
Understanding the WannaCry Virus: One of the Largest Cyber Attacks in History

In an unprecedented event in cyber history, hackers utilizing software stolen from the US National Security Agency (NSA) unleashed a ransomware virus Friday that impacted nearly 200,000 computers in over 150 countries around the world. For in-house counsel, a data attack of this magnitude should serve as an essential wake-up call — emphasizing the importance of interdepartmental communication (especially with regard to IT) and reinforcing the consequences of failing to implement precautionary data security protocol.

Here are the key takeaways:
  • Starting in the United Kingdom and Spain, the software — dubbed WannaCry — spread rapidly on Friday, blocking companies from their data unless they paid US$300 in bitcoin to the service.
  • The spread and effectiveness of the attack can be attributed to software stolen from the NSA by the hacking group called “the Shadow Brokers.”
  • Companies using Microsoft computers with old software were especially susceptible. 
  • Microsoft released a security patch for hacking vulnerabilities in March, but many companies didn’t update their systems in time.

While apologetic for the software vulnerability, Microsoft President and Chief Legal Officer Brad Smith noted in a statement that companies should be increasingly mindful of their own negligence in the matter, and argued that legal departments should view cybersecurity as more than just a check-the-box exercise.

“This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers … As cyber criminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past,” he explains. 

In fact, with 23 percent of CLO respondents to the ACC Chief Legal Officers 2017 Survey reporting that their company has experienced a data breach over the past two years, in-house counsel are increasingly struggling to keep up with the pace. To ensure your company is protected, it’s essential to create a solid data security foundation, integrate policy decisions beyond the legal department, and actively amend protocol due to technological advancements.

In an ACCDocket.com article entitled “Cyber Awareness: How to Prevent Breaches on Healthcare Data,” author K Royal argues that the biggest mistake companies can make is assuming that they aren’t a target. Data protection protocol, risk assessment and management, vendor management, employee education and awareness, and incident responses should be continuously updated — regardless of the size or prominence of the company.

“Many people hear ‘cyber’ anything and immediately dismiss it as a rare event that could not happen to them. Their company is not a target, they assume. Cyber attacks are for sophisticated, government actors. Not so. All of us are potential targets for cyber attacks,” the article states.

Although large-scale multinational organizations such as FedEx and Nissan reportedly fell victim to the WannaCry data hacking, small to mid-sized companies were also targeted. “It’s a battle we’re fighting every day,” says William Caraher of mid-sized law firm von Briesen & Roper in a report to the New York Times. “We live in this world where any email attachment could be carrying a malicious software that could go viral.”

China, in particular, was subject to nearly 40,000 hackings as a result of the virus. State-run oil company PetroChina noted that gas stations across the country had to cease electronic payments to mitigate risk. In the United Kingdom, hospitals impacted by the virus had to momentarily shut down service and divert ambulances. As companies continue to assess the financial damage caused by the cyber attack, in-house counsel can use the opportunity to make a strong business case for precautionary data protection policies.

In the October ACC Docket feature article entitled “Getting the Board on Board: Fulfilling Cybersecurity Governance Duties,” authors Alexa King, Carly O’Halloran Alameda, and Olga V. Mack outline that the most crucial step to ensuring data protection is engaging the board of directors. By educating senior executives about the potential consequences of a data breach, including litigation and financial liability, in-house counsel can justify data security initiatives as a necessary cost measure.

“The board cannot fully and appropriately execute its cybersecurity governance duties until it has an understanding of what the implications are from a data breach event. In fact, this may be one of in-house counsel’s most valuable roles with regard to getting the board’s attention on, and advising the board about, cybersecurity,” the article states.

Having a previously established relationship with the IT department can also serve as a useful tool in detecting risk as early as possible. In a September 2015 feature article entitled “Once More Unto the Breach: Why and How to be Ready for a Data Breach,” authors Robert Jett III and Peter Sloan assert that bringing different departments together in the pursuit of a common goal can provide a more multifaceted approach to data security. When the time comes and a hack occurs, in-house counsel will be far better prepared to mitigate risk if the IT department understands how to proceed. As many can attest, a disaster is a horrible time to exchange business cards.

“Managing effective breach response is no small feat. There are 10 different channels of response activity for an organization that has suffered a data security breach. Most of these activity channels are involved in every data breach, and all must be attended to in significant breach scenarios. These activity channels are not sequential — they must be orchestrated in a synchronized manner in order for the response to be successful.”

While the effects of the WannaCry ransomware attack are largely subsiding, the event should serve as a valuable learning experience regarding the importance of data security. In-house counsel can no longer view the possibility of a hacking scenario as outside of the purview of the legal department. In truth, understanding the importance of data protection doesn’t require a computer science degree. By constructing a solid data protection protocol, opening an active dialogue between departments, and making amendments where necessary, in-house counsel can mitigate the threat of a future crisis and become the company’s legal hero in the process.


