As ransomware attacks continue to proliferate, organizations are facing increasingly complex practical and legal considerations. Ransomware threats can range from simple Ransomware-as-a-Service models to sophisticated attacks with network-wide impacts. In many cases, ransomware attacks involve not only encryption but also data exfiltration with accompanying regulatory and contractual notification obligations. Ransomware attacks are now so pervasive that they were deemed “a direct threat to our economy” by a Treasury Department Press Release. The resulting governmental focus on ransomware will create new and evolving regulatory challenges for organizations experiencing an attack.

Ransomware in 2021

If 2020 initiated a new era of ransomware threat due to pandemic-related shifts to remote work and the associated security risks, 2021 proved that this threat is only likely to increase in 2022, as the toxic mix of host nations accommodating ransomware gangs, the widespread ability of businesses to pay ransomware under insurance policies, the decreasing technical barriers to entry for attackers, and the ready availability of often untraceable cryptocurrency all remain strong. High-profile ransomware attacks in 2021 included the Colonial Pipeline attack, which interrupted gas supplies along the East Coast of the United States and the attack on JBS Food, one of the world’s largest meat producers, which caused panic buying by some consumers. As with other cybersecurity threats, supply chains were also exploited, with the REvil ransomware gang leveraging unauthorized access to Kaseya’s IT administrator software infrastructure to push out a fake software update containing ransomware. In that instance, the FBI was able to provide some assistance by obtaining encryption keys, but victims of future attacks may not be so fortunate.Continue Reading Ransomware Threat Continues to Explode with New Legal and Regulatory Risks

In 2021, the U.S. Security and Exchange Commission (SEC) continued to stake its claim as a lead regulator for cybersecurity. Going into 2022, we expect the SEC will continue to aggressively scrutinize and pursue enforcement actions related to cybersecurity disclosures by public companies and cybersecurity practices of SEC-regulated entities like broker-dealers and investment advisers.  Moreover, Chair Gensler has announced that the SEC is currently working on a proposal for clearer cybersecurity governance rules, including topics such as “cyber hygiene and incident reporting.”

In many cases, the alleged faults that the SEC has found in the cybersecurity disclosures and practices of these entities go beyond the requirements of any other state or federal cybersecurity regulations. By making itself a leader in its expectations from regulated businesses, the SEC may become the agency that sets industry standard guidance for cybersecurity risk through the SEC mandates formed during its investigations and enforcement actions.Continue Reading The Future of SEC Cybersecurity Enforcement

In the wake of major cybersecurity incidents, it is becoming increasingly common for shareholders to bring derivative lawsuits alleging that the officers or board members failed to exercise proper governance over cybersecurity. Some companies have paid settlements to resolve such matters, but few derivative actions have ended in judgment on the merits in favor of plaintiffs, largely because plaintiffs are rarely able to show that directors failed to execute their oversight responsibilities. A recent ruling by the Delaware Court of Chancery dismissing a derivative lawsuit against Marriott International, Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW (Del. Ch. Oct. 5, 2021), reiterates that directors who monitor cybersecurity governance, work to mitigate cyber risks, and seek outside advice on data protection issues will usually not face liability.
Continue Reading Marriott Data Breach Ruling Puts Corporate Boardrooms on Notice

Digital LockOn Friday, December 4, 2020, H.R. 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, was signed into law. The bipartisan bill was sponsored by Senators Mark Warner (D-VA) and Cory Gardner (R-CO) in the Senate and Representatives Robin Kelly (D-IL), and Will Hurd (R-TX) in the House. The new law will require IoT devices “owned or controlled” by the federal government to meet minimum security standards that address network vulnerabilities, and it may have significant implications for government contractors. It was introduced in response to a series of distributed denial of service (DDoS) attacks in 2016, in which the Mirai malware variant was used to compromise tens of thousands of IoT devices, causing a severe disruption in commercial web services.Continue Reading Meet the US’s New Federal IoT Cybersecurity Law