Sorry, but I am not going to be very sympathetic to this law firm. Here is the story.
A Rhode Island law firm, Moses Afonso Ryan, was hit with a ransomware attack.
Apparently, the company did not have a plan for dealing with a ransomware attack. In general, if you have good backups and have tested restoring those backups, you are pretty well able to respond to a ransomware attack. We have a client who was hit by a ransomware attack and it encrypted 3,000,000 files. They did have effective backups and within a few days they were able to recover their data and move on. Good backups = good defense.
The firm hired some “experts” who were unable to decrypt the ransomware – which is not totally uncommon. They don’t say who the experts were or what the ransomware strain was, so I take this at face value.
They said that after they could not decrypt the files, they reached out to the hackers. They claim that they could not collect the ransom of $25,000 quickly because they could only buy two Bitcoin a day. Perhaps, based on whoever they picked to buy Bitcoin from, they could only buy two Bitcoin a day, but that is certainly not a systemic issue with Bitcoin. If the company that they chose to buy Bitcoin from had that restriction, they should have immediately looked elsewhere for a solution.
After they paid the ransom ($25,000) the file decryption tools did not work – which is not altogether unusual either. After paying more ransom the hackers provided some other tools and were able to decrypt the files.
The firm says that the process took them three months. While I wasn’t there, that number seems ridiculously long. Perhaps they didn’t want to pay the ransom – and didn’t have backups – and worked on trying to decrypt the files for 2.5 out of those 3 months. I don’t know.
The law firm said that the lawyers were essentially unproductive for those three months and that in the previous year they billed out $700,000 during those same three months.
So, if I understand this right, they normally billed around $230,000 a month and they messed around for 3 months trying to fix this – with their 10 lawyers sitting on their thumbs during these three months. What’s wrong with this picture?
Have they not heard of a disaster recovery plan? What about a business continuity plan? Did they even have an information security program?
Many companies think (or perhaps hope) that they will not be the target of hackers, but that is, at best, just hope. Hope is not a very effective management strategy.
The insurance company says that they paid the policy limit of $20,000 for computer viruses and is not liable for anything above that. Again, I am not there, but this is pretty common. The company buys a bargain rate insurance policy and they get a – yes – bargain rate insurance policy. It is extremely unlikely that the policy really had a million dollar limit but the insurance company decided to only pay out $20,000. More than likely, the company figured that they weren’t going to get attacked and bought a policy with really low limits because it also had really low premiums. Again, I was not there, so I can’t be sure, but this seems pretty likely.
In Colorado the minimum auto insurance you can buy is $25,000. Someone buys that and figures they are covered. Then they get into an accident, maybe a couple of cars are totaled and a couple of people are hurt. The insurance company writes a check for $25,000 and walks away from the deal. They don’t even bother to defend the driver. In this case, all the other drivers are left holding the bag and have to try and sue a turnip (the driver that only bought the minimum insurance policy). At least in this case, who gets to deal with the consequence of making a poor business decision (buying a cut rate insurance policy) is the people who were impacted by that decision.
Cyber insurance is complex. If you buy it from a broker who normally sells fire insurance or life insurance, or even general business insurance, you are likely to wind up on the wrong side of that deal. The typical cyber insurance policy has many options and picking the wrong ones is basically equivalent to not having any cyber insurance.
We shall see what happens with this deal, but I would put the vast majority of the blame on the law firm.
For your company, some questions to prepare you for that almost certain cyber incident –
- Do you have backups?
- Have you tested the backups?
- Do you have a data map and plan so you know whether you are backing up ALL of your data?
- Do you have a ransomware attack plan? The FBI said that ransomware reports were up 2500% over the last two years, so you should expect to be attacked.
- Does your attack plan include anything to mitigate the effects of an attack?
- Do you have a disaster recovery plan?
- Do you have a business continuity plan?
- Do you have a cyber incident response plan?
- Do you have cyber insurance? The RIGHT cyber insurance? Are you sure about that?
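The point made earlier about having backups and having actually tested restoring them, and the first three questions on this list, come down to one repeatable check: can every file you think you are protecting be brought back, byte for byte, from the backup copy? The script below is an added example, not anything from the law firm, the ABA Journal story, or any product named here. It builds a small constructed set of "case files" in a temporary directory, archives them, records a SHA-256 manifest (the "data map" of what was backed up), then rehearses a restore and compares the result against the manifest. A second rehearsal deliberately corrupts one restored file and deletes another to show what a failed test looks like; the file names and contents are made up for the demonstration.

```python
"""Backup, manifest and restore rehearsal (added example, constructed data)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative, POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Archive src into dest_dir and write the manifest of what was captured.

    Keep the manifest on separate, offline storage in practice: if an attacker
    can encrypt the backup target, they must not also be able to rewrite the
    record you verify it against.
    """
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    manifest_path = dest_dir / "backup.manifest.json"
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def restore(archive: Path, scratch: Path) -> None:
    """Extract the archive into a scratch directory, never over live data."""
    scratch.mkdir(parents=True, exist_ok=True)
    # Use the safe 'data' extraction filter where this Python provides it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(scratch, **kwargs)


def verify(manifest_path: Path, restored: Path) -> dict:
    """Compare a restored tree with the manifest and report every deviation."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    mismatched = sorted(k for k in expected if k in actual and expected[k] != actual[k])
    return {
        "ok": not (missing or extra or mismatched),
        "verified": len(expected) - len(missing) - len(mismatched),
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
    }


def demo() -> tuple[dict, dict]:
    """Run a clean rehearsal and a damaged one; return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "casefiles"
        (src / "2016" / "matters").mkdir(parents=True)
        # Constructed stand-ins for client documents.
        (src / "2016" / "matters" / "brief.txt").write_text("Memorandum of law, draft 3\n")
        (src / "2016" / "matters" / "exhibit_a.txt").write_text("Exhibit A\n" * 50)
        (src / "retainer.txt").write_text("Engagement letter\n")

        archive, manifest = create_backup(src, root / "backups")

        clean_dir = root / "restore_clean"
        restore(archive, clean_dir)
        clean = verify(manifest, clean_dir)

        # Simulate a restore that came back damaged: one file overwritten with
        # garbage (as an encrypted-in-place copy would be) and one file gone.
        damaged_dir = root / "restore_damaged"
        restore(archive, damaged_dir)
        (damaged_dir / "retainer.txt").write_bytes(b"\x00" * 32)
        (damaged_dir / "2016" / "matters" / "exhibit_a.txt").unlink()
        damaged = verify(manifest, damaged_dir)
        return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = demo()
    print("clean rehearsal:", json.dumps(clean_report, indent=2))
    print("damaged rehearsal:", json.dumps(damaged_report, indent=2))
```

Running this on a schedule against real backup media, and treating any report with `ok` false as an incident in its own right, is what "have you tested the backups" means in practice. The manifest doubles as the data map: anything a user depends on that never shows up in it is data you are not backing up.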
Of course the alternative is to pretend that you won’t get attacked.
How is that working for Moses Afonso Ryan? It likely would work just as well for you.
Prepare now or pay later. Pretty simple.
Information for this post came from the ABA Journal.