The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware.
Ransomware is malicious software (“malware”) designed to encrypt the information on a computer system so that it cannot be recovered without a decryption key, which the attackers offer to provide only upon payment of a sum of money (the ransom). Ransomware has been used against businesses and government agencies to render sensitive information unavailable and to disrupt normal business functions. As the FTC Chairwoman noted in her remarks, the healthcare industry, including hospitals, has been specifically targeted by ransomware attacks. In response, the Office for Civil Rights within the Department of Health and Human Services announced in July that it presumptively considers the encryption of PHI by ransomware a “breach” subject to HIPAA notification requirements.
The increased use of ransomware by hackers has similarly prompted the FTC to prepare the forthcoming guidance to organizations on their responsibilities to protect their systems and consumer data from ransomware attacks. In addition, the FTC Chairwoman made clear that the FTC intends to bring Section 5 enforcement actions against companies that fail to protect personal data from ransomware attacks, possibly even when there is no evidence of data loss or theft. Currently, the FTC expects companies to implement reasonable security measures, including deploying current antivirus tools, to mitigate data breaches resulting from known malware and other malicious activity; whether additional security measures are expected with respect to ransomware may become clearer once the guidance has been released.