Defending Against Ransomware: How Lawyers Help Fight Cyber Threats
Legal advice from data security attorneys
By Jessica Glynn | Reviewed by Canaan Suitt, J.D. | Last updated on August 21, 2023
Featuring practical insights from contributing attorneys Kenneth N. Rashbaum and Lisa J. Sotto
It was a typical, busy week for attorney Lisa J. Sotto.
While putting out multimillion-dollar ransomware fires, she was navigating an onslaught of Bitcoin demands from a denial-of-service group that had launched a series of cybercriminal attacks to show how it could cripple businesses.
“It’s been bad for a few years,” she says. “It’s getting worse.”
The Rise of Ransomware Threats
A partner at Hunton Andrews Kurth and a leader in data breach work since 2005, Sotto says she’s never seen a more malicious threat environment.
“And while I know law enforcement is very active in this space,” she says, “it still seems we’re not quite keeping up with the threat actors. They’re staying one step ahead of us. It’s really frustrating. I would like to see arrests. And extradition.”
Until that happens, screens will continue to lock up, and ransomware infection messages such as the following will continue to appear: “We have taken control of your systems. Apologies.”
And that’s when the race begins.
To Pay or Not Pay a Hacker’s Ransom Demand
“Even if you don’t pay, it’s useful to start to negotiate as a delay tactic because you want to know if you can restore the operating system,” Sotto says.
“You ask for proof of life—evidence they have your data and can decrypt it. They call themselves businesspeople, and they negotiate the way any legitimate business might. If you settle on a price, you need to transfer money over and exchange dollars for cryptocurrency. The choice of late is Monero. It’s a private currency, harder to trace.”
In Sotto’s experience, only a small percentage of companies pay the ransom. Reasons not to pay include:
- Moral objections to funding extortion;
- The risk that the decryption will not work; and
- The legal exposure of paying a ransom to a party on the Office of Foreign Assets Control (OFAC) sanctions list.
“Companies pay in two circumstances,” she says:
- “First, when they have no backups of the encrypted files or their data backups are corrupted, and they are simply not able to get their systems up and running again, and they know they’ll turn to dust as a company if they don’t pay.
- The second circumstance is where ransomware is coupled with the exfiltration of important files. For some companies, the data is so sensitive that they’re willing to pay to buy some measure of peace.”
Have an Incident Response Plan in Place
Barton’s Kenneth N. Rashbaum says that’s what happened with the Colonial Pipeline and JBS attacks. “For years, the FBI was advising people not to pay, but we saw the effect of locking down the systems was so dramatic on these companies,” he says. “Part of the calculus in paying was fear and uncertainty. We have our backups, but we don’t know what else is at risk. It’s a form of cyber terrorism.”
Rashbaum says far-sighted companies war-game the scenario.
“They have a plan in place,” he says. “It’s written. It’s been tested. They know who the senior executive is who triggers the plan and their backup contact information, and when to contact law enforcement. All this should be thought of in advance. The time to come up with the plan is not when you’ve seen the big red skull on your screen.”
Engage in Ransomware Prevention
Some safeguards against cyber threats Rashbaum recommends include keeping anti-malware and antivirus software patched and current, and maintaining backup systems that can be brought online quickly. He warns that the exposure for not planning properly is more than financial; it is legal.
“There have been reports, particularly in the healthcare space, of agencies penalizing organizations following a cyberattack—not because they were attacked but for not having the plan in place, not having trained the staff, all of which are required by HIPAA and other regulations,” Rashbaum says. “All 50 states have data-breach notification laws, so a lot of what the lawyers do is advise on who to notify.”
Stay Up-to-Date with New Data Privacy Laws
Because navigating that 50-state patchwork of laws and their different notification triggers is so complicated, in-house technology attorney Liberty T. McAteer says lawyers in this space watch closely for new data privacy legislation and court interpretations.
“It’s only a matter of time before there starts to be mega-litigation over this recent spate of hacks,” he says, adding that more than 200 companies were attacked in June 2021 alone.
“Even five years ago, you could be a small mom-and-pop operator and not need to worry about having an information security program. Now, everyone is on notice… There’s no door that can’t be broken down, no computer that can be 100 percent secure except for one left on the bottom of the ocean floor.
“If a person has to use it, it can be hacked.”
Find an Experienced Data Privacy Attorney
If your company has been the victim of a ransomware attack and your cyber-security team is engaged in real-time response, consult a data privacy attorney as soon as possible to assess the legal implications of a data breach and next steps.
Alternatively, if your company is crafting protocols against possible future attacks and vulnerabilities, it’s wise to consult an expert in this legal area as well. Get legal advice before you ever receive a suspicious email attachment or have an infected computer or mobile device.
For more information about this area of law and the legal services that attorneys provide, see our overview of technology transactions and related legal content.