According to Statista, 2020 saw 304 million ransomware attacks worldwide, a 62 percent increase from the previous year. IT service providers, their customers and other companies have fallen victim to malware, often hidden as an attachment in a cleverly designed misleading email, that restricts or prevents access to data and systems. A ransom is then demanded to decrypt or release the data and systems—which is why such malware is called ransomware. Unfortunately, only half of those who pay the ransom ever get their data back, according to Heimdal Security. Moreover, ransomware is now available as an open source program and also as “ransomware as a service,” a subscription-based model that opens the door to criminals with little or no coding experience. Payment is then made through cryptocurrency, which makes the traceability of payment flows even more difficult. As a result, prosecution of ransomware attacks often looks unpromising, so businesses should focus on preventive measures and have a plan to limit damage in the event of an attack.
Recent examples of ransomware attacks
Ransomware attacks are generally carried out against companies, governments and public institutions, but private individuals can also become victims. Since the May 2021 ransomware attack on the American Colonial Pipeline (the largest oil pipeline in the United States), ransomware has been the hot topic of the summer. The attack resulted in a complete shutdown of the pipeline for almost a week, causing fuel-supply bottlenecks across the Southeastern and Eastern United States.
In early July, the hacker group REvil carried out a ransomware attack on a number of managed service providers (MSPs) by exploiting a vulnerability in their software, which was developed by IT services provider Kaseya. The attack affected not only the MSPs, but also as many as 1,500 of their clients worldwide, some of which are globally operating IT companies. To respond to the situation, Kaseya temporarily stopped its cloud service, warned clients, and eventually provided a fix.
At the beginning of July 2021, a hacker attack in Anhalt-Bitterfeld (Germany) led to parts of the district administration being paralyzed. Here, too, an extortion attempt was made. The incident led to the first declared cyber disaster in Germany.
Five steps to prevent a ransomware attack and minimize damage if it happens
Due to the considerable business loss and liability risks, preventive measures against ransomware attacks are essential, in particular, technical and organizational cyber security measures. However, the choice and implementation of these security measures (especially in cyber security policies and procedures) must be based, among other things, on legal requirements and obligations.
In addition, companies should also approach this topic from a company law perspective, in order to set up the compliance structure as well as the risk provisioning and risk management structure. Insufficient compliance structures in this respect can result in liability risks—especially on a management level.
Key preventive measures to consider from the legal perspective include:
1. Understand the cyber security regulatory requirements for “critical infrastructure” in your country and ensure that you comply.
Cyber security law is not centrally regulated. Rather, the requirements result from different sets of regulations.
For example, in Germany, the recently updated IT Security Act 2.0, supplemented by guidelines and specifications, provides the key requirements of the regulator. The law provides an initial indication of applicable preventive measures for critical infrastructure sectors determined in the Ordinance on the Designation of Critical Infrastructures. Previous critical infrastructure sectors included energy, information technology and telecommunications, transport and traffic, health, water, food, and finance and insurance. Now, new sectors include manufacturers of IT products used in critical infrastructure or so-called “companies in the special public interest.” The IT Security Act 2.0 adds new obligations to those already existing under the law. For example, operators of critical infrastructure are obliged to register the critical infrastructure with the German Federal Office for Information Security (BSI). In particular, obligations are imposed on operators of critical infrastructure in connection with the use of critical components. These include, for example, the obligation to obtain a declaration from the manufacturer of the critical components about its trustworthiness before using the critical component.
Furthermore, sector-specific regulations may apply, for example, in Germany, the Energy Industry Act, the Atomic Energy Act, the Telecommunications Act or the Second Payment Services Directive (PSD II).
A good starting point to understand cyber security laws in your country is to go through overviews and handouts provided by governmental agencies, for example, the BSI in Germany or the US National Institute of Standards and Technology (NIST).
Furthermore, questions of labor law arise. This concerns both the individual employment relationship and the requirements of company co-determination. In the employment relationship, for example, the employee’s obligations to act in order to comply with cyber security guidelines must be anchored to the employment contract. In Germany, the introduction of mandatory online training on cyber security guidelines or the use of technical defense measures also may raise questions of labor law. In particular, German labor law requires the employer to involve the works council (if any) in the process of implementing, e.g., mandatory online training on cyber security guidelines or the use of technical defense measures. This is called “co-determination of the works council.”
2. Review your compliance with applicable data protection laws.
The General Data Protection Regulation (GDPR) sets out a number of obligations, in particular:
- Appropriate technical and organizational measures must be taken as per Article 32 of the GDPR.
- Data protection must be ensured through technology design or through data protection-friendly default settings, as per Articles 24 and 25.
- A data protection impact assessment must be carried out, for example, when introducing new technologies, as per Article 35.
In addition, the ePrivacy Regulation, which is expected soon, is also likely to introduce further obligations here (e.g. anti-spam measures).
3. Check where you are in respect of outsourcing, cloud computing and big data.
When outsourcing certain IT services, generally, specific cyber security requirements apply (e.g. those stemming from IT security or data protection law). In addition, and in particular in the area of digital finance and insurance solutions, regulatory issues also arise, for example in the use of cloud solutions or big data. Banks and insurance companies are typically subject to specific regulatory requirements in this respect. For example, in Germany, the German Banking Act stipulates that financial institutions must comply with organizational and technical obligations and contingency plans when outsourcing IT services because cyber-attacks or IT system failures may result in a collapse of business activities. Also, specific requirements may apply in your country when using cloud computing services and big data.
4. Have clear instructions for the management of the company, legal and compliance, IT, PR and HR in the event of a ransomware attack.
It is essential that, as soon as the company becomes aware of a ransomware attack, a crisis management plan is rolled out within minutes, and all critical employees—senior management, legal and compliance, IT, PR and HR—know what to do.
From a legal perspective, when preparing this plan the following issues must be considered:
- The company should document the individual steps; this enables potential legal prosecution later on. There may be notification and/or reporting obligations. For example, under German law, these may be information obligations under applicable IT security or data protection laws.
- There may also be information obligations toward insurance companies and business partners, for example arising from contractual obligations.
- The responsible law enforcement authorities should be informed, according to the recommendation of the German BSI. In some cases, this is not done because prosecution in the case of ransomware attacks often looks unpromising.
5. Model response scenarios for data recovery in advance and together with your legal team.
The choice of damage limitation measures in case of a ransomware attack – whether you decide to pay ransom, or recover the damaged data in another way – should be legally assessed in advance.
From various points of view, paying the ransom is not a positive option, although the affected company may see it as the best possible solution. In particular, if rebuilding the systems and restoring the data is impossible or disproportionately more expensive than paying the ransom, companies are inclined to comply with the ransom demand.
However, the fact that the ransom payment is no guarantee for a release of the encrypted data or locked systems speaks against this. As mentioned above, according to Heimdal Security, half of ransomware victims who pay the ransom never get their data back.
Another argument against paying the ransom is that it can be illegal or punishable in individual cases. For example, money laundering offences or embargoes must be avoided. Ransom payments may also be prohibited due to contractual obligations towards suppliers or customers. The company’s management should legally assess these aspects before making any ransom payment.