Are You Required To Report a Ransomware Attack?

Whether a ransomware attack constitutes a reportable data breach under any data breach disclosure laws, regulations or other requirements is a vexed question, and according to Mark Rasch, it gets the usual answer from lawyers; it depends. What it depends on is the information that was breached, the location of the breached entity or subject of the hacked data. Even when it concerns health data, which is subject to a plethora of confidentiality requirements and reporting protocols, it is still somewhat dependent on who collects the data and why. Whether a ransomware attack is a breach often comes down to the nature of the attack and its impact, as well as the statutory definition of the breach involved. If the attacker exfiltrated and encrypted protected data, it’s pretty straightforward. It must be reported. If the attacker merely prevented the breached entity from accessing the data, then you’re back to “it depends,” because the security system was surely breached, but maybe the data wasn’t. The basic problem with ransomware is that the hacker has some level of access to the target’s computers and networks, but may or may have access to the data they contain. “This is why it is critical to understand how the ransomware entered the system, what it did, and often, what it did not do,” Rasch writes.