The best way for a company to handle a data breach is to be prepared. As we discuss in our data breach readiness handbook, preparation includes, among other things, drafting an incident response plan, reviewing cyber-insurance, reviewing contractual obligations with business partners, having relationships to help investigate security incidents, and training your incident response teams.
Preparation also requires anticipating decision-points that are likely to arise in a breach. Our clients often ask to look back at the approximately 600 data security incidents and breaches that we have handled over the years and identify the decision-points that are most difficult.
Many of the areas where we have seen companies struggle involve management-level strategic decisions that must be made when a security incident is identified. This eight-part series explores these difficult decision points. For each there are no “right” or “wrong” answers. Like all strategic decisions management must examine the specific facts facing their company and their organization’s culture, their industry, and business realities.
While there may be no right or wrong answer, in our experience executives that have anticipated these decision points before a breach are better able to make decisions that align with the organization’s overall strategic goals and are able to do so with greater speed and confidence.
Part 7: Cyber-Extortion.
Situation. The cyber-extortion most often discussed in the press is ransomware (i.e., malware that threatens to encrypt files or destroy systems unless a payment is made), other forms of cyber-extortion often raise more strategic issues for management. Take, for example, the situation where an individual contacts a company and claims to have information concerning data (e.g., IP, credit card numbers, SSNs, etc.) that has been stolen from the company and offers to provide that information in return for a large payment (e.g., $100k).
Strategic considerations: Management typically considers the following factors when determining how to respond to cyber-extortion demands:
- Is it extortion or consulting? The line between “extortion” and “consulting” can be blurry and individuals that make demands upon companies often intentionally straddle the line. As a result, most requests for payment do not have an explicit threat (e., extortion). The company functionally has a choice – it can interpret the request as being accompanied by an implicit threat, or it can interpret the request as being without threat. If the company elects the former route it may decide to reach out to law enforcement. If the company elects the latter route it can try to channel the individual towards appropriate behavior that may lead to an exchange of information for money. The “right” interpretation typically depends on the specific facts involved and a policy determination by the company concerning how it wants to respond to these types of demands.
- Where is the money going? Payments are often made in untraceable currencies (g., bitcoin) and to unknown individuals. If it turns out that payment has been made to an individual that resides in a restricted country the company may inadvertently find itself in violation of OFAC prohibitions. This may lead to additional regulatory or reputational risk.
- How to establish trust? If a demand is made for payment in exchange for information (or a forebearance of harm), it is extremely difficult to know whether payment will in fact lead to the promised behavior. Although there are some steps that the legal department can take to try to facilitate trust (e.g., non-disclosure agreements, due diligence on the individual that reached out to the company, etc.) at the end of the day a decision to make a payment to a white hat, grey hat, or black hat hacker necessitates management’s acceptance of a fair amount of uncertainty and risk.