In 2016, a major NASCAR racing team fell victim to a ransomware attack. The team said publicly that it paid the ransom and that the data held hostage was worth millions more than the actual ransom demand. Is it wise for an organization like this NASCAR team to divulge that information? If an organization decides to pay, should it tell the public? What are some best practices for reporting ransomware attacks from that standpoint?
In July 2003, California passed a law that requires notification "to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Currently, 47 states in the United States have similar data breach notification statutes.
The question is whether ransomware constitutes a breach that requires disclosure. The California law states that a breach means "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."
While it's subject to interpretation, ransomware does not compromise the security, confidentiality or integrity of personal information. It prevents the organization from accessing this information unless it receives the decryption key in exchange for payment to the attacker. The attackers do not have access to the data; they do not modify, view or use the data to break security protections. Technically, ransomware attacks are not a breach as defined by disclosure laws. As a result, reporting ransomware attacks to government or regulatory bodies may not be required.
Arguably, many security pundits believe that security would have had to be breached to gain the access needed to install the ransomware, and if it is a breach, the enterprise would have to disclose it. However, most ransomware encrypts critical data, and this data may not be personally identifiable information (PII) or Payment Card Industry (PCI) data. If ransomware has been determined to be a breach, then not only do customers need to be notified, but enterprises also need to report these incidents to their respective state agency -- the attorney general or consumer reporting agency.
Most cybersecurity experts recommend not paying the ransom. But in a practical sense, given the criticality of the asset, the enterprise might have to. If proper backups are not available to make the ransomware an inconvenience rather than a business-altering event, paying the ransom may be the only option. But is reporting ransomware necessary?
From an enterprise perspective, I would rather not share that the ransom was paid. It shows that our internal control structure had vulnerabilities, allowing the hacker to break into our environment, and that we lacked sufficient backup and recovery processes to mitigate the impact of ransomware. It could have caused a major business disruption, as well as loss of revenue, clients, reputation and new business. The CISO could also be collateral damage. However, if the data encrypted by the ransomware was sensitive data -- such as PCI, HIPAA or PII -- and the enterprise is in a disclosure state, reporting ransomware attack details is unavoidable.
Related Q&A from Mike O. Villegas