Failing to report sensitive data breaches to US regulatory and law enforcement agencies just got more dangerous and confusing for CISOs and their organizations. If that failure is seen as a cover-up, such as paying a ransom to get sensitive data back, it could lead to steep fines or jail time.
In a case that is playing out now, Joe Sullivan, former Uber CISO, was recently charged under an ambiguous, arcane law that goes back to 1789 called misprision of a felony. In the charging documents, the FBI claims that Sullivan's paying off the attackers to retrieve the data was akin to aiding and abetting a crime. If the prosecution prevails, it will grind businesses to a halt as they feel compelled to report anything that might appear to be a data-related crime against their organizations.
“Misprision is a very subtle crime. The statutory words say that you commit a crime if you see a crime and don’t report it,” says Ben Wright, a well-known cyber attorney and SANS instructor. “The feds do not bring a lot of charges under this law because courts have long recognized that you can’t take those words literally, or businesses would have to report almost anything that looks like a crime.”
Ransomware response just got more complicated
In another example, the US Department of the Treasury on October 1 released an advisory saying that paying a ransom may violate Office of Foreign Assets Control (OFAC) sanctions against designated ransomware operators. This advisory is supported and enforceable through the FBI, which two weeks ago issued a statement to CSO that the FBI would not charge businesses that pay ransomware operators.
These OFAC sanction requirements will be hard to follow because they depend on victim organizations knowing who the ransomware operators are, which they usually don’t. The only sanctioned entities that OFAC names are Lazarus from North Korea, BlueNorOff and AndAriel (believed to be units within Lazarus), and Evil Corp from Russia and its Dridex malware, so payment intermediaries will have to call Treasury’s cyber department, the FBI, DHS or the Secret Service to check whether the ransomware operators are part of a sanctioned group. Time is of the essence when a ransomware demand is made, especially when these payment intermediaries are working on behalf of health services organizations with human lives on the line.