By Jennifer C. Archie, Serrin Turner and Marissa Boynton

Ransomware is one of the most prevalent cybersecurity threats afflicting businesses today. When an attack hits, a victim company must confront the difficult question whether to pay the ransom demanded in order to regain access to the company’s files and restore business operations. But there is an additional question the company may face: does the incident need to be disclosed? The answer may not be straightforward. When sensitive data has been encrypted by ransomware, has it been “accessed” or “acquired” by an unauthorized actor as those terms are used in relevant breach notification statutes? What risks are there that the attacker will use the information in a way that harms the individuals whose data is affected? Our Client Alert discusses these questions as well as other legal and technical issues a company should consider in addressing notification in the wake of a ransomware attack.

What Is Ransomware?

Ransomware is a type of malicious software designed to block access to a computer system — typically by encrypting the data on it — until a sum of money is paid to the attacker. Because ransomware allows hackers to easily monetize their attacks, it has quickly become the malware of choice for many cybercriminals. According to the FBI, ransomware attacks tripled in 2016, with an average of 4,000 attacks occurring per day.1 The attacks are generally cheap to execute and highly lucrative: ransomware payments are estimated to generate more than US$1 billion in annual revenue for the online underworld.

There are hundreds of known ransomware variants in circulation today, many of which can be purchased online in the form of exploit kits or crimeware-as-a-service packages, available on hacker forums or other websites that cater to cybercriminals. Attackers frequently infect their victims through phishing emails or other social engineering techniques. Following the infection, the victim is presented with a screen indicating that the data on the infected system has been encrypted and that, in order to obtain the decryption key, a ransom must be paid — in the form of Bitcoins or other anonymous cryptocurrency — within a certain time period. Otherwise, the decryption key will be destroyed and the files will be rendered permanently inaccessible.

Read the full Client Alert.