Cyber criminals’ entire business model is based on developing threats faster than the public can develop safeguards.  Privacy laws are fast becoming the first place data collectors look for guidance when they have suffered a cyber attack.  Unfortunately, the legislatures that develop privacy laws are not known for their efficient work.  For example, the Illinois Information Protection Act is one of the most comprehensive data laws found in the United States and provides the model for many states.  PIPA provides guidelines for data collectors, including how to properly respond to a breach of personal information.  However, even though it is generally considered to be on the cutting edge, PIPA still has trouble keeping up with technological developments created by criminals.

Is Ransomware An “Acquisition” Of Data Under The Illinois Information Protection Act?

As it stands, PIPA does not expressly state that it applies to data collectors that are attacked with ransomware.  Of course, ransomware has been a threat for a while and this threat appears to be on the increase. For example, a new strain of ransomware nicknamed “Bad Rabbit” is reportedly spreading in Russia, Ukraine and moving into other parts of the world. This new threat appears to be related to the WannaCry and Petya ransomware attacks that caused problems earlier this year. At present, this malware is not being detected by anti-virus programs.

While the extent of the damage caused by Bad Rabbit is still unknown, the threat created by ransomware is clear. Reports indicate the total value of ransomware sales on the dark web has rapidly increased from $250,000 to over $6m in just a year. The growth of ransomware will continue as criminals get more access to the malware and victims are resigned to the fact that they have no choice but to pay to regain access to their systems. The only hurdle for ransomware at this point appears to be an increased number of amateur criminals using malicious software and potentially not releasing encrypted files to victims.  These amateurs may destroy the credibility of the ransomware criminal enterprise.

For our purposes though, this is not a good environment for PIPA to have any ambiguity concerning whether it applies to ransomware attacks.   PIPA addresses a data collector’s obligations if they sustain a “breach.”  Specifically, PIPA requires that a data collector notify Illinois residents that their personal information has been involved in a “breach.” Of course, the ransomware threat is different than the threat created by a disclosure of personal information through a classic system breach or a disclosure caused by a phishing scam.  PIPA defines “breach” as:

Breach of the security of the system data” or “breach” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. “Breach of the security of the system data” does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.

While PIPA does not mention ransomware by name, it does create a question as to whether ransomware falls under the definition of “breach of the security of the system data.” Oftentimes, ransomware may not arguably involve the “acquisition” of data and may be limited to the encryption of data until a ransom is paid. That is, there may be no “acquisition” of the data in a ransomware attack.  Therefore, a data collector may struggle with determining whether ransomware constitutes a “breach” under PIPA.

Based on this ambiguity, if a data collector is hit with ransomware, the most prudent course may involve notifying all Illinois residents of the incident.

Is It A Good Idea To Send People To Equifax In Notification Letters?

PIPA also provides notification requirements if a data collector experiences a breach.   Specifically, if a data collector breaches the personal information of an Illinois resident, the data collector must send a “disclosure notification” which provides “the toll-free numbers and addresses for consumer reporting agencies.” After the recent breach at Equifax, a consumer reporting agency, data collectors may be hesitant to tell people involved in an incident to contact Equifax. Further, even if Equifax’s information is provided merely to comply with this requirement, Illinois residents may not be willing to reach out to Equifax. As we see recent events make this requirement useless, the Illinois legislature may want to amend PIPA to remove this requirement for notification letters.

Even if Bad Rabbit does not develop into a major threat in the United States, we can be certain that criminals are already working on their next crime involving our home, government and business computer systems.   Therefore, the Bad Rabbit outbreak provides the perfect opportunity to take a look at a data collector’s responsibilities if they are hit with ransomware or some cyber crime that may not even be in the news at this time.

Even though there may be some uncertainty, privacy laws are still the first place data collectors should still go if they are involved in an incident.  At this point, it may be slightly unrealistic to expect legislatures to create privacy laws that move as quickly as the criminals that we are trying to protect ourselves against.  Further, most criminals will have moved on from ransomware to the next threat by the time the legislature is able to pass laws addressing ransomware.  Data collectors may need to look to the intent behind privacy laws and notify impacted individuals if there is a chance that their information has been exposed to another person without authorization, regardless of whether information was compromised through employee negligence, a classic breach, ransomware or some threat presently unknown.