Taking Data Hostage—Who is Liable When Ransomware Strikes?

By: Chris Gavrielidis

Ransomware is on the rise, and no one is safe.  From hospitals to law firms, hackers have begun to seize data and offer their victims an encryption key in exchange for “ransom.”  It is typically accompanied by a warning to the effect that any attempt to remove or damage the ransom software would result in a destruction of the “hostage” data.  By charging a certain sum of money (which varies depending on the financial stability of the victim), this new phenomenon is the latest method used by attackers to make a quick buck.

Last year, California law firm Ziprick & Cramer fell victim to a ransomware attack.  More recently, in February of this year, Hollywood Presbyterian Hospital in Los Angeles paid $17,000 to regain access to its own systems, including sensitive data.  And in late March, MedStar Health in DC lost control of its systems in the face of an $18,500 ransom demand.  According to FireEye, a top U.S. cybersecurity firm, ransomware “is something we are seeing more of.”  Although ransomware attacks are not a very common occurrence, they occur more often than one might think.  In fact, many cases of corporate hacks in general go unreported because of the risk of embarrassment, along with the public’s loss of confidence in the company.

So far, the FBI is baffled by the attacks.  The current state of the Information Technology (IT) world’s defense against ransomware is also uncertain at best.  In lieu of a successful counterattack against these hackers, one thing these victims need to be concerned about is liability.

With ransomware, more than mere cybersecurity is at stake.  When hospitals are at the receiving end of the hack, the immediate implications are clear: interference with the day-to-day operation of vital services, and perhaps a delay in receiving and transmitting vital patient information.  This begs the question—can the hospitals afford to say no?  For firms, the immediate implications maybe less critical in the short-term.  This has led to some—as in the case of Ziprick & Cramer—to stand their ground in opposition.  However, private client information is still at stake, and a firm’s productivity declines as its ability to perform is cut at the knees.  Not only this, but when data breaches lead to privacy issues, liability is sure to follow.  As a result, some have suggested that cyber attacks—including ransomware hacks—ought to be included in a business’s enterprise risk management (ERM) plan.

In Ziprick & Cramer’s case, the firm refused to negotiate.  As they boldly asserted: “Our firm did not and will not pay any such ransom.”  But by choosing not to “encourage and fund such criminals in their illegal activities,” as they put it, have they breached client confidentiality?  Even if one assumes the hackers do not personally access client information, does the firm breach a fiduciary duty by failing to pay the ransom, where doing so would be the firm’s only viable option?  When considering liability, it is important to remember why firms become targets.  Like a real hostage situation, ransomware takes advantage of the target’s weakness.  For law firms in particular, that weakness is often in the email serves.  Because of the sheer volume of incoming correspondence, firms are more likely to accept incoming attachments than other organizations.

Who is liable in the event of a data breach, and will liability extend to companies which encompass cyber-attacks in their ERM plans?  What role will insurance play in the future?  Furthermore, how does a firm’s approach to ransomware impact its fiduciary duties to its clients?  In other words, how will a firm’s decision to pay (or not pay) a ransom be analyzed with respect to the principal-agent relationship between the lawyer and the client?  These are questions that must be considered if and when ransomware becomes a more widespread threat.  Regardless of the answers, one thing is certain: as hackers become more sophisticated, so must our response.

Print Friendly, PDF & Email