Lack of Ransomware Protections Could Violate FTC Act

The Department of Health and Human Services’ Office for Civil Rights has recently issued guidance for HIPAA covered entities on ransomware to help covered entities deal with the increased threat of ransomware attacks.

Now the Federal Trade Commission (FTC) has warned businesses that they must do more to deal with the ransomware threat. The failure to implement appropriate defenses against ransomware could constitute a violation of the FTC Act.

At a recent FTC forum that explored the current ransomware problem and the strategies that can be adopted to mitigate the threat, FTC Chair Edith Ramirez issued a stern warning to businesses, explaining more must be done to prevent ransomware attacks.

Ramirez explained that ransomware is now one of the “most troubling cyber threats.” The Department of Justice has reported that there has been a 300% increase in ransomware attacks in the past year, and an average of 4,000 ransomware attacks are now occurring every day. Ramirez also pointed out that an estimated 93% of all phishing emails are now being used to deliver ransomware, and that those campaigns are becoming increasingly sophisticated.

Ransomware has been around for many years, although in the past year the number of ransomware attacks on organizations has soared. Whereas cybercriminals once used malware to attack organizations and steal data, they have discovered that ransomware is far more profitable. This year has seen even greater numbers of ransomware variants released and many successful attacks on healthcare organizations, such as the February attack on Hollywood Presbyterian Medical Center – which resulted in a ransom of $17,000 being paid.

It is easy to single out HPMC, but as Intel Security’s researchers discovered from tracking Bitcoin ransomware payments, $100,000 in ransom payments have been made by healthcare organizations this year.

Ramirez explained that the threat will not be going away as long as it remains profitable for cybercriminals to use ransomware. That means businesses must do more to counter the threat and improve their cybersecurity defenses.

The FTC is currently attempting to gather information on the ransomware threat and is increasing its efforts to ensure that consumers are protected. Part of those efforts involves raising awareness of the problem among businesses.

The FTC requires companies to implement reasonable security measures against malware to ensure consumer information is protected. Since ransomware is part of the natural evolution of malware, organizations must similarly implement defenses to protect their systems from ransomware attacks.

Ramirez explained that “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might very well violate the FTC Act.” If companies are found to have violated the FTC Act by failing to implement appropriate defenses, the FTC can issue stiff financial penalties.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.