Is a ransomware attack a reportable data breach?

Ransomware involves the denial of access to a user’s data; often, a hacker encrypts an organization’s data with a key known only to the hacker, coupled with a demand for payment in exchange for the key needed to decrypt it. Ransomware can be deployed through phishing messages, spam, websites, email attachments or direct installation by a hacker. The attack may also destroy data or transfer it from the organization’s information systems to a remote location controlled by the hacker.

In the urgent response to avoid business interruptions upon a ransomware attack, the immediate reaction may be to pay the ransom, which is not recommended. An organization must implement a prompt and coordinated response to restore data through forensic remedial actions or backed-up information. It may be easy to overlook another vital consideration – whether the ransomware attack constitutes a reportable breach to regulators or individuals under applicable federal, state and international data-protection laws, as well as to partners or vendors under the terms of business contractual relationships where data is shared.

Under the Rhode Island Identity Theft Protection Act, a ransomware attack may not be actionable. The act defines a “breach of the security of the system” to mean “unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality or integrity of personal information maintained by the municipal agency, state agency or person.” Notification requirements are imposed when there has been a disclosure of any personal information or breach of the security of the system, which poses a significant risk of identity theft to any resident of R.I. whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity.


Upon a ransomware attack, the necessity and required scope of legal notifications require a careful organizational and forensic examination of whether the attacker was able to “access” or “acquire” the data, and whether the attack resulted in a “substantial risk of identity theft.” Companies should not jump to conclusions that the attacker’s motives and methods were purely designed to cripple a system in exchange for a ransom payment, when the attacker may have also covertly accessed or taken data. Regardless, the entity should consider erring on the side of caution and provide the legally required notices, empowering the affected person and the Attorney General’s Office to determine the risk of harm – not the breached organization. Further, the reporting of the ransomware incident to federal and state law enforcement is a highly recommended step.


The notification analysis may extend beyond the Rhode Island Identity Theft Protection Act, depending upon the residences of all persons who are the data subjects of the entity’s information and the type of data affected by the attack. Each of the 50 states has a data-protection law, with notice requirements varying significantly in scope, content and timing. Further, the laws are not static, as legislative efforts are ongoing across the country to strengthen the data-protection provisions, including efforts to legislate explicitly that a ransomware attack constitutes a “security breach” subject to notification requirements.

To protect against the threat of ransomware, precautionary measures must be continually reevaluated and updated, including updating software and operating systems with the latest patches, educating the workforce never to click on links or attachments in unsolicited emails, backing up data on a regular basis to separate devices stored offline, and following common-sense safe practices when browsing the internet.

Steven M. Richard is a trial and appellate lawyer at Nixon Peabody LLP in Providence.