Lessons from the WannaCry Ransomware Attack

The recent WannaCry cyber-attack has sent shockwaves through the global business community. Since its initial outbreak in May 2017, the largest ransomware attack in internet history has infected over 300,000 computers in more than 150 countries. According to some estimates, the attack has given rise to US$4 billion in losses. In late June 2017, a similar ransomware attack using “Petya” ransomware hit computers across the globe.

The WannaCry and Petya incidents highlight a growing danger posed to businesses by ransomware extortion. In a typical attack of this kind, hackers use malicious software to encrypt the victim’s data, blocking access to it and threatening to publish or delete it, unless a ransom is paid. This article discusses some of the legal and practical issues surrounding ransomware attacks, including the question of the legality of ransom payments and the key role lawyers can play in advising on preventative measures, mitigation of loss and cyber insurance.

Should a victim pay the ransom?

It is doubtful whether paying a ransom is likely to be productive in the majority of cases. Carrying out a ransomware attack is a highly illegal act, in contravention of several statutory criminal laws and punishable by lengthy prison terms. If caught, the offenders may be charged with offences under the Theft Ordinance (fraud, blackmail) and s. 60 of the Crimes Ordinance (destroying or damaging property), as well as more “cyber-crime”-specific offences under s. 161 of the Crimes Ordinance (access to a computer with criminal or dishonest intent) and s. 27A of the Telecommunications Ordinance (unauthorised access to computer by telecommunications). Individuals prepared to commit such serious criminal offences are unlikely to feel any ethical quandary if they fail to honour a bargain to release their victims’ data on receipt of a ransom. Even if the data is released, payment of the ransom is likely to encourage repeat attacks by indicating the victim is a “soft target”.

However, it is understandable that some victims may be tempted to risk making the ransom payment. Time pressures may mean that businesses have limited options. Some victims may choose to rely on their backup systems to restore the files, while others may opt to employ computer experts to attempt to decrypt the files. However, none of these methods is usually as effective as obtaining the decryption “key” directly from the hackers. This is particularly true when the victim has not made regular system backups or does not have extensive financial resources or technological support.

The Legality of Ransom Payments

Is a business making a ransom payment acting lawfully in doing so? This question not only concerns the victims, but also their insurers.

Currently, there is no specific legislation under Hong Kong or generally applicable international law which makes ransom payments illegal. Also, there is no duty on ransom payers to report the incidents to the police in Hong Kong (although the police encourage them to do so).

In Masefield AG v Amlin Corporate Member Ltd [2011] EWCA Civ 24, a case which involved the seizure of a vessel and its cargo and crew off the coast of Somalia by pirates, the common law position on whether the payment of a ransom is lawful was clarified by the Court of Appeal of England & Wales. An argument was raised that the ransom payment was unlawful since it was contrary to public policy to reward piracy.

However, the Court of Appeal rejected this argument, concluding:

there is no universal morality against the payment of ransom, the act not of the aggressor but of the victim of piratical threats, performed in order to save property and the liberty or life of hostages. There is no evidence before the court of such payments being illegal anywhere in the world. This is despite the realisation that the payment of ransom … encourages the incidence of piracy for the purposes of exacting more ransoms. (Perhaps it should be said that the pirates are not classified as terrorists. It may be that the position with regard to terrorists is different.)

The court’s observation that the public policy position with regard to terrorists could be different has, at present, limited relevance to ransomware attacks. In Hong Kong, under s. 7 of the United Nations (Anti-Terrorism Measures) Ordinance, a person must not provide or collect any property with the intention or knowledge that such property will be used to commit any terrorist acts. However, to date, there is no known connection between ransomware attacks in Hong Kong and terrorism, and even if there were, the victim may not be aware of it. It is therefore unlikely that a ransom payment made in response to a ransomware attack would fall within the scope of this offence.

It is worth noting that the UK’s Counter-Terrorism and Security Act 2015 introduced a new offence prohibiting insurers from making any reimbursement of ransom payments made by the insured to persons involved or suspected to be involved in terrorism. It remains to be seen whether Hong Kong will adopt a similar provision.

Litigation Exposure for Data Breaches and Data Loss

Businesses suffering from ransomware attacks may face potential claims arising from data breaches or loss of data.

Under the Personal Data (Privacy) Ordinance (“PDPO”), a “data user” shall comply with the data protection principles covering various aspects of “personal data”. Principle 4 requires data users to take all practical steps to protect personal data against unauthorised or accidental access, processing, erasure, loss or use.

Those steps may include the use of secure computer software. The WannaCry hackers took advantage of a security flaw in the Microsoft Windows operating system. Microsoft had issued security patches for the more recent versions of Windows in order to address this vulnerability, but not all users had installed the patch. Of further concern was the vulnerability of the 16-year-old Microsoft Windows XP, for which Microsoft had stopped releasing security patches in April 2014. Despite its age, Windows XP has continued to be used widely. If hackers gained access to or destroyed personal data stored on a business’ computer system as a result of its failure to update the operating system used on its computers or to download and install security patches when available, the business could be held to have failed to take adequate steps to prevent the incident, in contravention of Principle 4.

In addition, pursuant to s. 66 of the PDPO, any person suffering damages as a result of such contravention would be entitled to claim compensation from the “data user”. Victimised businesses must, therefore, be mindful of their potential exposure to civil claims from parties affected by damage to, disclosure of or loss of personal data, which may include their employees, clients and trading partners.

Can a victim sue the software supplier?

One potential avenue for recovering losses resulting from a ransomware attack is to bring proceedings against the software supplier for the security flaw. Such a claim may be brought on the basis that the software supplier should be held liable for breach of contract or in negligence for the vulnerability that existed in the software, which could be regarded as “defective”. However, such claims can be problematic. In particular, software suppliers may argue the customer failed to take reasonable steps to prevent the attack (eg, by failing to install available security updates or antivirus software).

The licensing agreements between the suppliers and their customers usually include a standard exclusion clause to the effect that the software company should not be liable for security breaches. Unless security is integral to the product’s purpose (eg, in the case of antivirus software), such clauses are likely to satisfy the reasonableness test under the Control of Exemption Clauses Ordinance.

Shifting Risks via Cyber Insurance

Recently, the Hong Kong Productivity Council reported a 23 percent rise in security incidents in Hong Kong in 2016 as compared to 2015. Among the 6,058 incidents, malware cases (including ransom attacks) powered the surge, with the number of reported incidents increasing by 247 percent. In this context, cyber insurance can play an important role in shifting the business risks associated with cyber security. Although policy terms vary significantly, policies generally provide coverage for costs connected with ransomware attacks, for example:

  • Ransom payment: usually a ransom is not paid up-front by the insurer; once the threat is over, the insurer will reimburse the policyholder for the ransom up to a certain amount.
  • Costs of data restoration: victims will commonly consult computer specialists for assistance with decryption of the files or restoration from backups.
  • Loss of revenue due to business interruption: typically there must be a direct causal relationship between the ransomware attack, business interruption and the loss of revenue.
  • Costs of forensic investigation: forensic investigations are usually required to determine the scope of the attack and the files which have been lost or encrypted.
  • Third Party Liability: defence costs and civil damages arising from third party liability claims (eg, customers and suppliers) arising out of a cyber incident may be covered, such as security and data breaches, defamation, breach of privacy and negligence claims.

It is relatively common for those taking out cyber insurance policies to lack adequate understanding of how those policies operate, and what is and is not covered by them; many will benefit significantly from legal advice and assistance with negotiation at the time of entry into the policy. Areas particularly ripe for disputes, and which may be affected by the policy wording, include causation, the date on which the loss is deemed to have been suffered, the timeliness and proportionality of the insured’s response, and the adequacy of the insured’s cyber security measures.

Guidance on Reducing Cyber Risks

Besides cyber insurance, businesses should be advised to adopt cyber security measures (indeed, failing to take adequate measures could prevent recovery under the insurance policy, and could in some circumstances also expose directors and officers to personal liability). In response to the alarming proliferation of the WannaCry ransomware, on 15 May 2017 the Securities and Futures Commission published a circular to alert all licensed corporations to the risk of ransomware attacks and suggested the following measures:

  • apply the latest security update to your computers and network devices;
  • install and properly set up a firewall or broadband router for connecting your devices to the internet;
  • perform offline backup (ie, backup on another storage device, disconnected after backup);
  • avoid opening links and attachments in any suspicious emails;
  • avoid connecting any computer or device to your office network before proper security verification; and
  • ensure that suitable antivirus / internet security software is installed and regularly updated.

Finally, the circular states that business entities are expected to evaluate the effectiveness of their cybersecurity controls critically and to seek advice from external experts if necessary.

The circular’s recommendations are relevant not just to licensed corporations but also to a wide range of other organisations, including those not subject to industry-specific regulatory oversight; their attention should be brought to the SFC guidance, and to the numerous circulars on cyber security in general issued by the SFC, HKMA and the Privacy Commissioner.

The security measures recommended in such circulars may, however, appear to many businesses to be prohibitively expensive to implement; lawyers can assist by advising on what measures are likely to satisfy the applicable regulators as adequate and proportionate for the organisation in question.

Conclusion

WannaCry and similar incidents have raised significant IT security issues across various industries in Hong Kong and across the world. The loss suffered and liability to third parties incurred in the event of such an attack can be devastating. Businesses should therefore be advised to keep a close eye on the latest technological developments and on the steps they should take to protect their IT systems from such an attack in compliance with any applicable regulations.

However, the reality is that no system is entirely invulnerable. Before becoming a victim of a ransomware or other cyber attack, businesses should therefore be advised on making the necessary preparations for the worst, ensuring not only that they have adequate insurance cover in place but also that they adopt comprehensive response plans to mitigate the potential losses resulting from ransomware attacks. Such response plans should include the coordination of urgent assistance from lawyers and technical experts well versed in the field.

RPC, Senior Associate in Commercial Disputes

Ben Yates is an experienced commercial litigation and arbitration solicitor in RPC’s Hong Kong office. His practice focuses on complex disputes involving cyber law, data protection and fintech, often with a cross-border element.

RPC, Trainee Solicitor

Rico Chan is a trainee solicitor in the Insurance and Commercial Disputes teams at RPC handling a wide range of contentious matters covering contractual and shareholder disputes, employment, professional negligence, insurance coverage, international arbitration, regulatory advisory, debt recovery, liquidation proceedings and China-related litigation. He has a particular interest in cyber law and data protection.