Ransomware variants shifting tactics to include extortion may be cause for organizations to treat them as data breaches and, therefore, quickly notify affected parties.
Being the victim of a ransomware attack isn’t something an organization wants to publicize; the change in public perception of a company after such an attack can be enough to hurt customer retention, revenue, and shareholder interest. So, we’ve traditionally seen stories of successful ransomware attacks published months after the attack actually occurred.
But recent changes in ransomware attacks, which now include data theft so that the ransom can be extorted under threat of publicly posting the stolen data, recategorize ransomware as a data breach instead of simply a malware infection turned decryptor. And it’s this change in attack tactics that brings us to the issue of data breach notification.
Many U.S. states already have data breach notification laws on the books, with some laws requiring forms of notification in as little as 5 business days after breach discovery. Add to this GDPR, which requires notification within just 72 hours (“where feasible,” according to the regulation), and the protection provided to Californian consumers by CCPA (which falls subject to California Civil Code 1798.29 and 1798.80 for breach notification guidelines).
Given that ransomware attacks fully make themselves known the moment a large chunk of your data is held hostage, needing to address breach notification while you’re still in the middle of remediating the ransomware attack (remember, the average time to address an attack is 7.3 days) is going to be a challenge at best.
But is a ransomware attack a data breach?
Let’s look at it from a few perspectives. Legally (keeping in mind I’m not a lawyer and don’t play one on TV), when ransomware crime gangs demonstrate that data has been stolen in order to extort ransom payment, it becomes a question of what data has been taken and whether it is subject to regulation. Practically, they took data – so, yes, it’s a data breach. And from an industry perspective, the Verizon Data Breach Investigations Report (one of the most respected reports in the industry) shows ransomware being responsible in 27% of malware-related data breaches.
In short: it’s tough not to call the latest variants of ransomware attack a data breach.
So then, do you need to report a data breach?
The answer lies in the regulations your organization is subject to. And it’s important for organizations to keep up with new and updated laws; new data breach notification laws have come into effect this year, and others have been updated. Each law specifies who needs to be notified. In some cases, it’s the affected customers, consumers, partners, employees, etc. whose data has been breached. In other cases, laws specify that a governing body also needs to be notified – check your applicable laws, as your mileage may vary.
Also, there’s the question of whether data has actually been exfiltrated. There have been many cases where cyber criminals share a portion of the data they claim to have, and it’s reasonable to assume that if they have some, they could have all. But even if there’s no extortion, it may still be prudent to err on the side of caution, as the cyber criminals’ monetization strategy may not be extortion but simply selling the data in addition to collecting a hefty ransom. Many notification laws stipulate that the scope of a breach must be determined – this may prove difficult, as you may never fully know what data was taken.
Dealing with Ransomware: It's a Data Breach
The addition of stealing data to extort the ransom adds insult to injury: you’re already in the middle of a cyber mess caused by the ransomware and now you need to determine whether data was stolen, what was taken, and whether you need to begin the notification process. It’s the new reality of ransomware attacks, so the best approach is to modify ransomware response and remediation plans to mirror your data breach response, with the added steps of decrypting or recovering data and remediating infected systems.