Last week, the Federal Trade Commission convened a ransomware workshop to discuss the rising epidemic of attacks against U.S. businesses and individuals. In a ransomware attack, a malicious actor tricks a user into downloading malware that encrypts all of their files, and then demands payment in exchange for the decryption key. In the current climate, ransomware attacks appear to be a question of “when,” not “if,” especially given The Department of Homeland Security’s July report that there have been an average of 4,000 ransomware attacks per day since January 1, 2016.
As we recently discussed, in light of recent guidance from Health and Human Services Office of Civil Rights, ransomware attacks may create a data breach notification event, and organizations subject to an attack should investigate thoroughly and consider whether an expert forensic analysis support is necessary. The FTC reinforced the seriousness of ransomware and the need to be vigilant at last week’s workshop, signaling that preventable ransomware attacks – ones that exploit known vulnerabilities – may violate Section 5 of the FTC Act. Specifically, Chairwoman Edith Ramirez explained: “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.” What constitutes an “unreasonable failure,” is not entirely clear, and the FTC has not provided more detail. However, review of past enforcement actions suggest that failure to address “pervasive security bugs” that leave systems vulnerable to malware will be a key factor in the FTC’s decision to open an investigation or pursue an enforcement action.
This recent statement by the Chairwoman should reinforce that companies can no longer treat ransomware attacks as just a question of business disruption. Rather, organizations should proactively conduct vulnerability assessments to identify potential security weaknesses and gaps that ransomware attackers could exploit, and develop a structured mechanism to stay abreast of the most recent ransomware variants and the means by which attackers are injecting malware into the enterprise’s network. And, of course, in the aftermath of a ransomware attack, organizations are well-counseled to consider whether a forensic investigation is necessary or appropriate, and to analyze notification duties under any applicable sector-specific and state laws.