Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
RANSOMWARE:RANSOMWARE:
PREVENTION,PREVENTION,
PRIVACY AND YOURPRIVACY AND YOUR
OPTIONS POST-OPTIONS POST-
BREACHBREACH
GOW...
2
AGENDA
Topic Speaker
Ransomware—Nature and Scope of Threat Brent Arnold
Privacy Implications and Reporting Obligations C...
• Malware that locks a user’s computer or files until user performs
actions demanded by the software
• Demands range from ...
• February 2016:
• Hollywood Presbyterian Medical Centre—access to email, electronic patient
records paralyzed for over a ...
• June 2016:
• University of Calgary
– Encrypted the University’s email server
– U Cal paid $20K ransom
– Decryption succe...
• First-ever (we think) ransomware attack:
• 1989—pre-Internet, distributed by 5 1/4” floppy disk by mail
• Sent to AIDS r...
• Typically, virus gains access when user clicks on unfamiliar
links, opens email attachments from strangers
• More recent...
• Not just a Windows problem anymore—hackers have adapted
software to attack Android and iOS machines
• More sophisticated...
• Increasingly targeting businesses rather than individuals
• Hackers transitioning from “opportunistic extortion” to
“mar...
• Estimating there will be 90 million ransomware attacks in 2016
alone—400 raids every minute
• Estimated cost to victims:...
• Targeting the IoT:
• Brick your whole car
• Hack your pacemaker—pay or we shut it down
• Record from your webcam, blackm...
• Lost profit, productivity due to temporary / permanent loss of
data
• Loss of current / potential customers; reputationa...
• Little prospect for recovery
• Can’t sue them if you can’t find them
• Usual enforcement issues if you do find and sue t...
Securing Personal Information
PIPEDA creates very general requirements to safeguard Personal
Information:
• Personal infor...
Breach of Security Safeguards: 
“the loss of, unauthorized access to or unauthorized disclosure of
personal information re...
Securing Personal Information
Suffering a breach does not always indicate that Personal
Information was not afforded the r...
Securing Personal Information
The Organization’s protection included:
• Firewalls;
• Hashing and encryption for sensitive ...
Breach Notification
The Commissioner has provided key steps when responding
to a breach:
0. Detect the breach
1. Contain a...
Breach Notification
Soon PIPEDA will require notification where a breach of security
safeguards creates a real risk of sig...
Breach Notification
If there is a real risk of significant harm to an individual,
notification will need to be given to:
•...
The Commissioner’s recommendation on report content:
•Name and contact information of the organization;
•The circumstances...
When mandatory breach notification is in
force, PIPEDA will also require organizations
to retain a record of all security ...
• Not all cyber losses will be insurable
INSURANCE ISSUES
23
• First-party losses
1. Data breach response
2. Crisis management costs
3. Lost income
4. Online defamation
5. Regulatory ...
• Third-party losses
1. Customer or client losses resulting from data breach
2. Invasion of privacy claims
3. Client losse...
• Damage to reputation/brand
• Loss of goodwill
• Loss of future earnings
• Opportunity cost
UNINSURABLE CYBER LOSSES
26
• E&O
• CGL
• D&O
• Cyber/tech
WHERE COULD LOSSES BE
COVERED ?
27
• Damages or losses that insured legally obligated to pay as a
result of a “claim”
• Ordinarily tied to “wrongful act” or ...
• Damages or losses that insured legally obligated to pay as a
result of a “claim”
• Claim arising from decisions and acti...
• ‘Bodily injury' or 'property damage’
• Caused by an 'occurrence,'
• ‘Advertising injury' or 'personal injury'
CGL
30
• In 2001, Insurance Services Office (U.S.) revised its standard
CGL policy form to exclude “electronic data” from the def...
• Zurich American Insurance Company v Sony Corporation of
America, (NY Sup Ct, Feb 21 2014)
• Sony’s online systems breach...
• Zurich v Sony, cont’d
• Zurich argued that “publication” required an intentional act on the part of
the insured
• Court ...
• Notification costs
• Credit monitoring
• Regulatory fines/penalties
• Cyber extortion
• Privacy liability
• Third party ...
• Remains to be seen how Courts will interpret various coverage
issues
• Businesses should be aware of the scope of cyber ...
QUESTIONS?
36
gowlingwlg.com
Gowling WLG (Canada) LLP is a member of Gowling WLG, an international law firm which consists of independen...
Ransomware: Prevention, privacy and your options post-breach
Upcoming SlideShare
Loading in …5
×

Ransomware: Prevention, privacy and your options post-breach

203 views

Published on

Ransomware (cyber attack software that holds its targets’ data for ransom) has become an increasing danger to businesses and institutions this year.

This presentation will explore the nature and extent of the problem, legal options for and regulatory obligations of victims of ransomware, and emergent insurance options for dealing with the fallout from ransomware attacks.

Published in: Law
  • Be the first to comment

  • Be the first to like this

Ransomware: Prevention, privacy and your options post-breach

  1. 1. RANSOMWARE:RANSOMWARE: PREVENTION,PREVENTION, PRIVACY AND YOURPRIVACY AND YOUR OPTIONS POST-OPTIONS POST- BREACHBREACH GOWLING WLG, NOVEMBER 2ND , 2016
  2. 2. 2 AGENDA Topic Speaker Ransomware—Nature and Scope of Threat Brent Arnold Privacy Implications and Reporting Obligations Christopher Oates Insurance Issues Belinda Bain
  3. 3. • Malware that locks a user’s computer or files until user performs actions demanded by the software • Demands range from annoying-but-benign—e.g. forcing user to complete a survey—to actual ransom, i.e. payment of funds, typically via Bitcoin • Unlike conventional privacy breaches, goal isn’t to steal / leak info; it’s to prevent user from accessing it—typically, no-one else ever sees it • No guarantee access will be restored once demands are met WHAT IS RANSOMWARE? 3
  4. 4. • February 2016: • Hollywood Presbyterian Medical Centre—access to email, electronic patient records paralyzed for over a week; $3.6M in Bitcoin demanded • March 2016: • First-ever successful attack on an iOS (Apple) computer • Ottawa Hospital—infected 4 hospital computers; IT able to remediate without paying ransom; no patient info affected • Norfolk (Ontario) General Hospital—virus pushed out from hospital website to visitor computers (including hospital patients and staff) RANSOMWARE IN THE NEWS 4
  5. 5. • June 2016: • University of Calgary – Encrypted the University’s email server – U Cal paid $20K ransom – Decryption successful; no files leaked to public (they think) RANSOMWARE IN THE NEWS 5
  6. 6. • First-ever (we think) ransomware attack: • 1989—pre-Internet, distributed by 5 1/4” floppy disk by mail • Sent to AIDS researchers, by a disgruntled AIDS researcher • Virus demanded users send $189 by cheque / money order to P.O. box in Panama • Early attacks targeted random individuals for small sums of money—pay the ransom or you’ll never be able to access your photos, personal files • CAFC received 2,800 reports of CryptoLocker attacks in 2013 HISTORY OF RANSOMWARE 6
  7. 7. • Typically, virus gains access when user clicks on unfamiliar links, opens email attachments from strangers • More recently: virus is downloaded via infected copies of legitimate applications • e.g. March 2016 iOS attack was downloaded via tainted copy of legitimate peer-to-peer file sharing program, downloaded from the app developer’s own website, and bearing a genuine Apple developer’s certificate • And: latest generation includes “ransomware worms”—virus that can self-replicate onto network drives, USB keys, etc. HOW DO ATTACKS HAPPEN? 7
  8. 8. • Not just a Windows problem anymore—hackers have adapted software to attack Android and iOS machines • More sophisticated attack vectors (e.g. downloaded from authentic-but-infected apps from legitimate sources) • More attacks on public institutions • Higher ransoms RECENT DEVELOPMENTS 8
  9. 9. • Increasingly targeting businesses rather than individuals • Hackers transitioning from “opportunistic extortion” to “market-based” approach, i.e.: • Hackers are targeting profitable businesses, not random individuals / entities • “Soft-targeting” of specific personnel—e.g. human resources / hiring managers • Targeting not just companies /firms with high-value data—e.g. legal, accounting, architectural / engineering, intellectual property • Hackers are tailoring the amount of ransom demand to the size and profitability of the corporate targets (“cyber-surge pricing”—like Uber) RECENT DEVELOPMENTS 9
  10. 10. • Estimating there will be 90 million ransomware attacks in 2016 alone—400 raids every minute • Estimated cost to victims: $1 billion in 2016 alone (up from estimated $24 million in 2015) • 93% of all phishing attacks contained ransomware (March 2016 sample), and phishing attack volume increased 789% from 2015 • Increased attacks on cloud-based apps (especially Dropbox, Office 365 and Google Apps) 2016 ROUND-UP 10
  11. 11. • Targeting the IoT: • Brick your whole car • Hack your pacemaker—pay or we shut it down • Record from your webcam, blackmail to release the video / images • “Human life as leverage”—more hospitals, EMS, critical infrastructure (e.g. water treatment plants”) • Critical asset targeting—focus on key / vulnerable systems • Source code injection—infect all the machines at the source RANSOMWARE 2017? 11
  12. 12. • Lost profit, productivity due to temporary / permanent loss of data • Loss of current / potential customers; reputational loss • Liability to customers / third parties whose data is lost • Possible liability for directors and officers where prudent steps to prevent attacks aren’t taken CONSEQUENCES OF RANSOMWARE ATTACKS 12
  13. 13. • Little prospect for recovery • Can’t sue them if you can’t find them • Usual enforcement issues if you do find and sue them—they’re probably not in Canada • Little chance of seeing hackers brought to justice • FBI still searching for Russian hacker indicted for CryptoLocker attack (not the one they nabbed in Prague) • But: Russia, China cracking down on hackers from time to time • You may have reporting obligations to public bodies LEGAL RECOURSE AND OBLIGATIONS 13
  14. 14. Securing Personal Information PIPEDA creates very general requirements to safeguard Personal Information: • Personal information must be protected by security safeguards appropriate to the sensitivity of the information, and intended to protect against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. • The Commissioner has looked to industry standards such as the PCI DSS in assessing what constitutes an “appropriate” level of security. Data Protection 14
  15. 15. Breach of Security Safeguards:  “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards … or from a failure to establish those safeguards.” Privacy Breaches 15
  16. 16. Securing Personal Information Suffering a breach does not always indicate that Personal Information was not afforded the requisite protection. In a 2014 decision, a service provider was found in compliance when an unknown ‘zero-day exploit’ lead to a breach despite safeguards. Data Protection 16
  17. 17. Securing Personal Information The Organization’s protection included: • Firewalls; • Hashing and encryption for sensitive information; • Separate storage and obfuscation for encryption keys; • Multiple intrusion detection systems (which detected the breach). Data Protection 17 In response to the breach, the organization added further security including salted hashing, stronger encryption and further isolation for sensitive data.
  18. 18. Breach Notification The Commissioner has provided key steps when responding to a breach: 0. Detect the breach 1. Contain and assess the breach 2. Evaluate the risk • What information and individuals was affected? • What was the cause and extent of the breach? • Foreseeable harm? 3. Notifying the individuals 4. Develop a prevention plan Privacy Breaches 18
  19. 19. Breach Notification Soon PIPEDA will require notification where a breach of security safeguards creates a real risk of significant harm to an individual. Whether there is a “real risk” of “significant harm” must be determined considering: • The sensitivity of the information involved • The probability the information has been or will be misused “Significant Harm” will include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Privacy Breaches 19
  20. 20. Breach Notification If there is a real risk of significant harm to an individual, notification will need to be given to: •the Commissioner, •directly to the affected individuals, and •any other organizations or government institutions that may be able to reduce risk to the affected individuals Privacy Breaches 20 The form and required content of the Notices will be set out in regulations.
  21. 21. The Commissioner’s recommendation on report content: •Name and contact information of the organization; •The circumstances of the breach (individuals and information affected, date and nature of the breach); •Assessment of the risk of harm; •Whether the individuals or other organizations have been notified; •Mitigation implemented; and •The organization’s security safeguards. Privacy Breaches 21
  22. 22. When mandatory breach notification is in force, PIPEDA will also require organizations to retain a record of all security breaches that involve personal information. Even in the absence of a real risk of significant harm. • Date and nature of the breach, • Circumstances of the breach, • Information involved, and •Risk assessment leading to decision whether to notify. Breach Records 22 Facilitates Commissioner oversight.
  23. 23. • Not all cyber losses will be insurable INSURANCE ISSUES 23
  24. 24. • First-party losses 1. Data breach response 2. Crisis management costs 3. Lost income 4. Online defamation 5. Regulatory defence costs and fines 6. Cyber-extortion INSURABLE CYBER LOSSES 24
  25. 25. • Third-party losses 1. Customer or client losses resulting from data breach 2. Invasion of privacy claims 3. Client losses resulting from inability to access systems INSURABLE CYBER LOSSES 25
  26. 26. • Damage to reputation/brand • Loss of goodwill • Loss of future earnings • Opportunity cost UNINSURABLE CYBER LOSSES 26
  27. 27. • E&O • CGL • D&O • Cyber/tech WHERE COULD LOSSES BE COVERED ? 27
  28. 28. • Damages or losses that insured legally obligated to pay as a result of a “claim” • Ordinarily tied to “wrongful act” or negligence arising from delivery of “professional services” • May contain privacy/data breach exclusion E&O 28
  29. 29. • Damages or losses that insured legally obligated to pay as a result of a “claim” • Claim arising from decisions and actions taken on behalf of the corporation D&O 29
  30. 30. • ‘Bodily injury' or 'property damage’ • Caused by an 'occurrence,' • ‘Advertising injury' or 'personal injury' CGL 30
  31. 31. • In 2001, Insurance Services Office (U.S.) revised its standard CGL policy form to exclude “electronic data” from the definition of “property damage” • In 2005, Insurance Service Bureau of Canada followed suit CGL 31
  32. 32. • Zurich American Insurance Company v Sony Corporation of America, (NY Sup Ct, Feb 21 2014) • Sony’s online systems breached by hackers • Personal data of 77 million users stolen • Approximately 12 million credit card numbers stolen • Estimated $2 billion in losses • 55 class actions commenced • Sony claimed under CGL and excess policies • Sony’s CGL policy included coverage for “oral or written publication, in any matter, of material that violates a person’s right of privacy” CGL 32
  33. 33. • Zurich v Sony, cont’d • Zurich argued that “publication” required an intentional act on the part of the insured • Court agreed with Zurich and denied coverage; the acts of third-party hackers did not satisfy the “publication” requirement in the CGL policy • Sony decision was appealed, but case settled out of court before decision released by the appeal court • More recent case of Portal Healthcare, Travelers ordered to provide defence under CGL to health care provider in class action regarding lack of security of private health information CGL 33
  34. 34. • Notification costs • Credit monitoring • Regulatory fines/penalties • Cyber extortion • Privacy liability • Third party losses from failure of network security CYBER POLICY 34
  35. 35. • Remains to be seen how Courts will interpret various coverage issues • Businesses should be aware of the scope of cyber risks and proactively assess insurance coverage • Businesses should not assume that CGL/D&O/E&O policies will be sufficient to cover all losses associated with a cyber event CONCLUSIONS RE INSURANCE 35
  36. 36. QUESTIONS? 36
  37. 37. gowlingwlg.com Gowling WLG (Canada) LLP is a member of Gowling WLG, an international law firm which consists of independent and autonomous entities providing services around the world. Our structure is explained in more detail at gowlingwlg.com/legal CONTACT Christopher Oates Associate chris.oates@gowlingwlg.com 416-369-7333

×