Recently, ransomware has taken to the forefront in national news.  The most prevalent ransomware attack, the one perpetrated against Colonial Pipeline by the now-defunct "Dark Side" hackers, has served to remind businesses about the risks of ransomware.   What happened to Colonial Pipeline? What should businesses do to learn from Colonial Pipeline's response? What should a business avoid?

What happened to Colonial Pipeline?

Colonial Pipeline, a Georgia based operator of fuel pipelines, had its billing software compromised by Dark Side's ransomware attack.¹  Following this, Colonial Pipeline took proactive measures to (1) shut down their systems; (2) evaluate the issue; and (3) safely brought systems back on line after ensuring that they were not compromised.

Following this, Colonial Pipeline did eventually pay the 4.4 million dollar ransom demand from Dark Side.  What it got in return was a decryption key, as promised, which ended up being slower than Colonial Pipeline's own backups.²  The ultimate result of this event being an initial cost of $4.4 million, in addition to lost profits, additional security costs, reputational costs, and litigation costs as consumers had filed a class-action lawsuit to hold Colonial Pipeline accountable for their perceived lapse in security.³  Further, the fall-out from Colonial Pipeline had prompted additional cybersecurity efforts and changes by the Biden administration, including proposed regulations requiring pipeline companies to inform the Department of Homeland Security of cybersecurity incidents within 12 hours, in addition to keeping a cybersecurity coordinator on staff at all times, and reviews of current security measures.

How to Respond to Ransomware Attacks.

While no business would ever want to deal with ransomware attacks, Colonial Pipeline's efforts give a basic outline on how to address a ransomware attack, in addition to giving information that can be used to glean out improvements.

1. Be proactive.  Even if it is not currently required, the best security against ransomware attacks are internal training and ongoing evaluation of security.
2. Plan how to still operate after being hit by a ransomware attack. This is mainly done by establishing reliable backup systems and a backup routine, to ensure that continued operations can occur.
3. Do not pay the attackers. While the hacker can provide the decryption key or will refrain from leaking the materials, it is not guaranteed.  Further, the Treasury Department had issued an advisory stating that the payment of ransomware demands may result in sanctions, though prompt reporting of a ransomware attack could be determined to be a mitigating factor.⁴
4. Inform the relevant authorities.  While this clearly includes federal groups, such as those named in the Treasury's ransomware advisory, some localities have a cyber crime division, such as the California Orange County Sherriff's department.

How We Can Help.

Ransomware attacks will only increase in the future, as an attack against JBS, the world’s largest meat supplier, has recently shown. The Privacy and Data Security Team at Newmeyer Dillion stands ready to assist you in preparing for any cyber incident, including the very real threat of ransomware.  As ransomware continues to spread, the need for proactive and preventative measures increases, especially as the attention of regulatory parties is shifting more towards mitigating these attacks in the future.  We can assist with a wide range of activities, including:

• Cyber Risk Management
• Employee Training
• Incident Response Planning
• Disaster Recovery Planning
• Breach Coaching and Recovery
• Cyber Liability Insurance Placement

Our Data Privacy & Security attorneys are available for consultation by contacting our office at 949-854-7000.

¹ https://www.cnn.com/2021/05/12/politics/colonial-pipeline-ransomware-payment/index.html

² https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom

³ https://www.pacermonitor.com/public/case/40304998/Dickerson_v_CDPQ_Colonial_Partners,_LP_et_al

⁴ Generally, the OFAC may impose civil liability based on strict liability, so a failure to know whether the action was not prohibited is not necessarily a factor that can remove civil liability.  Instead, the existence, nature, and adequacy of sanctions compliance programs are factors that OFAC may consider when determining what action to take, including the levying of sanctions.