Clarifying Cloud Computing: Ransomware and Ethics

Vol. 6, No. 12

Al Harrison is a patent attorney concentrating on oil and gas and software and practicing intellectual property law in Houston, Texas. He is co-chair of the GPSolo Division’s Joint Resource Center—Technology Committee, chair of the Intellectual Property Committee, and a member of the Book Publishing Board. He is chair of the Data Privacy and Security Committee of the ABA Business Law Section and a past chair of the Computer and Technology Section of the State Bar of Texas; he also serves on the Advertising Review and the Professionalism Committees and is a board member of the Texas Bar College.


Joseph Jacobson is a transactional attorney practicing various aspects of business law and commercial real estate. He has represented businesses having operations in Europe and Asia. He was a board member of the Japan-American Society of Dallas and a founder of the e-Commerce Committee of the Dallas Bar Association. He was an adjunct professor at Southern Methodist University Dedman Law School. He is vice-chair of the Data Privacy and Security Committee of the ABA Business Law Section and a past chair of the Computer and Technology Section of the State Bar of Texas.

This article, the first in our GPSolo eReport series exploring cloud computing and ethics, addresses ransomware and its relation to cloud computing. Our introduction to the topic appeared as the “GP Mentor” column in GPSolo magazine’s May/June 2017 issue.


Be Aware! Ransomware Can Reach Your Cloud

Ransomware is malware designed to encrypt your hard drive and all other digital storage devices on your local network. Access to your illicitly encrypted files then depends on payment of a ransom in cryptocurrency (untraceable digital currency such as Bitcoin). Unless the demanded ransom is paid on time, you will not be given the key to unlock (i.e., decrypt) your files. Importantly, even if the ransom is paid, you are not assured of receiving the key to decrypt your files.

Some ransomware attacks include destruction of files on a timed schedule to encourage immediate compliance before you lose more data. Often file names are changed as well. The options you have depend on which malware was triggered on your computer hardware.

Incredibly, a species of malware has been exposed masquerading as ransomware when in fact it permanently encrypts or destroys your files. There is no real ransom opportunity: first your files are encrypted and money is demanded, then you pay the ransom, but a key to decrypt your illicitly encrypted files never arrives. In another variation, the destructive behavior goes further and your files are permanently purged with no chance of recovery.

Often portrayed as attacking an operating system such as Windows or Mac OS, ransomware is, unfortunately, more sophisticated and more destructive than a cursory review of reported malware events may suggest. Ransomware now runs using JavaScript, avoiding analysis and the warnings Windows would otherwise give. Ransomware can encrypt every network resource it finds. Furthermore, some ransomware versions remain inactive while awaiting transfer onto backup storage, whereupon the time-sensitive malware activates and encrypts the resources it can reach: it launches when you invoke a backup and immediately encrypts the backup files before remedial action can be taken.
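The scenario just described, malware that waits for a backup and then encrypts the copied files, is exactly why a backup should be verified against a record taken when the data was known to be good, rather than trusted because the copy job reported success. The following script is an added illustration written for this article and is not code from the authors or from any product they mention; every name in it (the manifest functions, the entropy threshold, the sample matter folder) is an assumption chosen for the example. It records a SHA-256 fingerprint of each file at a known-good moment, then re-checks a copy and flags files that went missing, changed, appeared under new names, or now look like random bytes, which plain documents never do. The demonstration data is constructed in a temporary folder and the damage is mimicked by overwriting one file with random bytes and renaming it, the symptoms the article lists, not by running any malware.

```python
"""Verify a backup copy against a manifest taken when the files were known good.

Added example for this article; function names, the entropy threshold and the
sample data are assumptions, not anything the authors or a vendor published.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Encrypted or random data scores close to 8 bits per byte; ordinary documents
# (letters, briefs, spreadsheets) sit well below this assumed cut-off.
ENTROPY_THRESHOLD = 7.5


def sha256_of(path: Path) -> str:
    """Fingerprint one file in 64 KiB chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for a single repeated byte, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root) to its SHA-256. Take this when the data is known good."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_backup(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a backup tree with the known-good manifest and report every discrepancy."""
    current = build_manifest(root)
    report: dict[str, list[str]] = {"missing": [], "added": [], "modified": [], "high_entropy": []}
    for rel, good_hash in manifest.items():
        if rel not in current:
            report["missing"].append(rel)          # e.g. renamed by the malware
        elif current[rel] != good_hash:
            report["modified"].append(rel)         # contents no longer match the good copy
    for rel in current:
        if rel not in manifest:
            report["added"].append(rel)            # unexpected new file (ransom note, renamed victim)
    # Anything new or changed that looks like random bytes is the strongest signal.
    for rel in report["added"] + report["modified"]:
        sample = (root / rel).read_bytes()[:65536]
        if shannon_entropy(sample) > ENTROPY_THRESHOLD:
            report["high_entropy"].append(rel)
    return report


def backup_is_trustworthy(report: dict[str, list[str]]) -> bool:
    """A copy you can restore from has nothing missing, nothing altered and nothing encrypted-looking."""
    return not (report["missing"] or report["modified"] or report["high_entropy"])


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: a small client-file tree, a good manifest, then one file damaged as the article describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        matter = root / "matter-1001"                      # constructed sample matter folder
        matter.mkdir()
        (matter / "engagement.txt").write_text("Engagement letter, plain text. " * 200)
        (matter / "brief.txt").write_text("Draft brief paragraph. " * 300)
        manifest = build_manifest(root)                    # taken while the files are known good
        clean_report = check_backup(root, manifest)
        # Mimic the symptom, not the malware: contents replaced by random bytes, name changed.
        victim = matter / "brief.txt"
        victim.write_bytes(os.urandom(8192))
        victim.rename(victim.with_name(victim.name + ".locked"))
        damaged_report = check_backup(root, manifest)
        return clean_report, damaged_report


if __name__ == "__main__":
    before, after = demo()
    print("clean copy trustworthy:", backup_is_trustworthy(before))
    print("damaged copy trustworthy:", backup_is_trustworthy(after), after)
```

In practice the manifest would be written to storage the backup job cannot modify (offline media or a write-once location) and the check run before any restore is attempted; a copy whose report lists missing, modified or high-entropy files should be treated as compromised rather than restored over the surviving originals.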


Ransomware’s Impact on Your Ethical Duties

You have a duty to be technologically sophisticated (ABA Model Rule of Professional Conduct 1.1, Comment 8). The ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion 477R (Revised May 22, 2017) adopts a “fact-specific” approach to business security obligations requiring a “process” of continual assessments of risks and implementation of commensurate preventive measures.

Your obligation to address informed consent requirements is not fully explicated. How much information do you have an obligation to provide clients about your cloud use? A cloud contract typically requires you to represent that permission and authority have been obtained to place third-party information in your cloud and that clients have been informed that recourse against the cloud service provider (CSP) is unavailable. Barring insurance protection, you and/or your firm would be liable to the CSP, which would be indemnified. Has this crucial CSP-related information been included in your firm engagement agreements?

CSP agreements additionally provide that you may encrypt documents and that security is your responsibility. CSP recommendations and the specific affirmative behavior they prefer (such as encrypting files) are important issues that you should share with your clients. Otherwise, clients may assume your security procedures are inadequate, to the detriment of the attorney-client relationship and with ethics concerns likely to follow.

Ideally, your firm would have malpractice insurance and cyber insurance, coupled with your client having cyber insurance. Cyber insurance should be considered a vital aspect of your malware defense. Industry-wide, the average cost of a breach in 2016 was about $141 per record lost. Your client could demand an accounting when and if a breach occurs. Adequate preventive treatment of computerized client files should facilitate your insurance coverage, possibly augmented by clients’ insurance coverage.

Your handling of personal health information (PHI) for health care clients may be even more challenging per the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services has issued a ruling that a ransomware attack is presumed to be a breach unless a (health care) “covered entity” can demonstrate there is a “low probability” that PHI has been compromised. If you have possession of health care clients’ files that are breached, your client and you (as a HIPAA “business associate”) may both be liable for notification charges and fines.


Looking Ahead

The next article in the “Clarifying Cloud Computing” series will address recommended language for reinforcing and disclosing to clients your firm’s ethically sound approach to privacy and confidentiality, so that you have obtained informed consent to your cybersecurity practices and have accommodated clients’ preferences for acceptable malware-preventive procedures.

