December 14, 2019


Ransomware Attacks: Prevention and Preparedness

Several years ago, cyber criminals developed a profitable form of malware, now known as ransomware. A “ransomware” attack occurs when a hacker takes control of the victim’s information systems and encrypts its data, preventing the owner from accessing it unless the victim pays a sum of money, usually in the form of bitcoins.

The FBI reported that ransomware attacks jumped from 1,000 a day in 2015 to 4,000 a day in 2016. In mid-May 2017, criminals using tools believed to have been used by the U.S. National Security Agency unleashed a global ransomware attack against governments and companies in nearly 100 countries.

Beyond the staggering number of attacks in 2016 and 2017 is the amount of money organizations and individuals have paid in the hope of decrypting and retrieving their data. Reports estimate close to one billion dollars in ransom payments in 2016.

Although it is tempting to simply pay the ransom, obtain the decryption keys, and move on, there are serious risks to this approach. And there is no guarantee that, upon receipt of the ransom payment, the hacker will provide all the applicable decryption keys allowing your organization to regain full access to its data.

The rapid growth in ransomware attacks and their potential damage to organizations is frightening. Organizations may not be able to prevent every attack, but there are steps they can take to minimize the likelihood and impact of a successful attack, and to be prepared to respond.

Before an Attack

1. Build the right team

  • Ensure you have an IT team in place, whether internal or through a third-party vendor, that is well-versed in handling ransomware and other forms of malware.

2. Secure the systems

  • Conduct a risk assessment and penetration test to understand the potential for exposure to malware.

  • Implement technical measures and policies that can prevent an attack, such as endpoint security, email authentication, regular updates to virus and malware definitions/protections, intrusion prevention software, and web browser protection, and monitor user activity for unauthorized and high-risk actions.

3. Make your employees aware of the risks and steps they must take in case of an attack

  • Educate employees on how to recognize phishing attacks and dangerous sites — say it, show them, and do it regularly. This includes instructing them to use caution when clicking directly on links in emails, even if the sender appears to be known — verify web addresses independently. Be particularly wary of compressed or ZIP file attachments.

  • Employees should avoid revealing personal or financial information about themselves or other employees and customers in email, and avoid responding to email solicitations for this information.

  • Direct employees to pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

  • Instruct employees on what to do immediately if they believe an attack has occurred (e.g., notify IT, disconnect from network, and other measures).

  • Instruct employees on what not to do (e.g., deleting system files, attempting to restore the system to an earlier date, and the like).

4. Maintain backups

  • Back up data early and often.

  • Keep backup files disconnected from the network.

5. Develop and practice an “Incident Response Plan”

  • Identify the internal team (e.g., leadership, IT, general counsel, and HR).

  • Identify the external team (e.g., insurance carrier, outside legal counsel, forensic investigator, and public relations).

  • Outline steps for organizational continuity — using backup files and new equipment, safeguarding systems, and updating employees.

  • Plan to involve law enforcement (e.g., FBI, IRS, Office for Civil Rights, and so on).

  • Plan to identify, assess, and comply with legal and contractual obligations.

  • Practice the response plan with the internal and external teams, reviewing and updating the plan to improve performance.

After an Attack

6. Secure your systems

  • Review and follow your Incident Response Plan.

  • Avoid compromising your investigation! This includes taking care to preserve firewall, network, and other access and activity logs, as well as artifacts on the system, that could hold the information needed to confirm whether or not a breach occurred.

  • Determine whether all malware has been removed and systems are protected from future attacks, including whether the attack is complete or ongoing and, if ongoing, how to contain it.

  • Evaluate feasibility of restoring the affected systems for normal use, mindful of the need to preserve information necessary for a forensic investigation, litigation defense, and enforcement agency inquiry.

  • Monitor restored systems for a period of time.

7. Consult legal counsel and other key vendors

  • Ransomware attacks can trigger obligations under federal and state privacy laws, such as HIPAA and data breach notification laws.

  • Recovering encrypted data can be complex and uncomfortable for the organization, particularly if negotiating and making a ransom payment is necessary.

  • Members of IT staff may not have sufficient experience with the latest cybersecurity tools and ransomware attack methodologies to provide competent direction.

  • Consulting with your insurance broker or cyber-insurance carrier is important not only to confirm applicable coverage, but also because the insurance contact may provide valuable early guidance.

8. Investigate the incident

  • Determine what happened, when, and the method the hackers used to carry out the attack.

  • Identify which systems were affected and the nature of the data affected (e.g., protected health information (“PHI”)).

  • Identify the total number of individuals (in each state of residence) whose data was affected.

  • Confirm whether evidence shows that the affected data was accessed, acquired, and/or exfiltrated from your systems.

  • Evaluate what mitigation measures were in place (e.g., whether the affected files were already encrypted, the extent of data backups, and so on).

9. Provide notifications, if needed

  • Determine whether state or federal laws require notification to affected individuals.

  • Federal and state agencies and credit monitoring bureaus may need to be notified based on a number of factors, including the states of residence of the persons affected and the number of persons affected.

  • Contract and ethical obligations may exist requiring notification.

  • Credit monitoring, call center, and other services also may be required or appropriate under the circumstances.

10. Lessons learned

  • Prepare an Incident Response Report addressing the who, what, where, when, why, and how of the incident.

  • Review the Incident Response Report with all internal and external team members to learn from and prevent future attacks.

Jackson Lewis P.C. © 2019

About this Author

Joseph J. Lazzarotti is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. He founded and currently helps to co-lead the firm's Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals.

In short, his practice focuses on the matrix of laws governing the privacy, security and management of data, as well as the impact and regulation of social media. He also...

(973) 538-6890

Jason C. Gavejian is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. and a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

Mr. Gavejian represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination and wage and hour claims in both federal and state courts. Additionally, Mr. Gavejian regularly appears before administrative agencies, including the Equal Employment Opportunity Commission, the Office for Civil Rights (OCR), the New Jersey Division of Civil Rights, and the New Jersey Department of Labor. His practice also focuses on advice/counseling employers regarding daily workplace issues.

Mr. Gavejian represents companies with respect to inquiries from the HHS/OCR, state attorneys general, and other agencies alleging wrongful disclosure of personal/protected information. Mr. Gavejian negotiates vendor agreements and other data privacy and security agreements, including business associate agreements. His work in the area of privacy and data security includes counseling and coaching clients through the process of investigating and responding to breaches of the personally identifiable information (PII) or protected health information (PHI) they maintain about consumers, customers, employees, patients, and others, while also assisting clients in implementing policies, practices, and procedures to prevent future data incidents.

Mr. Gavejian’s litigation experience, coupled with his privacy practice, provides him with a unique view of many workplace issues and the impact privacy, data security, and social media may play in actual or threatened lawsuits.

Mr. Gavejian regularly provides training to both executives and employees and regularly speaks on current privacy, data security, monitoring, recording, BYOD/COPE, biometrics (BIPA), social media, TCPA, and information management issues. His views on these topics have been discussed in multiple publications, including the Washington Post, Chicago Tribune, San Francisco Chronicle (SFGATE), National Law Review, Bloomberg BNA, @Law Magazine, Risk and Insurance Magazine, LXBN TV, Business Insurance Magazine, and

Mr. Gavejian is the Co-Chair of Jackson Lewis’ Hispanic Attorney Resource Group, a group committed to increasing the firm’s visibility among Hispanic-American and other minority attorneys, as well as mentoring the firm's attorneys to assist in their training and development. Mr. Gavejian also previously served on the National Leadership Committee of the Hispanic National Bar Association (HNBA) and regularly volunteers his time for pro bono matters.

Prior to joining Jackson Lewis, Mr. Gavejian served as a judicial law clerk for the Honorable Richard J. Donohue on the Superior Court of New Jersey, Bergen County.

(973) 538-6890

Frank J. Fanshawe is a Principal in the Albany, New York, office of Jackson Lewis P.C. His practice focuses on health care law and privacy and data security. He has 25 years of experience, including significant real-world legal and executive-level experience with a nationally recognized health insurer in the northeastern United States.

Mr. Fanshawe previously served as a senior adviser to the New York State Senate Health Committee chair on legislative and public policy issues in connection with New York's deregulation of the hospital payment...


Nicky Jatana is a Principal in the Los Angeles, California, office of Jackson Lewis P.C. Her practice focuses on employment litigation, as well as on advising employers regarding daily workplace issues. She is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals (IAPP).

Ms. Jatana has experience with litigation involving wrongful termination, discrimination, harassment, breach of contract, wage and hour, preventive advice and training, and other labor and employment-related matters. She has litigated...


Marlo Johnson Roebuck is the Office Managing Principal of the Detroit and Grand Rapids, Michigan, offices of Jackson Lewis P.C. She represents employers on the myriad of laws governing the workplace, including but not limited to Title VII, the Age Discrimination in Employment Act, and the Americans with Disabilities Act.

With almost two decades of legal experience, Ms. Roebuck's representation includes employment advice and counseling as well as employment litigation. She has successfully represented employers in the health care, financial and professional...