***URGENT*** MEMO TO “THE IT GUY” RE: RANSOMWARE

***urgent memorandum***

TO: The “IT Guy”

FROM: Shawn Tuma

SUBJECT: Your clients affected by ransomware


STOP OVERWRITING / WIPING / DELETING OR OTHERWISE DESTROYING YOUR CLIENTS’ DATA WHEN THEY ARE AFFECTED BY RANSOMWARE!!!

PLEASE!!! PRETTY PLEASE!!! PRETTY PLEASE WITH SUGAR ON TOP!!! JUST STOP IT!!!

Seriously, everyone understands that ransomware is scary stuff and when you discover that one of your clients has been hit by it, it can cause quite a bit of panic. That is understandable. But, when you feel that sense of panic, that is not the time to act — that is the time to pause, take a deep breath, gather your senses, and let your emotions settle down and your brain take back over. Then, recall the Hippocratic Oath that doctors must take:

“first, do no harm”

Just because you cannot figure out what to do with the encrypted data does not mean that there are not other people out there who can. Consider these points:

  • There are really good folks out there who are experts at getting data like this decrypted.
  • There are outstanding cyber insurance policies that will pay the cost of the ransom to recover the data.
  • Over the course of time, ransomware decryption keys start to make their way into the wild and data that was at one time unrecoverable magically becomes recoverable.
  • And, in many cases, that original encrypted data is necessary to perform forensics that may prove to be very beneficial to your client.

But guess what? NONE OF THIS IS POSSIBLE AFTER YOU COME ALONG AND FINISH THE HACKER’S JOB BY DESTROYING ANY HOPE YOUR CLIENT EVER HAD OF RECOVERING ITS DATA BY PERMANENTLY DELETING IT!!!

PLEASE, JUST STOP IT!!!

Cyber Insurance – A Better Way to Help Small Businesses Manage Cyber Risk

In a recent Wall Street Journal article, The Case for Protecting Small Firms from Cyber Lawsuits, the authors argue that, because smaller companies lack the resources of larger companies when it comes to protecting data, smaller companies should have legal protections to exempt them from facing the consequences of these laws.

While it seems this argument is based on a fundamental misunderstanding of the purpose of these laws, it does offer some productive suggestions and I found it interesting for another reason. The reasons the authors gave for arguing that smaller companies should be exempted from the laws are some of the same reasons I give to smaller companies when I explain why it is so important that they have appropriate cyber insurance coverage:

  1. Small businesses have the same obligations to protect data that larger companies have.
  2. Breach notification laws may have penalties of a certain cost per record breached, regardless of fault.
  3. Breach notification laws may require notifying those individuals whose data was breached, that their data has been breached.
  4. Breach notification laws may require providing identity theft protection services to the individuals whose data was breached.
  5. Individuals whose data was breached may sue and seek recovery of damages and legal fees.

Cyber insurance coverage that is appropriately tailored to meet the needs of a small business will provide them with protection against the risks listed above, and many more, such as the legal fees and costs of having an experienced attorney serve as their breach guide to advise them through the process of managing a cyber incident (see Why You Need a Cyber Attorney) and properly respond to the incident.

I have been practicing in the cybersecurity and data privacy areas of law for nearly two decades and have served as breach guide to hundreds of companies — one of the biggest lessons that I have learned in all of these years is that in many cases, it is not the initial incident that causes most of the harm, it is the failure to properly respond to the initial incident after learning about it that causes it to escalate.

Incident response is expensive. The legal fees, the fees for security services, forensic services, remediation, public relations, and identity theft protection, notification of consumers, and reporting to regulatory agencies — all of these things are very expensive but they are mandatory to properly respond to an incident, in most cases. When a business does not have the resources to pay these expenses, it is not able to properly respond to an incident and that is what can be most devastating of all for small and midsize businesses. That is why it is so critical that small and midsize businesses have appropriate cyber insurance coverage to step in and provide them with the resources needed to help manage and properly respond to such incidents.

Trump and Kanye West Bring Emphasis to #CyberAware Cybersecurity Awareness Month With Password Example

October is National Cyber Security Awareness Month in the United States. There is excellent cyber awareness content available by going to #CyberAware and #CyberAvengers hashtags on Twitter and visiting The #CyberAvengers Website for free resources, including this free Good Cyber Hygiene Checklist.

President Trump and Kanye West put a big ‘ole Texas-sized exclamation point on the [need for?] #CyberAware campaign with Kanye’s password demonstration while on national tv in the Oval Office.

Politicos will spin this a million ways. Security folks will go back and forth between laughing and crying — and maybe do both at the same time. But, the important thing is that we learn from this and use it as an example to help educate others. I thought there was no better way to do that than by putting “Trump”, “Kanye West”, “Password”, “Cybersecurity”, and “#CyberAware” in the title — how’s that for getting a wide range of attention? 🙂

All joking aside, what are the most important lessons you take away from this example and can you use this lightning rod example to help educate your team, family, and friends about good cyber hygiene?

5 Key Things In-House Counsel Can Do to Help Their Businesses’ Cybersecurity

internet screen security protection
Photo by Pixabay on Pexels.com

Cybersecurity is a team sport and many people within a business must work together to help effectively manage their businesses’ cyber risk. In-house counsel plays a critical role in this process. A recent Law360 article (subscription required) identified the following key things they can do:

  1. Develop, implement, and table-top test an incident response plan
  2. Advise executives on their ethical obligations (and make sure to mention insider trading on knowledge of cyber incidents)
  3. Have an awareness of applicable laws and regulatory standards
  4. Understand and help manage third-party risk from vendors and business partners

I am adding one more because it is critical: Ensure the business has appropriate cyber insurance to address its unique risks.

SecureWorld Post: 4 Key Cyber Insurance Takeaways for Companies from Spec’s v. Hanover Lawsuit

In my latest post for SecureWorld, explain 4 key takeaways for businesses from the Spec’s v. Hanover lawsuit regarding cyber insurance. Check it out and let me know what you think:  4 Key Cyber Insurance Takeaways for Companies from Spec’s v. Hanover Lawsuit