As we have seen recently, the latest criminal trend in cybercrime is to extort enterprise victims not only by denying them access to their own corporate data but also by threatening to dump that data in the public domain. While that presents the danger of leaking IP that could be useful to competitors, it also puts the enterprise at risk of running afoul of legislation designed to protect consumer data as well as from litigation by affected customers.
The situation presents a number of difficulties for organizations regarding data breach notification laws. Do companies have to report a data breach? Who do you have to report a data breach to? When do you have to report a data breach and under what circumstances? In this post, we’ll cover these questions and discuss the challenges of handling a data breach incident.
What are Data Breach Notification Laws?
Widely referred to as Security breach notification laws or Data breach notification laws, these are legal requirements based on either state or governmental legislature that require an organization to inform customers or other affected parties about a breach of data and to take action specified in the legislation to remedy the situation.
Is a Ransomware Attack a Data Breach Incident?
We’re midway through 2020 and the ransomware epidemic is far from subsiding. After causing estimated damages of over $7.5 billion in 2019, ransomware operators have continued to target organizations even during the COVID-19 pandemic and have even stepped up their game to ensure a ransom payout. Attackers are also targeting everyone from small business enterprises to the largest MSPs. The latest Data Breach Investigations report shows that ransomware is “the third most common Malware breach variety” and the “second most common Malware incident variety”.
Their latest tactic? In addition to encrypting the data that resides inside the organization, ransomware strains like Sodinokibi and Maze exfiltrate files to remote resources under the attacker’s control. At this point, they can not only demand money to decrypt the data on compromised endpoints but also extort the victim in return for not leaking the exfiltrated data to the public.
Do Companies Have to Report a Data Breach?
To notify or not to notify? It’s no longer a question. Until now, ransomware victims were faced with the challenges of gaining access to their data and the dilemma of whether to pay the criminals. Now, they have another concern: companies are obliged by law to report the data breach.
In some incidents, ransomware victims have been able to recover encrypted data without having to succumb to the demands of the malware authors. In those cases, it is quite plausible to assume that the data was not exposed to outsiders, and therefore no breach notification was necessary. But recent campaigns are not so lenient. Even if the data residing on the victims’ network is safely restored (decrypted, or restored from backup) and the extortionist never publishes the stolen data, the victims are no longer exempt from notifying the authorities, their clients or both that data has been stolen.
Under What Circumstances Do You Have to Report a Data Breach?
But the real problem may not be when to report or even to whom. When your entire database (and sometimes your servers and endpoints) have been encrypted in an attack, preventing you from accessing them, you may have no idea what data may have been exposed. You might also have no idea whether data was merely encrypted or also exfiltrated.
This is a serious cause of concern for companies that handle masses of private data. Should you assume the data has been compromised and notify all the potential victims? Should you wait for the criminals to dump your data, sift through it and only notify the people who are listed there? Should you assume that no PII has been stolen and that the data will be safely released, and report to no one?
That is a risky course of action, since that sensitive data could be out there, making the enterprise liable to fines and lawsuits. To date, hundreds of companies have been fined under the EU GDPR, and this number will only increase. And the worst part is that when ransomware hits, you don’t have the time so sit and evaluate the situation: the clock is ticking and if you fail to meet the notification deadline, you risk being fined in one jurisdiction or more.
Recommendations for Dealing with Data Breaches
As the above discussion makes clear, the legal duties imposed on enterprises are complex and various. Before a data breach happens, have your legal team assess which jurisdictions you would be required to report to, under what circumstances and within what timeframe. Make sure that this assessment is conducted periodically to check for changes both in your business operations and changes to legislation. Ensure that you have a business disaster recovery plan; many businesses from small to large have been forced to go out of business due their inability to recover from cyber-attacks. In some cases, these forced closures were a consequence of breach costs and unrecoverable data loss.
The ultimate preparation, of course, is to ensure that your organization is protected from ransomware, malware, and intrusions by a proven security platform. Many of the victims of recent attacks from ransomware to APT groups believed they were protected, only to find out that legacy AV Suites are no real hindrance to modern cybercriminals.
As if ransomware wasn’t bad enough by itself, and the damages it incurred for organizations were limited to downtime and other ‘local’ costs, contemporary ransomware forces companies to deal with the breach and its impacts, including the uneasy necessity of dealing with authorities and angry customers who insist on being informed about what has happened to their data. As always, an ounce of prevention and a robust endpoint security solution is worth a ton of explaining and reacting.