This past week, I’ve been acting as breach counsel. It’s a complicated matter in which my client used a service provider and that service provider experienced a ransomware attack.
Working with several parties to try to remediate the attack, coordinating between lawyers and IT forensic firms, and figuring out how to keep the business afloat all at once is an interesting juggling act.
It brings to mind the issue of whether or not our legal framework is adequate to deal with these types of threats. For sure, privacy laws and data breach laws are important, but what I think is missing is the ability for law enforcement to really mobilize when bad actors behave this way. As it is, we rely most heavily on private IT forensic firms to solve the problems, and there’s very little thought to actually catching — or, for that matter, punishing — the bad people behind the ordeal.
With respect to our privacy and data breach laws, what should the standards be to prevent such attacks? Currently, we say an organization must take reasonable measures to adequately protect personal information. Is that sufficient? On the one hand, if we specified with more accuracy what safeguards were required, we’d have a difficult time changing the law with each technological advancement — and we’d be giving the bad guys an idea of what we were doing. On the other hand, the reasonable standard leaves a lot to interpretation and provides very little certainty that you are doing enough. And there’s always the question of whether anything is enough. What are your thoughts? Should we be more prescriptive in all this or maintain the reasonableness standard?