Legal aspects of fighting cybercrime appearing in the form of ransomware and data hacks
While business email compromise frauds might be on the decline, businesses are increasingly impacted by ransomware and data hacks. Just in the past few months, the press have reported on a number of large-scale ransomware attacks targeting both private and public entities. The impact of the attacks is always huge: disrupted operations, leaks of trade secrets and personal data, losses to reputation.
It should be highlighted the reported cases are only the tip of the iceberg. Most cyber incidents go unreported.
In our practice may observe an increase in businesses falling victim to this type of cybercrime. The cyber gangs behind these attacks are no longer merely focusing on blocking access to IT networks. Before executing malware blocking access to IT systems, criminals infiltrate the IT systems to conduct due diligence on the financial standing of the victim and extract valuable data. This gives the criminals additional leverage when they demand ransom. The ransom is supposed to be paid not only for unlocking the IT systems, but also for not disclosing confidential data.
The decision whether to negotiate with the criminals and pay the ransom is always difficult. On the individual level, payment of the ransom might be the quickest solution to restore operations and avoid legal liability and embarrassment. But on a larger scale, this only fuels the cyber criminals. Ransomware attacks are proliferating at great speed. Ransomware is offered by skilled hackers as a service to those without technical skills, in exchange for a share in the ransom payment. Cyber gangs are also targeting IT supply chains, with the view to increase the impact of their attacks. Thanks to this tactic, a single attack can impact thousands of businesses. This is what happened in the recent attack on Kaseya, an American company that makes software for managing IT systems and infrastructure.
What can businesses do to become more resistant to this type of cyber threat? Every business must be aware that it can be affected by a ransomware attack, and needs to adopt prevention and response plans.
In terms of IT supply chains, businesses should make sure they cooperate with credible partners that take adequate cybersecurity measures. They should also ensure that contractual risk is properly regulated and hedged. In this context, businesses should be aware that the internet ecosystem is highly centralised these days, and reliance on just one supplier might result in greater damage. Businesses should thus consider contracting alternative backup suppliers in case of an emergency. Every business should also examine its IT networks. Are they properly secured against unauthorised access and activity? A study by Microsoft found that more than 99% of all cyberattacks could have been prevented if multi-factor authentication were deployed.
A ransomware incident usually triggers a lot of different considerations, i.e. the need to ensure that hackers no longer have access to the IT network, that operations can be quickly restored, that digital tracks are preserved, and that legal reporting obligations are discharged. In case data are leaked, it may be needed to adopt a strategy for taking down the hacked data from the web. Hackers usually deploy sophisticated techniques to sell or disseminate hacked data. It is possible to pursue criminal or civil actions aimed at taking down hacked content. In this regard there is also a possibility to target webhosting providers or cloud computing providers, or consider obtaining a web-blocking injunction. The law provides a range of different causes of action for redressing the impact of data hacks, but the practical reality is that it is difficult to take down mushrooming content harming your organisation and your employees.
Our advice to clients, and their conduct in such circumstances, may cover three issues: identifying the culprits, taking down the leaked data, and sometimes litigation involving those harmed by the leak—partners, employees etc. Each of those usually requires initiating legal procedures against foreigners and international entities in various jurisdictions, which seems to be a condition for mitigating the damage. The simplest measure for taking down disclosed data is submitting a formal report of abuse with a request to terminate the affected services. However, without court orders or other forms of state coercion, it is always difficult to achieve this. It is also crucial to inform law enforcement and data protection authorities.
For these reasons, the client may need to take action in different jurisdictions discharging its reporting obligations and taking actions aimed at taking down hacked data which might be proliferating in different places in the Internet.
Łukasz Lasek, adwokat, Disute Resolution & Arbitration practice, Wardyński & Partners
The content of this article is a part of Episode 7 of the programme News from Poland – Business & Law. You can watch the episode here >>>