Cybercrime has become more frequent in the veterinary practice industry in the past few years. The targets have ranged from small unlisted practices to large veterinary practices, often with sophisticated cyber defenses and policies. The problem has been exacerbated in the past two years due to the rise in remote working and an uptick in ransomware as a preferred method for most cybercriminals.
However, even with the growing concern about cybersecurity, one issue has been neglected, the legal impact of these cyberattacks. This is despite numerous bills being put forward to address the growing threat of cyberattacks. To address these issues, veterinary practices need to be aware of some of the legal issues they will be faced with during and after a cyberattack. Below are some of these issues.
Ransom Payment
In many countries, the paying of ransoms is not prohibited by law. However, if your veterinary practice is attacked by cybercriminals demanding ransom payment, it is important to know that there are laws that call for special considerations. In the US, for instance, veterinary practices that come under cybercriminal attacks are still required to adhere to Office of Foreign Assets Control (OFAC) laws and regulations. Among these rules is sending money to foreign nationals from sanctioned countries such as Iran, Cuba, Iran, North Korea, Sudan, Syria, e.t.c. Unfortunately, some of the ransomware attacks targeting veterinary practices originate from these countries, and paying a ransom to your attackers can lead to legal problems with the US government.
On October 1, 2020, OFAC issued an advisory to would be victims of cybercriminals warning them that paying or facilitating a ransom payment could be in violation of federal laws if the payment is to a sanctioned entity or individual, whether intentional or otherwise. According to the OFAC advisory, the punishment for veterinary practices caught in violation of the advisory can be criminal or civil, and may include imprisonment depending on many factors. The advisory also does not consider whether the payment was made with prior knowledge that the individuals getting paid were sanctioned. It also calls for the victims to self-report cyberattacks and ransom payments to law enforcement and includes a section where they indicate that when determining punishment, they will consider the victim’s self-initiated, timely, and complete report of ransomware attack to law enforcement. The law also calls for full and timely cooperation with law enforcement to avoid harsh punishment during the legal process.
Another legal factor to consider before paying ransom is the , Anti-Money Laundering (AML) laws that penalize involvement in money laundering activities. Penalties can include up to $500,000. Your veterinary practice can also become liable for civil penalties up to the transaction value and imprisonment. When paying ransom to cybercriminals, there is a high chance that you will be in violation of AML laws because most of these cybercriminals are also involved in other illegal businesses that involve money laundering.
Under the US Patriot Act, your veterinary practice, or practice owners are prohibited from knowingly providing material support to known terrorist organizations. Although in most cases, a ransom payment could be made without being partially aware of terrorism involvement, there is a high chance that the cyberattack itself is classified as a terrorist attack. Paying ransom in such cases can land you in prison or get you fined up to $250,000 for individuals and $500,000 for veterinary practices.
2. Class actions
Ransomware class actions have become popular in the past few years. With most ransomware attacks resulting in the exposure of customer data, resulting in a breach of privacy. In one recent high profile case involving a class action lawsuit, Equifax settled with 147 class members that required the company to pay reimbursement for losses caused by the breach. The company was also required to invest over a billion dollars in data security over five years.
Although there is no documented case of a class action lawsuit against a veterinary practice, there is a high chance that your practice may be a victim of such a suit. Therefore, it is important to prepare for a scenario where your customer sues your practice after a cyberattack.
3. Data breach
If your veterinary practice collects data from your clients, you have to familiarize yourself with the country or state where your clients are based. This is due to the fact that, while the threat of a cyberattack is global, the approach to data breach varies from region to region. In the US, there are no federal laws on how to address data breaches. Therefore, it is important to know the type of data breach laws applicable to your veterinary practice based on your state.
However, if some of your clients are from any of the EU countries, then the General Data Protection Regulation (GDPR) has to be complied with. The type of punishment received will also depend on which country or state the data breach complaint is originating from. You should also expect class action lawsuits from your clients in the event of a data breach.
4. Notifying Law Enforcement
Although it is not a legal requirement to contact law enforcement during and after a cyber attack, having self-initiated contact with law enforcement can reduce the severity of your punishment if you are caught having broken any of the above discussed legal consequences of cyberattacks.
Contacting law enforcement during a cyberattack can also help you avoid most legal issues that come after the attack. Issues such as ransom payments and negotiations with cybercriminals are avoided. Although failing to pay the criminals may result in data loss in some cases, the long-term impact of contacting law enforcement may outweigh paying a ransom to get your data back.
Want help mitigating the chances that your veterinary hospital will become a victim of a ransomware attack?
Schedule a FREE no obligations call with us today to see how a cyber security audit for your veterinary hospital can help you close the gaps before a cyber criminal takes advantage of them.