This week on Lock and Code, we speak to cybersecurity and privacy attorney Jake Bernstein about ransomware attacks that don’t just derail a company’s reputation and productivity, but also throw it into potential legal peril.
In 2020, the cybersecurity community noticed a worrying trend from ransomware operators. No longer satisfied with just demanding a ransom payment to unlock their victims’ encrypted files, some ransomware gangs employed a new device to squeeze their targets: after initially breaching a business, they would pilfer sensitive data and then threaten to publish it online.
These are the so-called “double extortion” attacks, in which ransomware operators can hit the same target two times over: we’ve not only locked your files, which will cost money to decrypt, we’ve also stolen your data, which will cost money to keep private. But this threat doesn’t stop there. For companies hit with these attacks, not only do they often have to rebuild their databases, not only can they lose days or even weeks of work, not only are their reputations pummeled if their sensitive data is published online, but, depending on how much data is leaked, and what kind, they could also get into legal trouble.
“This is a big deal, and it is a legal issue,” Bernstein said. “It is not just an IT problem.”
Tune in to learn about these ransomware attacks, what state laws get triggered, how new privacy laws affect legal compliance, and why Bernstein does not expect any federal legislation to standardize this process, on the latest episode of Lock and Code, with host David Ruiz.