If hackers steal your credit card info, they can ruin your day. If they steal your Social Security number, they can wreak financial havoc for years.
But if they freeze or steal your computer data, they can ruin your life or threaten your company’s very existence.
Pay the money and your computer won’t be hurt
“I’m feeling like we have a lot less control [over protecting data],” says privacy lawyer Lisa Sotto of Hunton & Williams. “I was on a panel recently and there wasn’t a whole lot of optimism among the speakers about business’ ability to manage the current cybersecurity threat environment. The hackers have made quite a splash.”
In January 2015, Alina Simone wrote in The New York Times about helping her terrified mother pay a $500 extortion fee in Bitcoins to hackers who had seized control of the woman’s computer and encrypted all her files. The hackers used a malicious virus called CryptoWall that’s infected thousands of computers through spam or booby-trapped websites.
“That's exactly how I see it going: companies and individuals paying ransomware demands, because they generally have no choice,” Sotto says.
Such payments, she says, are already common. “I do not believe there is a heck of a lot of negotiation involved. … Hackers who are operating in the ransomware space are not asking for exorbitant amounts, so, for the most part, what I hear is, people are paying.”
It’s understandable for individuals to believe they wouldn’t be targeted, says Melinda McLellan, a privacy and data protection law expert at Baker & Hostetler. Understandable and misguided.
“A private citizen might think, ‘What information do I have on my computer that would interest a hacker?’” she says. “OK, but what if a criminal deleted your entire email account?”
Destruction of a Gmail archive, replete with receipts, frequent flier numbers, even financial records and last messages from deceased loved ones, could be devastating. She warns about the increasing incidence of so-called “data terrorism,” enabled in part by the growing centralization of critical information.
“Data is easily the most valuable commodity on earth. For many companies, it’s worth far more than cash. And the black market for personal data outstripped everything—including the illegal drug trade—years ago,” McLellan says. “Hackers are nothing new, but we’ve never seen this level of aggregation of valuable information by so many entities around the world.”
It’s hard to overstate the impact of the 2014 Sony incident, which proved hackers could not only embarrass a company but derail a major product release.
“I can imagine the hacktivist community targeting a particular company, gaining access to that company’s internal emails, and publishing potentially damaging material in an attempt to stop, say, the launch of a pharmaceutical product,” McLellan says.
What can you do?
So what can companies—and individuals—do? It begins with a broader assessment of what data is critical, says Hadas Weisman, an intellectual property lawyer with her own practice.
“[Valuable data] can vary tremendously from one business to another,” she says. “Obviously if there is some secret sauce ... you start there and try to identify additional tiers of sensitive information.”
Tax returns or R&D documents might deserve the highest level of security. Perhaps you encrypt them. Maybe you don’t even store them on your computer. The worst time to decide what’s important—be it old family photos or chatty emails from executives—is after criminals have stolen the data.