Ransomware and its Legal Considerations
Cybersecurity is a matter of serious concern for all businesses, including municipalities and state and federal government entities. In fact, numerous school districts across the country have been hit by ransomware in recent years. School districts are vulnerable because, when they are deprived of access to their computer systems, officials may feel a sense of urgency that tempts them to pay the ransom. Recent attacks appear to be financially driven; the use of ransomware has been called “digital extortion.”1 Ransomware is defined as malware that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom. Ransomware can be placed on a myriad of computer hardware, such as desktops, laptops, and smartphones. The typical means of attack is email: a message can appear legitimate, but when the recipient clicks on an attachment or URL, ransomware code is released that infects the device.2
Although deliberately releasing this kind of malware into a computer system is likely a violation of the Computer Fraud and Abuse Act, originally enacted under the Comprehensive Crime Control Act of 1984,3 most of the prosecutions under the law have been of employees and/or independent contractors. The most likely reason that hackers have not been prosecuted under this law is that it is extremely difficult to identify them, especially those operating from foreign jurisdictions.4 Thus, Congress chose to provide tools for defending against malware infiltration by enacting the Cybersecurity Information Sharing Act (CISA), which provides for the voluntary sharing of threat information.5 Congress has attempted to assuage fears of liability under other laws, such as the Electronic Communications Privacy Act, the Freedom of Information Act, anti-trust laws, and other privacy laws, and even fears that sharing could (in some cases) waive attorney-client privilege or similar protections.6 CISA contains preemption language that permits the sharing of threat information notwithstanding other federal and state statutes that may prohibit it. It also permits federal, state, and local entities to share information concerning cyber threats. Regardless, many entities remain reluctant to share information due to persisting liability concerns.7
In late September, the U.S. Senate passed the “DHS Cyber Hunt and Incident Response Teams Act” (S.315) to authorize the Department of Homeland Security (DHS) to maintain cyber hunt and incident response teams to assist private and public entities in defending against cyber attacks. There has been no reported progress on the bill since the Senate action.
The Federal Bureau of Investigation (FBI) has issued some guidance in the event of a ransomware attack, which can be found at https://pdf.ic3.gov/Ransomware_Trifold_e-version.pdf. The guidance asks entities to: (1) implement an awareness and training program informing employees how they are targeted; (2) patch operating systems, software, and firmware on devices, which may be made more manageable through a centralized patch management system; (3) ensure anti-virus and anti-malware solutions are set to update automatically; (4) be cautious with administrative access and keep its use to an as-needed basis; (5) configure access controls, including file directory and network permissions, with least privilege in mind: if a user only needs to view certain files, they should not have “write” access to those files; (6) disable macro scripts in office files transmitted by email; and (7) implement Software Restriction Policies to prevent programs from executing from common ransomware locations.
The FBI also recommends regular backups and verification of the integrity of those backups. The FBI cautions that businesses should secure their backups, making sure they are not connected to the computers and systems being backed up. This may be the best means of data recovery.
The FBI does not support paying the ransom. Payment does not guarantee recovery of the data: after paying the ransom, some victims were never provided with the decryption key. Paying the ransom also encourages the hacker to repeat the offense.
The FBI encourages victims to contact their local FBI office immediately to report an attack. New Jersey public school districts are also asked to report an attack to their respective county superintendent's office. Districts can purchase cyber insurance, which can cover the costs incurred in such an attack. Cyber insurance can also cover the cost of restoring data and potential legal liabilities, such as the cost of claims made against the district for exposing personal data.8
School districts, with the assistance of technology professionals, should develop and implement district-wide policies that educate district technology users about malware. Policies may also incorporate other procedures recommended by the FBI. In the event that a school district is struck with ransomware, the administration should contact the board attorney for assistance in carrying out all recommended procedures, regaining access to the system, and protecting the district from loss of private information and from liability.
1 40 Seattle U.L. Rev. 937.
3 18 U.S.C.A. § 1030.
4 40 Seattle U.L. Rev. 937.
5 CISA was passed as part of the Consolidated Appropriations Act of 2016, Pub. L. No. 114-113, 129 Stat. 2242 (Dec. 18, 2015).
6 40 Seattle U.L. Rev. 937, at 962.
7 Id. at 963.
8 Lisa N. Thompson, New Hampshire Municipal Association, “Cybersecurity Best Practices for Municipalities,” https://www.nhmunicipal.org/town-city-article/cybersecurity-best-practices-municipalities