, , , , ,

The COVID-19 – The Surge of Cyberattacks Amid the Global Pandemic

, , , , ,

What just happened?

The Germany-based private hospital chain Fresenius Group has been the latest victim of ransomware attack.[1] The International Criminal Police Organization (“Interpol”) has issued a global alert regarding the new trend of ransomware attacks targeting at healthcare organisations.[2]

What does it mean?

Ransomware is a form a malware that attacks computer operating system by blocking the access to data until a ransom is paid. The better-known, large-scale ransomware attack was due to the “WannaCry” virus dated back in 2017 while the NHS was one of the victims. Cybercrimes have been evolving to take advantage of new online behaviours to attack the computer systems or organisations that are more vulnerable. While the healthcare operators are overwhelmed by the influx of COVID-19 patients or research on much needed new medical treatment, it is likely that they could not pay as much attention on cybersecurity.

In fact, not only the healthcare sector is facing the threat of cyberattack. According to the research reports, 62% of responding organisations have been attacked by ransomware in 2019, increased from 56% in 2018[3] whereas the UK was the second most attacked country in the world in 2019.[4] Some recent victims in the UK include the global currency exchange company, Travelex and the Redcar and Cleveland Council. In the former case, Travelex’s operating system has been locked by the cybercriminals and customers’ personal data was stolen. Because of the company’s global network and integration with payment service, the disruption caused significant impact on its customers. In the latter case, the local council was hit by a ransomware attack which made the computer system inoperable.[5]  

How does this affect the legal industry?

Cybersecurity is an issue for virtually all businesses that operate with computer systems. While the protection from technology’s perspectives is out of the scope of this article, the surge of cyberattacks revealed various legal issues.

For instance, date privacy is critical as the cybercriminal could have access to the personal data stored in the system for malicious purposes. In the Travelex case, the company was pressured to pay the ransom in order to restore the customer data given the serious consequence under the GDPR regime.[6] Commercial law firms, especially those with specialised practice of technology and cybersecurity have to advise their clients on the statutory requirement on data protection from both precautionary and resolving perspectives.

When the access to operating systems were blocked by cybercriminals, the business can be terminally disrupted. This would stop the companies from performing their obligations in commercial contracts which leads to potential liability. Depending on the terms of the contract, the parties may have agreed to limit the liability arising from certain events. If there are force majeure clauses, the company may be protected from the liability arisen from the cyberattacks, especially when reasonable cybersecurity measures are in place.[7]

Last but not least, law firms themselves may as well fall victims to cyberattacks. Taking the example of the incident at global firm DLA Piper in 2017, the firm’s computer systems including access to phones, emails and documents were affected.[8] To prevent the potential loss and adverse impact on the business, it is not surprising to see law firms are investing in technology and system enhancement as precautions. With the adjustment to a new remote working pattern that highly depends on technology during the pandemic, it may also be an opportunity for the firms to review the issue of cybersecurity.

Written by Cleo Ho

Assessing firms:

#BakerMcKenzie #Bird&Bird #Bristows #CMS #Dentons #DLAPiper #Fieldfisher #PinsentMasonsLLP #BryanCaveLeightonPaisner #HerbertSmithFreehills #HoganLovells #Linklaters #Milbank #OsborneClark #RPC #Simmons&Simmons #SlaughterandMay #TaylorWessing #Bristows #Fieldfisher #Allen&Overy #Covington&Burling #EvershedsSutherland #Latham&Watkins #PwC

References:

[1] Jay Jay, ‘Snake ransomware attack disrupts operations at hospital chain Fresenius Group’ (Teiss, 6th May 2020)

[2] ‘INTERPOL launches awareness campaign on COVID-19 cyberthreats’ (Interpol,  6th May 2020)

[3] CyberEdge, 2020 Cyberthreat Defense Repor (https://cyber-edge.com/cdr/)

[4] 2020 SonicWall Cyber Threat Report (https://www.sonicwall.com/2020-cyber-threat-report/)

[5] ‘Redcar council cyber-attack: 90% of systems working’(BBC, 3rd May 2020)

[6] Jay Jay, ‘Travelex paid $2.3m in ransom to REvil cyber gang’ ( Teiss, 16th April 2020)

[7] ‘Ransomware: loss and liability’ (Taylor Wessing, July 2017)

[8] ‘The Impact of Ransomware on Law Firms’ (Lawyersdefencegroup, 28th November 2017)

Disclaimer: This article (and any information accessed through links in this article) is provided for information purposes only and does not constitute legal advice.