We’re back with another entry in the Data Connections Blog! Did you miss us? I have to admit that between enjoying some much needed break time and prepping for fall semester classes, the hiatus lasted longer than initially expected.
So, what has motivated me to write a new entry?
On July 18th, Ohio’s capital city of Columbus was hit by a major ransomware attack. The claimed attacker, the ransomware group Rhysida, threatened to sell or leak large quantities of sensitive data (emails, payroll information, personnel records, private meeting notes, etc.) if the city did not make a payment acceptable to Rhysida. Rhysida reportedly wanted 30 bitcoins, or about $2 million, for return of the data it took from Columbus. Report after report on this matter reflected not only concern for the data that was lost, but also concern over how the city handled the data in addition to how it responded to the attack (in providing notifications, data protection services, etc.).
Can you imagine if you woke up one day and someone had stolen all your memories? You still have your brain… but you cannot connect to any of your personal data/memories. How would or could you function? It is like one of those old sitcoms where someone hits their head and suddenly has amnesia… one of my favorites is an episode of MacGyver where, after getting shot AND falling through a window, our hero gets a form of amnesia that somehow does not impact his secret agent skills: an unlikely scenario that makes for good television, I guess.
The impact of a ransomware attack is like cyber amnesia for a business or entity, and don’t count on retaining your secret agent skills in this scenario. Undoubtedly, there is clear and potentially serious impact on the ability of an attacked entity to function in the event of a ransomware or other cyberattack. But, potentially of equal impact, there is a loss of confidence by those who deal with the attacked entity: customers, vendors, employees, shareholders, etc. Such a loss of confidence can and does have an impact on a business’ success.
We frequently hear about cybersecurity incidents. But hearing about these attacks and their impact is not necessarily the same as understanding what is going on. Recently, I was talking with a group of my running friends and realized that most people who don’t deal with data matters regularly understood clearly that a cyberattack is bad. However, they were less clear on details as to why. So, let’s step back and try to get a better understanding of cybersecurity and the challenges of both avoiding attacks and avoiding liability for attacks. Yes, the victim of a cyberattack can easily find themselves liable for not handling it correctly.
Simply put, cybersecurity deals with the protection of data from attack or loss, and it is an important data matter. The four legs of the data stool that I examined in Blog 6 include protecting against loss or theft of data, especially sensitive data such as personal information or trade secrets. This is a big deal: the cybersecurity consulting firm Cybersecurity Ventures estimates cybercrime will cost the world economy $10.5T by 2025.[1]
A ransomware attack is a malware-based type of cyberattack on data. As the name suggests, a ransomware attack is typically one where a user’s data is maliciously taken or blocked (or both) by a third party after harmful code has been secretly installed on the victim’s computer or computer system. As we have all learned in our “mandatory” cyber training classes, this secret code is installed when a user at the target company innocently clicks on a link (see the cute kitten video!) in an email, etc. The user’s data is then locked down and held until a payment is made to the attacker.
Historically, ransomware attacks started with attacks on individual users (pay up or I’ll post all your bad hair day photos… oh, and all your financial information!). Over time, these attacks have targeted schools, hospitals, airlines, businesses and government entities like Columbus, Ohio.
There are at least two serious consequences of these attacks. One is that the sensitive data of people associated with the attacked entity can be compromised. Bank account numbers, medical information, personal messages … all these and more can be sold by the attacker and/or lost by the victim.
The other is that the attacked entity cannot access or use its data. In the case of attacks on entities like airlines and schools, people can be seriously inconvenienced. Worse yet, in the case of attacks on entities like hospitals, lives can be compromised when medical professionals cannot access the information that they need to provide lifesaving or life sustaining treatment.
Sounds pretty serious, right? Well… there’s more. Ransomware attacks are just one type of malware-based cyberattack. Below is an overview of the more complete picture that I use with my Data Law class:
It is not the victim’s fault when they are hit by a cyberattack. However, it is not acceptable in today’s high-risk world for entities to be unprepared for these attacks, especially if you are entrusted with the sensitive data of those customers, shareholders, vendors and employees I previously mentioned. So, what are the rules of the road for protection of data? Well, like the other areas of data law that we have explored to date, there is no easy path to compliance.
As with privacy and AI, there is a hodgepodge of sectoral laws and enforcement actions to deal with for cybersecurity compliance in the US. These include:
- Consumer protection regulations in the US (by the Federal Trade Commission) which lead to enforcement actions related to bad data security;
- The European Union’s (EU) General Data Protection Regulation (GDPR) requirements for safe data storage of personal information that apply to US companies doing business with citizens of the EU;
- The Health Insurance Portability and Accountability Act’s (HIPAA) heightened security requirements for medical information;
- Financial institutions’ heightened obligations to protect non-public personal information under the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.); and
- Various US State Laws on data breach which are similar to each other and the sectoral regulations above in some ways, but inconsistent in others like notice/reporting requirements.
What can be done to not only try to thwart cyberattacks but to also comply with applicable laws? Unfortunately, there is no one size fits all approach, but there are things you can do.
To start, you can look at and implement recommendations from thought leaders like the National Institute of Standards and Technology (NIST) under the Department of Commerce. The NIST Cybersecurity Framework 2.0 specifies outcomes, but not the means of achieving them, organized around six functions: Govern, Identify, Protect, Detect, Respond, and Recover:
(Figure: the NIST Cybersecurity Framework 2.0 functions. Source: NIST Cybersecurity Framework 2.0)
This is a great starting point for cyber professionals, regardless of industry.
Also, while there is no uniformity of cyber requirements across industries at the federal and state level, there are some commonalities in approach that can provide guidance.
For example, we know that disclosure of a loss to people whose data might be impacted (there is an increasingly lower bar for how loss is defined) is required under almost any applicable law and is required in all 50 states.[2] Also, the actual impact of the loss on those potentially affected is usually not a factor in whether disclosure of the potential loss is required. Further, public disclosure of a data loss is triggered by an increasingly expanding definition of personal information.[3] That said, an inadvertent and internal-only disclosure of data has usually not been a trigger for disclosure of a loss… though this may be changing.[4]
The mechanics of disclosure also vary. Sometimes a state’s attorney general needs to be notified of a data loss. That notice of data loss can be required in as little as 3 days. However, notice of a data loss is not required at all in some states if the impacted data was encrypted or anonymized (and the encryption cannot be reversed by a key or the like).[5]
Also, a private cause of action is available to those whose data was exposed in 1/3 of US states. For those of us living in Ohio, there is a safe harbor against liability if the entity suffering a breach has demonstrated good data security practices (a written and implemented plan, etc.).[6] This is where using the NIST guidelines in building a plan can really pay off.
There is no way to completely demystify cybersecurity in a blog entry. Ransomware and other cyberattacks pose a serious threat to an entity’s reputation and ability to operate successfully. As a result, there is a real need for entities to sort through the hodgepodge of sectoral laws that exist (again!) and to use industry standard approaches to build a cybersecurity program. The rewards can be significant, both in potentially getting safe harbor protections against being sued… and also in protecting an entity’s reputation. It is always best to get help from experts in building your cyber plan, and to get that help as early as possible!
We are far from done on our discussions of data law. I hope you’ll be back next time as we continue to explore these issues and learn more about data connections!
If you have questions about your data and your legal compliance programs for data, Mortinger & Mortinger LLC can help! Contact me directly at: steve@mortingerlaw.com
Footnotes:
1. https://www.nasdaq.com/press-release/cybercrime-to-cost-the-world-%2410.5-trillion-annually-by-2025-2020-11-18
2. Jon M. Garon, A Short and Happy Guide to Privacy and Cybersecurity (2020), page 194.
3. For example, under the California Consumer Privacy Act, personal information includes any data that identifies, relates to, or could reasonably be linked to you or your household, directly or indirectly. See: https://privacy.ca.gov/protect-your-personal-information/what-is-personal-information/#:~:text=Fortunately%2C%20California%20law%20gives%20us,your%20household%2C%20directly%20or%20indirectl
4. The Federal Communications Commission recently made it clear that an accidental breach regarding sensitive personal information must be disclosed. See: https://www.federalregister.gov/documents/2024/02/12/2024-01667/data-breach-reporting-requirements.
5. See Garon at page 200. For the ransomware attack in Columbus, Ohio, the Mayor reported that “The personal data that the threat actor published to the dark web was either encrypted or corrupted, so the majority of the data came by the threat actor is unusable” (https://statescoop.com/columbus-ohio-ransomware-data-unusable/). While that is very helpful for the people whose data is held by the city, it still does not enable the city to perform its essential functions using the data that was taken in the ransomware attack.
6. See: https://iapp.org/news/a/analysis-ohios-data-protection-act/