ransomwareWhat To Do If A Ransomware Incident Means Your Business Cannot Avoid Paying Ransom: OFAC Weighs In

What To Do If A Ransomware Incident Means Your Business Cannot Avoid Paying Ransom: OFAC Weighs In

While ransomware was already a growing global issue before the pandemic, COVID-19 has thrown jet-fuel on that fire.  As a result, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory statement on October 1, 2020.  The advisory specifically details the risk of sanctions related to paying a ransom and reflects the greater reality that as new wrinkles in attacks become common, including exfiltration of data for later extortion or deletion back up files, more businesses than ever are considering ransom payment.  OFAC wants your business to remember that paying ransom to certain groups is a sanctionable event.  

Beckage is very familiar with many ways to avoid paying ransom, but we remain informed of all the regulations and advisory guidance related to ransom payment.

A high-level review of a ransomware event can provide perspective on what role OFAC and its advisory mean to your business:

The Incident

Ransomware is a type of malicious software that infiltrates computer networks, locking and blocking access unless a ransom is paid.  When your business encounters ransomware, your Incident Response Plan (IRP) should direct leadership to immediately initiate contact with previously identified parties whose work is focused on just this sort of matter, including counsel such as Beckage, and your cybersecurity insurance carrier.

Common Questions

In the first minutes and hours after ransomware is detected, we hear common questions, such as: Is paying ransom a viable path forward?  Is it allowed?  And if there are no other options for remediation and restoring from backups, how is it done?

The Response to Ransom Demands

Depending on the situation, ransoms are sometimes paid.  This is not a default position, but can be the necessary and most logical step in response to a ransomware incident.  Your business does not suddenly have to figure out how to pay an unknown party the ransom; your tech lawyers will be familiar with third parties that specialize in incident response, including investigating the background of the threat actor and exploring payment.  Such a third-party will take steps to secure cryptocurrency, such as Bitcoin, for paying a ransom, work with counsel to understand how anti-money laundering laws apply to a transaction, and gauge whether the actor behind the ransomware is a sanctioned group or tied to a sanctioned group. 

OFAC’s Impact

The OFAC advisory reminds us that the U.S. Government does not qualify ransom payment as illegal, but ransom payments are not favored resolutions.  The advisory serves as a reminder of existing practices and policies:

  • Fines can follow any violation of the International Emergency Economic Powers Act (IEEPA), Trading with the Enemy Act (TWEA), Specially Designated Nationals and Blocked Persons List (SDN List) or embargoes with jurisdictions such as Iran, North Korea, and Syria. Your counsel, insurers and third parties involved in ransom. payment should all be familiar with the requirements therein.
  • Businesses are encouraged to implement and maintain a compliance program to avoid sanction-related violations, which can help mitigate civil monetary penalties in the event of a sanctions-related violation.
  • Businesses should routinely review with their insurers and brokers if and how the ransom payment process is impacted by this and any future advisory.
  • Sharing ransomware incident information with relevant government agencies, including OFAC and the FBI, is highly encouraged but not required.  Cooperation is critical to not only threat actor identification efforts, but, like a formal compliance program, can mitigate penalty in the event of an enforcement action for a sanctions-related violation.

The Result

OFAC’s advisory continues an established narrative of best practices for any company affected by ransomware, and those are the practices of our firm.  If your company finds itself under attack, look to experienced incident response lawyers, like Beckage, to help.  As noted in the advisory, “there was a 37 percent annual increase in reported ransomware cases [from 2018 to 2019] and a 147 percent annual increase in associated losses from 2018 to 2019,” and these numbers are expected to continue to rise.  By looking to experienced tech lawyers in incident response, you help your business mitigate risks associated with ransomware, including business interruption, reputational harm, and non-compliance with government standards for ransom payment.

Have your technology and incident response lawyers help establish, formalize, and update your corporate Information Security Practices and Incident Response Plan, to address legal requirements and changes in the law and to help your business avoid ransomware, or at least be fully prepared to respond to an incident.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

Data BreachBreach Response Checklist

Breach Response Checklist

Having handled numerous headline-making data breaches, we are often asked what are some of the key considerations in incident response.  Below are a few key considerations, but each incident should be evaluated on a case-by-case basis with experienced legal counsel with technology backgrounds.

First Engage Your In-House and Outside Counsel

Legal counsel plays an important role in any data incident, including maintaining the confidentiality of the investigation, protecting applicable internal communication under the attorney-client privilege and work product protections, and anticipating litigation and other legal risks. Counsel will assist in identifying your legal obligations following a data incident, including any customer notification requirements or reporting to government and other authorities. Time is of the essence in any incident response so it’s important to act quickly and engage legal counsel as soon as becoming aware of an incident.

Notify Insurance Broker/Cyber Insurance Carrier

Legal counsel can assist in reviewing insurance policies, determining when notification is needed to preserve coverage rights, and making reports to carriers as appropriate. Insurance will have their own questions and requirements and it is important to provide accurate and timely information as necessary.

Execute Your Data Incident Response Plan

Every organization should have an incident response plan, and test that plan regularly.  Assemble your pre-identified incident response team as soon as there is a reasonable belief that a breach may have occurred.  The incident response team is responsible for managing the organization’s response and mitigation efforts and executing the organization’s incident response plan.  When investigating an incident, the incident response team should make sure legal counsel is part of any communications wherein legal advice is sought in order to help protect the attorney-client privilege and confidentiality.

Once sufficient information about the incident is recorded, deploy your communications team to control internal and external messaging in accordance with your incident response plan. Internal and external communications should be clear, concise, and consistent with other reporting – so be sure legal counsel has reviewed.

Investigate the Incident

At the direction of legal counsel, your designated incident response team member should identify and collect information about the incident, including interviewing involved personnel and documenting the forensic position of the organization (i.e., was any data viewed, modified, or exfiltrated; what personal information was compromised; what measures are necessary to restore the system, etc.).

Mitigate risks by determining whether you have any security gaps or risks, or whether other systems are under threat of immediate danger.  Companies should take steps to address and remediate the source of the breach and evaluate additional protection measures needed to contain the breach and prevent future damage.

Satisfy Any Legal Obligations To Provide Notice To Consumers or Report To Agencies

As of 2018, all 50 states have data breach notification laws with various legal requirements.  Certain states require notification of law enforcement when there is a security breach.  Determine the location of any impacted customers, employees, and/or systems affected by the incident to determine the impact and involvement of various jurisdictional laws.

Learn From the Incident

Data incidents expose the vulnerabilities in an organization’s computer systems. Those vulnerabilities should be addressed to prevent the systems from being exploited in a similar manner in the future. Address any identified weaknesses and determine whether any changes need to be made in your incident response plan or other policies and practices.

About Beckage

If you have questions about creating a legally defensive Incident Response Plan contact sophisticated tech counsel, we would be happy to help. Beckage is a law firm focused only on tech, data security and privacy. Its lawyers are also technologist and former tech business owners. Beckage is also proud to be a certified Minority and/or Women Owned Business Enterprise (MWBE).

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.

Breach ResponseRecent Court Decisions Warns Companies To Not Engage Incident Response Tech Firms Without First Engaging Legal Counsel

Recent Court Decisions Warns Companies To Not Engage Incident Response Tech Firms Without First Engaging Legal Counsel

In any data incident the first question is – who do I call first? Well a recent court decision reminds companies that the first call should be legal counsel.

Data breaches are a risk to any company collecting personally identifiable information. When an incident occurs, companies should carefully consider the possibility that the incident may result in litigation, including a data breach class action brought by any impacted consumers, and therefore take appropriate steps to preserve privilege over any post-breach analysis and work product. A recent court decision serves as a warning for companies who want to utilize the privilege doctrine to shield their post breach work product from disclosure during post breach litigation.  

Capital One

In 2015, Capital One hired Mandiant to provide cybersecurity consulting services. The master service agreement executed between the parties was occasionally supplemented by various Statements of Work for Mandiant to provide additional specified services. In March 2019, Capital One experienced a data breach. Capital One immediately retained outside counsel to provide legal advice regarding the incident. Thereafter outside counsel, Mandiant, and Capital One executed a Letter Agreement pursuant to which Mandiant would provide incident response, forensic and remediation services in relation to the incident.  

After conducting its analysis, Mandiant provided a forensic report regarding the incident to outside counsel. The forensic report was subsequently distributed to Capital One’s legal team, board of directors, various employees, regulators, and Capital One’s accounting firm. In post-breach litigation following the incident, Capital One asserted that the forensic report was privileged and protected by the work product doctrine.  

The court held that despite the fact that the report was prepared at the direction of outside counsel, Capital One failed to satisfy its burden of proving that the report would not have been prepared but for anticipated litigation and thus fell outside the scope of protected attorney work product.

District Court Affirms

Not surprisingly, Capital One appealed the Court’s ruling, arguing that the magistrate judge misapplied the controlling law and improperly relied on Capital One’s business uses of the report. On June 25, 2020, the District Court affirmed the decision, ordering Capital One to produce the report. On appeal, the Court focused on “the driving force behind the preparation of the report” and whether it was compiled in anticipation of litigation. The Court found that Capital One failed to prove that there were any differences between Mandiant’s report and what would have been prepared in the ordinary course of business, absent anticipated litigation or legal counsel.

Lessons from the Decision

This conclusion brings into question best practices following a data security incident. At least according to this decision, companies should consider the following guidance points offered by the decision when preparing for potential data security incidents.

1. Legal vs. Business Advice

An important factor considered by the court in Capital One was whether the report in question was prepared in order to provide legal advice or business advice.  In general, the attorney client privilege does not apply in situations where the attorney acts merely to provide business advice. (Aetna Cas. & Sur. Co. v. Sup. Ct., 153 Cal. App. 3d 467 (1984)).  

In Capital One the court placed the burden on Capital One to prove that the forensic report was prepared for the purpose of anticipated litigation and concluded that they failed to provide sufficient evidence. The court found that hiring outside counsel alone was insufficient.  Companies should therefore consider ways to memorialize the fact that a forensic report is being prepared for legal advice—and specifically disclaim that the report is not for business purposes.

2. Distinguish Post-Breach Relationships from Preexisting Relationships

Even though Capital One found that hiring outside counsel alone was insufficient to establish privilege, it is still an important factor in proving that a forensic company’s work is done in anticipation of litigation. Capital One distinguished its circumstances from a previous case, In re Experian Data Breach Litig., where the court held that a similar report was privileged in part because Experian hired outside counsel first, and that counsel retained the cybersecurity firm to prepare a forensic report.

In the event of a preexisting relationship with a cybersecurity firm, in light of the Capital One decision, companies should distinguish the post-breach services from those of a previous business relationship. The post-breach agreement should make it clear that the work is being done at the direction of outside counsel in anticipation of potential litigation.  The post-breach work should be limited in scope and any non-litigation work should be outlined on a different agreement.

3. Legal Expense

The Capital One court put emphasis on the fact that Capital One designated Mandiant’s retained as a “business critical” expense and not a legal expense at the time it was paid. Companies should therefore always pay for a third-party forensic firm’s work out of its legal budget.

4. Limit Dissemination of Post-Breach Forensic Report

Another important distinction between Capital One and Experian was that in Experian the full report was not shared with the company’s incident response team.  In contrast, in Capital One the post-breach report was widely disseminated to internal groups and third-party regulators. Companies should limit the distribution of post-breach reports and consider including confidentiality instructions to maintain privilege.  

Conclusion

The cases are varied in their approach to the use of incident response tech law firms. But all decisions make clear that legal counsel should be engaged at the outset of a breach.

Companies confronted with a data breach should carefully consider the guidance offered in Capital One. Hiring experienced data breach counsel to help preserve applicable privileges and leverage their industry experience may prove extremely helpful during any post-breach litigation.  Recent increases in data breach class actions brought under the California Consumer Protection Act (CCPA) highlight the importance of being prepared for post-breach litigation.

The team at Beckage has extensive experience in data security incident response and understanding of the steps necessary in order to preserve privilege. If your company believes it is experiencing a data breach, call our 24/7 breach response line at 844.502.9363. One of our tech breach coach lawyers would be happy to assist you.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our newsletter.