As we have seen recently with Maze, Sodinokibi and other ransomware actors, the latest trend in cybercrime is to extort enterprise victims not only by denying them access to their own corporate data but also by threatening to dump that data in the public domain. Beyond the danger of leaking IP that could be useful to competitors, this also puts the enterprise at risk of running afoul of legislation designed to protect consumer data, and of litigation by affected customers.
The situation presents a number of difficulties for organizations regarding data breach notification laws. Do companies have to report a data breach? Who do you have to report a data breach to? When do you have to report a data breach and under what circumstances? In this post, we’ll cover these questions and discuss the challenges of handling a data breach incident.
What are Data Breach Notification Laws?
Widely referred to as security breach notification laws or data breach notification laws, these are legal requirements, based on either state or federal legislation, that oblige an organization to inform customers or other affected parties about a breach of data and to take the action specified in the legislation to remedy the situation.
In 2018, the EU introduced GDPR, which affected all firms trading with the European community and processing information of EU residents. In the U.S., the similar California Consumer Privacy Act (CCPA) became effective on 1st January 2020, but such laws have been around for nearly two decades, in some form or another. However, the rapidly rising number of breaches along with the increasing amount of personally identifiable information (PII) stored by organizations has led to more widespread enactment and rapid evolution of these laws. Despite this, the actual requirements placed on organizations differ from one jurisdiction to another.
This great disparity is also one of the reasons the DOJ is calling on Congress to enact uniform, nationwide legislation concerning data breach disclosure.
Is a Ransomware Attack a Data Breach Incident?
We’re midway through 2020 and the ransomware epidemic is far from subsiding. After causing estimated damages of over $7.5 billion in 2019, ransomware operators have continued to target organizations even during the COVID-19 pandemic and have stepped up their game to ensure a ransom payout. Attackers are targeting everyone from small business enterprises to the largest MSPs. The latest Data Breach Investigations Report shows that ransomware is “the third most common Malware breach variety” and the “second most common Malware incident variety”.
Their latest tactic? In addition to encrypting the data that resides inside the organization, ransomware strains like Sodinokibi and Maze exfiltrate files to remote resources under the attacker’s control. At this point, the attackers can not only demand money to decrypt the data on compromised endpoints but also extort the victim in return for not leaking the exfiltrated data to the public.
Do Companies Have to Report a Data Breach?
To notify or not to notify? It’s no longer a question. Until now, ransomware victims were faced with the challenges of gaining access to their data and the dilemma of whether to pay the criminals. Now, they have another concern: companies are obliged by law to report the data breach.
In some incidents, ransomware victims have been able to recover encrypted data without having to succumb to the demands of the malware authors. In those cases, it is quite plausible to assume that the data was not exposed to outsiders, and therefore no breach notification was necessary. But recent campaigns are not so lenient. Even if the data residing on the victims’ network is safely restored (decrypted, or restored from backup) and the extortionist never publishes the stolen data, the victims are no longer exempt from notifying the authorities, their clients or both that data has been stolen.
When Do You Have to Report A Data Breach?
Both private and governmental organizations are required by legislation to inform individuals of a data breach involving PII (personally identifiable information). The ‘trigger’ for notification changes from one state to another depending on the type of stolen PII, but it generally involves a breach of names combined with one other unique identifier such as SSNs (Social Security Numbers), a driver’s license or state ID, account numbers, credit card numbers and sometimes medical information.
In California, for example, organizations are required to inform affected parties with a “Notice of Data Breach” that should provide answers to questions such as what happened, what information was involved, what the organization is doing about it, and what, if any, action the individual can or should take.
In addition to informing individuals, some state legislation (e.g., Florida) requires that the state’s Department of Legal Affairs be informed of any breach affecting 500 or more individuals.
Crucially, organizations need to be aware that there are laws related to the timing of notice (i.e., the time between the detection of the breach and the notification of potential victims) as well as the number of affected individuals, and that these can vary from state to state. Since GDPR came into effect, many companies have struggled with the 72-hour notice provision while still trying to understand the nature of the incident.
In the U.S., the exact requirements of the law can differ widely depending on the state. For example, Texas requires businesses to notify affected individuals within 60 days of determining that a breach occurred, while Illinois and Oregon require businesses to notify the state attorney. A guide to the different requirements in all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands can be found here.
Companies Need to Keep Up with Changing Data Breach Laws
It’s also important that your organization keeps up with the latest changes, as data breach notification laws are constantly changing to adapt to the new breach-rich environment. New data breach laws came into effect in Texas, Illinois, and Oregon on January 1st, 2020. Meanwhile, the District of Columbia (D.C.) updated its data breach notification law on March 26, 2020, and the State of Vermont followed by updating its own data breach law.
D.C. requires organizations to report the breach if it affects 50 D.C. residents or more, Oregon and Texas require businesses to report a breach if 250 customers or more are affected, while the threshold for reporting in Illinois is any breach which has an impact on 500 people or more. Since there is no universal law here, every organization needs to identify the law relevant to the location of its operations and plan accordingly.
Who Do You Have to Report a Data Breach To?
What all that means is that if your organization has customers in multiple states, there may be multiple regulations that you have to comply with, and multiple authorities to report to. If your organization is trading in non-US jurisdictions, there may well be local legislation there that you have to comply with as well, in order to avoid fines or other legal sanctions.
For example, companies that process the information of EU citizens could also fall under the GDPR regulation. On May 25, 2018, new data breach notification laws came into force across Europe. Between May 2018 and March 2019, over 59,000 personal data breaches had been notified to regulators, with the Netherlands, Germany and the UK leading the list. Some of the fines were substantial; for example, British Airways were fined £183.39m (approx. $223 million) for a data breach affecting 500,000 customers, and Marriott International were fined more than £99m (approx. $122 million) for exposing 339 million guest records, out of which 31 million were residents of the EU.
Other breach notification laws exist in Israel, China, Hong Kong and Singapore, and some of these could be relevant for US companies.
Under What Circumstances Do You Have to Report a Data Breach?
But the real problem may not be when to report or even to whom. When your entire database (and sometimes your servers and endpoints) has been encrypted in an attack, preventing you from accessing it, you may have no idea what data may have been exposed. You might also have no idea whether data was merely encrypted or also exfiltrated.
This is a serious cause of concern for companies that handle masses of private data. Should you assume the data has been compromised and notify all the potential victims? Should you wait for the criminals to dump your data, sift through it and only notify the people who are listed there? Should you assume that no PII has been stolen and that the data will be safely released, and report to no one?
That is a risky course of action, since that sensitive data could be out there, making the enterprise liable to fines and lawsuits. To date, hundreds of companies have been fined under the EU GDPR, and this number will only increase. And the worst part is that when ransomware hits, you don’t have the time to sit and evaluate the situation: the clock is ticking, and if you fail to meet the notification deadline, you risk being fined in one jurisdiction or more.
Recommendations for Dealing With Data Breaches
As the above discussion makes clear, the legal duties imposed on enterprises are complex and varied. Before a data breach happens, have your legal team assess which jurisdictions you would be required to report to, under what circumstances and within what timeframe. Make sure that this assessment is conducted periodically to check for changes both in your business operations and in legislation. Ensure that you have a business disaster recovery plan; many businesses, from small to large, have been forced to go out of business due to their inability to recover from cyber attacks. In some cases, these forced closures were a consequence of breach costs and unrecoverable data loss.
The ultimate preparation, of course, is to ensure that your organization is protected from ransomware, malware, and intrusions by a proven security platform. Many of the victims of recent attacks, from ransomware to APT groups, believed they were protected, only to find out that legacy AV suites are no real hindrance to modern cybercriminals.
Ransomware was bad enough when the damage it caused organizations was limited to downtime and other ‘local’ costs. Contemporary ransomware additionally forces companies to deal with the breach and its impacts, including the uneasy necessity of dealing with authorities and angry customers who insist on being informed about what has happened to their data. As always, an ounce of prevention and a robust endpoint security solution is worth a ton of explaining and reacting.