The point is if you do business in the US, and you have Personally Identifiable Information which meets any of the disclosure standards, this posting may apply to you. I think there may be quite a lot of notification triggering breaches which are NOT resulting in notification based on the relative prevalence of ransomware plaguing the Internet.
The original standard for defining when a notification trigger happens (and the one most states copied to some degree) is the California law, which says:
California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person.Pretty simple language, considering how many lawyers were likely involved. If we break this down a bit, we can address the applicability of these criteria one element at a time.
- Unauthorized person: Can we all agree that cyber criminals, operating by encrypting your data and the ransoming it back to you for bitcoins are unauthorized persons? OK, that was easy.
- Unencrypted Personal Information: Well, it may be encrypted now, but since the criminals are the only ones with the keys - I don't think that meets the criteria for exception.
- Acquired, or reasonably believed to have been acquired by #1 above: This is the meat of my argument here, so more in a bit. The short version is, software cannot encrypt data without reading it.
Since in order to encrypt data, you have to first read it - we have to admit that any PII that's been encrypted by ransomware has been read (and then re-written, but we will get back to that) by software under the control of unauthorized persons. If we assume that the ransomware is also operating at the behest or in coordination with a command and control server (at the very least, sharing the encryption key used with the criminals) -- it's not hard to make the case that PII which has been read and then written by software under the control of a cyber criminal meets the criteria which should trigger mandatory breach notification laws.
A lawyer, or other argumentative persons, might take exception with the term "acquired" as used in the California law. After all, ransomware just encrypts data and leaves it on your disk, right? How could that be considered "acquisition?" If the software could be shown to only read data, but never write - I think you could make this argument. In fact, the ransomware software reads the PII, then encrypts it, and writes it TO A PLACE OF ITS CHOOSING. Generally, that means your disk, but at that point the malware is in complete control of that protected PII, and can write it to local disk, send it up to the command and control server, or just send it out in an email if that's what the malware author chose to do. Since the activities are by nature clandestine, and the command and control activities use encrypted connections (everyone allows TLS/SSL outbound, right?), it's impossible to prove that the PII is not in the hands of the criminals.
So, what should our "reasonable belief" be, considering the circumstances? Do YOU have the resources to capture a sample of the malware, behaviorally deconstruct it and then know if it only encrypted it? Would it really surprise anyone reading this if some malware writer tossed in a regex looking for SSNs or other account-like data and shipped those all back to the main (evil) office?
Is it more reasonable to believe that the criminals will NOT ship juicy bits back to their office for further exploitation, or that they will be nice and just encrypt it and hold it for ransom?
**Addendum: Found this HHS paper a few months after this post, which essentially makes the exact same argument (see section 6)
