Ransomware is more prevalent than ever, and it is getting worse. Rare is the organization that has not either experienced a network extortion event or dealt with another that has. Yet most organizations are ill prepared when hit with ransomware, losing precious time, and thereby increasing legal risk, all because of a failure to adequately plan for the potential disruptions that a ransomware attack may bring. Even after the attack subsides, the legal repercussions of ransomware can often dwarf the attack itself, considering such things as reporting duties, investigations, indemnification claims, and lawsuits.

Organizations are best served by preparing for these challenges in advance and honing the appropriate legal tools for use in an attack before the attack occurs. These tools include, amongst others, an Incident Response Plan keyed to the organization's specific regulatory concerns; appropriate third-party relationships to provide support in a ransomware attack; and a thorough risk management analysis, addressing everything from risk transfer strategies, such as insurance, to the all-important question of whether or not to pay a ransom demand, if such payment is even possible.

Developing an Appropriate Incident Response Plan

Incident Response Plans have been familiar in highly regulated industries, such as health care and financial services, for years. Only recently, however, have they become a requirement for the masses, with many organizations facing recent statutory or regulatory mandates to adopt a plan. Case in point, the recently implemented N.Y. SHIELD Act, which added a new §899-bb to the General Business Law, requiring any person or business that owns or licenses the computerized private information of a New Yorker to "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of [such] information including, but not limited to, disposal of data." See N.Y. Gen. Bus. Law §899-bb(2).