Post on 20-Jan-2017
RANSOMWARE: RANSOMWARE: PREVENTION, PREVENTION, PRIVACY AND YOUR PRIVACY AND YOUR OPTIONS POST-OPTIONS POST-BREACHBREACH
GOWLING WLG, NOVEMBER 2ND, 2016
2
AGENDA
Topic SpeakerRansomware—Nature and Scope of Threat Brent Arnold
Privacy Implications and Reporting Obligations Christopher Oates
Insurance Issues Belinda Bain
• Malware that locks a user’s computer or files until user performs actions demanded by the software
• Demands range from annoying-but-benign—e.g. forcing user to complete a survey—to actual ransom, i.e. payment of funds, typically via Bitcoin
• Unlike conventional privacy breaches, goal isn’t to steal / leak info; it’s to prevent user from accessing it—typically, no-one else ever sees it
• No guarantee access will be restored once demands are met
WHAT IS RANSOMWARE?
3
• February 2016:
• Hollywood Presbyterian Medical Centre—access to email, electronic patient records paralyzed for over a week; $3.6M in Bitcoin demanded
• March 2016:
• First-ever successful attack on an iOS (Apple) computer
• Ottawa Hospital—infected 4 hospital computers; IT able to remediate without paying ransom; no patient info affected
• Norfolk (Ontario) General Hospital—virus pushed out from hospital website to visitor computers (including hospital patients and staff)
RANSOMWARE IN THE NEWS
4
• June 2016:
• University of Calgary
– Encrypted the University’s email server
– U Cal paid $20K ransom
– Decryption successful; no files leaked to public (they think)
RANSOMWARE IN THE NEWS
5
• First-ever (we think) ransomware attack:
• 1989—pre-Internet, distributed by 5 1/4” floppy disk by mail
• Sent to AIDS researchers, by a disgruntled AIDS researcher
• Virus demanded users send $189 by cheque / money order to P.O. box in Panama
• Early attacks targeted random individuals for small sums of money—pay the ransom or you’ll never be able to access your photos, personal files
• CAFC received 2,800 reports of CryptoLocker attacks in 2013
HISTORY OF RANSOMWARE
6
• Typically, virus gains access when user clicks on unfamiliar links, opens email attachments from strangers
• More recently: virus is downloaded via infected copies of legitimate applications
• e.g. March 2016 iOS attack was downloaded via tainted copy of legitimate peer-to-peer file sharing program, downloaded from the app developer’s own website, and bearing a genuine Apple developer’s certificate
• And: latest generation includes “ransomware worms”—virus that can self-replicate onto network drives, USB keys, etc.
HOW DO ATTACKS HAPPEN?
7
• Not just a Windows problem anymore—hackers have adapted software to attack Android and iOS machines
• More sophisticated attack vectors (e.g. downloaded from authentic-but-infected apps from legitimate sources)
• More attacks on public institutions
• Higher ransoms
RECENT DEVELOPMENTS
8
• Increasingly targeting businesses rather than individuals
• Hackers transitioning from “opportunistic extortion” to “market-based” approach, i.e.:
• Hackers are targeting profitable businesses, not random individuals / entities
• “Soft-targeting” of specific personnel—e.g. human resources / hiring managers
• Targeting not just companies /firms with high-value data—e.g. legal, accounting, architectural / engineering, intellectual property
• Hackers are tailoring the amount of ransom demand to the size and profitability of the corporate targets (“cyber-surge pricing”—like Uber)
RECENT DEVELOPMENTS
9
• Estimating there will be 90 million ransomware attacks in 2016 alone—400 raids every minute
• Estimated cost to victims: $1 billion in 2016 alone (up from estimated $24 million in 2015)
• 93% of all phishing attacks contained ransomware (March 2016 sample), and phishing attack volume increased 789% from 2015
• Increased attacks on cloud-based apps (especially Dropbox, Office 365 and Google Apps)
2016 ROUND-UP
10
• Targeting the IoT:
• Brick your whole car
• Hack your pacemaker—pay or we shut it down
• Record from your webcam, blackmail to release the video / images
• “Human life as leverage”—more hospitals, EMS, critical infrastructure (e.g. water treatment plants”)
• Critical asset targeting—focus on key / vulnerable systems
• Source code injection—infect all the machines at the source
RANSOMWARE 2017?
11
• Lost profit, productivity due to temporary / permanent loss of data
• Loss of current / potential customers; reputational loss
• Liability to customers / third parties whose data is lost
• Possible liability for directors and officers where prudent steps to prevent attacks aren’t taken
CONSEQUENCES OF RANSOMWARE ATTACKS
12
• Little prospect for recovery
• Can’t sue them if you can’t find them
• Usual enforcement issues if you do find and sue them—they’re probably not in Canada
• Little chance of seeing hackers brought to justice
• FBI still searching for Russian hacker indicted for CryptoLocker attack (not the one they nabbed in Prague)
• But: Russia, China cracking down on hackers from time to time
• You may have reporting obligations to public bodies
LEGAL RECOURSE AND OBLIGATIONS
13
Securing Personal InformationPIPEDA creates very general requirements to safeguard Personal Information:
• Personal information must be protected by security safeguards appropriate to the sensitivity of the information, and intended to protect against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
• The Commissioner has looked to industry standards such as the PCI DSS in assessing what constitutes an “appropriate” level of security.
Data Protection
14
Breach of Security Safeguards:
“the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards … or from a failure to establish those safeguards.”
Privacy Breaches
15
Securing Personal Information
Suffering a breach does not always indicate that Personal Information was not afforded the requisite protection.
In a 2014 decision, a service provider was found in compliance when an unknown ‘zero-day exploit’ lead to a breach despite safeguards.
Data Protection
16
Securing Personal InformationThe Organization’s protection included:
• Firewalls;
• Hashing and encryption for sensitive information;
• Separate storage and obfuscation for encryption keys;
• Multiple intrusion detection systems (which detected the breach).
Data Protection
17
In response to the breach, the organization added further security including salted hashing, stronger encryption and further isolation for sensitive data.
Breach NotificationThe Commissioner has provided key steps when responding to a breach:
0. Detect the breach1. Contain and assess the breach2. Evaluate the risk
• What information and individuals was affected?• What was the cause and extent of the breach?• Foreseeable harm?
3. Notifying the individuals4. Develop a prevention plan
Privacy Breaches
18
Breach NotificationSoon PIPEDA will require notification where a breach of security safeguards creates a real risk of significant harm to an individual. Whether there is a “real risk” of “significant harm” must be determined considering:
• The sensitivity of the information involved
• The probability the information has been or will be misused
“Significant Harm” will include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Privacy Breaches
19
Breach NotificationIf there is a real risk of significant harm to an individual, notification will need to be given to:
•the Commissioner,
•directly to the affected individuals, and
•any other organizations or government institutions that may be able to reduce risk to the affected individuals
Privacy Breaches
20
The form and required content of the Notices will be set out in regulations.
The Commissioner’s recommendation on report content:
•Name and contact information of the organization;
•The circumstances of the breach (individuals and information affected, date and nature of the breach);
•Assessment of the risk of harm;
•Whether the individuals or other organizations have been notified;
•Mitigation implemented; and
•The organization’s security safeguards.
Privacy Breaches
21
When mandatory breach notification is in force, PIPEDA will also require organizations to retain a record of all security breaches that involve personal information. Even in the absence of a real risk of significant harm.• Date and nature of the breach, • Circumstances of the breach,• Information involved, and •Risk assessment leading to decision whether to notify.
Breach Records
22
Facilitates Commissioner oversight.
• Not all cyber losses will be insurable
INSURANCE ISSUES
23
• First-party losses1. Data breach response
2. Crisis management costs
3. Lost income
4. Online defamation
5. Regulatory defence costs and fines
6. Cyber-extortion
INSURABLE CYBER LOSSES
24
• Third-party losses1. Customer or client losses resulting from data breach
2. Invasion of privacy claims
3. Client losses resulting from inability to access systems
INSURABLE CYBER LOSSES
25
• Damage to reputation/brand
• Loss of goodwill
• Loss of future earnings
• Opportunity cost
UNINSURABLE CYBER LOSSES
26
• E&O
• CGL
• D&O
• Cyber/tech
WHERE COULD LOSSES BE COVERED ?
27
• Damages or losses that insured legally obligated to pay as a result of a “claim”
• Ordinarily tied to “wrongful act” or negligence arising from delivery of “professional services”
• May contain privacy/data breach exclusion
E&O
28
• Damages or losses that insured legally obligated to pay as a result of a “claim”
• Claim arising from decisions and actions taken on behalf of the corporation
D&O
29
• ‘Bodily injury' or 'property damage’
• Caused by an 'occurrence,'
• ‘Advertising injury' or 'personal injury'
CGL
30
• In 2001, Insurance Services Office (U.S.) revised its standard CGL policy form to exclude “electronic data” from the definition of “property damage”
• In 2005, Insurance Service Bureau of Canada followed suit
CGL
31
• Zurich American Insurance Company v Sony Corporation of America, (NY Sup Ct, Feb 21 2014)• Sony’s online systems breached by hackers
• Personal data of 77 million users stolen
• Approximately 12 million credit card numbers stolen
• Estimated $2 billion in losses
• 55 class actions commenced
• Sony claimed under CGL and excess policies
• Sony’s CGL policy included coverage for “oral or written publication, in any matter, of material that violates a person’s right of privacy”
CGL
32
• Zurich v Sony, cont’d• Zurich argued that “publication” required an intentional act on the part of
the insured
• Court agreed with Zurich and denied coverage; the acts of third-party hackers did not satisfy the “publication” requirement in the CGL policy
• Sony decision was appealed, but case settled out of court before decision released by the appeal court
• More recent case of Portal Healthcare, Travelers ordered to provide defence under CGL to health care provider in class action regarding lack of security of private health information
CGL
33
• Notification costs
• Credit monitoring
• Regulatory fines/penalties
• Cyber extortion
• Privacy liability
• Third party losses from failure of network security
CYBER POLICY
34
• Remains to be seen how Courts will interpret various coverage issues
• Businesses should be aware of the scope of cyber risks and proactively assess insurance coverage
• Businesses should not assume that CGL/D&O/E&O policies will be sufficient to cover all losses associated with a cyber event
CONCLUSIONS RE INSURANCE
35
QUESTIONS?
36
gowlingwlg.com Gowling WLG (Canada) LLP is a member of Gowling WLG, an international law firm which consists of independent and
autonomous entities providing services around the world. Our structure is explained in more detail at
gowlingwlg.com/legal
CONTACT
Christopher OatesAssociate
chris.oates@gowlingwlg.com
416-369-7333