Ever since California adopted the nation’s first breach notification law in 2002, companies that have suffered a data breach have focused on whether and how to notify their customers, employees and others of the nature and extent of the breach. California’s law has been amended multiple times and has been followed by breach notification laws in almost every state, as well as by the notification requirements under the Health Insurance Portability and Accountability Act (“HIPAA”). As these laws developed, a tandem requirement emerged: the obligation to take reasonable steps to protect data. Companies are, accordingly, increasingly focused on taking steps to ensure the security of their data.
Recent breaches, however, have made it clear that these efforts do not address what may be the most pressing problem facing businesses: how to recover from a malicious attack. As attacks on data have evolved, firms must recognize an entirely different set of risks.
In the past, most hackers focused on obtaining financial or personal information for profit. Thus the most publicized data breaches – Wyndham and Target, for example – were directed at obtaining payment card information that could be sold on the dark web. While these incidents can be expensive, they rarely threaten the existence of a firm; indeed, most consumers are so inured to the likelihood that their credit card information may be stolen that they take a blasé attitude and assume, correctly, that their personal losses will be small, typically limited to the inconvenience of getting a new credit or debit card. Similarly, as more and more companies recognize the likelihood of a loss and, in response, adopt breach notification policies backed by cybersecurity insurance, the impact of such a breach has become incorporated into the cost of doing business.
This attitude began to change with the increased incidence of ransomware. Rather than seeking financial or personal data, ransomware exploits technical or, more often, human vulnerabilities to encrypt data and hold it hostage in return for payment of a ransom. There have been highly publicized incidents in which hospitals, hotels, law enforcement agencies and other entities paid ransom in return for access to their data. While paying ransom has been almost universally criticized, many firms felt they had no choice: they did not have adequate backups, and the only possible means of continuing business was to make a relatively modest payment.
With the recent Petya attacks, however, that calculus has changed. It has become increasingly apparent that this malware, while claiming to be ransomware, was actually far more destructive; researchers increasingly believe it was “wiperware” whose objective was to permanently destroy data, and that the perpetrators had no intention of restoring access. The email address given for ransom payment was shut down by its provider within hours of the attack, so even victims willing to pay had no way to receive a key. Researchers analyzing the malware (variously called Petya, PetyaWrap, NotPetya and ExPetr) have speculated that the ransom note it left behind was a hoax intended to capitalize on media interest sparked by the May WannaCry ransomware attack.