What Can Be Done About Ransomware Attacks?

Michigan attorneys’ advice when you’re virtually shut down

By William Wagner | Reviewed by Canaan Suitt, J.D. | Last updated on August 4, 2023

Featuring practical insights from contributing attorneys James J. Giszczak and John J. Rolecki

In November 2022, a ransomware attack shut down schools in two Michigan counties for multiple days. From classroom technologies to the heating, the schools’ critical operating systems were rendered nonfunctional.

James J. Giszczak, co-president and co-chair of the Data Privacy and Cybersecurity Practice Group at McDonald Hopkins in Bloomfield Hills, sees business operations incapacitated virtually every day. “We probably get three to five ransomware calls per day from clients that need help,” he says. “In many cases, the business is completely shut down. They can’t do anything.”

What is Ransomware?

Ransomware is a type of malicious software (malware) designed to disable computer systems and capture sensitive data until the victim pays a ransom to the perpetrator.

Although the first known ransomware attack happened in 1989, the problem came to the fore at the onset of the pandemic in early 2020, when threat actors proliferated.

“It was a combination of things that came together during Covid-19,” Giszczak says. “Part of it was that some companies, given the economics of things, may not have had their security where it needed to be. Companies were struggling.”

The threat hasn’t receded.

“Many companies have misconceptions and say, ‘I’m not a big organization’ or ‘If I get attacked, it’s not a big deal. I don’t have a lot of sensitive information.’ The problem is that the threat actors are attacking any and all organizations. If your systems are all shut down, and you can’t communicate or operate, it will severely disrupt your business,” Giszczak says.

Given the stakes, businesses need to be proactive against ransomware threats.

Formulate a Response Plan Before You’re a Victim of Ransomware

Whether a company is large or small, it should have a response plan in place—waiting until after a threat actor has struck means the fallout from the attack will likely be exponentially worse.

“The first 24 to 48 hours [after a cyberattack] are critical,” says John J. Rolecki, a data privacy and cybersecurity attorney at Varnum in Grand Rapids.

“A ransomware plan will help you respond so much more effectively and efficiently. The last thing a business wants is to be caught flatfooted. Everyone knows cyberattacks are on the rise, so make the effort to form an incident response plan. And make it a management- or a board-level issue so that it has visibility throughout the organization. It will pay dividends.”

Among the primary objectives of the response and recovery plan is to designate roles for company employees.

“It establishes accountability and visibility for the process,” Rolecki says. “Everyone in the company knows who the core team is, who has ownership of the situation. For example, so-and-so will contact the attorney; another person will contact the insurer if that’s relevant.”

Purchase Liability Insurance for Cyber Threats

It’s imperative for companies to carry cyber liability insurance, as costs can mount quickly following a ransomware attack. This, too, should be incorporated into the response plan.

“Get the appropriate coverage,” Giszczak says. “Depending on the limits of your policy, they’re typically going to be picking up the costs associated with forensics, the legal firm, any notification of individuals, a class action lawsuit if there ends up being one. It’s really critical.”

Rolecki says that although many companies are still relatively lax about putting safeguards in place, the business community is waking up to the threat.

“I’ve seen greater receptivity to developing a response plan,” Rolecki says. “An ounce of prevention is worth a pound of cure, right?”

Have a Cybersecurity Attorney at the Ready

In the wake of an attack, a law firm that is well-versed in ransomware is indispensable. The firm, in fact, can play a role in crafting the response plan beforehand.

“We get on board [after an attack] and do a triage call to find out what’s happening and figure out if we need to bring in other vendors, like a forensics or a crisis communication vendor or a call center or mail house,” Giszczak says. “We’re quarterbacking the whole situation.”

The regulatory landscape can be particularly complex to navigate, especially if sensitive data has been stolen.

“The first benefit is we’re going to cloak the investigation with attorney-client privilege, which becomes very important,” Giszczak says. “More and more, we’re seeing litigation arise out of these data security incidents. We want to make sure the organization is being legally compliant, such as with state laws dealing with breach notification.”

Adds Rolecki, “There’s a quilt-work of regulatory requirements across the country. Unlike in other countries, there isn’t a comprehensive reporting law. There are certain buckets of information that require different notification requirement laws. What kind of data are we processing? What states are we operating in? What types of personal information are we gathering?”

With the proliferation of hackers, cybercrime, and types of ransomware, plus an evolving regulatory landscape around data privacy, it’s increasingly wise to seek legal advice on your company’s vulnerabilities and action points sooner rather than later.

If your company has been the victim of a ransomware infection or data breach, or you are formulating the terms of a new ransomware prevention or data backup plan, consider speaking with an experienced data privacy and cybersecurity attorney.
