7 steps to protect against ransomware-related lawsuits

International ransomware gangs aren’t the only people after your enterprise’s money. Long after a ransomware attack fades into gloomy history, your organization could face another potentially devastating financial threat: lawyers filing action lawsuits on behalf of clients who may have lost confidential personal or business information to the attackers.

Data breach legal actions aren’t going away, as bad actors continue to exploit weaknesses in corporate IT systems and gain access to personal data, says David Balser, an attorney and leader of King & Spalding’s trial and global disputes practice. “As cases evolve, plaintiffs are advancing novel theories of causation and damages, even when no harm to consumers has occurred,” he notes.

Ted Kobus, practice chair for digital assets and digital management at law firm BakerHostetler, believes that the ransomware lawsuit landscape is rapidly changing. “Historically, we have seen consumers filing these lawsuits,” he says. “However, due to the increase in the number of supply chain attacks, we may see downstream companies attempting to create a class seeking indemnification for business interruption, incident response costs, and other damages.”

Fortunately, a ransomware attack doesn’t have to expose an enterprise to potential lawsuits. It’s up to the CISO to minimize the risk of ransomware attacks and, if one occurs, to immediately take the steps necessary to limit the damage.

Here are seven actions CISOs can take to protect their enterprise against ransomware-related legal actions.

1. Assess the risk

The likelihood of a lawsuit is primarily dependent upon the type of ransomware attack, as well as what information was stolen—if any. “For instance, if you operate a consumer-facing website that’s frozen due to ransomware, but no consumer information is extracted, the likelihood of a class action is minimal,” says Jeff Dennis, a partner at law firm Newmeyer & Dillion. However, if the ransomware attack led to the extraction of mass amounts of consumer data, then the chances of facing a class action lawsuit may increase dramatically. “Additionally, if you are a company that stores or manages data for a number of other companies and you are ransomed, you may face a class action lawsuit brought by those companies if they cannot access their data for a significant period of time,” he notes.

A proper risk assessment will tell you where your weak points are in network access permissions, network monitoring and visibility, backup systems, and staff training. Include your connected business partners in the assessment process, too, to ensure that they have deployed strong security technologies and practices.

2. Adopt ransomware prevention best practices

The best way for an organization to protect itself against a financially devastating lawsuit is to take reasonable steps to avoid becoming a ransomware attack victim. Such steps include conducting cybersecurity education and awareness activities, creating an incident response plan, controlling and ranking user access privileges, monitoring for potential malware exposures, and deploying effective network monitoring and visibility tools.

3. Build a recovery plan

Since a ransomware attack can occur anytime, anyplace, and to any type of enterprise, it’s important to be fully prepared. A disaster recovery plan will help an organization victimized by ransomware to get back on its feet as quickly as possible with minimal impact on customers and business partners.

Many organizations follow the “3-2-1” backup and recovery rule. This strategy requires creating three file backups, with two backups placed on different types of storage media and another copy located offsite (but not in the cloud, which might also be affected by an attack). The recovery plan should also address backup frequency (generally at least daily) and regular backup testing.

4. Practice good security hygiene

If a CISO follows generally accepted security best practices, it’s likely that the organization will be recognized for its good faith efforts and less likely to be viewed as negligent.

A first step toward ensuring that critical files are ransomware resistant is requiring two-factor authentication for access, notes Ron Gula, president of venture capital and private equity firm Gula Tech Adventures. Other steps to take include encrypting data, setting backup drive files to read-only once the write process has been completed, and unmounting the drive the moment a backup is completed.

Additional common-sense security measures include keeping system and application software up to date, using segmented network technology, and educating management and staff on generally recommended security practices. “Ransomware testing must be continuous as well,” Gula warns. “Just like wearing masks and getting vaccines for COVID, protecting your files and data from ransomware is the new normal.”

In essence, prevention is the best protection. An enterprise that’s committed to following best security practices and updating its strategy and tactics as the ransomware battlefield evolves, should be able to successfully defend itself against aggrieved parties today and for years to come. “The law regarding customers suing for data breaches is far from clear, with some federal courts making … plaintiffs prove significant harm while others have said that the threat of future harm, such as through identity theft, is sufficient to provide legal standing,” says Steven J.J. Weisman, an attorney and college professor who teaches courses on white collar crime at Bentley University. “Regardless, it can be expected that companies will in the future be held to greater standards in regard to protecting their data.”

5. Encourage top-down management support

Senior management commitment is critical to a cybersecurity compliance program’s success, says Braden Perry, a litigation, regulatory, and government investigations attorney at law firm Kennyhertz Perry. “This commitment is shown when management … provides the compliance department with the authority to implement, communicate, and improve compliance policies and procedures.”

Even the best security policies and practices will ultimately fail without the full support of enterprise leaders. It’s crucial to have direct-line access to the CEO and the organization’s oversight committees, Perry says. “The CISO should be part of senior management, with sufficient resources and staff to oversee and manage the compliance structure,” he advises. Forward-thinking enterprises view and treat their compliance departments as an asset, not a cost, which can be the key to creating buy-in from the top down.

6. Support transparency

Once a ransomware attack has been confirmed, the CISO should immediately begin working with management colleagues on ways to minimize the event’s impact on external parties. Kobus suggests focusing response efforts on clearly and honestly communicating with all affected individuals or business partners. “In the more than 15 years I have been working on these types of matters, there has been one constant—clear and transparent communication is the best way to assure affected parties that you conducted a responsible and appropriate investigation … and you have taken steps to ensure that this type of incident does not happen again.” 

Enterprises that are transparent with their customers, actively engage with them, and generally try to do the right thing, stand the best chance of either avoiding or winning a ransomware lawsuit, Dennis says. Being open about the attack’s scope and impact, as well as detailing the steps that were taken to protect confidential customer data, can go a long way toward defusing the anger that many class action attorneys relish, he notes.

7. Consider insurance coverage

Depending on the policy acquired, general liability insurance may be able to protect an enterprise against some or all lawsuit costs. “The insurance company will ordinarily cover the investigation, litigation—including attorney fees—and judgments/settlement,” Perry says. Be sure to check the policy carefully, however, including any recent updates or amendments. Given the recent rise in ransomware attacks, most insurance carriers are beginning to reevaluate their coverage options.

There’s also an important downside to relying on general liability insurance as a financial shield. “There are disadvantages, as your litigation strategy is put into the insurance company’s hands and they control who they hire, and the strategy/settlement negotiations,” Perry explains. He also warns that insurance policies generally won’t cover punitive damages or intentional acts.

Perry also cautions against relying on errors and omissions (E&O) or professional liability insurance, since such policies are limited to service provided. “This is questionable coverage for ransomware attacks, so an enterprise may be stuck with traditional liability coverage,” he notes.