June 24, 2021

Volume XI, Number 175

Lessons from the Colonial Pipeline Ransomware

Thankfully, it appears that the Colonial Pipeline ransomware attack is behind us and the panic over gas lines and hoarding can subside. But after an episode like this, it is helpful to take stock and search for what we can learn.

To start, everyone has now heard of ransomware, but to give a fuller background, this kind of malicious software is delivered into an information system—such as a computer or a database—and then renders all of the information inaccessible. Backups can sometimes help restore functionality, unless the ransomware's operator or program waited long enough before activating the malicious software that it is also present in the backups. Once the information is rendered inaccessible, the person or group behind the malicious software demands payment in exchange for returning the information. Recently, there has even been reporting that the person or group behind a ransomware attack will begin calling the clients and consumers whose information was exposed as a pressure tactic to get the business to pay up.

Events like the shutdown of Colonial Pipeline, which generate a torrent of media attention, can create a false impression that only large or geopolitically sensitive businesses are at risk of these kinds of attacks. This is simply not true. In his 2020 Data Breach Report, North Carolina Attorney General Josh Stein found that there were over 1600 security breaches reported to the North Carolina Department of Justice. Email compromise constituted 40% of all security breaches reported, and ransomware constituted 22% of all security breaches reported. So there is a wide array of businesses in North Carolina that are susceptible to these issues, and small businesses are getting caught up in the mess.

For example, last year, the News and Observer reported that the Food Bank of Central & Eastern North Carolina was the victim of a widespread data breach, and just this past April, WCNC reported that a Charlotte parking app had a serious data breach exposing users' personal information.

However, while no business can ever eliminate all possibility of a data breach, there are steps that any business can take to prepare itself, and relative to the cost of a breach, these steps have a significant return on investment. For example, making sure a business avoids compliance failures can sidestep significant cost increases in the event of a breach. Identifying an incident response team, creating an incident response plan, and testing both can give certainty and ensure that a business responds to an incident as rapidly as possible. And aligning a business's internal practices with an established cybersecurity framework can decrease the risk that the business experiences and give strong arguments against any regulatory investigations that suggest the business was negligent.

That being said, cybersecurity and compliance expertise are critical to making sure that these plans do what they are meant to do. 

© 2021 Ward and Smith, P.A. All Rights Reserved. National Law Review, Volume XI, Number 137


About this Author

Peter N. McClelland Cybersecurity Attorney Ward and Smith
Attorney

Peter is an attorney and a Certified Information Privacy Professional/US (CIPP/US) who assists clients in a range of privacy, data security, cyber supply chain and technology matters.

He regularly counsels on the legal requirements and risks associated with the collection, storage, transfer, use, protection, and disposal of data. Businesses and individuals rely on his privacy and data security expertise for structuring and operationalizing privacy compliance programs, data breach response and planning, contract and vendor management, and...

919-277-9157