
Legal implications of ransomware attacks- a guideline for veterinary practices

November 1, 2021 (updated June 9th, 2022)

Are there legal ramifications if you pay the ransom?

One of the most overlooked topics while discussing ransomware attacks is the legal implications the attacks have on veterinary practices.

Veterinary practices that have fallen victim to ransomware attacks in the past few years have found themselves in uncharted waters, with no guidelines for navigating the legal implications of these attacks.

One high-profile scenario that showed how legally unprepared veterinary practices are is the ransomware attack on York veterinary practice. The attack offered a glimpse into how a veterinary practice should approach a ransomware attack. They refused to pay the ransom, and although they ended up losing all their data, they had backups and were able to bring their services back online quickly. They also notified their clients about the attack, asked them to update their information with the practice, and offered a comprehensive explanation of how the attack occurred.

Unlike York veterinary practice, not many practices know how to navigate a ransomware attack, and this can lead to legal trouble. Here is a look at some of the legal implications your veterinary practice can face when attacked by ransomware.

Consequences of being a ransomware attack victim


On October 1, 2020, the Department of Treasury Office of Foreign Assets Control (OFAC) issued an advisory to victims of ransomware attacks, warning them that paying the ransom after a ransomware attack can be a contravention of federal law.

The directive was very significant for victims of ransomware attacks who decide to pay the groups behind the attacks to get their data back. In the directive, OFAC noted that some of these groups might be under US sanctions. Legally speaking, a ransom payment to a sanctioned individual or entity, whether intentional or otherwise, goes against federal law, and victims of ransomware attacks who violate this rule may face criminal or civil penalties.


Veterinary practices that contravene these laws may be liable to fines as high as $20 million and imprisonment. Civil penalties can also be imposed on veterinary practices that violate sanctions after a ransomware attack, even if the practice owners were not aware of the criminality of their actions.

To avoid this, the October 1, 2020 directive advised veterinary practices and anyone else who may become a victim of a ransomware attack to self-report to law enforcement. This is meant to avoid punishment and lessen the legal implications in case a victim pays sanctioned individuals or entities. OFAC indicated that it would consider the victim’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement” when making its final decisions.


The legality of paying your ransomware attackers


It is not illegal to pay a ransom to ransomware attackers under US law, and as stated above, the OFAC directive of October 1, 2020, is very specific that the payment only becomes illegal if it is directed to an individual or entity sanctioned by the federal government. The OFAC directive is also very clear that, as a veterinary practice, you cannot legally claim ignorance: whether you intentionally or unintentionally make a payment to a sanctioned entity or individual, the consequences are the same.

Now, should you pay the ransom to get your data back and fend off attackers from future ransomware attacks against your practice? According to cybersecurity experts, the answer is no, you should not consider paying ransom to cybercriminal groups even though it is, in most instances, legal.

Formal FBI recommendations also make it clear that you should avoid paying ransom to cybercriminals. According to the law enforcement agency, paying cybercriminals to get your data back does not guarantee they will hold up their end of the bargain. The FBI further states that paying the ransom only encourages the behavior and can lead to other organizations and individuals being targeted using the resources you handed to the attackers in the form of ransom.

Consequences of a data breach


A data breach occurs when an organization, a business, or an institution exposes sensitive or protected information to unauthorized persons, either intentionally or unintentionally.

By definition, every ransomware attack qualifies as a form of a data breach, especially where clients’ data is involved. With the recent advent of triple extortion ransomware attacks, where ransomware attackers steal data to leak to the public, encrypt data, and contact clients of the victims asking for payments or pressure the victims to pay, data breaches have become a norm in ransomware attacks.

Veterinary practices have to approach data breaches with the utmost caution because they pose significant legal implications for their practices and staff.

Depending on the state you operate in, you may have a legal obligation to notify your clients if their data has been breached. A good example is the Massachusetts security breach and data destruction law, which is the toughest in the US and is used by multiple states as a model for what happens when data is breached. Therefore, after you are compromised, the first thing to do is research the law of your state to determine whether you are required to notify your clients about the data breach.

Federal breach-notification legislation, however, has been slow to pass, and hence there is no uniform federal law covering data breach notification. Efforts to enact such a law have already been attempted, with the introduction of the Data Security Breach Notification Act of 2017 by three senators.

The other legal ramification of data breaches that most veterinary practices don’t consider is the cost of litigation and settlements, which can run from a few thousand dollars to hundreds of millions of dollars. Payments to plaintiffs are also not cheap, and to avoid such huge costs, it is important to familiarize yourself with the legal impact of your actions after a ransomware attack and data breach.

Legal obligations of veterinary practices after ransomware attacks

As victims of ransomware attacks, veterinary practices are supposed to act within the legal framework before, during and after a ransomware attack.

The guidelines set out by OFAC and by state and federal government entities regarding ransomware attacks should be adhered to, and veterinary practices have a legal obligation to follow the law to the letter.

Legal obligations such as the HIPAA Security Rule, which protects physicians and patients during data breaches, are also applicable to veterinary practices to some extent. These laws require your practice to establish safeguards for your clients’ data, train your staff about malware attacks, and promptly patch software to avoid being compromised.

There are also other obligations, such as the data breach obligations discussed above, under which you are supposed to notify clients about any data breach in your practice, depending on the state you operate in and whether you are legally required or compelled through legal proceedings to do so.

Also, to some extent, your veterinary practice is expected to contact law enforcement and notify them of the attack. This, however, is not mandatory and will depend on an evaluation by cyber security experts and legal advisors after reviewing the extent of the ransomware attack on your practice.

Breach of privacy laws in ransomware attacks

Currently, US law does not mandate reporting of ransomware attacks in the way it does for data breaches. However, the Biden administration, following a torrent of ransomware attacks, has pushed for increased reporting of ransomware across the country.

One question that has always puzzled cybersecurity experts and lawyers is who should carry the responsibility for a ransomware attack that results in privacy concerns, and whether clients should be notified about privacy violations after ransomware attacks.

As it stands, you have to rely on the laws of your state concerning the reporting of security violations at your veterinary practice. If your state mandates reporting after your veterinary practice has been compromised by ransomware in a way that raises privacy concerns, then you are legally required to make that clear to your clients to avoid legal trouble.

Law enforcement involvement in a ransomware attack, what you need to know

Are you legally obligated to report ransomware attacks to law enforcement if your veterinary practice is compromised? The answer is no, but it is much more complicated than that. The FBI recommends that all ransomware attacks should be reported to law enforcement to allow for investigations, tracking of the attacks and understanding the nature of ransomware attacks being launched in the US.

However, the reality is that most ransomware attacks go unreported, making it hard to keep count of how many cyberattacks happen in the US. Unless required by law, most organizations opt not to report to law enforcement when they are attacked, and in the majority of these circumstances they are not obligated by law to do so.

Reporting to law enforcement can also help your veterinary practice recover quickly, as seen in multiple cases where the FBI has been involved and provided a rapid response to ransomware attacks.

How is a ransomware attack prosecuted?

The prosecution of ransomware attackers is complex, and in most cases, the perpetrators are not apprehended, even when identified by law enforcement. This is because most attacks targeting US veterinary practices and other organizations do not originate from the US. In fact, there have been some instances where the attackers are foreign governments, hence making it nearly impossible to prosecute perpetrators.

Ransomware gangs such as REvil also originate from Russia, which in most cases is uncooperative and does not prosecute them.

Therefore, chances are that if your veterinary practice is compromised, the people behind the attack will never be prosecuted. You should therefore put every reasonable measure in place at your veterinary practice to ensure that you do not fall victim to a cyber-attack.


DISCLAIMER: The information provided on our site does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general educational and research purposes only. Readers should contact their attorney for any legal questions if you were a victim of ransomware or a cyber-attack.