Ransom Notice: Data Breach Notification Policies Evolve for Ransomware Attacks
On May 8, 2021, Colonial Pipeline Co., the operator of one of the largest gas pipelines in the United States, disclosed that it was the target of a major ransomware attack. Colonial had to shut down 5,500 miles of its pipeline in response to the cyberattack, “throttling gasoline supplies across the eastern US.” Early news reports suggest that Colonial received assistance from both private-sector companies and government agencies to disrupt the ransomware attack, prevent stolen data from reaching its intended destination and potentially mitigate some of the damage caused by the breach. Colonial reportedly paid a nearly $5 million ransom.
Colonial’s case highlights a policy question that regulators and experts are currently debating: Should victims of ransomware attacks be required to disclose when they become targets of a ransomware attack, and when they pay up? Regulators are becoming increasingly focused on the now all-too-common phenomena of ransomware attacks, which have hit everything from Colonial’s gas pipeline to hospitals, public schools and police departments.
For a basic overview of ransomware, consider our previous publication on minimizing the risk of ransomware attacks.
Recent Regulatory Responses
On March 31, 2021, Secretary of the Department of Homeland Security (DHS) Alejandro Mayorkas stated unequivocally that ransomware “poses a national security threat,” and he pledged that DHS would “call out” foreign nations that enable ransomware attacks initiated within their borders. DOJ’s new task force on ransomware expressed similar sentiments in an internal memorandum, stating that ransomware “jeopardizes the safety and health of Americans.” DOJ’s ransomware task force is charged with targeting the “root causes” of ransomware, and its memo suggested various means of curtailing ransomware attacks, including through prosecution, disruption of ongoing attacks and termination of certain online services that enable attacks.
On May 12, 2021, President Joe Biden issued a new that aims to strengthen American cyber-defenses. Specifically, the Order requires government IT contractors to promptly disclose any “cyber incident involving a software product or service provided to [federal agencies] or involving a support system for a software product or service provided to such agencies.” The Executive Order also established a Cybersecurity Safety Review Board—modeled after the National Transportation Safety Board—to review cyber incidents.
A nonprofit entity, the Institute for Security and Technology, also recently convened a task force to create a concrete set of proposals for dealing with ransomware. The task force, which includes representatives from various government agencies, academia and the tech sector, released a report outlining 48 specific suggestions to combat ransomware. Its proposals are wide-ranging, including subjecting the cryptocurrency industry to greater oversight, and—our focus here—updating US data breach disclosure laws to require victims to disclose when they make extortion payments to perpetrators of ransomware attacks.
The Institute’s report suggests that data breach disclosure laws should be updated “to include a ransom payment disclosure requirement [in order to] help increase the understanding of the scope and scale of the crime, allow for better estimates of the societal impact of these payments and enable better targeting of disruption activities.” Receiving this notice would enable law enforcement to intervene on behalf of the victim. The nonprofit’s task force further recommended that such disclosures, if required, should not “form the basis for a regulatory or other enforcement action.”
This would be a change for some regulators. For instance, in October 2020, the Office of Foreign Assets Control (OFAC) issued an advisory about ransomware that made clear that any ransomware payments to a designated group or individual would constitute a sanctions violation, no matter the circumstances—even if the intruder’s status as a designated person is not known to the victim at the time of payment. Indeed, OFAC’s guidance may represent a real challenge to ransomware victims, as it can be difficult to ascertain the identity of cybercriminals who intrude onto an individual’s or company’s system. And while a victim may seek permission in the form of a specific license from OFAC authorizing an otherwise prohibited payment, OFAC has made clear that such licenses will not be guaranteed. Instead, OFAC will review such requests on a case-by-case basis, with a presumption of denial.
Regulators such as the Federal Trade Commission (FTC) or state Attorneys General (with whom the FTC is increasingly seeking partnership) also may view a ransomware attack as a cybersecurity failure. The FTC has come to be regarded as “America’s de facto consumer cybersecurity regulator,” having issued orders that require companies to implement comprehensive cybersecurity programs. Without the protection that the Institute’s task force suggests for ransomware attack disclosures, there is some risk that regulators like the FTC would pursue civil enforcement actions against companies that fall victim to ransomware attacks, and thus fall short of their privacy and security promises to stakeholders.
Victims are not the only ones who risk enforcement action by paying a ransom demand. So, too, might the companies that process those payments for victims, which often must be converted to virtual or cryptocurrency in order to satisfy the attacker’s wishes. On the same day that OFAC issued its guidance, the Financial Crimes Enforcement Network explained that companies that facilitate or process ransom payments might, depending on the facts and circumstances, be engaged in money laundering under 18 USC § 1956 for facilitating illegal activity.
* * *
The reporting of a ransomware attack has some clear benefits. For instance, in the Colonial pipeline example, it appears that Colonial may have received assistance from government agencies after disclosing the attack. But under current US law, the benefits of disclosing ransomware payments are less clear. In fact, that decision may prove dicey, since payments made pursuant to a ransomware attack may run afoul of US sanctions regulations or lead to other enforcement actions. Given the increased attention this issue has garnered from regulators and other government officials, we can expect ransomware guidance to evolve over the next few years—if not months. Companies should stay abreast of the regulatory landscape, ensure that their cybersecurity protocols are in compliance with applicable regulations and seek counsel should they fall victim to a ransomware attack.
For questions about ransomware payments, US sanctions law or broader national security issues, please reach out to the authors or any of their colleagues in Arnold & Porter’s National Security or White Collar Defense & Investigations practice groups.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.