In 2016, a major NASCAR racing team fell victim to a ransomware attack. The team said publicly that it paid the ransom and that the data held hostage was worth millions more than the actual ransom demand. Is it wise for an organization like this NASCAR team to divulge that information? If an organization decides to pay, should it tell the public? What are some best practices for reporting ransomware attacks from that standpoint?
In July 2003, California passed a law that requires notification "to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Currently, 47 states in the United States have similar data breach notification statutes.
The question is whether ransomware constitutes a breach that requires disclosure. The California law states that a breach means "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."
While it's subject to interpretation, ransomware does not compromise the security, confidentiality or integrity of personal information. It prevents the organization from accessing this information unless it obtains the decryption key by paying the attacker. The attackers do not have access to the data. They do not modify, view or use the data to break security protections. Technically, ransomware attacks are not a breach, as defined by disclosure laws. As a result, reporting ransomware attacks to government or regulatory bodies may not be required.
Many security pundits argue, however, that security would have had to be breached for the attacker to gain the access needed to install the ransomware, and that if it is a breach, the enterprise would have to disclose it. Note that most ransomware encrypts critical data, and this data may not be personally identifiable information (PII) or Payment Card Industry (PCI) data. If ransomware has been determined to be a breach, then not only do customers need to be notified, but enterprises also need to report these incidents to their respective state agency -- the Attorney General or Consumer Reporting Agency.
Most cybersecurity experts recommend not paying the ransom. But in a practical sense, given the criticality of the asset, the enterprise might have to. If proper backups are not available to make the ransomware an inconvenience rather than a business-altering event, paying the ransom may be the only option. But is reporting ransomware necessary?
From an enterprise perspective, I would rather not share that the ransom was paid. It shows our internal control structure had vulnerabilities, allowing the hacker to break into our environment, and lacked sufficient backup and recovery processes to mitigate the impact of ransomware. It would possibly have caused a major business disruption, loss of revenue, clients, reputation and new business. The CISO could also be collateral damage. However, if the data that was encrypted with the ransomware was sensitive data -- like PCI, HIPAA or PII -- and if the enterprise is in a disclosure state, reporting ransomware attack details is unavoidable.
Related Q&A from Mike O. Villegas