Recent comments by FTC Chairwoman Edith Ramirez suggest that a company’s failure to take preventative measures to address ransomware could result in an enforcement action by the FTC, even if a company is never actually subject to a ransomware attack. The Chairwoman’s comments reflect a growing concern among US government agencies regarding ransomware and may foreshadow additional FTC action, building upon a developing trend of US regulators engaging in pre-breach enforcement action.
Recent Ransomware Attacks
A ransomware attack is one in which malware holds hostage a victim’s files or computer systems, typically through use of encryption. These attacks are an increasingly common cybersecurity threat to companies across industries. For example, in February 2016, Hollywood Presbyterian Medical Center was hit with a ransomware attack and ultimately paid approximately $17,000 in exchange for the release of system resources and data files held hostage by the attackers. In April 2016, Lansing Board of Water & Light (“BWL”), the third largest electric utility in Michigan, was hit with a ransomware attack. While the attack did not involve customer information or impact the delivery of water and electricity, BWL was forced to lock down all of its corporate systems to combat the attack. One report indicates that BWL incurred nearly $2 million in legal, information technology, and cybersecurity expenses in response to the attack.
US Federal Government Ransomware Guidance
The US federal government has been active in providing guidance to address ransomware. For example, noting reports that “global ransomware infections were at an all-time high” in early 2016, the Federal Bureau of Investigation issued an alert on September 15, 2016 that urged victims of ransomware to report infections to federal law enforcement and provided several prevention and continuity measures to reduce the risk of a successful attack. This alert is consistent with the guidance it issued in April 2016 for CISOs and CEOs. The HHS Office of Civil Rights also issued guidance in June 2016 for HIPAA Covered Entities and Business Associates.
FTC Ransomware Comments
FTC Chairwoman Ramirez recently addressed the topic of ransomware in her opening remarks to the FTC Fall Technology Series event on Ransomware on September 7, 2016:
The ransomware threat is becoming more pernicious because of the dramatic increase in the number of attacks, the lucrative nature of the threat, the many ways in which criminals are infecting targets, and the potential for causing significant harm to both consumers and businesses alike.
Ramirez noted that the FTC has “long addressed the harm caused by malware, including the challenges it poses to securing consumer data,” by providing guidance to consumers and businesses. She also pointed to the FTC’s championing of “good cyber hygiene and network security,” including through the approximately 60 enforcement actions it has brought against companies that “failed to reasonably secure consumer data on their networks.” As Ramirez sees it, “[t]hrough [its] enforcement, [the FTC] aim[s] to ensure that companies make truthful representations about their privacy and security practices and that they provide reasonable security for consumer information.”
Ramirez also stressed that:
One component of reasonable security is that companies have procedures in place to address vulnerabilities as they arise, including malicious software. A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.
Although left unstated, Ramirez’s comments suggest that failing to patch vulnerabilities exploited by ransomware could result in FTC enforcement actions against companies, even if a company never faces an attack. The Chairwoman’s comments are consistent with the FTC’s approach in pursuing and settling with ASUS in February 2016 regarding the security it provided for its home routers and cloud services, even in the absence of a security breach. (We have noted the development of a pre-breach enforcement trend within the Federal Government earlier this year.)
To help guard against FTC enforcement, companies may wish to assess the reasonableness of their cybersecurity policies and practices and take actions to remediate any gaps that are identified in the assessment – particularly with respect to ransomware preparedness. In assessing their cybersecurity program, at a minimum, companies may wish to consider the recent advice from the FBI and relevant regulators, such as HHS. Companies may also wish to consider broader cybersecurity guidance, such as the FTC’s recent guidance applying the NIST Cybersecurity Framework.