Ransomware Strike: What Impact on Corporate Liability?


By Jimmy H. Koo, George R. Lynch and Daniel R. Stoller

The worldwide ransomware attack that affected banks, hospitals and other companies heightens corporate regulatory and litigation risks, privacy attorneys told Bloomberg BNA.

Companies may face scrutiny from regulators or consumer litigation regarding the standard of care taken—or not taken—to prevent ransomware attacks, attorneys told Bloomberg BNA.

The cybercriminals who perpetrated the “WannaCry” ransomware attack face penalties and possible jail time if apprehended. But companies may face scrutiny from regulators on both sides of the Atlantic, as well as consumer class actions, if they failed to provide adequate levels of security before and after the attack, attorneys said.

The real question in ransomware cases is “who knew what when,” Chris Dore, privacy partner at Edelson PC in Chicago, said. “If companies failed to take steps” to protect their networks and knew about Microsoft’s patch, “then there could be liability,” he said. Companies may also face a litigation risk if they “promised customers that they provided industry standard security,” but failed to prevent the ransomware attack, he said.

The cost of the ransomware attack is still unknown, Lloyd’s of London CEO Inga Beale said in a May 15 statement. But it is a “wake-up call for everyone,” and staying ahead of the curve “is one of the biggest challenges when it comes to cyber risk,” she said. Even without knowing the ultimate cost of WannaCry, the tab for cyberattacks to the global economy may reach $1 trillion annually, according to Bloomberg Intelligence.

Standard of Care

Marcy Wilder, a privacy and cybersecurity partner at Hogan Lovells (U.S.) LLP in Washington, told Bloomberg BNA May 15 that the likelihood of regulatory enforcement actions depends on the sector. Health-care institutions should be mindful that the Department of Health and Human Services Office for Civil Rights (OCR) has taken the position that a ransomware attack may be considered a data breach in certain situations, Wilder said.

In a July 2016 guidance, OCR said that most ransomware attacks on hospitals are data breaches that may trigger investigations and reporting requirements. However, under the guidance, health-care providers wouldn’t have to report ransomware attacks if the health data were encrypted by the owner and unreadable to the intruder.

Elliot R. Golding, a data privacy and cybersecurity partner at Squire Patton Boggs (U.S.) LLP in Washington, told Bloomberg BNA May 15 that although there is no such thing as 100 percent security, companies should look to see if they have taken steps to implement “reasonable security.” For many regulators, including the Federal Trade Commission, “security reasonableness is fact-dependent,” Golding said.

Companies under the FTC’s jurisdiction—from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as LabMD Inc.—have struggled with what level of data security they must provide to convince the nation’s main data security and privacy enforcement agency that their efforts to protect personal data are reasonable. The FTC tells companies that the data security standard can be parsed by looking at the lessons learned from numerous FTC consent decrees with alleged Section 5 violators, as well as agency guidance.

According to Wilder, OCR is probably most likely to launch regulatory enforcement actions as a result of WannaCry, and it is also possible that state attorneys general will investigate. The FTC could launch enforcement actions, but it’s not as likely, Wilder said.

Lisa M. Ropple, a cybersecurity partner at Jones Day in Boston, told Bloomberg BNA May 15 that, although she can’t speak for what regulators may do, it is “neither fair nor sensible to try to hold accountable the victim of a ransomware attack.” Ropple added that “regulators shouldn’t look to victim companies, who were not responsible for creating the software or the ransomware, to remedy the problem.”

When reached for comment, the FTC referred Bloomberg BNA to a blog post on WannaCry.

Litigation Risk?

Many major cyberattacks lead to consumer class actions stemming from the security incident. Yahoo! Inc., Target Corp. and the Home Depot Corp., among other companies, have faced such litigation. Dore said that many of the suits are brought under consumer protection statutes or theories of negligence or breach of contract.

Scott L. Vernick, head of the data security and privacy practice at Fox Rothschild LLP in Philadelphia, told Bloomberg BNA that he doesn’t expect similar activity to arise out of the WannaCry ransomware attack. “At the moment there won’t be consumer class actions,” but this could change depending on the specific facts of any future class suit, he said.

Steve M. Puiszis, litigation partner at Hinshaw & Culbertson LLP in Chicago, agreed that there isn’t “much liability to companies” in this instance. Companies won’t likely face consumer class actions because personally identifiable information, or other consumer data, “wasn’t stolen or put on the deep web” to be sold. Puiszis wasn’t directing his comments toward any specific company.

Vernick said that companies may run into regulatory risks stemming from the ransomware attack if they “haven’t been following best practices and haven’t been up front about it.” In this instance, best practices would have been to “patch, patch, patch” because “most regulators would say that routine patching needs to be done and would consider it the standard of care,” he said.

Companies need to have “strong and workable backups,” Vernick said. It is not just a matter of backing up the data, but rather about readily being able to access the information, he said.

EU Technical Measures

European companies infected with WannaCry are at risk of lawsuits and regulatory enforcement action if they haven’t adopted appropriate technical and organizational measures, privacy professionals told Bloomberg BNA.

Organizations that don’t implement such measures and are subject to a ransomware attack could be seen as breaching a legal obligation, and be open to lawsuits from affected individuals seeking compensation, Eduardo Ustaran, privacy and cybersecurity partner at Hogan Lovells LLP in London, told Bloomberg BNA May 15.

Rafi Azim-Khan, a data privacy partner at Pillsbury, Winthrop, Shaw & Pittman LLP in London, said companies that have failed to put security measures in place could face “liability and exposure to enforcement action for those businesses affected by this ransomware attack.”

In the U.K., where many National Health Service (NHS) hospitals were hit by the ransomware, the country’s privacy regulator, the Information Commissioner’s Office (ICO), could bring enforcement actions, attorneys told Bloomberg BNA.

The largest fine the ICO has ever issued resulted from an organization that was hacked after failing to update its software, Ustaran said.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com; George R. Lynch in Washington at glynch@bna.com; and Daniel R. Stoller in Washington at dStoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
