Ransomware – Privacy law, sanctions, and the pandemic

April 22, 2021 | David Krebs, Daniel Kiselbach, Thomas Ghag

It is trite to say that no matter the sector, size, or location of an organization, cyberattacks can be devastating. As we have seen throughout 2020 and this year in Canada and elsewhere, data breaches and operational interruptions caused by these attacks, and ransomware attacks in particular, have had dire consequences on the affected organizations, their constituents, and the public.

There have been numerous high-profile breaches over the past twelve months, and they appear to be escalating in 2021, with the SolarWinds and Microsoft vulnerabilities offering fertile soil for cybercriminals. In a previous article, entitled “Privacy and cybersecurity during COVID-19 – Tips for Canadian organizations,” we discussed how to guard against, prepare for and meet the challenges of an attack. In this article, we describe key practical and legal considerations relating to ransomware attacks in the current environment, including the considerations surrounding the ransom payment itself, such as Canadian and other international sanctions.

Ransomware Attack in a Nutshell

In a ransomware attack, criminals typically gain unauthorized access to systems (via phishing or another tactic), monitor data flows and escalate privileges within the system, and then strike by encrypting files and posting a ransom note. The threat actors then usually demand a ransom in exchange for providing decryption keys to the victim organization. The additional threat that data was not only encrypted but also stolen is now commonplace. Even if restoration is possible without the decryption keys, an organization must consider the risks associated with data potentially being published, sold, or misused, irrespective of whether the ransom is paid. Additionally, whether to pay the ransom is not a decision that many organizations take lightly. While usually not illegal (see discussion below), there are ethical, cultural, and business-related considerations at play. Importantly, this “two-barreled” approach (encryption plus theft) has turned most ransomware attacks into potential data breaches; at a minimum, the investigation must take this possibility into account.

Context

The Pandemic. The reality is that we are still in the middle of a global pandemic. It is not “business as usual.” Relevant to our current topic, the novel coronavirus has forced vast increases in remote working, including in workplaces that previously had little to no remote activity. This has led to more mobile devices being used, more data being sent across networks, and fewer in-person interactions; all of these factors increase cybersecurity and data security risk. Add to this our preoccupation during these times, which gives attackers more opportunities to exploit our lack of attention to detail, for instance our ability to recognize a phishing campaign, in particular when the subject matter relates to a current topic such as vaccine appointments.

Value of Data and Connectivity. The next reality is that data has become an increasingly valuable asset, and many operations are automated and connected, even in sectors that were not traditionally data-driven. Criminals are exploiting known vulnerabilities, and many of them are highly sophisticated and organized. Threat actors are able to plan and tailor their attacks to their targets and strike where maximum impact is expected. “RaaS” (Ransomware as a Service) is not fiction, but a grim truth of how malware is proliferated and used by a distributed network of cyber gangsters.

Stronger Privacy Laws. In this context, we must remember that data protection laws are being strengthened on a global basis. The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) currently carries maximum fines of up to $100,000 for failing to comply with the data breach notification and record-keeping requirements contained in the law, but these fines will be dwarfed by those contemplated in Bill C-11, the bill intended to modernize Canadian privacy law while keeping pace with European data protection law (among others). Bill C-11, as described in a recent blog article, will enact the Consumer Privacy Protection Act (“CPPA”) and establish a new governance and oversight model through the Personal Information and Data Protection Tribunal Act. The CPPA will enable strict enforcement, including significant fines, while establishing additional and more specific obligations as they relate to the use, collection, and disclosure of personal information. The CPPA will also affect the legal and financial risks associated with data breaches. The CPPA is not yet in force, and for Canadian organizations the current legal environment continues to be PIPEDA and its provincial counterparts in Alberta, BC, and Quebec, as well as health and sector-specific legislation, not to mention foreign laws that might apply, such as US state laws or the General Data Protection Regulation (“GDPR”). But while the CPPA may still be making its way through the legislative process, organizations should already be taking the increased risks and obligations into consideration for long-term planning.

Sanctions. Last but not least, targets of ransomware attacks must navigate complex sanctions rules respecting the possible payment of the “ransom”. Canadian sanctions provisions under the United Nations Act and the Special Economic Measures Act may impose significant penalties where a payment is made to an individual or entity on a designated list. This can pose particular difficulties where the payor is unable to ascertain the identity of the attackers. Further, entities making such payments may also have reporting obligations to the Financial Transactions and Reports Analysis Centre of Canada. In the US, attention must be given to the sanctions administered by the Office of Foreign Assets Control (“OFAC”).

Key Considerations

  • Preparing for and guarding against attacks[1] should be on the agenda for every organization that is at risk of attack – which is most organizations, no matter the sector, be it technology, manufacturing, health care, education or the financial sector.
  • Consider the impact of remote working arrangements and the pandemic on your cybersecurity posture (technical and organizational). Consider which playbooks will and will not work in the current environment.
  • It is essential that organizations, with the help of breach counsel/coach and forensics experts, conduct an informed assessment of the attack and its impact on personal and other confidential information. Failing to report a data breach in Canada can lead to a breach of PIPEDA or provincial law, resulting in fines and other regulatory action. Failing to notify impacted individuals can also lead to regulatory action, such as investigations and fines, as well as to litigation risk and public relations issues. Even where the attack did not result in a “real risk of significant harm” (RRoSH) to any individual, organizations may still be required to record the incident in a breach register[2], a requirement under PIPEDA.
  • Ransomware attacks are crimes under the Criminal Code. While there are financial and ethical considerations at play, paying a ransom to a criminal is, generally speaking, not illegal in Canada. However, it is a crime to give financial aid to designated individuals and organizations that are deemed terrorists, that are otherwise on applicable sanctions lists, or that are from embargoed countries. Entities considering paying a ransom should conduct due diligence and contemporaneously document their findings in order to show that they undertook reasonable steps to ascertain the identity of the attackers. Most penalties for violating Canadian sanctions include knowledge qualifiers, so payors should be in a position to demonstrate the steps they took to ensure that a ransom payment did not violate such provisions. In the United States, OFAC has released guidance on this issue, and Canadian organizations with ties to the US should be acutely aware of the risks and expectations.

[1] Learn how to protect your organization from attacks in our blog article, “Practical Strategies for Responding to a Cyber-Attack.”

[2] See the findings from the Canadian Privacy Commissioner’s data breach register inspections in our blog article, “40% of data breach records insufficient – Canadian Privacy Commissioner releases findings on data breach register inspections.”

Disclaimer

This blog sets out a variety of materials relating to the law to be used for educational and non-commercial purposes only; the author(s) of this blog do not intend the blog to be a source of legal advice. Please retain and seek the advice of a lawyer and use your own good judgement before choosing to act on any information included in the blog. If you choose to rely on the materials, you do so entirely at your own risk.