Since Friday, May 12, over 200,000 companies from over 150 countries have become victims of a massive cyber-attack from the ransomware variant WannaCry (also known as WCry or WanaCryptor). The attackers demanded payment of $300 in Bitcoin from each victim to restore access to files that the ransomware encrypted. The attackers stated that the price of file retrieval would elevate to $600 after a short period of time, and if the company-victim refused to pay, the files would be permanently deleted. Notably, this particular ransomware appears to have been propagated primarily due to a failure to patch a Windows software vulnerability known as EternalBlue, and potentially gave the attackers access to the files they encrypted. Organizations large and small, domestic and international, are among the victims.
The WannaCry attack is a stark reminder of the need to have comprehensive information governance and incident response plans in place. Planning for such an attack can be just as important, if not more so, than the response itself, and can block the threat or mitigate the damage, disruption, and liability suffered in the event the organization is a victim of a successful attack.
Implement a Written Information Security Program.
Knowing how to mitigate the effects of a breach and how to respond upon notice of a breach starts with taking stock of your company’s information security practices and the sensitive data your company holds by developing and implementing a written information security program (“WISP”) (also known as an information security program). The WISP is a comprehensive inventory of a company’s sensitive information and data security practices, and provides the basis for creating effective administrative, technical, and physical safeguards for the protection of that sensitive information. This process includes evaluating the access, collection, storage, use, transmission, and protection of all sensitive information to determine the appropriate method to safeguard it.
Although a WISP is only required by a limited number of jurisdictions, such as Massachusetts and New York (for regulated entities under the Department of Financial Services), it serves as the baseline for reasonable data security practices regardless of where the organization’s operations are located. Creating and implementing a successful WISP includes review and analysis of the size, scope, and type of business, the resources available to the company, the volume of data the company processes, and the need for security and confidentiality regarding the processed data. It is essential that the organization implement a reasonable and appropriate WISP that the company follows, rather than creating a policy that is impracticable or that sits on the shelf.
Execute an Incident Response Plan.
After conducting an assessment of the company’s data and security practices and putting in place reasonable policies, it is important to plan for the inevitable incident. Drafting and routinely updating an incident response plan is an effective way to address the challenges of responding to an incident before it happens. The process of creating an incident response plan requires the company to carefully assess who should be included on the internal incident response team, including key company executives, legal and compliance officers, communications professionals, outside counsel, and other internal and external stakeholders relative to the company and business. The process also involves an assessment of key constituencies with whom it will be important to have a working relationship should the company experience an incident (e.g., law enforcement, regulators, and breach response service providers). Developing these relationships takes time, and requires advance planning that yields significant benefits and efficiencies in the event of an incident. Once drafted, the incident response plan gives the company the opportunity to run a table-top exercise, revise the plan, and then provide employee training around particular procedures and protocols. Further, from a business perspective, the development and implementation of an incident response plan establishes an internal resource dedicated to breach preparedness and data privacy.
The WannaCry attack has victimized individuals and organizations globally and highlights the need for prior proper planning for effective data security. Trusted counsel can assist your organization in developing appropriate and reasonable policies and procedures to govern the use of sensitive data and mitigate the damage and disruption in the event an incident occurs.