The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware.

Ransomware is malicious software (“malware”) designed to encrypt information on a computer system, which can only be decrypted upon the payment of a sum of money (the ransom) to the attackers. Ransomware has been used against businesses and government agencies to render sensitive information unavailable and to disrupt normal business functions. As the FTC Chairwoman mentioned in her rollout, the healthcare industry, including hospitals, has been specifically targeted by ransomware attacks. In response, the Office of Civil Rights within the Department of Health and Human Services announced in July that it considers the encryption of PHI by ransomware a “breach” subject to HIPAA notification requirements.

The increased use of ransomware by hackers has similarly prompted the FTC to issue the forthcoming guidance to organizations on their responsibilities to protect their systems and consumer data from ransomware attacks. In addition, the FTC Chairwoman made clear that the FTC intends to bring Section 5 enforcement actions against companies that fail to protect personal data from ransomware attacks, possibly even when there is no evidence of data loss or theft. Currently, the FTC expects companies to implement reasonable security measures, including deploying current antivirus tools, to mitigate data breaches resulting from known malware and other malicious activity; whether additional security measures are expected with respect to ransomware may become clearer once the guidance has been released.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.