Arabic Arabic Chinese (Simplified) Chinese (Simplified) Dutch Dutch English English French French German German Italian Italian Portuguese Portuguese Russian Russian Spanish Spanish
| (844) 627-8267

Ransomware Attacks – Harmless Annoyances Or Catastrophic Events? – Trade Secrets | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware



To print this article, all you need is to be registered or login on Mondaq.com.

Ransomware attacks have become one of the most common and
pervasive cybercrimes perpetrated against U.S. companies. A bad
actor, often from overseas, will gain access to upload malware onto
a company’s network storage or application platforms that
encrypts all files it can access. A message or text file is usually
left with instructions on how to contact the attacker to pay a
ransom for the decryption key. In the worst case, a ransomware
attack can freeze the business operations by effectively removing
access to the company’s critical systems and rendering them
useless. Aside from the business impact, what legal implications
are created by a ransomware attack?

Privacy

The greatest legal concern is one of privacy. By definition,
ransomware attacks gain access to the internal systems maintained
or owned by a business. However, not all ransomware attacks are
created equal and privacy obligations differ from one attack to
another.

The most harmless ransomware attack is one that encrypts data on
an identifiable location that is confirmed to not contain any
personal information for employees or customers, and which can be
easily restored from clean backups. Assuming information that meets
the definition of personal data (including PII or PHI) is affected,
then further legal analysis is required in order to determine
whether or not the business has further legal responsibilities. In
that evaluation, the availability of reliable system logs, network
traffic and other information becomes critical. For example, some
state data breach notification laws do not require notification to
potentially affected individuals unless information was obtained by
the unauthorized attacker. In other words, unless data was copied
or exfiltrated by the attacker, there is not a breach. However,
other states define a data breach as the unauthorized acquisition
or access to certain categories of protected information. In states
that include “access” in their definition of a breach, a
ransomware attacker who is able to remotely browse through a
network environment and select the target systems of files for an
attack has obtained access. If the malware operates independently
and there was no external access outside the execution of the
computer code, it is arguable that there has been no unauthorized
access by a person. It can be difficult to gain concrete
information as to whether the attack resulted in the loss of
data—but mere encryption, without more, is a arguably a
“better case scenario” compared to one involving the loss
or removal of information.

Hackers have caught on to this. In some cases, a ransomware
assailant will provide proof that they have accessed personal
information and can publish it on the dark web. These “proof
of life” attacks provide a snippet of the personal
information—for example, one of many social security numbers
stored on the now-encrypted database—and hackers will
threaten to publish all of the personal information if their
demands are not met. Unfortunately, even though ransomware
attackers when paid almost always live up to their end of the
bargain by providing decryption keys and deleting exfiltrated data,
the fact that information has been obtained by unauthorized
individuals is unquestionably a breach, even if the attackers agree
to delete it. This means, if personal information is involved, an
attack that includes exfiltration is most likely going to trigger a
reporting obligation.

Congress has introduced several bills that would require the
reporting of a ransomware attack to the Department of Homeland
Security within a certain time frame, usually 24-72 hours, with
certain mandatory reporting obligations for certain industries
already in place. It is unclear, however, what obligations will be
incurred by the attacked party or whether the exfiltration of
personal information will modify those obligations.

Intellectual Property

Many companies maintain their “secret sauce” as a
trade secret. Whether a company develops software, manufactures
adhesive, or trades on Wall Street, trade secret protection is
paramount for the intangible assets of a company that are not
patented. A ransomware attack can result in the exfiltration of the
trade secret and possible publication of the trade secret—an
act that would eliminate any protection for the trade secret at
hand. And victims of such attacks are surprised to learn that their
cyber insurance often does not cover such loss. Indeed, important
trade secrets should be kept under proverbial lock and key to
protect against exploitation or publication by ransomware
attackers.

Ransomware attacks take many forms. Many involve the
exfiltration or unauthorized access to employee or customer
personal information or trade secrets, which can lead to
catastrophic loss for a company with a large privacy or trade
secret footprint. In addition to practicing good network and data
security, employee training, and record retention to minimize the
impact of attacks, it is imperative (and in some states required)
that businesses have a written information security response
program for the management and remediation of cyberattacks. In the
investigation and response to an incident, it is important to
determine what type of ransomware attack has occurred so that a
company can determine the resulting privacy notification and
intellectual property loss associated with the attack.

We strongly recommend consultation with capable outside legal
counsel and experienced computer forensic experts in the response,
remediation and investigation of a ransomware incident. The
reasonableness of a business’ safeguards, the adequacy of its
investigation, and the speed of its remediation response could all
be subject to scrutiny in the event of litigation or a regulatory
investigation. A proper team of internal stakeholders, counsel and
forensic investigators should collaborate in addressing the
investigation, documentation, remediation, insurance, customer and
governmental notifications, law enforcement and public relations
questions in swift – and where necessary, legally privileged
discussions. Companies can also mitigate their risk by securing
personal information or trade secrets behind updated network
controls; employing encryption; conducting regular training and
anti-phishing exercises; and deploying more secure multi-factor
identification for workers and external users.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Intellectual Property from United States

2022 Trade Secrets Webinar Series: Takeaways & Recordings

Seyfarth Shaw LLP

Throughout 2022, our dedicated Trade Secrets, Computer Fraud & Non-Compete practice group hosted a series of CLE webinars that addressed significant trade secret and restrictive covenant issues facing companies today.

Trademarks Comparative Guide

Obhan & Associates

Trademarks Comparative Guide for the jurisdiction of India, check out our comparative guides section to compare across multiple countries

——————————————————–


Click Here For The Original Source.

National Cyber Security

FREE
VIEW