Extract from Paul Greene and Daniel J. Altieri’s article “Refine Your Legal Toolkit Before Ransomware Strikes”
Ransomware is more prevalent than ever, and it is getting worse. Rare is the organization that has not either experienced a network extortion event or dealt with another that has. Yet most organizations are ill-prepared when hit with ransomware, losing precious time and thereby increasing legal risk, all because of a failure to adequately plan for the potential disruptions that a ransomware attack may bring. Even after the attack subsides, the legal repercussions of ransomware can often dwarf the attack itself, considering such things as reporting duties, investigations, indemnification claims, and lawsuits.
Organizations are best served by preparing for these challenges in advance and honing the appropriate legal tools for use in an attack before the attack occurs. These tools include, amongst others, an Incident Response Plan keyed to the organization’s specific regulatory concerns; appropriate third-party relationships to provide support in a ransomware attack; and a thorough risk management analysis, addressing everything from risk transfer strategies, such as insurance, to the all-important question of whether or not to pay a ransom demand, if such payment is even possible.