Data Thefts: Indecent Exposure to Risk
www.informationweek.com
Jon Polenberg, Shareholder, Becker & Poliakoff
January 30, 2025

A Pennsylvania healthcare system agreed to pay $65 million to patients who had their medical photographs and personal information posted on the internet after the provider declined to pay ransom demands from a threat actor in an attack last year. The $65 million settlement stands as a stark warning to businesses that protecting data is a critical task. Failing to do so will be expensive.

Today's technology landscape makes it challenging for businesses to protect their data.

Lehigh Valley Health Network, a 13-hospital organization, received an ultimatum to pay up or have patient data plastered across the internet. LVHN declined to pay the ransom, and the threat actor kept their promise. They released over the internet personal medical records and undressed patient images taken for diagnostic purposes.

But Lehigh Valley Health Network was not alone. Businesses across the US face the same risks: from January to June 2024, there were an average of 14 reported ransomware attacks each day. It is also becoming difficult for companies to pay their way out of a ransomware crisis, as federal guidelines have made paying a ransomware threat actor more difficult. The Treasury Department's Office of Foreign Assets Control (OFAC) released an advisory in 2021 stating that American companies that pay ransoms to threat actors on the Specially Designated Nationals and Blocked Persons List or in sanctioned jurisdictions may face civil penalties and liability imposed by the federal government.

In other words, giving in to ransom demands may invite the federal government's wrath. But refusing to pay may land the company on the wrong side of a lawsuit.
Putting aside the rock-and-a-hard-place dilemma, many companies lack a plan for what to do when a ransomware attack hits.

Building an Incident Response Plan

Just as companies need to prepare for extreme weather events and the supply chain disruptions resulting from them, similar forethought is necessary for dealing with a ransomware or cyberattack. How will the company identify the attack, what are the initial steps to take, who will lead the response team, what advisors will they call, and what will prevent further harm?

Cyberattacks are tricky. It can be weeks or months before a company discovers a vulnerability exists, meaning that companies may already be behind the eight ball in responding when they discover the attack occurred.

But whether an attack has been percolating for minutes or months, the incident response plan provides a structure and creates systems for teams to respond quickly and effectively. The data exfiltration from a ransomware attack exposes companies' vulnerabilities.

The first step is always assessing the damage. The response team must evaluate the attack to identify its extent, which may require hiring a third-party cybersecurity company to forensically understand the breach and its implications.

Prisons, hospitals, utility companies, and other life-and-death service providers that find themselves under attack may require more urgent response capabilities. For most other companies without an immediate life safety issue, it may make more sense to take time to assess how long ago the attack occurred and what it will take to restore the systems.

Without this diligence, businesses put themselves further at risk: if they return too quickly to their systems' backup capabilities without understanding the timeline of the attack, they may not know whether the breach infiltrated the backup system too.
Restoring the network using an infected backup would not only fail to cure the attack; it may also exacerbate the threat and increase the ransom demands. But without the capability to restore the system from backups, a company may have fewer options in dealing with a ransomware attack.

Managing After an Attack

Between third-party negotiators and insurance coverage, there may be a way to financially manage the attack. There are third-party providers that negotiate with ransomware threat actors, and some insurance companies cover ransomware attacks.

For other victims, paying the ransom themselves may be the only way out. While doing so may come up against OFAC guidance, the federal government may limit liability for companies that cooperate with it. While there's no guaranteed exit ramp or roadmap here, industry associations are working to create guidance for companies that find themselves stuck in this dilemma.

The bigger issue companies face post-attack is managing the fallout. In the US, each state manages data breach disclosure differently, so a company's legal obligations and liability may change depending on where it operates.

Ransoms are high, breach-related settlements are high, and the reputational damage is high. As a result, cyberattacks are becoming more expensive each year, and insuring against ransomware attacks has become more difficult.

Diligent data protection is the best defense companies have. Organizations that are cautious about how they collect and store data will have less risk than those that are lackadaisical. Companies that don't risk falling susceptible to an ever-rising financial threat.

About the Author

Jon Polenberg, Shareholder, Becker & Poliakoff

Jon Polenberg is a shareholder at Becker & Poliakoff.
As an established litigation attorney in state and federal courts, as well as pursuing alternative dispute resolution methods such as arbitration on behalf of his clients, Jon is client-focused while maintaining the highest professional standards.