Incidents of ransomware are on the rise and it’s a growing concern for all of us. We have been well versed on what not to open or click on. But it is equally important to be informed on what actions you need to take if you fall victim to a ransomware attack.
If your business falls under breach notification rules, here is a cheat sheet that presents information without all the legalese.
Breach Notification Rules for Ransomware
The real issue to investigate is whether unauthorized access alone triggers a notification to customers. In effect, that is what ransomware is doing – accessing your PII without your permission.
We present for your ransomware breach response edification the following:
- Healthcare– HIPAA’s Breach Notification rules requires covered entities (hospital, insurers) to notify customers and the Department of Health and Human Services (HHS) when there’s been unauthorized access to protected health information (PHI). This is the strictest federal consumer data laws when it comes to a ransomware breach response. HHS has put out a helpful guideline explaining more of the complexities involved in a determination of a PHI breach.
- Consumer banks and loan companies– Under GLBA, the Federal Trade Commission (FTC) enforces data protection rules for consumer banking and finance through the Safeguards Rule. According to the FTC, ransomware (or any other malware attack) on your favorite bank or lender would not require a notification. They recommend that these financial companies alert customers, but it’s not an explicit obligation.
- Brokers, dealers, investment advisors– The Securities and Exchange Commission (SEC) has regulatory authority for these types of investment firms. Under GBLA, the SEC came up with their own rule, called Regulation S-P, which does call for a breach response program. But there’s no explicit breach notification requirement in the program. In other words, it’s something you should do, but you don’t have to.
- Investment banks, national banks, private bankers– With these remaining investment companies, the Federal Reserve and various Treasury Department agencies jointly came up with their own rules. In this case, these companies have “an affirmative duty” to protect against unauthorized use or access, and notification is part of that duty. In the fine print it says, though, that there has to be a determination of “misuse” of data. Whether ransomware’s encryption is misuse of the data is unclear. In any case, the rules spell out what the notification must contain — a description of the incident and the data that was accessed.
Green, Andy. “Ransomware: Legal Cheat Sheet”. Inside Out Security Blog – Data Security, January 2017