Chairwoman Edith Ramirez made clear at the agency’s Fall Technology Series event that businesses should expect Federal Trade Commission enforcement actions for their failure to protect personal data from ransomware attacks.
At the first of the agency’s workshops to examine new and evolving technologies that raise critical consumer protection issues, academics, business and industry representatives, government experts, and consumer advocates gathered to discuss ransomware.
To begin the conversation, Chairwoman Ramirez set the stage for attendees by explaining that ransomware is the most profitable type of malware scam in history and that no one is immune from danger as scammers target individual consumers, government agencies, and entities of all types and sizes. “This type of malware infiltrates a computer system and uses tools like encryption to hold valuable data ‘hostage’ in exchange for a ransom,” she explained. “By charging victims for the return of their data,” she added, “criminals have created a new market for personal information.”
Ransomware attacks are on the rise, Ramirez added, averaging 4,000 attacks a day, with the typical payment requested ranging from $500 to $1,000, but occasionally up to $30,000. As the number of attacks has increased, so has the harm, she said.
To fight back, the FTC is working to raise awareness of the problem by hosting the workshop, issuing warnings to businesses about specific threats, and stressing the importance of good cyber hygiene and network security.
“We have brought approximately 60 enforcement actions against companies that have failed to reasonably secure consumer data on their networks,” Ramirez said. “Through our enforcement, we aim to ensure that companies make truthful representations about their privacy and security practices and that they provide reasonable security for consumer information.”
Examples include a case against device manufacturer ASUS, where the FTC alleged that “pervasive security bugs” left the company’s routers vulnerable to malware and that attackers exploited these vulnerabilities to reconfigure consumers’ security settings and take control of consumers’ web activity, and the agency’s action against Wyndham Worldwide over the company’s allegedly lax security practices.
Ramirez added that businesses should expect more enforcement actions.
“A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act,” she said. “As these cases illustrate, businesses play a critical role in ensuring that they adequately protect consumers’ information, particularly as security threats like ransomware escalate.”
Why it matters: Ransomware was the topic for the first of the FTC’s three-part series of seminars, with events scheduled for drones and smart TV later this fall. During the ransomware workshop, Federal Bureau of Investigation representative Will Bales was asked whether companies should pay the requested ransom. “The FBI’s position is we do not condone payment,” he told attendees. “Success breeds success.”