On February 22, 2023, Gross McGinley Managing Partner and Business Services Attorney Jack Gross participated in a panel discussion along with Apogee Insurance Group and EZ Micro Solutions. The event was geared toward educating business owners on the risks, liability, and requirements of cyber insurance. In his portion of the presentation, Attorney Gross spoke to the risks that businesses take on in the digital age and how they need to legally protect themselves from ransomware attacks. The following are the key points from Jack's presentation as well as a video of his talk. You can also find more insights in the videos and presentations from the other presenters of the day, listed under Other Resources below.

Recognizing the Risk

Introduction
- In one IT consultant's penetration-testing study, 93% of the business networks tested could be penetrated.
- More than 99% of US businesses are small businesses (up to $40 million in annual revenue).
- Most mid- to large-size businesses are taking at least some of the required steps to prevent penetration.
- Small businesses are starting to understand the risk.

Statistics
- First 6 months of 2022: an estimated 236.1 million ransomware attacks globally.
- There were 623.3 million ransomware attacks globally in 2021.
- Ransomware accounted for around 20% of all cyber-crimes in 2022.
- 20% of ransomware costs are attributed to reputation damage.
- 93% of ransomware samples are Windows-based executables.
- The most common entry point for ransomware is email phishing.

Example One: Wire Fraud Through a Compromised Email Account
- Law firm/title agency in central Pennsylvania.
- $900,000 sale of a personal residence.
- The sale involved paying off a $600,000 mortgage to Wells Fargo.
- The day before closing, the sellers' realtor emailed wiring instructions for the mortgage payoff to the title agent.
- After closing, the law office wired $600,000 to what it believed was Wells Fargo, based on those wiring instructions.
- 45 days after closing, the sellers received a notice from Wells Fargo that their mortgage was in default.

What had actually happened:
- Sometime in the month before the closing, the realtor's network was compromised, likely through a phishing attack.
- The criminal did nothing in the account but monitor it.
- The day before closing, the criminal used the realtor's email account to send the title agent an email with payoff wiring instructions for a supposed Wells Fargo account.
- The title agent did not verify the wiring instructions (for example, by calling the realtor or the lender at an independently known phone number). No one noticed anything because the payoff amount was correct, and the sale closed.
- The $600,000 wire was sent to what appeared to be a Wells Fargo account. In reality the wire information was false, and the money went to the cyber criminals, who emptied the account and transferred the money to overseas accounts.
- By the time the incident was discovered, the money was gone and could not be recovered.
- The lawyer/title agent spoke to his title insurance company and his E&O carrier; both explained that they would either refuse coverage or pay the claim and then sue him to recover their loss.
- The lawyer was threatened with suit by the sellers because he was a fiduciary and had agreed to use the sale proceeds to pay off the mortgage.
- Total losses from the incident were approximately $650,000 (the lost funds plus expenses).
- The decision: close the business or pay the $650,000 from personal funds.
- The lawyer/title agent mortgaged his home and business property to pay the amounts and stay in business.

Legal Basics
- Personally identifiable information (PII) is any data that could potentially identify a specific individual.
- In the U.S., no single federal law regulates the protection of PII. Instead, protection comes from:
  - federal and state laws
  - sector-specific regulations
  - common law principles
  - industry self-regulatory programs
- Pennsylvania definition of PII: an individual's first name or first initial and last name in combination with any one or more of the following, when the data elements are not encrypted or redacted:
  (1) Social Security number;
  (2) driver's license number or state ID card number;
  (3) financial account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
  (4) medical information;
  (5) health insurance information;
  (6) a username or email address, in combination with a password or security question and answer that would permit access to an online account.
- Alphabet soup of federal agencies and laws. A partial list of federal laws that could apply: Gramm-Leach-Bliley Act (GLBA); Health Insurance Portability and Accountability Act (HIPAA); Telephone Consumer Protection Act (TCPA); Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM); Children's Online Privacy Protection Act (COPPA); Fair Credit Reporting Act (FCRA); Electronic Communications Privacy Act (ECPA); and the Computer Fraud and Abuse Act (CFAA).
- Protected Health Information (PHI) is covered by the HIPAA Privacy Rule; the Department of Health and Human Services (DHHS) issues the rules.
- Financial information that is PII: the SEC has rules.
- If there is an incident involving actual or potential disclosure of PII, including PHI, the legal consequences are significant and the requirements are complicated.

Example Two: Ransomware at a Healthcare Provider
- Healthcare provider with in excess of 100,000 patients over its 30+ years in operation (not a Lehigh Valley or eastern PA company).
- It had implemented multi-factor authentication for login but made exceptions for certain individuals.
- A phishing or spear-phishing attack targeted an individual who logged in without multi-factor authentication. The exception became the entry point.
- Ransomware shut down the entire system for 2 weeks. Doctors returned to paper charts and calendars to see patients.
- There was no billing for services during the lock-out. The claim was insured, and ultimately a ransom in excess of $1 million was paid.
- The FBI was notified. It has a unit dedicated to investigating these cases, but you should not expect it to be able to recover your data.
- Although there is often no evidence of improper use of the data in ransomware attacks, the unauthorized access to PHI requires notice to patients and to the Office for Civil Rights of DHHS.
- Notifications had to be sent to all 100,000 patients.
- DHHS is conducting its own investigation of the provider, and potentially of all related business associates.
- The patient notice process in this case cost in excess of $200,000.
- It is impossible to measure the reputation damage.
- There is a growing trend of class action litigation involving data breaches.
- Despite recovering the data, the entire computer system needed to be rebuilt, and a year later data integrity issues continue.

Enforcement: What Happens If You Don't Follow the Law

Criminal Penalties
- October 2022: the former CSO of Uber was convicted of federal crimes for covering up a data breach.
- The CSO was responsible for supervising the response to the breach and to the FTC investigation of the breach.
- The court found that the CSO's actions were designed to prevent disclosure of the breach.
- Uber paid a ransom to the hackers.
- Uber obtained NDAs from the hackers.
- The hackers were caught and are also facing federal prison.

Civil Penalties: SEC
- Cetera Advisors: the SEC investigated Cetera Advisors over unauthorized access to approximately 4,500 customer accounts involving disclosure of PII.
- Cetera had not followed its own policies regarding protecting customer accounts.
- Cetera sent notifications to customers, but the notifications were misleading about the incident.
- Cetera agreed to a $300,000 SEC fine and to additional SEC requirements.

Civil Penalties: FTC
- CafePress, an online retailer.
- The FTC alleged that it failed to implement reasonable security measures before an incident.
- After the incident, the FTC found that its systems contained plain-text Social Security numbers, inadequately encrypted passwords, and answers to password-reset questions.
- The FTC sought an order requiring it to bolster its data security and requiring its former owner to pay $500,000 in compensation.

International Issues
- General Data Protection Regulation (GDPR), the EU data protection regulation
- UK Data Protection Act 2018

Other Resources
- EZ Micro Solutions video presentation
- EZ Micro Solutions PDF presentation
- Apogee Insurance Group video presentation
- Apogee Insurance Group PDF presentation

Attorney Jack Gross is the Managing Partner of Gross McGinley, LLP, practicing in the Business Services Group as well as the Municipal and Real Estate Groups. With over 20 years of service, Jack has honed knowledge and expertise in the industries of insurance, banking, manufacturing, media and publishing, and more.