The Legal Impact of the Colonial Pipeline Ransomware Incident

May 17, 2021 Advisory

Last week, ransomware gained so much attention that even cybercriminals appeared caught off guard. As reported by Krebs on Security, after a $5 million ransom payment was obtained from Colonial Pipeline, the administrator of a Russian cybercrime forum stated “[t]here’s too much publicity” with ransomware and that it has “become dangerous and toxic.”    

Setting aside the questionable consciences of cybercriminals, the Colonial Pipeline incident – more than other recent high-profile cybersecurity incidents, e.g., SolarWinds, Microsoft Exchange and Accellion – is likely to expand legal obligations relating to cybersecurity because of notable events that occurred before, during and after the incident.

An Enforcer Against Ransomware Emerges

On March 31, 2021, Department of Homeland Security (DHS) Secretary Alejandro Mayorkas outlined a roadmap for DHS’ cybersecurity strategy. Referring to a series of 60-day “sprints” to begin implementing the strategy, he stated that DHS’ first focus is on raising ransomware awareness and disrupting those who launch the attacks.  

DHS has designated the Cybersecurity & Infrastructure Security Agency (CISA) as its cybersecurity quarterback. On its website, CISA maintains a substantial library of ransomware resources, including prevention best practices and a response checklist. These resources have evolved along with the ransomware variants they address and should be consulted when developing and refining cybersecurity incident response plans.

A Task Force Proposes a Ransomware Response Framework

On April 29, 2021, the Ransomware Task Force, a team of more than 60 experts from software companies, cybersecurity vendors, government agencies, nonprofits and academic institutions convened by the Institute for Security and Technology, released an 81-page report titled “Combating Ransomware.”

The goal of the task force, similar to DHS and CISA’s, is “to proactively and relentlessly disrupt the ransomware business model through a series of coordinated actions.” In its report, the task force published 48 actions divided into four categories, the last two relating to how organizations prepare for and respond to ransomware attacks.

The task force noted that in 2020, nearly 2,400 organizations were victims of ransomware and that they:

  • averaged 21 days of downtime;
  • averaged 287 days to fully recover;
  • altogether paid $350 million in ransoms; and
  • averaged $312,493 per payment.

The task force then recommended the following:

  • Being Prepared
    • A framework should be developed to provide organizations with a ransomware-specific risk assessment tool.
    • Awareness materials should be developed to inform organizational leaders about the risks of ransomware and the resources needed to address them.
    • Regulators should pair preparation recommendations with guidance on how organizations can reduce the likelihood of fines or other penalties.
    • Alignment with an established risk management framework should be incentivized, including through tax breaks for meeting certain baseline standards.
  • Knowing How to Respond
    • Rapid information sharing should occur between organizations that are affected by a ransomware incident.
    • A standardized incident reporting format and network should be created.
    • Organizations should be required to conduct a cost-benefit assessment prior to making a ransom payment. 

The White House Demands Better Cybersecurity

On May 12, 2021, President Biden issued the “Executive Order on Improving the Nation’s Cybersecurity.” The 18-page order includes numerous ambitious requirements with deadlines ranging from 14 to 360 days and is divided into sections relating to, among other things:

  • removal of contractual barriers to information sharing;
  • mandated use of multifactor authentication, encryption and other security best practices;
  • building security into software from the ground up;
  • requiring baseline incident response capabilities;
  • enabling better endpoint detection and response systems to detect malicious activity; and
  • establishing event logging requirements so that incidents can be better detected, investigated and mitigated.

While the order applies directly to federal networks, it takes a bold step to chart a new course and encourages “private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”

Given the numerous deadlines established by the order, the coming days and weeks could see an unprecedented amount of activity in the development of cybersecurity standards. 

Alignment with Basic Cybersecurity Standards

The Colonial Pipeline incident and the events and announcements discussed above shed light on how organizations can prepare for, and respond to, ransomware and other cybersecurity incidents that involve similar attack vectors and unauthorized access by cybercriminals. While the Executive Order is still being analyzed and further guidance will be provided, one thing is certain: lessons learned must be implemented.

As baseline requirements, organizations should at a minimum do the following to keep pace with the expanding cybersecurity legal obligations:

  • Refine your Cybersecurity Incident Response Plans (IRP)
    • An IRP should include detailed response processes that articulate communication, documentation and evaluation activities.
    • For example, the NIST Computer Security Incident Handling Guide (SP 800-61) has 20 recommendations for an incident response plan.
  • Reassess your Cybersecurity Risk Assessment (RA)
    • Certain statutes and regulations mandate RAs and provide guidance and tools to assist organizations.
    • For example, conduct an assessment to analyze your alignment with industry standards and confirm that the weaknesses ransomware operators commonly exploit – such as internet-exposed remote access services, unpatched edge devices, phishing and accounts without multifactor authentication – have been addressed.
  • Refocus your Written Information Security Program (WISP)
    • Check to see if your WISP includes updated administrative, technical and physical safeguards, as some states now require.
    • For example, evaluate and adjust your program in light of any changes to your operations or business arrangements.

Just as organizations continue to embrace digital transformation – the process of leveraging technology, processes and people to innovate – so too will cybercriminals seek to exploit vulnerabilities for big paydays. Today it is ransomware, but tomorrow the attack vector could be new variants or something entirely different (e.g., deepfakes, disinformation, disruptionware, vulnerabilities within IoT devices). Thus, organizations must continue to evolve just as their cybersecurity legal obligations continue to evolve.
