February 24, 2020


Relaxed Legal Ransomware: Give Me Back My Files!

If Ron Howard were to remake his 1996 film Ransom today, instead of Mel Gibson passionately screaming, “Give me back my son!” in response to the kidnapper’s demands, he very well could have Gibson scream, “Give me back my files!” in response to a cybercriminal’s ransomware demand. What is “ransomware”? Assume you are reading email on your personal computer, tablet, or smartphone and you open an attachment from an unfamiliar source. Within seconds, the files on your device are encrypted and you are locked out of your applications and data. You may have unwittingly fallen victim to a cybercriminal’s trap. Unless you pay a stated amount within a stated time in exchange for the decryption key, your personal information will be gone forever.

This form of cyber-attack—known colloquially as a “ransomware” attack, in which a cybercriminal unleashes malware on a company’s computing infrastructure and extorts the company for access to its own systems—is on the rise. There are a number of different versions of this attack, but common families include CryptoLocker and CryptoWall. A recent report by Intel Corp.’s McAfee Labs predicts that ransomware attacks in 2016 will only continue to grow in number and sophistication.[1]

Ransomware’s Impact on the Health Care Industry

Health care organizations, in particular, are susceptible to ransomware attacks because their employees are public facing and it may be part of their jobs to open emails and attachments from unknown sources. Further, because the health care industry lags behind other regulated industries in terms of cybersecurity, employees may not be trained to spot fraudulent messages, and their networks may not be configured to stop the infection before it reaches the company’s file systems and shared drives.

For health care organizations, the stakes are extremely high. A hospital subject to a ransomware attack could lose access to certain computer systems, preventing it from exchanging electronic communications regarding the care of its patients. Ultimately, the hospital might have no choice but to pay tens of thousands of dollars in ransom to obtain the decryption key and regain access to its systems and administrative functions. Losing access to its electronic medical record system for even one day, let alone multiple days, could also harm a hospital’s reputation.

Equally troubling is the prospect that a health care organization subject to a ransomware attack learns that its patient protected health information (“PHI”) and/or employee personally identifiable information (“PII”) was accessed by the hackers. Failure to take adequate steps to protect this information can lead to legal liability. Health care organizations that handle PHI are required by the Health Insurance Portability and Accountability Act (“HIPAA”) to adopt administrative, technical, and physical safeguards to protect the confidentiality of PHI. In addition, various state and federal laws establish affirmative duties of employers to protect non-HIPAA-covered sensitive information in a secure manner. Finally, as illustrated by the cyber-attack on Sony Pictures Entertainment,[2] employers may be susceptible to negligence and state law statutory claims by employees whose PII may be stolen or accessed as part of these attacks.

In the wake of such attacks, health care organizations should take a series of steps to protect their patients, customers, employees, and corporate information. As an initial matter, companies should conduct a risk assessment and penetration test to determine their network’s vulnerabilities and ensure proper network segmentation is in place to isolate an infection if it occurs. Such a review allows businesses to identify and address their most pressing weaknesses before cybercriminals exploit them and to contain the infection when it does occur.

What Should Your Business Do in the Face of Ransomware?

Because ransomware attacks leave companies unable to access their systems, businesses should implement comprehensive and routine procedures to back up important, confidential, and sensitive information. Two cautions apply: backups that remain reachable from an infected workstation (a mapped network drive, a permanently connected external disk) can be encrypted along with everything else, so at least one copy should be kept offline or otherwise write-protected; and a backup taken after the infection began may itself contain only encrypted files, so backups should be verified and restores tested on a schedule rather than assumed to work. That way, even if ransomware leaves the systems themselves inoperative for a period of time, such an attack will not completely cripple a company’s ability to continue doing business and serving its patients and/or customers.
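The following script is an added illustration of the backup-verification step above; it is not code from the original post or from the authors. It assumes a simple backup layout (files under one directory, plus a manifest of SHA-256 digests kept beside that directory; the manifest format is hypothetical) and reports three conditions a ransomware incident produces: a backed-up file that has gone missing, one whose digest no longer matches (encrypted or tampered with after the backup ran), and one whose digest matches but whose contents look like ciphertext, meaning the source was already encrypted when the backup was taken. The entropy heuristic is a rough screen and is skipped for file types that are compressed or encrypted by design.

```python
"""Verify that a backup set is intact and usable before it is needed.

Added example, not code from the original post. The manifest layout
(one "digest  relative/path" line per file) is a hypothetical convention.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# File types that are compressed or encrypted by design and so are
# legitimately high-entropy; the entropy heuristic is skipped for them.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".pdf", ".docx", ".xlsx"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def write_manifest(backup_dir, manifest_path):
    """Record a SHA-256 digest for every file under backup_dir; returns the count."""
    entries = []
    for root, _, files in os.walk(backup_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, backup_dir)
            entries.append(f"{sha256_file(path)}  {rel}")
    with open(manifest_path, "w") as f:
        f.write("\n".join(entries) + "\n")
    return len(entries)


def verify_backup(backup_dir, manifest_path, entropy_threshold=7.5):
    """Return {relative_path: problem}; an empty dict means the set checks out."""
    problems = {}
    with open(manifest_path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            path = os.path.join(backup_dir, rel)
            if not os.path.exists(path):
                problems[rel] = "missing"
                continue
            if sha256_file(path) != digest:
                problems[rel] = "digest mismatch"
                continue
            if os.path.splitext(rel)[1].lower() in HIGH_ENTROPY_OK:
                continue
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if shannon_entropy(head) > entropy_threshold:
                problems[rel] = "high entropy (possibly encrypted at source)"
    return problems


def run_demo():
    """Build a constructed backup set in a temp dir and exercise all three checks."""
    root = tempfile.mkdtemp(prefix="ransomware-backup-demo-")
    backup_dir = os.path.join(root, "backup")
    os.makedirs(backup_dir)
    manifest = os.path.join(root, "manifest.sha256")

    # Constructed sample data: one plain-text record file, and one file whose
    # bytes are uniformly distributed to simulate ciphertext captured by a
    # backup that ran after the infection had already started.
    with open(os.path.join(backup_dir, "records.txt"), "wb") as f:
        f.write(b"patient record 0001: follow-up scheduled\n" * 100)
    with open(os.path.join(backup_dir, "records.db"), "wb") as f:
        f.write(bytes(range(256)) * 16)  # entropy is exactly 8.0 bits/byte

    write_manifest(backup_dir, manifest)
    results = {"fresh": verify_backup(backup_dir, manifest)}

    # Simulate the malware reaching the backup share after the manifest was written.
    with open(os.path.join(backup_dir, "records.txt"), "ab") as f:
        f.write(b"\x00")
    results["tampered"] = verify_backup(backup_dir, manifest)

    os.remove(os.path.join(backup_dir, "records.txt"))
    results["deleted"] = verify_backup(backup_dir, manifest)
    return results


if __name__ == "__main__":
    for stage, problems in run_demo().items():
        print(stage, problems or "OK")
```

Run it as-is to see the three stages; in practice the manifest would be written by the backup job and `verify_backup` run from a host that mounts the backup copy read-only, so that the verification itself cannot be used to alter the set.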

Simple administrative and physical safeguards also can aid companies in preventing and limiting the impact of ransomware attacks. Employees should be granted access to workstations, electronic media, and the network only to the extent necessary to perform their jobs or as otherwise permitted by law; an infected account can encrypt only what it can reach, so narrow access limits the damage. Further, because ransomware generally enters through an end user’s action, such as opening a malicious attachment or link, companies should conduct phishing training so that employees are in a better position to spot fraudulent messages that could carry malware.

In the event of a ransomware or other cyber-attack, companies should contact law enforcement and appropriate experts in the field to formulate an immediate, but reasoned, response to the attack. A number of states have enacted legislation subjecting victims of cyber-attacks to various disclosure requirements, and any victims should be familiar with their duties under applicable law.

[1] McAfee Labs, 2016 Threat Predictions, available at http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf.

[2] Corona v. Sony Pictures Entertainment Inc., C.D. Cal., No. 2:14-cv-9600.

©2020 Epstein Becker & Green, P.C. All rights reserved.


About this Author


ADAM S. FORMAN is a Member of the Firm in the Employment, Labor, and Workforce Management practice, based in Chicago and Detroit (Metro). As noted in the 2015 edition of Chambers USA, Mr. Forman “is a renowned expert in social media issues relating to the workplace” and also “focuses on litigation, training and preventive advice on the employment side.” A frequent writer and national lecturer on issues related to technology in the workplace, such as social media, Internet, and privacy issues facing employers, Mr. Forman is often interviewed by...


NATHANIEL M. GLASSER is a Member of the Firm in the Labor and Employment practice, in the Washington, DC, office of Epstein Becker Green. His practice focuses on the representation of leading companies and firms, including publishing and media companies, financial services institutions, and law firms, in all areas of labor and employment relations.

Mr. Glasser’s experience includes:

  • Defending clients in employment litigation, from single-plaintiff to class action disputes, brought in federal court, state court, and arbitration tribunals involving claims of unlawful discrimination, harassment, retaliation, breach of contract, defamation, alleged violation of the FLSA and state wage and hour laws, and whistleblowing

  • Representing clients facing charges at the U.S. Equal Employment Opportunity Commission, the U.S. Department of Labor, the District of Columbia Commission on Human Rights, the New York State Division of Human Rights, the New York City Commission on Human Rights, and other administrative agencies at the federal, state, and local levels