ransomware: prevention, privacy and your options post-breach


Page 1: Ransomware: Prevention, privacy and your options post-breach


GOWLING WLG, NOVEMBER 2ND, 2016

AGENDA

Topic                                              Speaker
Ransomware—Nature and Scope of Threat              Brent Arnold
Privacy Implications and Reporting Obligations     Christopher Oates
Insurance Issues                                   Belinda Bain

WHAT IS RANSOMWARE?

• Malware that locks a user’s computer or files until the user performs actions demanded by the software

• Demands range from annoying-but-benign—e.g. forcing the user to complete a survey—to actual ransom, i.e. payment of funds, typically via Bitcoin

• Unlike conventional privacy breaches, the goal isn’t to steal / leak info; it’s to prevent the user from accessing it—typically, no-one else ever sees it

• No guarantee access will be restored once demands are met

RANSOMWARE IN THE NEWS

• February 2016:

  – Hollywood Presbyterian Medical Centre—access to email and electronic patient records paralyzed for over a week; $3.6M in Bitcoin demanded

• March 2016:

  – First-ever successful ransomware attack on Mac OS X (Apple) computers

  – Ottawa Hospital—infected 4 hospital computers; IT able to remediate without paying ransom; no patient info affected

  – Norfolk (Ontario) General Hospital—malware pushed out from the hospital website to visitors’ computers (including hospital patients and staff)

RANSOMWARE IN THE NEWS

• June 2016:

  – University of Calgary: encrypted the University’s email server

  – The University paid a $20K ransom

  – Decryption successful; no files leaked to the public (they think)

HISTORY OF RANSOMWARE

• First-ever (we think) ransomware attack:

  – 1989—pre-Internet, distributed on 5 1/4” floppy disks by mail

  – Sent to AIDS researchers, by a disgruntled AIDS researcher

  – The program demanded users send $189 by cheque / money order to a P.O. box in Panama

• Early attacks targeted random individuals for small sums of money—pay the ransom or you’ll never be able to access your photos and personal files

• CAFC (Canadian Anti-Fraud Centre) received 2,800 reports of CryptoLocker attacks in 2013

HOW DO ATTACKS HAPPEN?

• Typically, the malware gains access when a user clicks on unfamiliar links or opens email attachments from strangers

• More recently: the malware is downloaded inside infected copies of legitimate applications

  – e.g. the March 2016 Mac OS X attack was delivered in a tainted copy of a legitimate peer-to-peer file sharing program, downloaded from the app developer’s own website and signed with a genuine Apple developer certificate

• And: the latest generation includes “ransomware worms”—malware that can self-replicate onto network drives, USB keys, etc.

RECENT DEVELOPMENTS

• Not just a Windows problem anymore—hackers have adapted their software to attack Android and Mac OS X machines

• More sophisticated attack vectors (e.g. downloaded in authentic-but-infected apps from legitimate sources)

• More attacks on public institutions

• Higher ransoms

RECENT DEVELOPMENTS

• Increasingly targeting businesses rather than individuals

• Hackers transitioning from “opportunistic extortion” to a “market-based” approach, i.e.:

  – Hackers are targeting profitable businesses, not random individuals / entities

  – “Soft-targeting” of specific personnel—e.g. human resources / hiring managers

  – Not just targeting companies / firms with high-value data (e.g. legal, accounting, architectural / engineering, intellectual property) but any profitable business

  – Hackers are tailoring the amount of the ransom demand to the size and profitability of the corporate target (“cyber-surge pricing”—like Uber)

2016 ROUND-UP

• Estimates of 90 million ransomware attacks in 2016 alone—cited as 400 raids every minute

• Estimated cost to victims: $1 billion in 2016 alone (up from an estimated $24 million in 2015)

• 93% of all phishing emails contained ransomware (March 2016 sample), and phishing attack volume increased 789% from 2015

• Increased attacks on cloud-based apps (especially Dropbox, Office 365 and Google Apps)

RANSOMWARE 2017?

• Targeting the IoT:

  – Brick your whole car

  – Hack your pacemaker—pay or we shut it down

  – Record from your webcam, then blackmail you with the threat of releasing the video / images

• “Human life as leverage”—more hospitals, EMS, critical infrastructure (e.g. water treatment plants)

• Critical asset targeting—focus on key / vulnerable systems

• Source code injection—infect all the machines at the source

CONSEQUENCES OF RANSOMWARE ATTACKS

• Lost profit and productivity due to temporary / permanent loss of data

• Loss of current / potential customers; reputational loss

• Liability to customers / third parties whose data is lost

• Possible liability for directors and officers where prudent steps to prevent attacks aren’t taken

LEGAL RECOURSE AND OBLIGATIONS

• Little prospect for recovery

  – Can’t sue them if you can’t find them

  – Usual enforcement issues if you do find and sue them—they’re probably not in Canada

• Little chance of seeing hackers brought to justice

  – FBI still searching for the Russian hacker indicted for the CryptoLocker attacks (not the one they nabbed in Prague)

  – But: Russia and China crack down on hackers from time to time

• You may have reporting obligations to public bodies

Data Protection

Securing Personal Information

PIPEDA creates very general requirements to safeguard Personal Information:

• Personal information must be protected by security safeguards appropriate to the sensitivity of the information, and intended to protect against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.

• The Commissioner has looked to industry standards such as the PCI DSS in assessing what constitutes an “appropriate” level of security.

Privacy Breaches

Breach of Security Safeguards:

“the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards … or from a failure to establish those safeguards.”

Data Protection

Securing Personal Information

Suffering a breach does not always indicate that Personal Information was not afforded the requisite protection.

In a 2014 decision, a service provider was found in compliance when an unknown ‘zero-day exploit’ led to a breach despite its safeguards.

Data Protection

Securing Personal Information

The Organization’s protection included:

• Firewalls;

• Hashing and encryption for sensitive information;

• Separate storage and obfuscation for encryption keys;

• Multiple intrusion detection systems (which detected the breach).

In response to the breach, the organization added further security including salted hashing, stronger encryption and further isolation for sensitive data.
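The remediation above moves from plain hashing to salted hashing. The following is an added example, written for this page and not code from the organization in the decision or from the presenters, showing concretely what that change buys: with an unsalted hash, two users with the same password store the same digest, and an attacker who has precomputed digests of common passwords recovers the plaintext with one lookup; with a random per-record salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 is used here as an assumption; the decision does not name the algorithm), identical passwords produce different records and the precomputed table is useless. The password list, user names and record format are constructed for the example, and the iteration count is an assumption to be tuned to the server.

```python
"""Unsalted vs. salted password hashing (added example, not from the original page)."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample inputs for the example, not data from any real system.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Winter2016"]


# --- Weak scheme: a single unsalted SHA-256 -------------------------------
def hash_unsalted(password: str) -> str:
    """One SHA-256 of the password: the same password gives the same digest everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(candidates) -> dict:
    """What an attacker builds once and reuses against every breach: digest -> plaintext."""
    return {hash_unsalted(p): p for p in candidates}


def crack_with_table(table: dict, stored_value: str) -> Optional[str]:
    """One dictionary lookup; succeeds whenever the stored value is an unsalted digest."""
    return table.get(stored_value)


# --- Hardened scheme: per-record random salt + PBKDF2-HMAC-SHA256 ---------
ITERATIONS = 100_000  # assumption: tune so one derivation costs ~100 ms on the server


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$dk_hex'.

    A fresh 128-bit salt is drawn per record, so two users with the same
    password get different records and a precomputed table cannot be reused.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    """Two users who chose the same weak password, under both schemes."""
    alice_unsalted = hash_unsalted("Winter2016")
    bob_unsalted = hash_unsalted("Winter2016")
    table = precomputed_table(COMMON_PASSWORDS)

    alice_salted = make_record("Winter2016")
    bob_salted = make_record("Winter2016")
    alice_salted_dk = alice_salted.split("$")[-1]  # the part an attacker would look up

    return {
        "unsalted_collide": alice_unsalted == bob_unsalted,           # True: linkable
        "unsalted_cracked": crack_with_table(table, alice_unsalted),  # 'Winter2016'
        "salted_collide": alice_salted == bob_salted,                 # False
        "salted_cracked": crack_with_table(table, alice_salted_dk),   # None
        "verify_ok": verify("Winter2016", alice_salted),              # True
        "verify_bad": verify("winter2016", alice_salted),             # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting alone does not make a fast hash slow; the iteration count (or a memory-hard function such as scrypt or Argon2) is what raises the attacker's cost per guess, and the salt is what forces that cost to be paid separately for every record.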

Privacy Breaches

Breach Notification

The Commissioner has provided key steps when responding to a breach:

0. Detect the breach

1. Contain and assess the breach

2. Evaluate the risk

  • What information and which individuals were affected?

  • What was the cause and extent of the breach?

  • Is harm foreseeable?

3. Notify the individuals

4. Develop a prevention plan

Privacy Breaches

Breach Notification

Soon PIPEDA will require notification where a breach of security safeguards creates a real risk of significant harm to an individual. Whether there is a “real risk” of “significant harm” must be determined considering:

• The sensitivity of the information involved

• The probability the information has been or will be misused

“Significant Harm” will include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Privacy Breaches

Breach Notification

If there is a real risk of significant harm to an individual, notification will need to be given to:

• the Commissioner,

• the affected individuals directly, and

• any other organizations or government institutions that may be able to reduce the risk to the affected individuals

The form and required content of the Notices will be set out in regulations.

Privacy Breaches

The Commissioner’s recommendation on report content:

• Name and contact information of the organization;

• The circumstances of the breach (individuals and information affected, date and nature of the breach);

• Assessment of the risk of harm;

• Whether the individuals or other organizations have been notified;

• Mitigation implemented; and

• The organization’s security safeguards.

Breach Records

When mandatory breach notification is in force, PIPEDA will also require organizations to retain a record of all security breaches that involve personal information, even in the absence of a real risk of significant harm:

• Date and nature of the breach,

• Circumstances of the breach,

• Information involved, and

• Risk assessment leading to the decision whether to notify.

Facilitates Commissioner oversight.

INSURANCE ISSUES

• Not all cyber losses will be insurable

INSURABLE CYBER LOSSES

• First-party losses

  1. Data breach response

  2. Crisis management costs

  3. Lost income

  4. Online defamation

  5. Regulatory defence costs and fines

  6. Cyber-extortion

INSURABLE CYBER LOSSES

• Third-party losses

  1. Customer or client losses resulting from a data breach

  2. Invasion of privacy claims

  3. Client losses resulting from inability to access systems

UNINSURABLE CYBER LOSSES

• Damage to reputation/brand

• Loss of goodwill

• Loss of future earnings

• Opportunity cost

WHERE COULD LOSSES BE COVERED?

• E&O (errors and omissions)

• CGL (commercial general liability)

• D&O (directors and officers)

• Cyber/tech

E&O

• Damages or losses that the insured is legally obligated to pay as a result of a “claim”

• Ordinarily tied to a “wrongful act” or negligence arising from delivery of “professional services”

• May contain a privacy/data breach exclusion

D&O

• Damages or losses that the insured is legally obligated to pay as a result of a “claim”

• Claim arising from decisions and actions taken on behalf of the corporation

CGL

• ‘Bodily injury’ or ‘property damage’

• Caused by an ‘occurrence’

• ‘Advertising injury’ or ‘personal injury’

CGL

• In 2001, the Insurance Services Office (U.S.) revised its standard CGL policy form to exclude “electronic data” from the definition of “property damage”

• In 2005, the Insurance Bureau of Canada followed suit

CGL

• Zurich American Insurance Company v Sony Corporation of America (NY Sup Ct, Feb 21 2014)

  – Sony’s online systems breached by hackers

  – Personal data of 77 million users stolen

  – Approximately 12 million credit card numbers stolen

  – Estimated $2 billion in losses

  – 55 class actions commenced

  – Sony claimed under its CGL and excess policies

  – Sony’s CGL policy included coverage for “oral or written publication, in any manner, of material that violates a person’s right of privacy”

CGL

• Zurich v Sony, cont’d

  – Zurich argued that “publication” required an intentional act on the part of the insured

  – Court agreed with Zurich and denied coverage; the acts of third-party hackers did not satisfy the “publication” requirement in the CGL policy

  – The Sony decision was appealed, but the case settled out of court before a decision was released by the appeal court

• More recent case of Portal Healthcare: Travelers was ordered to provide a defence under a CGL policy to a health care provider in a class action regarding the lack of security of private health information

CYBER POLICY

• Notification costs

• Credit monitoring

• Regulatory fines/penalties

• Cyber extortion

• Privacy liability

• Third party losses from failure of network security

CONCLUSIONS RE INSURANCE

• Remains to be seen how Courts will interpret various coverage issues

• Businesses should be aware of the scope of cyber risks and proactively assess insurance coverage

• Businesses should not assume that CGL/D&O/E&O policies will be sufficient to cover all losses associated with a cyber event

QUESTIONS?

CONTACT

Christopher Oates, Associate

[email protected]

416-369-7333

gowlingwlg.com

Gowling WLG (Canada) LLP is a member of Gowling WLG, an international law firm which consists of independent and autonomous entities providing services around the world. Our structure is explained in more detail at gowlingwlg.com/legal