Has Your Business Suffered a Ransomware Attack? You May Have Legal Obligations.

Ransomware attacks used to be limited to movie studios, governments, or grandparents on their “Win95” computer clicking any link that looked like it came from a million-dollar giveaway clearing house.

Not anymore. Data breaches and ransomware attacks are hitting our largest corporations and our smallest businesses. Even companies with well-staffed IT departments and the financial resources to maintain secure IT systems are getting hit with ransomware attacks. A ransomware attack can happen at any time, to any business with a computer and an internet connection.

In recent years, ransomware attacks on small and medium-sized businesses have increased at an alarming rate. Media reports indicate that the rate of ransomware attacks across the globe in 2021 has doubled over the same period in 2020.

In 2018, the National Association of Insurance Commissioners reported that 70 percent of ransomware attacks were targeted toward small businesses.

Small businesses are easy targets because they often have less to spend on strong, reputable IT security, web service providers, and equipment. Hackers and thieves know how easy it is to trick an employee of any business whose IT infrastructure lacks top-shelf security, often through an email phishing scheme. The hackers then gain access and take over a business’ website, servers, databases, and information technology systems.

Hackers don’t just attack a business directly; they attack your web and IT service providers. As we saw in early July 2021, ransomware attacks originating with web, cloud and internet-based vendors and service providers are affecting our businesses and customers.

The costs of ransomware attacks go far beyond the actual ransom demanded. A hacked business suffers the loss of important business records and data; compromised IT systems; costs of reconstruction or restoration of data and systems, lost work hours and production, investigations, identification of affected parties; and the public relations quagmire of managing a data breach while re-establishing trust of customers, employees and business partners.

Importantly, a ransomware attack is a data breach that exposes a business to legal obligations and potential liabilities.

A business that suffers a ransomware attack may have legal obligations to its customers, employees, website users and visitors, vendors, service providers, any party whose data was collected, held, or maintained in your business’ IT systems, or by your web service providers.

WHAT SHOULD YOU DO IF YOUR BUSINESS IS THE VICTIM OF A RANSOMWARE ATTACK/DATA BREACH?

If your business is a victim of a ransomware attack, you may not know where to begin. You’ll have your hands full trying to secure your IT system and locate and restore backup databases, email accounts, user accounts, and financial and other confidential or sensitive data. Even the task of changing user account passwords will be a time-consuming and frustrating battle without access to your data, website or IT system.

One of your very first steps should be to contact your property insurer, who may cover some aspects of property loss, possibly the loss of data or use of affected computer and server hardware.

If you don’t have a property insurance policy, business loss policy, or a cyber security policy, you may find yourself without much assistance. Even with insurance, it is highly likely that a hacked business will suffer a period in which it is unable to operate. If you have a business with significant IT or web-based operations, you may lose everything or be worried that you are about to lose everything.

Be aware that paying a ransom is no guarantee you will recover your data. As we head into the second half of 2021, there is increased reporting of hacked businesses paying the ransom, only to be extorted again, pay again and still not recover their data. Further, those businesses who “recover” their data often can’t confirm that it hasn’t been leaked to the dark web, that it hasn’t in some way been altered or compromised, or that their system isn’t still vulnerable to ransomware attacks.

On top of all of this, you have a legal obligation to notify any California resident whose personal information has been accessed or compromised in your ransomware attack/data breach, even if you don’t have a physical presence in California.

LEGAL CONSIDERATIONS IF YOUR BUSINESS SUFFERS A RANSOMWARE ATTACK OR A DATA BREACH

From the legal perspective, almost all businesses that suffer a data breach, ransomware attack or any unauthorized access of stored digital data have obligations to their customers and clients, employees and vendors: anyone whose personal information may have been obtained, collected, or stored by the business. California has strong notification laws that protect its residents.

As of January 1, 2021, California Civil Code §1798.82 (the “California Data Breach Notification Law”) requires a business to notify any California resident whose personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person.

Under California’s Data Breach Notification Law, any business that suffers a data breach has notice and reporting obligations to California residents (individuals, customers, employees, vendors, even companies) whose confidential, sensitive or personal information was breached/stolen.

In many instances, notice and reporting to the Attorney General may also be required.


DO YOU, OR YOUR SERVICE PROVIDERS ON YOUR BEHALF, COLLECT OR HOLD “PERSONAL INFORMATION” OF CALIFORNIA RESIDENTS?

Under the California Data Breach Notification Law, Personal Information includes:

  1. The name of an individual, customer, client, employee or vendor (including businesses and companies) in combination with information fitting into one or more of eight (8) specific categories of data, when either the name or the data are not encrypted.
  2. A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Once you establish that the Personal Information of California residents may have been accessed in your data breach, the manner in which your business (or your vendor) stores that information matters.

Notice is required:

In most cases of ransomware or data breach, it will be reasonable to believe that Personal Information collected or stored by your business, for your business if you use a service provider, or provided to your business (including through your website, by email, or otherwise through your IT network/system) has been acquired in the data breach/ransomware attack. If you do business in California, or have website visitors or account users from California, it is likely that you will need to prepare and deliver at least one kind of statutorily required Notice of Data Breach.

Businesses, located anywhere, that obtain, collect, store or maintain Personal Information of a California resident must notify the California resident of any data security breach if the California resident’s Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person.

If you cannot disprove hackers acquired California resident Personal Information from your system, a prudent business owner will err on the side of caution and comply with the law’s notification requirements rather than risk potential liability.

Note, there are exceptions. Certain businesses meet an exception under California’s Data Breach Notification Law, including businesses which have more stringent notification obligations related to personal information under other state and federal laws, such as health care businesses, businesses governed by HIPAA, and financial businesses subject to the California Financial Information Privacy Act. Because these kinds of businesses already have more stringent notice requirements under other law, their notice obligations are governed by such laws.

Assuming you have an obligation to provide notice of the data breach, under the California Data Breach Notification Law, the contents of your Notice must meet specific statutory requirements, which may vary, depending on the type of Personal Information breached.

CALIFORNIA LAW DATA BREACH NOTICE REQUIREMENTS

Under the California Data Breach Notification Law, a valid data breach notification must be written in plain language, in a font size of 10pt or greater. It must be titled “Notice of Data Breach” and include specific information, as detailed in the statute. If you have customers, partners, vendors, or an online presence in other states, there may be additional state and federal obligations for your notices.

The method of delivery also depends on the kind of breach. For example, if online customer/user account credentials, including any email address, are compromised, the California Data Breach Notification Law prohibits the delivery of your notice to the email address connected to the compromised user account.

Under the California Data Breach Notification Law, any person or business that is required to issue a Notice of Data Breach to more than 500 California residents must electronically submit a sample copy of that notification to the Attorney General. Additionally, there may be circumstances when a Substitute Notice may be the appropriate means of notice. Contact Furton Legal to learn more.

If your business is a victim of data breach, ransomware or cybercrime, Furton Legal can provide you with Notices of Data Breach legally required to be delivered to California residents who are website users, account holders, customers, employees and vendors.

If only your website has been hacked, and only website user accounts breached (California resident usernames, email addresses, account, passwords, security questions and answers, and no other Personal Information), your business can purchase a form “Notice of Data Breach-Website User Accounts” from The Document Lawyer.

WHAT ELSE CAN YOU DO?

There are some important things you can do to reduce your risk of a ransomware attack. Consider the following important preventative measures:

  1. Update and increase the security of your information technology infrastructure. Keep your IT equipment and server systems up-to-date and work with a reputable IT professional. Update computer operating systems. Consider updating your business continuity plan and seek advice regarding best computer practices and policies for your business.
  2. Train your employees in computer/cyber security. This is a MUST! Many ransomware attacks begin with an unknowing employee accidentally clicking a nefarious link. There are many companies which can provide your employees with web safety training, most have online training seminars. Along with a training program in cyber-safety best practices, a strong information technology policy is critical for any business.
  3. Negotiate a strong service agreement with your IT vendors, one that might include indemnification for loss or attacks that are caused by their services or equipment under their service. Although many businesses still prioritize IT services as economically as possible, in this day and age the security of your IT system is as important as securing your physical business location. When your data is hacked you need an IT vendor who can and will drop everything to help you restore your data and systems.
  4. Add cyber-extortion coverage to your insurance policies. Today’s cyber security insurance policies, including cyber-extortion coverage for ransomware, are as important as your CGL “slip and fall” coverage. Good cyber-extortion coverage may not restore your stolen data, but it may cover business interruption costs, ransom payments, the cost of hiring experts to negotiate with hackers, computer forensics experts, restoration of lost data or equipment replacement, and some even provide attorneys who can guide you in the steps to reduce risk of legal liability to your customers, employees and vendors.

If you need legal assistance with your business continuity plan, IT policy, negotiating your IT service agreements or reviewing your existing insurance coverage, contact Furton Legal for help.
