December 14, 2018


WannaCry: Are Your Security Tools Up to Date?

The effects of the massive cyberattack using the ransomware known as “Wanna Cry” are still being felt all over the world. Tens of thousands of organizations have been infected, including the UK’s National Health Service, which ran some services on an emergency-only basis the day the attack began in earnest. The ransomware spreads by means of a worm component that, once active on one machine, travels automatically to any other vulnerable computer it can reach over the network, with no action by the user. Businesses with numerous partners and suppliers that connect to their networks were especially at risk. If and when Wanna Cry is contained, the attack will fade from the public’s view, but legal repercussions may follow for affected users.

Wanna Cry, also known as “Wanna Decryptor,” is ransomware that spreads using an exploit, known as EternalBlue, thought to have been developed by the U.S. National Security Agency (NSA). The exploit targets a vulnerability in the SMBv1 file-sharing protocol of Windows operating systems (CVE-2017-0144) that allows the ransomware to copy itself automatically to other machines, across multiple networks, without anyone opening an attachment or clicking a link. The attack is the first large-scale incidence of self-spreading ransomware: a single unpatched machine exposed to the internet or to an infected partner network can seed an entire network, which makes an outbreak very difficult to stop once it has begun.

Microsoft issued a patch (security bulletin MS17-010) on March 14, 2017, to fix the hole in Windows. However, many organizations failed to apply the patch and found themselves susceptible to Wanna Cry over the last couple of weeks. Indeed, in some regions, a large proportion of affected users were running pirated or out-of-support copies of Windows, such as Windows XP, which no longer receive routine updates. Unusually, Microsoft has even released patches for such unsupported systems.

The damage caused by the Wanna Cry attack was both predictable and possibly preventable. In April 2017, a group calling themselves the Shadow Brokers released onto the web what they claimed were NSA-developed hacking tools, including the exploit later used by Wanna Cry. Many security experts predicted it was only a matter of time before the Shadow Brokers’ tools were used on a large scale.

There are several lessons apparent at the outset:

First, organizations and individuals should update their systems frequently. Organizations both large and small sometimes wait before applying security patches issued by major software providers. Reasons may include other priority IT initiatives, concerns about the compatibility of specialized or legacy software, a lack of understanding of the seriousness of the vulnerability that the patch is intended to address, or simply manpower limits. The Wanna Cry attack, however, illustrates the importance of implementing patches and updates promptly to avoid falling prey to an attack that takes advantage of the unpatched vulnerability. Businesses should also bear in mind that failure to keep systems updated can result not only in disruption of business, but in the potential for theft of confidential company, client, and employee information, and could lead to lawsuits or regulatory enforcement actions alleging a lack of due diligence. While no protection or patch can be foolproof, systematic application of updates is a key security imperative in an increasingly integrated world.

Backing up crucial files to a location the main network cannot write to, such as an offline or segregated server, is also helpful in case the main network becomes compromised; ransomware that can reach a backup share over the network will encrypt the backups along with everything else.

All businesses should have a breach response plan in place before an attack occurs, especially in the event of a ransomware attack that paralyzes internal systems and blocks access to data until a ransom is paid. Assessing an organization’s data collection and security practices, assembling a breach response team, and identifying legal obligations, law enforcement contacts, and forensics experts before an event occurs can help ensure an effective and timely response if, despite precautions, a company becomes the target of a data breach or ransomware demand. Regular training for directors, employees, and contractors is also important to raise awareness throughout the organization and mitigate risks. Automating the distribution of updates and patches across your systems, so that a fix like the March 2017 patch does not depend on each machine being updated by hand, can also help.
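As an added example, not drawn from the article or its authors, the following PowerShell script checks a Windows host for the two conditions that let Wanna Cry spread: SMBv1 still enabled, and the March 2017 fix (MS17-010) not installed. The KB list and the -Remediate switch are assumptions supplied here for illustration. KB4012212 and KB4012215 are the Windows 7 / Server 2008 R2 packages for MS17-010 and KB4012598 the out-of-band update Microsoft issued for Windows XP, Server 2003 and Windows 8, but later cumulative updates supersede them without carrying those numbers, so confirm the list against the MS17-010 bulletin for each Windows version before trusting a "not listed" result.

```powershell
# Added example (not the article's own material): report whether this host is
# exposed to the Wanna Cry spreading path, and optionally disable SMBv1.
# Run in an elevated PowerShell session.
param(
    # Assumed KB list; verify against the MS17-010 bulletin for your OS version.
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598'),
    # Assumed switch name: when set, turn SMBv1 server support off.
    [switch]$Remediate
)

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the documented registry value. If the value
    # is absent, SMBv1 is enabled by default.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return ($val.SMB1 -ne 0)
}

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    # Get-HotFix lists installed update packages by KB number. Cumulative
    # updates that include the fix may not appear here, hence the caveat above.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry method for Windows 7 / Server 2008 R2; takes effect after a reboot.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Value 0 -Type DWord
    }
}

$smb1  = Test-Smb1Enabled
$fixed = Test-Ms17010Installed -Kbs $Ms17010Kbs

# One row per host; suitable for collecting from many machines into a CSV.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    OS            = (Get-CimInstance Win32_OperatingSystem).Caption
    SMB1Enabled   = $smb1
    MS17010Listed = $fixed
    Exposed       = ($smb1 -and -not $fixed)
}

if ($Remediate -and $smb1) {
    # Disabling SMBv1 closes the EternalBlue path even before the patch lands,
    # but check first that no legacy device on the network still depends on it.
    Disable-Smb1
    Write-Host "SMBv1 server support disabled on $env:COMPUTERNAME"
}
```

Running the script without -Remediate only reports; a host showing Exposed = True should be patched and have SMBv1 disabled, in that order of urgency. A single unpatched machine is enough to re-infect a network, so the useful output is the aggregate across every host, not the result on one.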

You don’t want to wait for the next wave of attacks to plan to protect your business, your employees, and your customers.

© 2018 Keller and Heckman LLP

About this Author

Sheila A. Millar
Partner

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues. She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters. She helps clients develop website and app privacy policies,...

202-434-4646
Tracy Marshall
Partner

Tracy Marshall joined Keller and Heckman in 2002. She assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions. 

202-434-4234