Beyond Breach Notification

cursor-clicks-red-VIRUS-button-300x225

Ever since California adopted the nation’s first breach notification law in 2002, companies that have suffered a data breach have focused on whether and how to notify their customers, employees and others of the nature and extent of the breach.  California’s law has been amended multiple times, and has been followed by breach notification laws in almost every state, as well as the notification requirements under the Health Insurance Portability and Accountability Act (“HIPPA”).  As these laws developed, a tandem requirement has emerged:  the obligation to take reasonable steps to protect data, and companies are, increasingly focused on taking steps to ensure the security of their data.

Recent breaches, however, have made it clear that these efforts do not address what might be the most pressing problem facing businesses:  how to recover from a malicious attack.  As data security attacks have evolved, firms must recognize an entirely different set of risks.

In the past, most hackers have focused on obtaining financial or personal information for profit.  Thus, the most publicized data breaches – Wyndham and Target, as examples – were directed at obtaining credit card information which could be sold on the dark web.  While these incidents can be expensive, they rarely threaten the existence of a firm; indeed, most consumers are so inured to the likelihood that their credit card information may be stolen that they take a blasé attitude and assume, correctly, that their personal losses will be small, typically limited to the inconvenience of getting a new credit or debit card.  Similarly, as more and more companies recognize the likelihood of a loss and, in response, adopt breach notification policies backed by cybersecurity insurance, the impact has become incorporated into the cost of doing business.

This attitude began to change with the increased incidence of ransomware.  Rather than seek financial or personal data, ransomware exploits technical or, more often, human vulnerabilities to encrypt data and hold it hostage in return for payment of ransom.  There have been highly publicized incidents, including hospitals, hotels, law enforcement agencies and other entities, that paid ransom in return for access to their data.  While paying ransom has been almost universally criticized, many firms felt they had no choice; they did not have adequate backups, and the only possible means of continuing business was to pay a relatively modest payment.

With the recent Petya virus attacks, however, that calculus has changed.  It has become more and more apparent that this virus, while claiming to be ransomware, was actually much more destructive; researchers increasingly believe that the malware was “wiperware” with the objective of permanently destroying data, and the perpetrators of the virus had no intention of freeing the data.  The researchers analyzing Petya (sometimes called PetyaWrap, NotPetya, and ExPetr) have speculated the ransom note left behind in the attack was a hoax intended to capitalize on media interest sparked by the May Wannacry ransomware attack.

Even if Petya was “true” ransomware, the broad destruction it caused – companies have announced reduced earnings and some firms have not yet recovered from the attack – should cause us to rethink how to approach data breaches.  There is no reason to expect that a hacker will actually unencrypt data after payment; the hacker has no incentive to do so. While existing law requires companies to address notification and compensation issues, firms should be focused on how they can recover from a catastrophic attack.  After all, the most compliant, complete and effective breach notification response will not recover data.

Instead, companies should make it a priority to do the following:

  • Evaluate Risk. Part of the risk analysis for a company has to be its ability to recover from a catastrophic attack. It is still surprising how many companies do not regularly backup their data.  However, ransomware and wiperware makes it clear – you cannot expect to recover encrypted or destroyed data.  A company can only be sure of recovering data from its own resources.  Not preparing to do so is increasing a risk that can, instead, be reduced.
  • Create an Effective Backup System. A backup isn’t simply files copied onto a hard drive. Thought has to be given to where the data is held, how often it is backed up, and the procedure for recovery.  Files on a hard drive connected to a server are likely to be as vulnerable as the corrupted or destroyed data.  An effective backup system requires engaging experts who can design an effective recovery method.
  • Test the System. Testing a backup protocol when data has been destroyed or lost is not an effective practice. The system needs to be tested in advance so that the company will understand what it actually recovers and, importantly, how long it takes.  Much of the criticism toward firms infected with Wannacry and Petya was directed to their inability to give meaningful advice as to when they would be online.  Testing a system is the only way to identify its vulnerabilities and be prepared to implement it in an emergency.
  • Don’t Go It Alone. A backup recovery system that works is not typically within the expertise of a firm’s IT department; firms should spend the time and resources to obtain specialized expertise to analyze the company’s vulnerabilities and needs, and to design a system that will ameliorate the impact of a malicious breach.
  • Adopt a Company Culture of Security. It remains the case that one of the most serious vulnerabilities of any firm is the human element. Hackers are able to insert malware primarily because of their ability to obtain credentials through human weakness.  The human firewall has to be hardened to help avoid the problem to begin with.

We have entered into a new and dangerous phase of what seems to be an eternal battle against hackers.  It is no longer enough to know that an attack can, and probably will, happen; the focus needs to be on how to recover from the attack.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.