July 22, 2019

July 19, 2019


FTC Announces it will Provide Guidance on Ransomware

The Federal Trade Commission has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware.

Ransomware is malicious software (“malware”) designed to encrypt information on a computer system, which can only be decrypted upon the payment of a sum of money (the ransom) to the attackers. Ransomware has been used against businesses and government agencies to render sensitive information unavailable and to disrupt normal business functions. As the FTC Chairwoman mentioned in her rollout, the healthcare industry, including hospitals, has been specifically targeted by ransomware attacks. In response, the Office of Civil Rights within the Department of Health and Human Services announced in July that it considers the encryption of PHI by ransomware a “breach” subject to HIPAA notification requirements.

The increased use of ransomware by hackers has similarly prompted the FTC to issue the forthcoming guidance to organizations on their responsibilities to protect their systems and consumer data from ransomware attacks. In addition, the FTC Chairwoman made clear that the FTC intends to bring Section 5 enforcement actions against companies that fail to protect personal data from ransomware attacks, possibly even when there is no evidence of data loss or theft. Currently, the FTC expects companies to implement reasonable security measures, including deploying current antivirus tools, to mitigate data breaches resulting from known malware and other malicious activity; whether additional security measures are expected with respect to ransomware may become clearer once the guidance has been released.

© 2019 Covington & Burling LLP


About this Author

Catlin Meade, Cybersecurity lawyer, Covington

Catlin Meade advises clients across a broad range of cybersecurity and government contracts matters, including government and internal investigations, compliance with cybersecurity and data breach regulations, and SAFETY Act applications.

Representative Matters

  • Counsel to multiple companies in responding to data and cybersecurity incidents.
  • Advised a leading defense contractor on a multi-million-dollar prime-subcontractor dispute in connection with a NATO contract.
  • Key member of team that successfully represented a large government...

Ashden Fein, Litigation attorney, Covington Burling

Ashden Fein advises clients on cybersecurity and national security matters, including government and internal investigations, regulatory, and complex litigation matters.

For cybersecurity matters, Mr. Fein specifically counsels clients on preparing for and responding to cyber-based attacks, assessing their security controls and practices for the protection of data and systems, developing and implementing cybersecurity programs, and complying with federal and state regulatory requirements. Mr. Fein also has been the lead investigator and crisis manager for multiple complex cyber and data security incidents, including data security breach matters involving millions of affected consumers, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.