By now, many of you are aware of the malware virus that is spreading rapidly around the world. Taft's Technology group has prepared the following short summary of questions and answers about this ransomware attack, which in effect locks out users from accessing their files unless a ransom is paid via bitcoin.
Q: I have been hit with a ransomware attack, what are my options?
A: You can pay the ransom with the hopes of getting your data back, or you can wipe your network clean and rely on the last backup to reinstall your data. The ransomware attack is designed to lock you out of your system until you pay the ransom. If you have a recent backup of your data and do not feel that any data that you have created since your last backup is critical data, then you can wipe your system clean and reinstall from the uncorrupted backup.
If you do not have a backup that is recent or you have data that cannot be replaced that is locked, then you may want to pay the ransom. There will likely be instructions provided on the ransom screen as to where to send the payment and how long you have to pay it. The payment will likely be required in bitcoin or another digital currency. If you have cyber insurance, you may have to check with your cyber insurance carrier to see if there are any special notice provisions to make sure the ransom is covered. If the ransom is a modest amount (e.g., $300), it may be faster and more expedient to simply pay the ransom.
However, paying the ransom is not a guarantee that you will regain access to your system or that your system is free from any other malicious code. You are dealing with criminals. Even if access to your system is regained, you need to have your system analyzed to make sure they were not able to access or take any information from you and have not left anything to potentially lock you out again.
Q: What is bitcoin?
A: Bitcoin is a digital currency that is not controlled or backed by any government. Its value fluctuates much like a stock and can be volatile. It is the preferred method of payment for ransomware attacks because it generally cannot be traced back to the person receiving the payment.
Q: Is bitcoin legal?
A: Yes. Despite being associated with criminal activities, bitcoin is legal.
Q: If I open an account and give them my payment information, am I at risk for identity theft?
A: There is no more risk than with any other transaction you perform on the internet if you research where you buy the bitcoin. Also, if the ransom is tens of thousands of dollars, you may run into some restrictions about purchasing that much in the timeframe required. Taft has relationships with bitcoin vendors that can help clients procure large sums of bitcoin quickly.
Q: We have data that is subject to HIPAA. As a covered entity or business associate, what are our reporting obligations?
A: Under HIPAA, a ransomware attack must be reported as a breach within 60 days. The exception is if the client can prove that their data was not compromised because it was encrypted.
Q: What legal liabilities am I now facing?
A: Click here to view an article on potential liabilities.
In summary, you may have data breach reporting obligations for allowing an unauthorized user to access your data. You could be facing liability from regulators (e.g., state attorneys general, FTC, OCR) and class action lawsuits. And the regulators you deal with will depend on the classification of data in which you operate. Forty-eight states have data breach reporting obligations — Taft's Technology group can guide you and provide the required notifications.