New Report Sees Cyberattacks Increasing as Ransomware Demands Soar
The number of cyberattacks on corporate America continue to increase, with many beginning with a “phishing” email, according to the Data Security Incident Response Report from Baker & Hostetler, which details the more than 750 incidents the law firm worked on in 2018 compared to 200 in 2014.
April 04, 2019 at 05:14 PM
4 minute read
The original version of this story was published on Corporate Counsel
The number of cyberattacks on corporate America continues to increase at a steady rate, with many of them beginning with a “phishing” email that tricks employees into sending network access information, such as a password, to the attacker, according to a new report.
The study, the fifth annual Data Security Incident Response Report from Baker & Hostetler, discusses insights gained from the more than 750 incidents the law firm worked on in 2018. The report shows that the number of incidents investigated grew steadily each year from 200 in 2014 to 750 last year.
Law firm partner Craig Hoffman, of the privacy and data protection team, said the number of incidents detected and reported are expected to continue to increase in 2019. “There are more notification laws, so more entities are required to provide notice than in the past,” Hoffman said. “There are also better tools for detecting incidents, so incidents that were never detected before are now being identified.”
One trend that stood out is the increase in the amount of ransom being demanded when an attacker seizes a company's computers. In 2018, 12 percent of the Baker & Hostetler cases involved ransom demands, the report said, and the average payment was about $29,000.
But in the first three months of 2019, Hoffman said, “there have been several ransomware threat actors demanding higher ransoms,” including three separate instances of payments of $1 million.
There is always a risk of the attacker taking the money but keeping the computers locked up. The report said that 91 percent of the time when a ransom was paid, a decryption key was received.
Companies and their general counsel do not make ransom decisions lightly. Hoffman said, “There are a host of reasons that get thrown around when companies go through the pay—don't pay debate. Often the decision comes down to are there backup options that get operations restored in a time frame that is acceptable, or not.”
If not, he said, then the client often decides to pay. The other option would be suffer the impact of downtime while rebuilding the infected system, according to the report.
“Entities continue to overestimate the ability to restore and the time to restore,” the report said. “Consider your entity's approach to paying a ransom before a ransom scenario occurs, including under which scenarios you would pay and how you would pay.”
Of the 750 total cases, the report said 37 percent were caused by a phishing attack. Another 30 percent involved a network intrusion, while 10 percent occurred after a company device or records were lost or stolen.
“Raising employee awareness and employing multifactor authentication are still two of the best defenses against these attacks,” said Theodore “Ted” Kobus, chair of the law firm's privacy and data protection team, in the report.
“Cyberattacks continue,” Kobus noted, “whether motivated by monetary gain, to disrupt business operations, or to obtain information for a nation-state.”
Besides the damage to a company's data and to its reputation, a cyberattack can be extremely costly to investigate and shut down. Those costs can be followed by regulator penalties, lawsuits and charges for such things as offering free credit monitoring to consumers.
The report said the average cost of all its forensic investigations in 2018 was $63,000, while the average cost of the 20 largest network intrusions was almost $350,600.
It said in 397 cases where customers were notified of a data breach, four lawsuits were filed. State attorneys general opened inquiries in 34 percent of the cases.
Court decisions “continued to trend toward finding standing in data breach class actions, even in the absence of actual financial loss suffered by the named plaintiffs,” the report stated. The Supreme Court declined earlier this year to review a case that granted standing in a data breach case. “Thus, the trend toward finding standing will likely continue,” the report predicted.
International laws, such as the European Union's General Data Protection Regulation, have made incident response more complex because of detailed regulatory reporting requirements, the report said. More than 25 percent of the incidents Baker & Hostetler worked on involved international laws.
The report includes an interactive map showing U.S. breach notification laws by state. It also has the European Union data breach notification resource map.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllHighest-Earning Partners May Be Looking to Cash In on Early Retirement
5 minute readGrayRobinson Opens Office in Pensacola, Marking First New Office Since 2019
3 minute readFrost Enters Arizona Market With Acquisition of Litigation Boutique
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250