Runaway Ransomware in 2018? Look for Enforcers to Take Notice

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Ransomware attacks on companies are on the rise, opening the door to federal and state enforcement actions based on regulators’ claims of inadequate corporate cybersecurity.

The attacks are launched by hackers who encrypt computer data and threaten not to release a decryption key unless ransom is paid, generally in the form of cryptocurrency, such as bitcoin.

“Regulators are going to heighten their ransomware focus in 2018 and hammer companies on data security and cybersecurity shortcomings,” Paul Ferrillo, cybersecurity and litigation counsel at Weil, Gotschal & Manges LLP in New York, told Bloomberg Law.

The Federal Trade Commission, the Securities and Exchange Commission, and the Department of Health and Human Services are likely to be the most active federal enforcers in 2018, as ransomware strikes cause more actual and reputational damage, cybersecurity attorneys said.

Attorneys general in California and New York, who have been active in data security enforcement and have strong data security guidelines in place, are likely to lead ransomware enforcement efforts by the states, cybersecurity attorneys predicted. To date, there have been no federal or state ransomware enforcement actions, Bloomberg Law data show.

“Ransomware has hit a critical mass from an aggregate global cyberthreat perspective across key critical infrastructures,” Peter Tran, general manager and senior director in the worldwide advanced cyber defense practice at RSA Security in Boston, told Bloomberg Law. The threat has reached the “top of mind” for regulators, and industry will “likely see increased policy, regulatory compliance and enforcement focus and pushes in 2018,” he said.

The attacks will increasingly focus on U.S. companies, according to the Sophos Lab 2018 threat report. Across the world, 17 percent of all ransomware attacks in 2017 hit the U.S., the report showed. U.S. companies, especially those in the healthcare, financial services, and government contracting industries, “will continue to be heavily targeted with ransomware,” according to the report.

System Lockdown

Ransomware attacks have been hitting more large companies than individuals, a trend that will likely expand in 2018, Dmitri Alperovitch, co-founder and chief technology officer at threat intelligence company CrowdStrike Inc. in Sunnyvale, Calif., said.

Hackers will continue to focus ransomware attacks on companies in 2018 because it is a great business model, U.S. Deputy Attorney General Rod J. Rosenstein said at a recent event. Ransomware payments are quickly approaching $1 billion annually, he said. These attacks are “more sophisticated and targeted attacks that focus on particular businesses or sectors,” he said.

One reason is that cybercriminals now sell their software as a service to hackers. Ransomware as a service allows less-sophisticated hackers to launch crippling strikes with a lower entry cost while the software developers reap the profits, according to the Sophos report.

Ransomware attacks show that hackers can “hold entire networks hostage while demanding millions of dollars in ransom from businesses who need to get their operations back up and running,” Alperovitch said.

The 2017 Not-Petya global ransomware attack cost FedEx Corp. $300 million, the U.S.-based shipping giant said in its first quarter fiscal year 2018 earnings report.Companies, especially critical infrastructure operators such as telecommunications stalwart AT&T Inc., gas conglomerate Exxon Mobil Corp., and health-care service provider Kaiser Permanente, stand to lose millions of dollars in revenue, including lost profits, business continuity costs, and ransomware payments. Companies can also face a drop in stock valuation from direct harm stemming from ransomware strikes. The reputations of businesses hit with ransomware attacks can also be damaged if federal or state authorities spotlight alleged lax data security practices, cybersecurity attorneys said.

Reputational damage can be disastrous for a company that is seen as indifferent to or failing to respond and protect consumers after a ransomware attack, attorneys said.

Federal Enforcers

An increasing number of federally regulated companies in the U.S. are being caught up in ransomware attacks, and regulators have put companies on notice that they will be pursuing enforcement actions in 2018, Joseph Moreno, cybersecurity partner at Cadwalader, Wickersham & Taft LLP in Washington told Bloomberg Law.

“Regulators will take a tough approach as they try to break the economic relationship between cybercriminals and businesses,” Mark Sangster, vice president at cybersecurity company eSentire Inc. in Kitchener, Ontario, told Bloomberg Law.

Although there has been little direct ransomware guidance from federal regulators, that doesn’t mean they aren’t watching how companies prepare for and respond to ransomware attacks, cybersecurity attorneys said. Federal regulators will rely on general data security standards and past enforcement actions as the basis for ransomware data security actions in 2018, the attorneys said.

Federal regulators have “given fair warning” to companies that lax data security leading to ransomware strikes can result in an enforcement action, Moreno, a former special assistant U.S. attorney and counsel in the Justice Department’s national security division, said.

For example, the SEC’s 2011 cybersecurity breach notification guidance, the lessons learned from dozens of FTC data security enforcement actions, as well as HHS’s 2017 ransomware fact sheet, could be the basis for regulatory investigations into whether companies adequately protected consumer data or properly reported ransomware attacks, Moreno said.

States on Alert

Like the feds, state regulators and attorneys general will likely use existing general data security standards, including data breach notification requirements, to investigate corporate security following a ransomware attack.

California’s standard for reasonable data security and the New York Department of Financial Services’ cybersecurity rules would come into play in 2018 ransomware enforcement, Norma Krayem, co-chair of the privacy team at Holland & Knight LLP in Washington, told Bloomberg Law.

Other states will be looking to the California and New York standards as a basis to create their own cybersecurity standards in 2018, she said. New York’s financial sector cybersecurity rules are “just the tip of the spear of what we may see in 2018,” she said.

The confluence of increasing ransomware threats and regulator interest in 2018 and beyond will make next year, at a minimum, a dangerous one for companies that don’t strive to maintain reasonable security.

“Ransomware attacks aren’t going away anytime soon,” Alperovitch said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security