Ransomware (cyber attack software that holds its targets’ data for ransom) has become an increasing danger to businesses and institutions this year.
This presentation will explore the nature and extent of the problem, legal options for and regulatory obligations of victims of ransomware, and emergent insurance options for dealing with the fallout from ransomware attacks.
3. • Malware that locks a user’s computer or files until user performs
actions demanded by the software
• Demands range from annoying-but-benign—e.g. forcing user to
complete a survey—to actual ransom, i.e. payment of funds, typically
via Bitcoin
• Unlike conventional privacy breaches, goal isn’t to steal / leak info; it’s
to prevent user from accessing it—typically, no-one else ever sees it
• No guarantee access will be restored once demands are met
WHAT IS RANSOMWARE?
3
4. • February 2016:
• Hollywood Presbyterian Medical Centre—access to email, electronic patient
records paralyzed for over a week; $3.6M in Bitcoin demanded
• March 2016:
• First-ever successful attack on an iOS (Apple) computer
• Ottawa Hospital—infected 4 hospital computers; IT able to remediate without
paying ransom; no patient info affected
• Norfolk (Ontario) General Hospital—virus pushed out from hospital website to
visitor computers (including hospital patients and staff)
RANSOMWARE IN THE NEWS
4
5. • June 2016:
• University of Calgary
– Encrypted the University’s email server
– U Cal paid $20K ransom
– Decryption successful; no files leaked to public (they think)
RANSOMWARE IN THE NEWS
5
6. • First-ever (we think) ransomware attack:
• 1989—pre-Internet, distributed by 5 1/4” floppy disk by mail
• Sent to AIDS researchers, by a disgruntled AIDS researcher
• Virus demanded users send $189 by cheque / money order to P.O. box in
Panama
• Early attacks targeted random individuals for small sums of
money—pay the ransom or you’ll never be able to access your
photos, personal files
• CAFC received 2,800 reports of CryptoLocker attacks in 2013
HISTORY OF RANSOMWARE
6
7. • Typically, virus gains access when user clicks on unfamiliar
links, opens email attachments from strangers
• More recently: virus is downloaded via infected copies of
legitimate applications
• e.g. March 2016 iOS attack was downloaded via tainted copy of legitimate
peer-to-peer file sharing program, downloaded from the app developer’s own
website, and bearing a genuine Apple developer’s certificate
• And: latest generation includes “ransomware worms”—virus
that can self-replicate onto network drives, USB keys, etc.
HOW DO ATTACKS HAPPEN?
7
8. • Not just a Windows problem anymore—hackers have adapted
software to attack Android and iOS machines
• More sophisticated attack vectors (e.g. downloaded from
authentic-but-infected apps from legitimate sources)
• More attacks on public institutions
• Higher ransoms
RECENT DEVELOPMENTS
8
9. • Increasingly targeting businesses rather than individuals
• Hackers transitioning from “opportunistic extortion” to
“market-based” approach, i.e.:
• Hackers are targeting profitable businesses, not random individuals / entities
• “Soft-targeting” of specific personnel—e.g. human resources / hiring managers
• Targeting not just companies /firms with high-value data—e.g. legal,
accounting, architectural / engineering, intellectual property
• Hackers are tailoring the amount of ransom demand to the size and profitability
of the corporate targets (“cyber-surge pricing”—like Uber)
RECENT DEVELOPMENTS
9
10. • Estimating there will be 90 million ransomware attacks in 2016
alone—400 raids every minute
• Estimated cost to victims: $1 billion in 2016 alone (up from
estimated $24 million in 2015)
• 93% of all phishing attacks contained ransomware (March 2016
sample), and phishing attack volume increased 789% from 2015
• Increased attacks on cloud-based apps (especially Dropbox,
Office 365 and Google Apps)
2016 ROUND-UP
10
11. • Targeting the IoT:
• Brick your whole car
• Hack your pacemaker—pay or we shut it down
• Record from your webcam, blackmail to release the video / images
• “Human life as leverage”—more hospitals, EMS, critical
infrastructure (e.g. water treatment plants”)
• Critical asset targeting—focus on key / vulnerable systems
• Source code injection—infect all the machines at the source
RANSOMWARE 2017?
11
12. • Lost profit, productivity due to temporary / permanent loss of
data
• Loss of current / potential customers; reputational loss
• Liability to customers / third parties whose data is lost
• Possible liability for directors and officers where prudent steps
to prevent attacks aren’t taken
CONSEQUENCES OF
RANSOMWARE ATTACKS
12
13. • Little prospect for recovery
• Can’t sue them if you can’t find them
• Usual enforcement issues if you do find and sue them—they’re probably not in
Canada
• Little chance of seeing hackers brought to justice
• FBI still searching for Russian hacker indicted for CryptoLocker attack (not the
one they nabbed in Prague)
• But: Russia, China cracking down on hackers from time to time
• You may have reporting obligations to public bodies
LEGAL RECOURSE AND
OBLIGATIONS
13
14. Securing Personal Information
PIPEDA creates very general requirements to safeguard Personal
Information:
• Personal information must be protected by security safeguards
appropriate to the sensitivity of the information, and intended to
protect against loss or theft, as well as unauthorized access,
disclosure, copying, use, or modification.
• The Commissioner has looked to industry standards such as the
PCI DSS in assessing what constitutes an “appropriate” level of
security.
Data Protection
14
15. Breach of Security Safeguards:
“the loss of, unauthorized access to or unauthorized disclosure of
personal information resulting from a breach of an organization’s security
safeguards … or from a failure to establish those safeguards.”
Privacy Breaches
15
16. Securing Personal Information
Suffering a breach does not always indicate that Personal
Information was not afforded the requisite protection.
In a 2014 decision, a service provider was found in
compliance when an unknown ‘zero-day exploit’ lead to a
breach despite safeguards.
Data Protection
16
17. Securing Personal Information
The Organization’s protection included:
• Firewalls;
• Hashing and encryption for sensitive information;
• Separate storage and obfuscation for encryption keys;
• Multiple intrusion detection systems (which detected the breach).
Data Protection
17
In response to the breach, the organization added further security including
salted hashing, stronger encryption and further isolation for sensitive data.
18. Breach Notification
The Commissioner has provided key steps when responding
to a breach:
0. Detect the breach
1. Contain and assess the breach
2. Evaluate the risk
• What information and individuals was affected?
• What was the cause and extent of the breach?
• Foreseeable harm?
3. Notifying the individuals
4. Develop a prevention plan
Privacy Breaches
18
19. Breach Notification
Soon PIPEDA will require notification where a breach of security
safeguards creates a real risk of significant harm to an individual.
Whether there is a “real risk” of “significant harm” must be
determined considering:
• The sensitivity of the information involved
• The probability the information has been or will be misused
“Significant Harm” will include bodily harm, humiliation, damage to
reputation or relationships, loss of employment, business or
professional opportunities, financial loss, identity theft, negative
effects on the credit record and damage to or loss of property.
Privacy Breaches
19
20. Breach Notification
If there is a real risk of significant harm to an individual,
notification will need to be given to:
•the Commissioner,
•directly to the affected individuals, and
•any other organizations or government institutions that may
be able to reduce risk to the affected individuals
Privacy Breaches
20
The form and required content of the Notices will be set out in regulations.
21. The Commissioner’s recommendation on report content:
•Name and contact information of the organization;
•The circumstances of the breach (individuals and information
affected, date and nature of the breach);
•Assessment of the risk of harm;
•Whether the individuals or other organizations have been notified;
•Mitigation implemented; and
•The organization’s security safeguards.
Privacy Breaches
21
22. When mandatory breach notification is in
force, PIPEDA will also require organizations
to retain a record of all security breaches that
involve personal information. Even in the
absence of a real risk of significant harm.
• Date and nature of the breach,
• Circumstances of the breach,
• Information involved, and
•Risk assessment leading to decision whether to
notify.
Breach Records
22
Facilitates Commissioner oversight.
23. • Not all cyber losses will be insurable
INSURANCE ISSUES
23
24. • First-party losses
1. Data breach response
2. Crisis management costs
3. Lost income
4. Online defamation
5. Regulatory defence costs and fines
6. Cyber-extortion
INSURABLE CYBER LOSSES
24
25. • Third-party losses
1. Customer or client losses resulting from data breach
2. Invasion of privacy claims
3. Client losses resulting from inability to access systems
INSURABLE CYBER LOSSES
25
26. • Damage to reputation/brand
• Loss of goodwill
• Loss of future earnings
• Opportunity cost
UNINSURABLE CYBER LOSSES
26
27. • E&O
• CGL
• D&O
• Cyber/tech
WHERE COULD LOSSES BE
COVERED ?
27
28. • Damages or losses that insured legally obligated to pay as a
result of a “claim”
• Ordinarily tied to “wrongful act” or negligence arising from
delivery of “professional services”
• May contain privacy/data breach exclusion
E&O
28
29. • Damages or losses that insured legally obligated to pay as a
result of a “claim”
• Claim arising from decisions and actions taken on behalf of the
corporation
D&O
29
30. • ‘Bodily injury' or 'property damage’
• Caused by an 'occurrence,'
• ‘Advertising injury' or 'personal injury'
CGL
30
31. • In 2001, Insurance Services Office (U.S.) revised its standard
CGL policy form to exclude “electronic data” from the definition
of “property damage”
• In 2005, Insurance Service Bureau of Canada followed suit
CGL
31
32. • Zurich American Insurance Company v Sony Corporation of
America, (NY Sup Ct, Feb 21 2014)
• Sony’s online systems breached by hackers
• Personal data of 77 million users stolen
• Approximately 12 million credit card numbers stolen
• Estimated $2 billion in losses
• 55 class actions commenced
• Sony claimed under CGL and excess policies
• Sony’s CGL policy included coverage for “oral or written publication, in
any matter, of material that violates a person’s right of privacy”
CGL
32
33. • Zurich v Sony, cont’d
• Zurich argued that “publication” required an intentional act on the part of
the insured
• Court agreed with Zurich and denied coverage; the acts of third-party
hackers did not satisfy the “publication” requirement in the CGL policy
• Sony decision was appealed, but case settled out of court before
decision released by the appeal court
• More recent case of Portal Healthcare, Travelers ordered to provide
defence under CGL to health care provider in class action regarding lack
of security of private health information
CGL
33
34. • Notification costs
• Credit monitoring
• Regulatory fines/penalties
• Cyber extortion
• Privacy liability
• Third party losses from failure of network security
CYBER POLICY
34
35. • Remains to be seen how Courts will interpret various coverage
issues
• Businesses should be aware of the scope of cyber risks and
proactively assess insurance coverage
• Businesses should not assume that CGL/D&O/E&O policies will
be sufficient to cover all losses associated with a cyber event
CONCLUSIONS RE INSURANCE
35
37. gowlingwlg.com
Gowling WLG (Canada) LLP is a member of Gowling WLG, an international law firm which consists of independent and
autonomous entities providing services around the world. Our structure is explained in more detail at gowlingwlg.com/legal
CONTACT
Christopher Oates
Associate
chris.oates@gowlingwlg.com
416-369-7333
Editor's Notes
Most from Scott Scheferman, Cylance
Securing Personal Information
Suffering a breach does not always indicate that Personal Information was not afforded the requisite protection.
In a 2014 decision, a service provider was found in compliance when an unknown ‘zero-day exploit’ lead to a breach despite safeguards which included:
the use of firewalls,
the hashing and encryption of sensitive information,
separate storage and obfuscation of encryption keys, and
multiple intrusion detection systems
Securing Personal Information
Suffering a breach does not always indicate that Personal Information was not afforded the requisite protection.
In a 2014 decision, a service provider was found in compliance when an unknown ‘zero-day exploit’ lead to a breach despite safeguards which included:
the use of firewalls,
the hashing and encryption of sensitive information,
separate storage and obfuscation of encryption keys, and
multiple intrusion detection systems
Breach Notification
The federal Privacy Commissioner has published voluntary guidelines regarding responding to security breaches. The guidelines state four key steps when responding to a breach:
Contain the breach by taking immediate steps to stop any further information from being disclosed. Undertake a preliminary assessment of the situation;
Evaluate the risk associated with the breach by considering the sensitivity of the information involved, whether it was encrypted, how it may be used, and the risks to the individual resulting from that use;
Notifying the individuals if the privacy breach creates a real risk of harm to the individual; and
Develop a plan for the prevention of future breaches.
Breach Notification
If there is a real risk of significant harm to an individual, notification will need to be given to:
the affected individuals,
the Commissioner, and
any other organizations or government institutions that may be able to reduce the risk to the affected individuals
The content of the notifications will be specified in regulations that are not yet published.
It will be a criminal offense to knowingly fail to report breaches, punishable by fines of $100,000 on indictment or $10,000 on summary conviction.
Breach Notification
If there is a real risk of significant harm to an individual, notification will need to be given to:
the affected individuals,
the Commissioner, and
any other organizations or government institutions that may be able to reduce the risk to the affected individuals
The content of the notifications will be specified in regulations that are not yet published.
It will be a criminal offense to knowingly fail to report breaches, punishable by fines of $100,000 on indictment or $10,000 on summary conviction.