The recent data breach suffered by Equifax served as a reminder to businesses everywhere of the omnipresence of cybercriminals and the damage they can cause. While the Equifax data breach was reportedly caused by hackers exploiting a security vulnerability, cybercriminals use an arsenal of weapons to infiltrate companies’ networks and access their business data. Ransomware is currently one of the most commonly used.
Ransomware is a form of malicious software that infiltrates a computer system, encrypts the data stored on it with a key that only the attacker holds, and keeps the data locked until a ransom is paid for that key. Businesses are particularly ripe targets for ransomware attacks because they need access to their electronic files to operate, and are therefore more willing, and more able, to pay the ransom to regain access to their computer systems.
Earlier this year, a strain of ransomware named “WannaCry” infiltrated the computer networks of businesses across the world, eventually impacting over 100,000 organizations in more than 150 countries, including the United Kingdom’s National Health Service, a Spanish telecommunications company, and an international delivery services company. Shortly thereafter, another strain of ransomware spread through the U.S. and Europe, disrupting several major businesses, and other strains of ransomware have since been reported.
Although the sheer size of these attacks made headlines, ransomware attacks on businesses are common. In 2016, a U.S. government interagency report stated that on average more than 4,000 ransomware attacks have occurred daily since January 1, 2016. The Department of Justice also revealed that since 2005, the FBI’s Internet Crime Complaint Center (IC3) has received 7,694 ransomware complaints, totaling $57,602,032.72 in ransoms.
Depending on the types of data impacted by the ransomware attack, the attack may trigger legal obligations. The following provides considerations for employers when human resource data is involved in a ransomware attack.
Notification Obligations
If files containing employee Social Security numbers, driver’s license numbers, or financial account information are involved, the attack may trigger a notification obligation under a state’s data security breach notification law.
Other than Alabama and South Dakota, every state has a data security breach notification law. These laws require entities that experience theft of unencrypted computerized data containing an individual’s personal information to notify the affected individual. Determining whether a ransomware attack meets this definition requires careful analysis, and the analysis is often difficult: while the data is being held for ransom the business is locked out and cannot directly observe what the attacker has done with it. In practice the answer has to be reconstructed afterward from evidence the ransomware did not touch, such as network, authentication and endpoint logs, which is one reason those logs need to be retained somewhere outside the affected systems.
Companies should, however, seek to obtain answers to the following questions:
- Was employees’ personal information involved in the ransomware attack?
- Was the personal information accessed and/or acquired (for instance, copied out of the company’s systems) by the attacker? And,
- If the information was accessed and/or acquired, is there a material risk of harm to the employees who are the subject of the personal information?
Each state defines “personal information” differently, but all breach notification laws include the following categories of information, which are frequently collected by HR and stored by employers:
- An individual’s first name or first initial plus the individual’s last name, plus one or more of the following (collectively “Trigger Data”):
- Social Security number;
- Driver’s license number or state identification number;
- Financial account information accompanied by a security code, access code, or password that would permit access to the account.
Every state’s breach notification law provides a safe harbor for Trigger Data that is encrypted. However, companies with encrypted data should not automatically assume they are shielded by this exemption, particularly since newer strains of ransomware are reported to copy data out of the victim’s network before encrypting it. Encryption at rest only protects data that the attacker could not read at the time of the attack: ransomware that runs under a logged-in user’s account reads files through the operating system just as that user would, and full-disk encryption provides no protection once the system is booted and unlocked. The safe harbor also generally does not apply if the encryption key was itself compromised. Companies should therefore confirm that the data the attacker could reach was actually unreadable to the attacker, not merely that an encryption product was deployed.
Of course, breach notification can be a costly proposition, but failing to inform employees of a breach can be even more costly. Breach notification laws allow for civil penalties, and many permit the state’s attorney general to bring a civil action against the entity that suffered the breach, which the Massachusetts Attorney General recently announced she intends to do against Equifax. Also, in recent years, class action lawsuits alleging harm suffered as a result of a data breach have become more common. It is therefore important for companies that suffer a ransomware attack to gather as much information as possible (as quickly as possible) and carefully analyze whether to notify impacted employees.
When It Becomes a HIPAA Incident
If group health plan data is involved, a HIPAA security incident has occurred that may need to be reported to the Department of Health and Human Services (HHS) as a breach.
An employer’s insured or self-insured group health plan is a HIPAA-covered entity. In 2016, HHS, the agency that enforces the Health Insurance Portability and Accountability Act (HIPAA), released a “Fact Sheet” on ransomware for HIPAA-covered entities. The Fact Sheet confirms the following three points.
1. A group health plan that suffers a ransomware attack has suffered a security incident.
HIPAA defines a “security incident” as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” A covered group health plan that suffers a ransomware attack has, at a minimum, suffered a security incident. HIPAA requires covered group health plans to implement, and to follow, policies and procedures that explain how employees should respond to and report security incidents such as ransomware attacks. In addition, covered group health plans are required to document the ransomware attack and its outcome.
2. A group health plan may still need to inform employee-participants of a ransomware attack even if the data involved in the attack is encrypted.
HIPAA’s Breach Notification Rule applies only to “unsecured” protected health information (PHI), meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons. If health information is encrypted in accordance with HHS’s encryption guidance it is “secured,” and so, if it is subject to unauthorized disclosure through a ransomware attack, it may not need to be reported as a breach.
However, HHS’s guidance makes clear that the mere fact that data was encrypted does not end the inquiry. The question is whether the PHI was actually unreadable to the attacker at the time of the attack. The Fact Sheet’s own illustration is full-disk encryption: it protects a powered-off laptop, but once the device is booted and a user has logged in, the operating system decrypts files for any process running under that account, including the ransomware, so the PHI may have been fully readable to the malware.

As discussed above in relation to state data breach laws, businesses must therefore conduct a careful, fact-specific analysis to determine whether encryption in fact made the PHI unusable, unreadable and indecipherable to the attacker.
3. A group health plan may have to inform employee-participants of a ransomware attack if the data involved in the attack is not encrypted, unless the plan can demonstrate a “low probability that the PHI has been compromised.”
Under HIPAA, when a covered group health plan that has not encrypted its PHI suffers a ransomware attack, a breach is presumed to have occurred. To overcome this presumption, the plan must be able to demonstrate, based on a documented risk assessment, that there is a “low probability that the [PHI] has been compromised.” The assessment considers, among other factors, the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated.
As ransomware attacks and other forms of cyberattacks continue to impact businesses, it is incumbent upon companies to develop security incident response plans and to train employees on how to respond to a security incident. Companies should also take inventory of the data stored on their systems and the access controls to that data, and make sure that the logs needed to answer the questions above, along with backups of the data itself, are kept where an attacker who has encrypted the primary systems cannot reach them.