As every organization affected by ransomware eventually understands, the disruption caused by an attack is only the beginning of its problems.
Next come the bills. The first is the ransom demand, although at least that one is optional. Beyond it lie unavoidable costs: lost business, an expensive forensics firm to help with cleanup, and the expense of breach notification.
Cyber insurance will cover some of this but by no means all. So, having received the insurance check, can organizations rest easily?
In a growing number of cases, unfortunately not. Indeed, the traditional costs mentioned above are starting to look as if they barely scratch the surface of a much bigger financial worry now stalking the boardroom—lawsuits.
This was always going to happen. When ransomware was all about encrypting files as a form of denial-of-business attack, cleanup was seen largely as an internal issue. Around four years ago, ransomware started focusing much more on stealing data, at which point it became obvious that these were really data breaches by another name.
Inevitably, some of that data was personally identifiable information (PII), which has led more data subjects to the doors of the lawyers. Inevitable or not, the scale of what’s happening with ransomware lawsuits is hard to miss.
Take, for instance, the student suing Whitworth University in Washington State for a reported $5 million over a July 2022 ransomware attack that affected 65,500 other students.
Or the ransomware breach lawsuit settled by the San Francisco 49ers, where the settlement could reach as much as $5.65 million if every affected data subject files a claim.
In almost all of these cases, the complaint was the same—the breached organization didn’t do enough to stop the ransomware attackers from accessing PII.
Separately, law firm BakerHostetler analyzed data breach cases it handled in 2022, finding that of 494 notifiable incidents, 42 resulted in at least one lawsuit.
Not all of those will have been caused by ransomware, but it was undoubtedly a significant cause. Many of these lawsuits concerned smaller incidents, affecting the PII of 10,000 to 50,000 people, that might never receive wide publicity.
As yet there are no year-on-year case numbers to track (not every suit receives publicity), but there is broad agreement that the number of ransomware-related lawsuits is growing.
It’s as if the public has finally woken up to what’s been going on for the last decade. Arguably, ransomware attacks have always been data breach events, but it has taken the deliberate leaking of PII by attackers on dark web sites to remove any ambiguity about this.
But might lawsuits be a good thing in the long run?
One view is that the plaintiffs in these cases are right: Many organizations haven’t devoted enough resources to defending PII. If lawsuits are a pressure that helps correct that situation, then everyone will benefit in the long run. A more pessimistic view is that the new era of ransomware lawsuits could end up costing organizations a lot of money without costing them so much that deeper change occurs. If that’s true, only one group can look forward to the future with any enthusiasm—the lawyers.