Dear privacy pros,

I hoped to move away from the topic of ransomware this week, having covered headlines in this area in my last two introductions.

However, it would be remiss of me if we did not mention the massive Kaseya hack, the most recent in a string of high-profile ransomware attacks the last couple months. The hackers allegedly used the ransomware-as-a-service platform REvil to compromise a software tool provided by the IT firm to its managed service provider clients. It is estimated between 800 to 1,500 mostly small businesses worldwide have been affected by the hack. The hackers have demanded $70 million in exchange for providing Kaseya with a universal decryption tool.

According to the newly launched Ransomwhere ransomware payment tracker site, REvil is emerging as the most lucrative operation in this space, with $11.3 million in payments received this year. It will certainly cement its position on the leaderboard if it collects even part of the $70 million demanded for the Kaseya exploit. On the other hand, the cost for businesses continues to mount, even if a company has not been the victim of an attack or chosen not to pay the ransom. For example, reinsurance broker Willis Re reported cyber reinsurance rates have skyrocketed by about 40% in the July renewal season, prompted no doubt by the relentless increase in the number of recent attacks.

All this has led Interpol to call for increased collaboration between law enforcement agencies and industry to stave off a "potential ransomware pandemic." In the face of the exponential growth of ransomware attacks, Interpol Secretary General Jürgen Stock has clearly stated a new strategy is needed as "the magnitude of this challenge urgently demands united global action."

It is critical for companies to proactively review their cybersecurity postures and assess their readiness to defend and recover from a potential ransomware attack. In this regard, the Ransomware Readiness Assessment tool released by the Cybersecurity and Infrastructure Security Agency may prove helpful as it offers a step-by-step guide to help network administrators evaluate their cybersecurity practices and identify potential vulnerabilities.

Education is also key; readers may want to refer to the latest issue of The Privacy Advisor. IAPP Staff Writer Joe Duball interviewed Miller Partner Guillermo Christensen and Morrison & Foerster Partner and Co-Chair of the Global Risk & Crisis Management Group Alex Iftimie. The article breaks down the issues surrounding ransomware in detail and highlights how companies can better equip themselves to face attacks.

Moving on from ransomware, I wanted to provide a quick footnote on the recent crackdown by the Cyberspace Administration of China on Big Tech platforms that collect a huge amount of user data. Much ink has already been spilled on the latest action against Didi Global, which had its popular ride-sharing app pulled from app stores for violating Chinese data protection rules. So I will just add that it seems particularly pertinent that "national security" was invoked as a ground for the probe. The timing of the ruling, coming just four days after Didi started trading on the New York Stock Exchange after a $4.4 billion initial public offering, raises some interesting questions, particularly since the Chinese authorities have signaled it would be mandatory for any company that processes the data of more than 1 million users to undergo a security review before listing overseas.

I have touched the interface between data privacy and antitrust a couple of times, so I will just point you to the upcoming IAPP web conference on The New Frontier: Privacy, Big Data and Antitrust, where you can learn more about this emerging battleground.
With that, I wish you happy reading!