Ransomware isn’t just an internal threat for your organization, it’s also a global crime, and data breach notifications are governed by various laws, policies, and agencies. Let’s go over some common cyber-compliance questions about ransomware, data breach notification and reporting, and the laws that cover cybercrime. The information included here is not intended as legal advice and you should be sure to check in with your legal team in the event of any type of data breach incident.
Is ransomware a federal crime?
Absolutely! While there are other laws and guidance that ransomware may also fall under, the specific law governing the criminality of ransomware is the Computer Fraud and Awareness Act | 18 U.S.C. § 1030, established in 1986 and amended in 1988, 1989, 1990, 1994, 1996, 2001, 2002, 2008, and 2020.
Sentences for crimes according to the CFAA are in the table below (taken from page 3 of a Department of Justice publication on Prosecuting Computer Crimes):
What do public agencies like FDIC or UK GCHQ generally mandate organizations to report after becoming aware of a breach?
Data breach notification laws vary based on location and industry. In the United States, the Federal Deposit Insurance Corporation (FDIC) requires banks to report an incident that has or is likely to affect the bank’s operations, services, or the financial sector no more than 36 hours after they have determined the breach occurred. They are also required to notify their customers as soon as possible if the breach will affect those customers for more than four hours. All banks must comply with these new data breach notification requirements by May 1, 2022.
Reporting in the United Kingdom is governed under the UK General Data Protection Regulation (GDPR). Under the UK GDPR, all organizations must report a data breach within 72 hours of determining a breach has occurred. Also within the United Kingdom, the National Cyber Security Centre (NCSC) provides advice and support to organizations on how to address cybersecurity threats both through data security and data protection measures to mitigate malware and ransomware attacks.
Should you report ransomware to the police?
There’s an excellent chance that your company has policies on cyber security compliance and cyber incident response. If you don’t know your company’s policies, ask your IT department. If your company doesn’t have policies on reporting ransomware and cyber compliance, now is the time to create those policies. While reporting is often a necessity, it also benefits your organization. Agencies may be able to assist you with the investigation and negotiations.
All incidents of ransomware in the United States, at home or work, can be reported to the FBI’s Internet Crime Complaint Center (IC3). You can file a complaint on their website. In the United Kingdom, you can report cybersecurity incidents to the National Cyber Security Centre (NCSC).
Other United States Data Breach Notification Resources:
Cybersecurity and Infrastructure Security Agency: https://us-cert.cisa.gov/forms/report
Financial Crimes Enforcement Network (FinCEN) | FinCEN Regulatory Support Section: firstname.lastname@example.org
Homeland Security Investigations Field Office: https://www.ice.gov/about-ice/homeland-security-investigations/cot
U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP): OCCIP-Coord@treasury.gov
U.S. Department of the Treasury’s Office of Foreign Assets Control Sanctions Compliance and Evaluation Division: email@example.com
U.S. Secret Service Cyber Fraud Task Force: https://www.secretservice.gov/investigation#field
Other United Kingdom Data Breach Notification Resources
Information Commissioner’s Office: https://ico.org.uk/for-organisations/report-a-breach/
Do ransomware attackers get caught?
As with all crimes, not all cyber criminals will be caught. But diligent reporting when attacks occur assist government and international agencies find and prosecuting perpetrators of cyber crime. Cyber crime is an international business and the International Criminal Police Organization (INTERPOL) works across borders to fight cyber crime. In January 2022, 11 suspected members of a cyber crime network were arrested in Nigeria. The individuals are believed to be responsible for Business Email Compromise (BEC) scams that harmed thousands of companies throughout the world. You can keep updated on INTERPOL’s cyber crime operations here.
Is it illegal to pay ransomware?
Currently, it is illegal to pay ransomware in the United States under certain circumstances. In October 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a guidance warning that paying ransoms to certain cyber crime syndicates that have been sanctioned by the United States is illegal. The legality of those payments is evaluated by OFAC on a case-by-case basis to determine if the payment is in violation.
A new cybersecurity bill, H.R. 5936—the Ransomware and Financial Stability Act of 2021 would make it illegal to pay a ransom of $100,000 or more, subject to certain safe harbor exceptions. That legislation is currently in the House Committee on Financial Services awaiting a hearing. In the United Kingdom, it is strongly discouraged to pay the ransom, but it may not be illegal in all circumstances. Businesses in the United Kingdom are the most likely to pay a ransom.
How do I know if I have ransomware?
If you notice signs of an unexplained slowdown on your computer or network; odd changes to your files (or their names/locations); suspicious data extraction or encryption; or unfamiliar pop-ups, there’s a good chance you may have been attacked. While prevention is important, having swift detection and a dynamic recovery plan ensures the best outcome when an attack occurs. Rubrik simplifies and streamlines ransomware detection and remediation to mitigate ransomware risks and minimize business disruption.
Unfortunately, it's more of a matter of when you will be targeted in a ransomware attack than a matter of if. Check the status of your cybersecurity posture with the Ransomware Recovery Assessment by Rubrik.