FATF restricts Russia’s membership privileges, takes action against corruption and virtual asset misuse
On June 17, the U.S. Treasury Department announced that the Financial Action Task Force (FATF) concluded another plenary meeting, in which it, among other things, took steps to restrict Russia’s FATF membership privileges. During the meeting, FATF again criticized Russia’s war against Ukraine and issued a statement, stressing that “Russian actions run counter to the FATF core principles aiming to promote security, safety, and the integrity of the global financial system. They also represent a gross violation of the commitment to international cooperation and mutual respect upon which FATF Members have agreed to implement and support the FATF standards.” Treasury Secretary Janet Yellen also stated that she “welcome[s] the serious steps the FATF took to restrict Russia’s presence in its community.” FATF members agreed that Russia can no longer hold any leadership or advisory roles, nor take part in decision making on any standard-setting, peer-review processes, governance, or membership matters. Russia is also prohibited from providing assessors, reviewers, or other experts for FATF peer-review processes. FATF stated it “will monitor the situation and consider at each of its Plenary meetings whether grounds exist for modifying these restrictions.”
FATF also produced policy recommendations for combatting corruption and countering corrupt actors or illicit funds. FATF stated it will continue to fight the abuse of shell companies, trusts, or other legal arrangements employed by bad actors, and intends to seek input on guidance to implement recommendations related to the collection and verification of beneficial ownership information for companies or other legal entities. FATF members will release a white paper for public consultation on important issues concerning “the misuse of trusts and other legal arrangements to facilitate illicit finance,” and will publish guidance on ways governments and firms can mitigate money laundering risks within the real estate sector.
Additionally, FATF adopted a report on virtual assets during the meeting, calling “for accelerated compliance by the public and private sectors with the FATF standards, particularly the ‘travel rule,’ for virtual assets and virtual asset service providers.” The travel rule requires virtual asset service providers to collect or send information on the identities of the originator and beneficiary of virtual asset transfers. However, FATF noted that, despite some progress, not all countries have introduced the travel rule, creating significant vulnerabilities for criminal misuse and underscoring the need for universal implementation and enforcement of the travel rule. FATF also approved a new project related to ransomware finance and related money laundering, with an objective of raising global awareness and understanding of how payments for ransomware are made and how these proceeds are often laundered.
On June 16, the DOJ announced that representatives from the U.S. and EU met at a recent workshop in The Hague to share best practices and to plan enhanced collaboration efforts to confront ransomware attacks. According to the DOJ, attorneys from the DOJ’s Computer Crime and Intellectual Property Section, along with representatives from the FBI, the U.S. Secret Service, the U.S. Homeland Security Investigations, European Judicial Cybercrime Network, Eurojust’s Cybercrime Team, and Europol’s European Cybercrime Centre shared “experiences, best practices, and lessons learned in directing an investigation to a successful outcome including collaborating with the tech and private sector.” Participants also discussed “relevant changes in the law, including issues related to electronic evidence, charging options, and cross-border considerations.”
U.S. and Israel form partnership to combat ransomware; U.S. enters cybersecurity initiative with France
On November 14, the U.S. Treasury Department announced the establishment of a bilateral partnership with the Israeli Ministry of Finance as part of the Biden Administration’s efforts to crack down on ransomware. The partnership is part of the U.S.-Israeli Task Force on Fintech Innovation and Cybersecurity, which was launched the same day. During the launch of the partnership, Treasury Department Deputy Secretary Wally Adeyemo and Israeli counterparts affirmed their commitment to encouraging robust fintech innovation and reinforced the importance of working together to combat cyber threats posed by nation-state and criminal actors to the global economy. The Task Force will take several measures, including immediately developing a Memorandum of Understanding that will support “(1) permissible information sharing related to the financial sector, including cybersecurity regulations and guidance, cybersecurity incidents, and cybersecurity threat intelligence; (2) staff training and study visits to promote cooperation in the area of cybersecurity and the financial system; and, (3) competency-building activities such as the conduct of cross-border cybersecurity exercises linked to global financial institutions financial and investment flows.” The Task Force also plans to launch a series of expert technical exchanges to support fintech innovation and examine ways cyber-analytics firms and fintech/regtech innovations are developing new measures to combat illicit finance risk and enhance public sector analytical and enforcement activities. According to Adeyemo, international cooperation is vital for addressing virtual currency abuses and disrupting the ransomware business model.
Separately, on November 10, Vice President Kamala Harris announced, among other initiatives, an international cybersecurity initiative with France to combat cyber threats. Harris stated that the U.S. will support the Paris Call for Trust and Security in Cyberspace, which the White House described as “a voluntary commitment to work with the international community to advance cybersecurity and preserve the open, interoperable, secure, and reliable internet.” According to the announcement, the U.S. “looks forward to continued partnership with France and other governments, private sector, and civil society around the world to advance and promote norms of responsible behavior in cyberspace.” Harris’ announcement builds on recent counter-ransomware actions taken to increase international cooperation to combat cybercrime. (Covered previously by InfoBytes here.)
Treasury and DOJ announce sanctions and charges in ransomware attacks, FinCEN updates ransomware guidance
On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13694 as amended against two ransomware operators and a virtual currency exchange network. According to OFAC, the virtual currency exchange, and its associated support network, are being designated for allegedly facilitating financial transactions for ransomware actors. OFAC is also designating two individuals allegedly associated with perpetuating ransomware incidents against the U.S., and who are part of a cybercriminal group that has engaged in ransomware activities and has received over $200 million in ransom payments. As a result of the sanctions, “all property and interests in property of the designated targets that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them” and “any entities 50 percent or more owned by one or more designated persons are also blocked.” According to OFAC, the sanctions are a part of a set of actions focused on disrupting criminal ransomware actors and virtual currency exchanges that launder the proceeds of ransomware, which “advance the Biden Administration’s counter-ransomware efforts to disrupt ransomware infrastructure and actors and address abuse of the virtual currency ecosystem to launder ransom payments.” Additionally, the DOJ announced charges against the sanctioned individuals under OFAC’s designations, seizing approximately $6.1 million in alleged ransomware payments.
The same day, FinCEN issued an advisory, which updated and replaced its October 1, 2020 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (covered by InfoBytes here). The updated advisory is in response to the recent increase in ransomware attacks against critical U.S. infrastructure. The updated advisory also reflects information released by FinCEN in its Financial Trend Analysis Report, which discusses ransomware trends and includes information on current trends and typologies of ransomware and associated payments as well as recent examples of ransomware incidents. Additionally, the updated advisory describes financial red flag indicators of ransomware-related illicit activity to assist financial institutions in identifying and reporting suspicious transactions related to ransomware payments, consistent with obligations under the Bank Secrecy Act.
On October 19, the U.S. District Court for the District of South Carolina granted in part and denied in part a defendant software company’s motion to dismiss a putative class action, which alleged the company had a “deficient security program” in place that led to a ransomware attack. The plaintiffs alleged that the defendant failed to comply with industry and regulatory standards by neglecting to implement proper security measures. According to the plaintiffs, after the ransomware attack, the defendant “launched a narrow internal investigation into the attack that analyzed a limited number of [the defendant's] systems and did not address the full scope of the attack.” The plaintiffs contended that the defendant also failed to provide timely and adequate notice of the attack and the extent of the resulting data breach.
The court ordered various phases of motions practice, and addressed certain common law claims against the defendant for negligence, negligence per se, gross negligence, and unjust enrichment. With respect to the negligence and gross negligence claims, the court denied the defendant’s motion to dismiss, finding that plaintiffs alleged sufficient facts to show that the defendant owed them a duty to protect the information. The court, however, granted defendant’s motion to dismiss the plaintiffs’ negligence per se claims premised on defendant’s alleged violations of the FTC Act, HIPAA, and COPPA, finding that the plaintiffs failed to state such a claim as applied under South Carolina law. Finally, the court granted the defendant’s motion to dismiss the plaintiffs’ unjust enrichment claim because plaintiffs failed to allege facts to show that they conferred a benefit on defendant to support a claim for unjust enrichment.
Recently, the National Institute of Standards and Technology (NIST) issued a draft version of its Cybersecurity Framework Profile for Ransomware Risk Management, which proposes recommended steps for organizations to follow to prevent and mitigate ransomware events. The profile identifies Cybersecurity Framework Version 1.1 security objectives and can be used as a risk-management guide to help gauge an organization’s readiness level. Steps include “identifying and protecting critical data, systems, and devices; detecting ransomware events as early as possible (preferably before the ransomware is deployed); and preparing for responses to and recovery from any ransomware events that do occur.” The profile also outlines basic preventative measures organizations should take, including: (i) using antivirus software at all times to automatically scan emails and flash drives; (ii) ensuring computers are fully patched and running scheduled checks to identify and install new patches; (iii) segmenting internal networks as a precaution against malware; (iv) continuously monitoring directory services (and other primary user stores) to identify indicators of compromise or active attack; (v) blocking access to potentially malicious web resources and allowing only authorized applications; (vi) using standard user accounts; (vii) restricting personally owned devices and the use of personal applications on work computers; (viii) educating employees about social engineering; and (ix) assigning and managing credential authorization and running periodic reviews to ensure each account has the appropriate access only. Among other things, NIST further outlines five cybersecurity framework functions (identify, protect, detect, respond and recover), and advises organizations to develop an incident recovery plan; develop, implement, and test data backups and restoration strategies; and maintain updated contacts for ransomware attacks.
According to NIST, taking these proactive measures will help organizations recover from future ransomware events.
On October 15, the U.S. Treasury Department announced additional steps to help the virtual currency industry combat ransomware and prevent exploitation by illicit actors. The guidance builds upon recent “whole-of-government” actions focused on confronting “criminal networks and virtual currency exchanges responsible for laundering ransoms, encouraging improved cyber security across the private sector, and increasing incident and ransomware payment reporting to U.S. government agencies, including both Treasury and law enforcement.” (Covered by InfoBytes here.) The newest industry-specific guidance—part of the Biden administration’s efforts to counter ransomware threats—outlines sanctions compliance best practices tailored to the unique risks associated with this space. According to Treasury, there is a “need for a collaborative approach to counter ransomware attacks, including public-private partnerships and close relationships with international partners.”
The same day, the Financial Crimes Enforcement Network (FinCEN) released new data analyzing ransomware trends in Bank Secrecy Act reporting filed between January 2021 and June 2021. The report follows FinCEN’s government-wide priorities for anti-money laundering and countering the financing of terrorism released in July (covered by InfoBytes here). Issued pursuant to the Anti-Money Laundering Act of 2020, the report flags “ransomware as a particularly acute cybercrime concern,” and states that in the first half of 2021, FinCEN identified $590 million in ransomware-related suspicious activity reports (SARs)—an amount exceeding the entirety of the value reported in 2020 ($416 million). If this trend continues, FinCEN warns that ransomware-related SARs submitted in 2021 will have a higher transaction value than similar SARs filed in the previous 10 years combined. FinCEN attributes this uptick in activity to several factors, including an increasing overall prevalence of ransomware-related incidents, improved detection and incident reporting, and an increased awareness of reporting obligations and willingness to report by financial institutions.
In conjunction with the “growing prevalence of virtual currency as a payment method,” Treasury’s Office of Foreign Assets Control (OFAC) issued sanctions compliance guidance for companies in the virtual currency industry, including technology companies, exchangers, administrators, miners, wallet providers, and financial institutions. OFAC warned that “sanctions compliance obligations apply equally to transactions involving virtual currencies and those involving traditional fiat currencies,” and that participants “are responsible for ensuring that they do not engage, directly or indirectly, in transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade- or investment-related transactions.” Among other things, the guidance will assist participants on ways to evaluate risks and build a risk-based sanctions compliance program. OFAC also updated related FAQs 559 and 646.
On September 21, the U.S. Treasury Department announced recent actions that are focused on confronting “criminal networks and virtual currency exchanges responsible for laundering ransoms, encouraging improved cyber security across the private sector, and increasing incident and ransomware payment reporting to U.S. government agencies, including both Treasury and law enforcement.” As part of its continuing actions to counter the increasing threat of ransomware, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against a virtual currency exchange, pursuant to Executive Order 13694, as amended, for its alleged role in providing material support to the threat posed by criminal ransomware actors. As a result of the sanctions, all transactions by U.S. persons or in the U.S. that involve any property or interests in property of designated or otherwise blocked persons are generally prohibited. Additionally, OFAC issued an updated advisory, which highlights “the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities and the proactive steps companies can take to mitigate such risks, including actions that OFAC would consider to be ‘mitigating factors’ in any related enforcement action.” Treasury also noted that FinCEN has engaged with industry, law enforcement, and others regarding the ransomware threat through the FinCEN Exchange public-private partnership (covered by InfoBytes here).
On August 10, the Financial Crimes Enforcement Network (FinCEN) held a virtual “FinCEN Exchange” with representatives from financial institutions, other key industry stakeholders, and federal government agencies to discuss continuing concerns regarding ransomware. As previously covered by InfoBytes, in July, FinCEN announced the event, which builds upon FinCEN’s November 2020 event regarding ransomware. Topics discussed at the FinCEN Exchange included “cybercrime, trends and typologies, detection and reporting, and the recovery of funds after ransomware attacks.” FinCEN’s recent efforts against ransomware attacks include: (i) issuing an advisory in October 2020 to aid U.S. individuals and businesses in combating ransomware scams and attacks (covered by InfoBytes here); and (ii) highlighting ransomware in June as a particularly acute cybercrime concern in its issuance of the first government-wide priorities for anti-money laundering and countering the financing of terrorism policy. According to FinCEN, the agency will host a “ransomware technical workshop to discuss ways to establish an enhanced and more effective way to communicate, monitor, and receive information related to the use of cryptocurrency connected to a ransomware incident.”
On July 15, the Financial Crimes Enforcement Network (FinCEN) announced it will host a “FinCEN Exchange” in August with representatives from financial institutions, other key industry stakeholders, and federal government agencies to discuss continuing concerns regarding ransomware. According to FinCEN, the exchange builds upon FinCEN’s November 2020 event regarding ransomware and “will assist its government and private sector partners to inform next steps to address ransomware and focus resources to mitigate the threat.” FinCEN also notes that ransomware attacks are a growing concern and efforts to detect and report ransomware payments are “vital to prevent and deter ransomware attacks.” Recent efforts by FinCEN to do just that include issuing two advisories in October 2020 to aid U.S. individuals and businesses in combating ransomware scams and attacks (covered by InfoBytes here) and issuing the first government-wide priorities for anti-money laundering and countering the financing of terrorism policy pursuant to the Anti-Money Laundering Act of 2020 in June (covered by InfoBytes here).