Responding to WannaCry
This post was originally distributed as a privacy and cybersecurity client alert on Monday, May 15, 2017.
As you likely will have heard, there is an ongoing major cyber-attack involving the WannaCry ransomware. It is affecting businesses across the world and across sectors, including financial services firms, healthcare entities and even manufacturers. We are actively advising clients on cybersecurity matters, and we have recently guided clients through ransomware attacks. We have also recently authored a major report on improving transatlantic cybersecurity in collaboration with the US Chamber of Commerce.
Following the WannaCry attack, many companies and their counsel will need to consider and coordinate the following:
React to the attack if directly affected by WannaCry:
Affected entities and their legal teams will need to work with third-party forensic providers to contain and investigate the attack, implement incident response plans, preserve legal privilege, liaise with law enforcement and insurers, and comply with any breach notification obligations.
Respond to their customers or suppliers affected by WannaCry:
Entities that are customers or suppliers of other companies affected by WannaCry may wish to undertake cybersecurity diligence, contract reviews and technical audits relating to such affected companies. In turn, such customer and supplier entities that have been attacked will need to work with counsel to prepare for such diligence, reviews and audits.
Ransomware attacks do not necessarily involve unauthorized acquisition of, or access to, data by the attacker, but they may nonetheless warrant consideration of legal notifications to law enforcement and regulators, or notice to business partners or customers as may be required under contract.
Consider cybersecurity issues proactively:
Even if not affected by WannaCry, proactively consider cybersecurity compliance — e.g., under long-standing privacy or security laws for your sector, the EU’s General Data Protection Regulation (GDPR), Cyber Security Directive and Second Payment Services Directive, UK Financial Conduct Authority Rules, or existing and emerging US State laws, such as the New York Department of Financial Services’ Cybersecurity Regulations. This will entail a review of overall cybersecurity compliance, contractual risk allocation, general data privacy compliance, and incident response plans.
Prepare for possible legal defense:
Affected entities may face myriad claims if individuals or other businesses allege they were adversely impacted. Companies should consider documenting their responses to the attack, and begin a privileged investigation of their pre-attack status.