Earlier this year, Carrie Palmer got a panicked phone call from a client. The trucking company had gotten hit by a ransomware attack minutes earlier, and it wanted the South Carolina-based lawyer’s guidance on what its next steps should be.
By Palmer’s account, it was a pretty typical attack. The hackers took the IT systems offline by encrypting data and left a note to begin the process of attempting to extort the carrier. The good news: The company had been well prepared with a plan of action, had backups of its data and had its systems running again within minutes. The bad news: The hackers were part of a ransomware gang that also steals data, threatening to post or sell it if they don’t get paid.
“I’ve been down this road before,” recalled Palmer, a lawyer with Nexsen Pruet whose specialties include responding to cyberattacks and data breaches.
Lawyers like Palmer often are one of the first calls ransomware victims or their insurers make after an attack. They play central roles — sometimes becoming the focal point — of a response to an attack, including the investigation, recovery process, any disclosure of data breaches and even negotiations with the hackers.
The attacks and companies’ responses to them inevitably present a legal minefield and can lead to costly litigation. Freight brokerage Total Quality Logistics is facing lawsuit over a data breach.
Palmer agreed to discuss her response to the attack on the trucking company on the condition that neither its name nor any identifiable details be disclosed.
‘A we-don’t-negotiate-with-terrorists kind of thing’
Despite the panicked phone call, the trucking company was in a better position than victims such as Colonial Pipeline, which faced days of operational downtime. But from the onset, it had one key question: whether to engage with the hackers to discuss a ransom payment. The company didn’t have cyber insurance, which meant it would have to cover the cost — potentially in the hundreds of thousands or even millions of dollars.
Palmer had brought in a cybersecurity response firm, and together with the company, they discussed the pros and cons of pursuing negotiations. Ultimately, they decided not to open that door.
“The decision was made to not engage in a … ‘we-don’t-negotiate-with-terrorists’ kind of thing,” Palmer said.
“Without question,” the company’s ability to get back up and running soon after the attack made it easier to simply ignore the attackers altogether, Palmer said.
“When you think about Colonial Pipeline, that was a completely different issue and affected a whole lot more people in a whole different way,” Palmer said. “And so you get into a situation like that — and I’m sure there was a conversation that probably included the same types of people — and it just went a different way.”
In Colonial’s case, the attack by affiliates of the DarkSide ransomware gang had managed to disrupt the flow of gas, diesel and aviation fuel in a large swath of the United States. The company ultimately paid nearly $5 million worth of bitcoin in ransom, a portion of which was later seized by the U.S. Department of Justice.
Weighing the risks of data exposure
For the trucking company represented by Palmer, the calculus ultimately boiled down to the risk of having data posted to a leak site or sold. It was complicated by not knowing the extent of the data theft. Forensic examinations to figure that out can take weeks or longer.
“There has to be basically a risk-weighing discussion,” Palmer said. “If these fraudsters have covered their tracks really well, the problem is that you may be working with a dataset that you’re not fully aware of. But you’ve got to make those decisions as quickly as you can given what information you have at the time.”
The FBI publicly advises against making ransomware payments. Apart from enriching the criminals and encouraging other attacks, the payments offer no guarantee that stolen data will never be posted or sold. Nonetheless, many companies pay to avert public data leaks, avoiding the potential public embarrassment from exposure of sensitive commercial data, as well as that of employees and customers.
Disclosure of breaches complicated by patch work of state, international laws
Palmer, who has worked extensively with trucking and logistics companies, said the proliferation of publicly available information about things like freight rates and routes has moved the goal posts regarding what constitutes trade secrets.
More complicated, and ultimately sensitive, is assessing the impacts of employees, contractors, partners and customers. Disclosure requirements vary depending on the state. There are then international laws to contend with potentially.
“That’s where working with counsel becomes critical because Arizona’s laws are different from California’s laws, which are different from Kansas’ laws, which are different from New Jersey’s laws,” Palmer said. “So what [constitutes] a breach, what has to be notified and how those things have to be handled, that needs to be assessed from the perspective of what law applies.”
The company’s data ultimately was leaked to the dark web. She declined to discuss whether the trucking company had disclosed the attack or any data breaches to any customers or partners, citing attorney-client privilege. But she said she is a believer in companies having a full picture of any data breach, and complying with all disclosure laws.
The company also eventually reported the attack to law enforcement, something that didn’t happen initially. Palmer said law enforcement was brought in once the investigation concluded there had been a significant breach.
The investigation led by Palmer ultimately traced the attack to a phishing email that had been opened by an employee. The company has since bolstered its employee training and has also tightened up other internal security measures.
“It’s important, within transportation, because the volume of outside email they get is incredible,” she said.