This article, the first in our GPSolo eReport series exploring cloud computing and ethics, addresses ransomware and its relation to cloud computing. Our introduction to the topic appeared as the “GP Mentor” column in GPSolo magazine’s May/June 2017 issue.
Be Aware! Ransomware Can Reach Your Cloud
Ransomware is malware designed to encrypt your hard drive and every other digital storage device reachable on your local network. Access to your illicitly encrypted files then depends on payment of a ransom in cryptocurrency (untraceable digital currency such as Bitcoin). Unless the demanded ransom is paid on time, you will not be given the key to unlock (i.e., to decrypt) your files. Importantly, even if the ransom is paid, you are not assured of receiving the decryption key.
Some ransomware attacks also destroy files on a timed schedule to encourage immediate compliance before you lose more data. Often file names are changed as well. Your recovery options depend on which malware was triggered on your computer hardware.
Incredibly, one species of malware has been exposed as merely masquerading as ransomware: it permanently encrypts or destroys your files, and there is no real ransom opportunity. Your files are encrypted and money is demanded; you pay the ransom; but the key to decrypt your illicitly encrypted files never arrives. In another variation, the destructive behavior goes further and your files are permanently purged with no chance of recovery.
Ransomware’s Impact on Your Ethical Duties
You have a duty to be technologically sophisticated (ABA Model Rule of Professional Conduct 1.1, Comment 8). The ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion 477R (Revised May 22, 2017) adopts a “fact-specific” approach to business security obligations requiring a “process” of continual assessments of risks and implementation of commensurate preventive measures.
Your obligation to satisfy informed consent requirements is not fully spelled out. How much information must you provide clients about your cloud use? A cloud contract typically requires you to represent that permission and authority have been obtained to place third-party information in your cloud and that clients have been informed that they have no recourse against the cloud service provider (CSP). Barring insurance protection, you and/or your firm would be liable to the CSP, which would be indemnified. Has this crucial CSP-related information been included in your firm’s engagement agreements?
CSP agreements additionally provide that you may encrypt documents and that security is your responsibility. CSP recommendations and specific expected affirmative behavior (such as encrypting files) are important matters to share with your clients. Otherwise, clients may assume your security procedures are inadequate, damaging the attorney-client relationship and in turn raising ethics concerns with adverse ramifications.
Ideally, your firm would carry both malpractice insurance and cyber insurance, and your client would carry cyber insurance as well. Cyber insurance should be considered a vital part of your malware defense. Industry-wide, the average cost of a breach in 2016 was about $141 per record lost. Your client could demand an accounting if and when a breach occurs. Adequate preventive treatment of computerized client files should facilitate your insurance coverage, possibly augmented by clients’ own coverage.
Your handling of personal health information (PHI) for health care clients may be even more challenging per the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services has issued a ruling that a ransomware attack is presumed to be a breach unless a (health care) “covered entity” can demonstrate there is a “low probability” that PHI has been compromised. If you have possession of health care clients’ files that are breached, your client and you (as a HIPAA “business associate”) may both be liable for notification charges and fines.
The next article in the “Clarifying Cloud Computing” series will address recommended language for reinforcing and disclosing your firm’s ethically sound approach to privacy and confidentiality, so that clients can give informed consent to your cybersecurity practices and their preferences for acceptable malware-preventive procedures are accommodated.