breach that may require notification to customers, patients, and governmental agencies.
What Is Ransomware?
Ransomware is a form of malicious software, or malware, that infects a computer system, preventing the user from accessing data on that system and in some cases threatening to delete data if the user does not pay a ransom in a short period of time. Ransomware usually infects computer systems when a user opens an e-mail attachment or cloud-based document received from an unknown source. Opening the attachment allows the ransomware to access the computer’s (or any attached network’s) files to hold them hostage. It also gives the perpetrator the ability to view, copy, and delete files on those systems.
Ransomware is a burgeoning cybersecurity threat. According to Verizon’s 2017 Data Breach Incident Report, 72% of malware incidents in the health care industry in 2017 were ransomware incidents. As with other cybersecurity threats, the best way to address a ransomware attack is to prevent it. Numerous articles have been published recently on this topic, including the U.S. Department of Justice’s, “How to Protect your Networks from Ransomware.”
The Risks Of Ransomware
For individuals, the primary threat of ransomware is the loss of valuable data like family photos. This threat is often sufficient to coerce individuals into paying ransoms.
For businesses, the ransomware threat is more complicated. First, businesses also face the loss of valuable data. Second, ransomware interrupts businesses’ workflow by preventing employees from accessing data. This can result in significant losses in revenue. For example, in 2015, ransomware attacked the computer systems of a small Rhode Island-based law firm. Ultimately, the firm was able to unlock its data by paying a $25,000 ransom, but the cost was apparently much greater. The attack resulted in a three-month interruption in the firm’s workflow and caused a claimed $700,000 in lost revenue.
Businesses that deal with sensitive personal information also face another set of risks from a ransomware attack. A ransomware attack may be considered a data breach under federal or state law. While attempting to unlock and save its data, a victim of a ransomware attack may have an obligation to enact its data breach protocol and notify individuals whose data is affected by the attack.
Ransomware And Your Data
Not all ransomware operates in the same manner and new ransomware threats are constantly appearing. In the context of a potential data breach, it is important to understand how ransomware functions. This includes understanding what access the perpetrator has to a computer’s systems. Has the malware copied any data from the system? Does it permit the perpetrator to view data on the system? Or has the malware only limited users’ access to their data? These are essential questions. As soon as a ransomware attack occurs, the victim must simultaneously attempt to regain access to its data while acquiring a complete understanding of whether the ransomware perpetrator has viewed, accessed, or taken PII.
A business cannot know whether it needs to treat a ransomware attack as a data breach until it determines whether the attack fits within the definition of a data breach under the federal and state laws that apply to it.
Sampling of Data Breach Standards
Depending on a business’s location, its customers, and the nature of data stored, multiple federal and state laws could apply. Nearly every state has laws that may apply to data breaches, and several federal laws cover wide swaths of entire industries like finance and health care. Below are descriptions of two typical laws and of what constitutes a data breach under them.
Massachusetts: Mass. Gen. Laws c. 93H
- What data is covered? A person’s first name or initial and last name, when combined with a Social Security Number, other government identification number, or financial account information.
- To what entities does the law apply? Any persons or entities that own, license, maintain, or store PII of Massachusetts residents.
- What constitutes a data breach? “…the unauthorized acquisition or unauthorized use of …[PII]… that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.”
- When is action required? If a person or entity knows or has reason to know a breach of security occurs or unauthorized use or acquisition of PII has occurred.
Under Massachusetts law, a ransomware attack is not necessarily an actionable data breach. Whether the attack constitutes a breach depends on the type of data affected, whether the attacker was able to access or acquire the data, and whether the attack resulted in a “substantial risk of identity theft or fraud” against a Massachusetts resident. The answer to this question under Massachusetts law—and any other applicable laws—will depend on the functionality of the malware that attacks the computer system.
Health Information Portability and Accountability Act (“HIPAA”): 42 USC §1320d et seq.
Rules enacted under HIPAA at 45 C.F.R. 164.400-414 establish requirements for data breach reporting.
- What data is covered? “Health information,” any information relating to a person’s medical condition or treatment, including payment, created by any person or entity involved in the diagnosis, treatment, or payment process.
- To what entities does the law apply? Health care providers, health insurers, nursing homes, pharmacies, health care billing services, and others.
- What constitutes a data breach? “Breach means the acquisition, access, use, or disclosure of protected health information [PHI] in a manner not permitted under [the statute] which compromises the security or privacy of the protected health information.”
- When is action required? Notification to affected individuals must occur on the first day the entity knows or has reason to know of the breach.
Because a breach means acquisition, access, use, or disclosure, it is quite likely that a ransomware attack constitutes a breach under HIPAA rules. In fact, a recently released Department of Health and Human Services fact sheet states that a breach is presumed to have occurred unless the covered entity “can demonstrate that there is a ‘… low probability that PHI has been compromised.’” Determining whether a “low probability” of compromise exists involves assessing: 1) the nature of the PHI involved; 2) who accessed or used the PHI; 3) whether the PHI was actually acquired or viewed; and 4) the extent to which the risk to the PHI has been mitigated.
HIPAA and the Massachusetts data breach statute are only two of the many data breach laws in effect. Businesses need to be aware of all laws that may apply to them and data in their possession. And they should be aware before an attack occurs.
Be Ready To Act If Ransomware Strikes
Since activating data breach protocols can be extremely time consuming and expensive, businesses should be prepared to assess immediately whether a ransomware attack constitutes a data breach. Ultimately, how a piece of ransomware affects a company’s data will determine if the attack is also an actionable data breach. Preparation, however, can shorten the time required to make that determination. Four categories of information influence whether a ransomware attack constitutes an actionable data breach: 1) the type of data affected; 2) the applicable legal framework; 3) the status of that data; and 4) the mechanics of the specific ransomware. The first two considerations can be assessed in advance, while the final two will be assessed based on the circumstances of the attack. Below are some relevant considerations and questions:
Type of Data: What type of PII does the business maintain?
- Healthcare, financial, social security numbers, other biographical information?
Legal Framework: What data breach laws apply?
- Where does the company do business?
- Where is PII stored?
- What type of PII does the company maintain?
- Where do the individual subjects of the PII reside?
Status of Data: How and where is the affected PII stored?
- One location or multiple locations?
- Internal networks, local computers, cloud?
- Is PII stored in an encrypted manner? What level of encryption?
- Is the PII backed up?
Mechanics of the Ransomware: How does this particular ransomware function?
- Are IT professionals able to see if data has left the affected computer system?
- Has the data been viewed or accessed?
- How did the malware get into the system?
- How does the malware move to other computers and networks?
- Is the malware merely holding data hostage?
- Is there a large volume of data moving to and from the perpetrator?
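The last two questions above (has data left the system, and how much moved toward the perpetrator) are ones an IT team answers from firewall or flow logs. The following is an added illustration, not part of the original article: it sums each host's outbound traffic to non-internal destinations in the hours before the ransom note appeared and flags hosts whose volume exceeds a threshold. The flow records, the internal address ranges, the 6-hour lookback and the 100 MB threshold are all constructed assumptions for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed flow records (host, timestamp, destination IP, bytes sent); not real data.
# They stand in for the firewall or NetFlow export an IT team would pull after an attack.
FLOWS = [
    ("ws-01", "2017-05-12 08:05:00", "10.0.0.5",     4_000),        # internal file share
    ("ws-01", "2017-05-12 09:10:00", "203.0.113.7",  900_000_000),  # large upload to outside host
    ("ws-01", "2017-05-12 09:40:00", "203.0.113.7",  700_000_000),
    ("ws-02", "2017-05-12 09:15:00", "198.51.100.9", 2_000_000),    # ordinary web traffic
    ("ws-02", "2017-05-12 09:50:00", "10.0.0.5",     50_000_000),   # internal backup job
    ("ws-03", "2017-05-11 09:00:00", "203.0.113.7",  800_000_000),  # a day earlier, outside window
]
# Assumed internal ranges; anything else is treated as "outside the organisation".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_bytes_by_host(flows, window_start, window_end):
    """Sum the bytes each host sent to non-internal destinations inside the window."""
    totals = {}
    for host, ts, dst, nbytes in flows:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if window_start <= when <= window_end and not is_internal(dst):
            totals[host] = totals.get(host, 0) + nbytes
    return totals


def hosts_with_possible_exfiltration(flows, ransom_note_seen, lookback_hours=6,
                                     threshold_bytes=100_000_000):
    """Hosts whose outbound volume before the ransom note exceeds the threshold.

    A hit means data may have left the system, which pushes the incident toward
    breach analysis. An empty list does not prove the opposite; it only removes
    one indicator, so the other questions in the checklist still need answers."""
    note_time = datetime.strptime(ransom_note_seen, "%Y-%m-%d %H:%M:%S")
    start = note_time - timedelta(hours=lookback_hours)
    totals = external_bytes_by_host(flows, start, note_time)
    return sorted((h, b) for h, b in totals.items() if b >= threshold_bytes)


if __name__ == "__main__":
    for host, sent in hosts_with_possible_exfiltration(FLOWS, "2017-05-12 10:00:00"):
        print(f"{host}: {sent:,} bytes to external hosts in the hours before the ransom note")
```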
With these considerations in mind, ransomware victims can assess whether a data breach has occurred and begin taking action if necessary.
The evolving field of cybersecurity continually presents new challenges. Ransomware is one of those challenges. Even businesses that employ ideal cybersecurity practices may not be able to prevent a ransomware attack. As a result, businesses should be prepared to assess whether a ransomware attack constitutes a data breach. This can decrease response time and put businesses in position to comply with all applicable laws if a ransomware-related data breach occurs.