A nationwide rise in ransomware attacks that increasingly involve stealing data in addition to locking owners out of their systems means more regulatory and legal headaches for affected companies, reports BloombergLaw. Data exfiltrated in what are known as double-extortion attacks can trigger breach reporting requirements and other types of disclosures. Such disclosures raise the chances that a company will face regulatory scrutiny and consumer-led litigation. Double-extortion attacks put companies in a bind because they likely have to navigate legal risks regardless of whether they pay the ransom.
Attacks that increasingly threaten to post stolen information if a ransom isn’t paid could leave victims running afoul of privacy laws such as the California Consumer Privacy Act and Europe’s General Data Protection Regulation, which may result in hefty fines for businesses that leave customers’ personally identifiable information exposed. Depending on the circumstances of the attack and the type of data that was exfiltrated, companies may have to report incidents under state data breach laws, or to business partners if such notification is written into a contract. Meanwhile, Law360 reports that Biden administration officials hashing out new cybersecurity policies — including an imminent executive order expected to set new security standards for federal agencies and government contractors — face a delicate balancing act: holding entities accountable for shoring up their defenses while still encouraging them to speak up if they are hacked.