Ransomware is a significant and increasing threat to organizations of all kinds and sizes. Ransomware is malicious software that prevents access to or use of an affected information technology resource or related data, and demands payment of a ransom to restore the resource or data. A ransomware attack can cause significant financial loss and other harm to the victim organization and to its customers and business partners.
Recently published research indicates that the severity and frequency of ransomware attacks increased during 2016, that many organizations are completely unprepared for a ransomware attack and that ransomware attacks often result in the exfiltration of data. See Gone in 60 seconds. The grim reality of Ransomware. (published by Timico in partnership with Datto) and The Rise of Ransomware (research by Ponemon Institute sponsored by Carbonite).
Government agencies (including the Canadian Cyber Incident Response Centre and the Privacy Commissioners of Alberta and Ontario) have issued helpful guidance for preventing, defending against and responding to ransomware attacks. See Government Guidance for Preventing and Responding to Ransomware Attacks and Guidance for Defending and Responding to Ransomware Attacks.
In July 2016, the U.S. Department of Health and Human Services issued FACT SHEET: Ransomware and HIPAA to provide guidance for preventing, defending against and responding to ransomware attacks in compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA). The Fact Sheet details the kinds of investigations required to properly assess the nature and impact of a ransomware attack and to determine whether there is an obligation under HIPAA to report the attack. Helpful guidance may also be found in the U.S. government interagency technical guidance document titled How to Protect Your Network from Ransomware.
Regulatory guidance consistently emphasizes that organizations should have an established and tested incident response plan for ransomware attacks to assist in making important technical, business and legal decisions in a timely manner, including decisions about giving notice of a ransomware attack to regulators, affected individuals and organizations, stakeholders and insurers. Organizations should obtain appropriate technical and legal advice when preparing and testing a cyber incident response plan and when responding to a ransomware attack. See Data Security Incident Response Plans — Some Practical Suggestions and Data Incident Notification Obligations.