National Ransomware Reporting Requirements
2022 Report on Technology Transactions and Data Privacy

Data breach notification laws in the United States have historically focused on notifying individuals, regulators, and others when personal information has been accessed or acquired. Ransomware attacks, while incredibly disruptive, don’t always involve accessing or acquiring data and, as such, aren’t always reported. As ransomware attacks increase in frequency and severity, law enforcement and industry regulators are seeking greater visibility into these incidents and, through new guidelines and amended notification laws, are starting to demand more reporting.

How does ransomware work?

Ransomware refers to a special type of malware that uses encryption to block access to content on an affected device until payment is made to the threat actor in exchange for a decryption key.

Encryption is a legitimate tool for data security. It works by turning plaintext into ciphertext using an algorithm that, in practice, can be reversed only with one specific secret value. Ciphertext can only be converted back to plaintext by using that value, referred to as the decryption key. When used responsibly, encryption is a great way to protect the privacy of data at rest and in transit.
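The following program illustrates the point above with Go’s standard-library AES-GCM: data sealed under one key is recovered only with that same key, and any other key (or any alteration of the ciphertext) is rejected. It is an added example for this article, not code from Polsinelli or the National Law Review, and the record it encrypts is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. A key that is lost is, for
// practical purposes, data that is lost: that is the property ransomware
// operators exploit and the reason offline backups matter.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Encrypt seals plaintext with AES-256-GCM. The result is nonce || ciphertext;
// GCM also authenticates the data, so tampering is detected on decryption.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It returns an error, not garbage, when the key is
// wrong or the ciphertext has been modified.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:aead.NonceSize()], ciphertext[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, nil)
}

// RoundTrip reports whether the plaintext comes back with the right key
// (expected: true) and whether it comes back with an unrelated key
// (expected: false).
func RoundTrip(plaintext []byte) (rightKeyOK bool, wrongKeyOK bool, err error) {
	key, err := NewKey()
	if err != nil {
		return false, false, err
	}
	ct, err := Encrypt(key, plaintext)
	if err != nil {
		return false, false, err
	}
	pt, err := Decrypt(key, ct)
	rightKeyOK = err == nil && bytes.Equal(pt, plaintext)

	other, err := NewKey()
	if err != nil {
		return false, false, err
	}
	_, err = Decrypt(other, ct)
	wrongKeyOK = err == nil
	return rightKeyOK, wrongKeyOK, nil
}

func main() {
	// Constructed sample record; not real data.
	ok, wrong, err := RoundTrip([]byte("patient=J. Doe; dob=1970-01-01"))
	fmt.Println("right key recovers data:", ok, "| wrong key recovers data:", wrong, "| err:", err)
}
```

Run it with `go run main.go`; it prints `true` for the correct key and `false` for the wrong one. The same property that makes encryption a good control for data at rest is what makes a ransomware victim without backups dependent on the attacker’s key.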

Often, ransomware is not very complex malware; in some cases, a ransomware attack can even be carried out by abusing built-in encryption utilities such as BitLocker. Because ransomware frequently relies on simple and otherwise legitimate encryption software, it is extremely difficult to detect until it’s too late. Additionally, threat actors are constantly exploring new attack vectors, making complete protection impossible.

State Breach Notification Laws

By default, all entities domiciled in the United States are subject to U.S. privacy laws. California passed the first data breach notification law in 2003, and since then every US state has adopted its own breach notification law. Further, the applicability of each state’s privacy law is not based on the domicile of the entity, but rather on the domicile of the data subject. Thus, an entity domiciled in California but holding data about individuals anywhere in the United States will generally be subject to the privacy law of each state where a data subject is domiciled.

Although the trigger for notification varies from state to state, all state data breach notification laws require that affected individuals be notified in a manner consistent with the state’s notification rules. In addition to notice to affected individuals, many states also require notice to state attorneys general, consumer credit reporting agencies (for example, Experian, TransUnion, and Equifax), and law enforcement.

The mere fact that a ransomware incident has occurred does not necessarily trigger a notification obligation under state breach notification laws. Most states require either actual access to personal information or the exfiltration of such information; encryption of data by itself will generally not trigger a notification obligation.

Industry-specific privacy regulations

Privacy regulation in the United States follows a sectoral model; simply put, different rules may apply depending on the industry in which the affected entity operates. Industry regulations exist at the state and federal levels as well as in self-regulated industries.

Common examples of federal industry-specific privacy regulations include the Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers, the Gramm-Leach-Bliley Act (GLBA) for financial institutions, and the Family Educational Rights and Privacy Act of 1974 (FERPA) for educational institutions.

At the state level, some industries are subject to additional regulations; for example, many state insurance departments (DOIs) require notification to the DOI in the event of a service disruption involving entities regulated by the DOI. These regulations are particularly stringent, in some cases requiring notice within forty-eight hours of initial discovery of a security incident.

Finally, many industries require compliance with certain privacy frameworks that have not been enacted by law. For example, most companies that accept payment cards (e.g. Visa or Mastercard) are required to comply to some degree with the Payment Card Industry Data Security Standard (PCI-DSS), a set of security standards developed by major payment card processors. Similarly, entities that contract or subcontract with the federal government may be required to comply with cybersecurity standards promulgated by the National Institute of Standards and Technology (NIST).

Trends in ransomware reporting requirements

Based on the trends seen in 2021, we can make some predictions about the future of ransomware breach reporting requirements. First, we expect the timelines for reporting data breaches to continue to shorten. For example, the FDIC, Federal Reserve, and Treasury Department issued a rule in November, with compliance effective May 1, 2022, that requires banks and their service providers to notify their primary federal regulator within thirty-six hours of a computer security incident reasonably likely to disrupt bank operations. Notably, this rule is not conditioned on data having been accessed or acquired, which means that entities may need to promptly notify their regulators of ransomware events even if there has been no such access or acquisition.

Second, many breach notification frameworks key notification to the discovery of a breach; in other words, the notification clock does not start until the entity knows, or reasonably should know, that personal information has been accessed. However, some regulators are beginning to key notification to the discovery of an incident instead.

Although the distinction is narrow, the implications are important. In the case of ransomware incidents, businesses can be taken offline for weeks and, in many incidents, cannot restore access to sensitive information during that time. Even once access to data is restored, it can take weeks to determine the nature and extent of the incident and to determine whose sensitive personal information, if anyone’s, was exposed. In many cases, ransomware victims are forced to choose between reporting on a speculative basis for lack of information and risking a regulatory sanction or private action for failing to report in a timely manner.

Despite the challenges associated with quickly notifying the appropriate individuals and regulators, we continue to see “point of incident” notification triggers gaining popularity. For example, in 2017, the National Association of Insurance Commissioners (NAIC) issued a model rule requiring notification to the state insurance commissioner within 72 hours of discovery of a cybersecurity event, which includes disruption or misuse of an information system. Since its release in 2017, the NAIC Model Rule has been adopted in about 10 states; however, we expect additional states to adopt the rule, in part or in full, in 2022.

Finally, we expect to see additional requirements around ransom payments soon. Historically, from a legal standpoint, the only substantial obstacle to paying a ransom has been the OFAC sanctions list. Although paying a threat actor is never desirable, paying a ransom for immediate decryption may be necessary in certain circumstances, such as when there is a risk of bodily harm, as in the case of a health care provider. Entities are generally free to pay a ransom as long as the threat actor has not been specifically designated by OFAC.

However, as ransomware has entered the public discourse, more attention is being paid to the consequences of ransomware incidents. The Biden administration recently expanded its use of sanctions to target cryptocurrency exchanges that process payments to threat actors. Law enforcement agencies routinely seek information regarding ransomware negotiations and payouts in their post-mortem investigations of ransomware incidents, and the Treasury Department has said it will consider whether an organization notified and cooperated with law enforcement when deciding what action to take against entities that inadvertently make a payment to an individual or entity on the OFAC list.

In light of the growing threat of ransomware, we anticipate that we will see additional and more formal reporting requirements regarding ransomware events and ransom payments. Presumably, this data would aid law enforcement in their efforts to apprehend threat actors and perhaps recover ill-gotten funds.

Recommendations for companies

The best way for a business to protect itself against ransomware is to create a strong culture around cybersecurity. Security is a continuous exercise; while no system is impregnable, the vast majority of ransomware incidents we observe exploit a combination of the same five weaknesses, such as exposed Remote Desktop Protocol (RDP) ports, unpatched or outdated software, and “layer 8” (human) failures. Security controls should be constantly evaluated for vulnerabilities, misconfigurations, and proper functioning.

Second, many companies don’t realize the sprawling nature of the data under their control until an incident occurs. Sensitive information should be segmented appropriately and, if possible, encrypted both in transit and at rest. Developing a detailed data map, covering both internally held and vendor-held data, is an essential step in ensuring a rapid response to a ransomware incident.

Finally, a solid incident response plan is essential and, in many cases, required. The incident response plan should include, at a minimum, backup validation procedures, key incident response contacts, and forensic artifact preservation procedures. As breach notification rules become more stringent, an incident response plan is invaluable in ensuring compliant response and recovery.
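As an illustration of the backup validation step recommended above, the following Go program records a SHA-256 manifest of a backup set and later re-checks the set against it, reporting files that are missing, altered, or unexpected. It is an added example for this article, not code from Polsinelli or the National Law Review; the backup files it creates in a temporary directory are a constructed sample, and the kinds of damage it simulates (one file overwritten, one deleted) are chosen for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// hashFile returns the hex-encoded SHA-256 digest of a file's contents.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// BuildManifest walks root and records the digest of every regular file,
// keyed by its slash-separated path relative to root. Capture this when the
// backup is taken and store it where the backup media cannot overwrite it.
func BuildManifest(root string) (map[string]string, error) {
	manifest := map[string]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum, err := hashFile(path)
		if err != nil {
			return err
		}
		manifest[filepath.ToSlash(rel)] = sum
		return nil
	})
	return manifest, err
}

// VerifyBackup re-hashes the backup set and returns a sorted list of
// discrepancies. An empty list means the set matches the manifest.
func VerifyBackup(root string, manifest map[string]string) ([]string, error) {
	current, err := BuildManifest(root)
	if err != nil {
		return nil, err
	}
	var problems []string
	for rel, want := range manifest {
		got, ok := current[rel]
		switch {
		case !ok:
			problems = append(problems, "missing: "+rel)
		case got != want:
			problems = append(problems, "modified: "+rel)
		}
	}
	for rel := range current {
		if _, ok := manifest[rel]; !ok {
			problems = append(problems, "unexpected: "+rel)
		}
	}
	sort.Strings(problems)
	return problems, nil
}

// Demo writes a constructed backup set, verifies it once untouched, then
// simulates damage (one file overwritten, one deleted) and verifies again.
func Demo() (clean, damaged []string, err error) {
	root, err := os.MkdirTemp("", "backup-check")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(root)
	files := map[string]string{ // constructed sample contents
		"db/customers.sql": "-- constructed sample dump\n",
		"config/app.yaml":  "listen: 127.0.0.1:8080\n",
		"docs/readme.txt":  "constructed backup set\n",
	}
	for rel, body := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return nil, nil, err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return nil, nil, err
		}
	}
	manifest, err := BuildManifest(root)
	if err != nil {
		return nil, nil, err
	}
	if clean, err = VerifyBackup(root, manifest); err != nil {
		return nil, nil, err
	}
	if err := os.WriteFile(filepath.Join(root, "db", "customers.sql"), []byte("garbage"), 0o644); err != nil {
		return nil, nil, err
	}
	if err := os.Remove(filepath.Join(root, "docs", "readme.txt")); err != nil {
		return nil, nil, err
	}
	damaged, err = VerifyBackup(root, manifest)
	return clean, damaged, err
}

func main() {
	clean, damaged, err := Demo()
	fmt.Println("untouched:", clean, "| after damage:", damaged, "| err:", err)
}
```

The untouched set verifies with no findings; after the simulated damage the check reports `missing: docs/readme.txt` and `modified: db/customers.sql`. Running a check like this on a schedule, against a manifest kept off the backup media, is what turns “we have backups” into a validated recovery capability.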

© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume XII, Number 40