Avoiding Ransomware Attacks is Not a Pipe Dream: Actionable Steps to Avoid Becoming the Next Victim

May 14, 2021

By: Drew Sorrell, Michael Piccolo, Ferran Arimon & Brian Lawrence

Recently, the largest gasoline pipeline in the United States fell victim to a ransomware attack that caused the pipeline to go offline for several days. In addition to causing gas shortages across the Southeastern United States, it is now being reported that the Colonial Pipeline Company acquiesced to its virtual captors and paid $5 million to the hackers to stop the ransomware attack and bring the pipeline back online.   

Ransomware attacks are becoming more prevalent as hackers become more sophisticated and targets continue to ignore or downplay the threat. The following are some action items that you can take today to help avoid being the next unwitting victim of a ransomware attack:    

  1. Buy cyber-insurance. Invest in a policy that covers ransomware, wire-fraud spoofing, and anything else your company and insurance broker think might be applicable.

  2. Understand what your IT provider is actually providing you. If you outsource all or part of your IT, ask the provider to specify how the contract addresses what happens if you are breached, who is responsible for restoring the systems, notifying affected customers and employees, responding to regulators and regulatory action, defending lawsuits, who pays, what their cyber-insurance policy states, and whether you are covered (and have it written down).

  3. Understand what your internal IT provides you. If you handle your own IT internally, then ask IT to show you:

    • The company’s written data inventory. Maintain documentation of what data the company has, where it is kept, and how old it is. If you don’t know what you have, you cannot protect it or respond in an informed way if it is stolen (or lost).

    • The company’s “WISP” or written information security plan. Review the plan to ensure that it covers all of the data on the inventory you just reviewed. Update it periodically, either when a material change occurs or at least yearly.

    • The company’s data breach response plan. Know who is doing what, how they are doing it, who to call, and how all of it will work. Role-play different scenarios via a tabletop exercise to make sure you have thought through the problems.

    • The company’s data retention plan. Determine what data you need to keep and for how long. A previous client that you haven’t worked with in many years is going to be upset if you notify them that their data was stolen and is being ransomed. Old data that you are not using is only a liability, not an asset—don’t be a data hoarder.

    • The training plan. Create a plan for educating your employees about your data security, including what they need to be aware of, as well as what to do when there is or isn’t a problem (i.e., proactive security and routine security practices).  

  4. Review your patch log. Regardless of internal or external IT management, ask to see your company’s patch log. Confirm that it is up to date, and if it is not, be sure to put in writing a reasonable explanation and a plan for remediation with a due date. Items that are left unpatched for a valid reason should then be covered by a “compensating control,” i.e., something that compensates security-wise for the missing patch. Failing to patch is a consistent theme in data breaches.

Finally, confer with your privacy or cybersecurity attorney (or if you don’t have one, think about retaining one) to ensure that you are prepared for any type of cyberattack and that you have taken the necessary precautions to prevent the cyberattack in the first place. Privacy or cybersecurity attorneys are uniquely skilled to spot critical issues, which may save you in the event of a breach. 


This article is informational only. You should consult an attorney before acting or failing to act. The law may change rapidly and no warranty is given. LOWNDES DISCLAIMS ALL IMPLIED WARRANTIES AND WITHOUT LIMITATION, ANY WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. ALL ARTICLES ARE PROVIDED AS IS AND WITH ALL FAULTS. Consult a Lowndes attorney if you wish to establish an attorney/client relationship.
Drew

Drew Sorrell is a seasoned business lawyer with particular expertise in technology, cybersecurity and privacy issues. With an MBA in marketing and finance, he approaches clients’ legal issues with both a practical business bent and a self-described geeky love of technology.

Drew enjoys working with CLOs, CIOs, CTOs and technology owners at businesses of all sizes in every phase of their legal needs. He assists them on the front end, drafting and negotiating software licenses, Internet service provider agreements, data privacy/breach policies and procedures, and employment/services agreements as well as the indemnity and insurance coverage related to those agreements. He advises clients on the GDPR and state-specific regulations, penetration testing and security audits. He also has years of experience handling matters when things go wrong, including data breaches, privacy issues and other technology or software problems.

A founding member of the Sedona Conference Group 11 (Privacy/Data Security), Drew is frequently asked to speak and write on legal and ethical issues arising from technology, including unfair and deceptive trade practices, data breach, privacy, data governance, and technology contract drafting. He is chair of the firm’s multi-disciplinary Data Governance Group as well as the past chair of the Orange County Bar Association’s Intellectual Property, Business Law and Technology Committees.

Outside the technology arena, Drew has substantial expertise in both contracts and commercial litigation. In addition, he has experience assisting clients with government contracting. Drew began his legal career as a judicial clerk to Senior United States District Judge John H. Moore II, in Jacksonville, Florida, and then practiced with an AmLaw top 10 firm in Manhattan. After a stint as an assistant county attorney responsible for day-to-day legal advice and litigating civil issues for the county, Drew returned to Lowndes. Drew is admitted to practice in Florida, New York and the District of Columbia.

Born in Florida, Drew roots for his adopted football team—the FSU Seminoles (because neither Rollins nor George Washington has a football team). He is a proud father of two sons who play basketball and soccer, make great grades and generally keep him on his toes.

Michael

Michael Piccolo focuses his legal practice on complex litigation, civil litigation, commercial litigation, business litigation, intellectual property litigation, significant divorce cases, and probate and trust litigation.

Ferran

Ferran Arimon is an attorney in the firm’s Commercial Real Estate Group. He focuses his practice on commercial real estate transactions, including the acquisition, disposition, financing, development and leasing of various property types, as well as construction financings and re-financings. His practice also includes corporate and securities law.

Ferran regularly advises buyers, sellers, developers, landlords and tenants in real estate transactions related to multifamily developments, industrial properties, office buildings, shopping centers, restaurants, hotels, retirement communities and vacant land. He also assists clients with leasing contracts, title review and survey analysis, contract negotiation for purchase and sale, due diligence, negotiation of transfer documents and finalizing of transaction closings.

Additionally, Ferran has experience in corporate and securities law, mergers and acquisitions, and tax law. He has worked with clients to structure financing transactions in compliance with federal and state securities laws, having represented both public and private companies in mergers, acquisitions, capital raising, and corporate governance matters. He has also counseled clients on a broad range of tax issues and business planning issues from entity selection and formation to dissolutions.

Prior to law school, Ferran was an analyst at a real estate investment management company in Miami. His role centered around underwriting, valuing, and identifying acquisition opportunities for distressed or value-add commercial and residential real estate acquired through joint ventures, direct investments and non-performing loan portfolios.

Fluent in Spanish, Ferran regularly writes articles on a variety of emerging legal issues.

Ferran earned his law degree from the University of Florida Levin College of Law and his MBA from the University of Florida Warrington College of Business. Prior to law school, he received his undergraduate degree from Babson College, where he majored in finance and was a member of the men’s tennis team.

Brian

Brian Lawrence concentrates his practice on complex litigation arising from commercial transactions, partnership disputes, trust and probate disputes and intellectual property matters.


Brian regularly advises national and local clients on matters pertaining to restrictive covenants, trademarks, copyrights and trade secrets. He has successfully defended and prosecuted lawsuits on behalf of national and local corporations and limited liability companies, sports teams, athletes and other public figures.


A member of the firm's Data Governance Group, Brian has significant experience evaluating complex security incidents and advising clients of their obligations under federal and state data security and privacy regulations. He has handled cybersecurity incident responses and data privacy matters impacting all 50 states and internationally.

Brian is as committed to serving the Central Florida community as he is to his practice. He is actively involved in Big Brothers Big Sisters of Central Florida, as both a big brother and a member of the executive board. He also serves as a guardian ad litem and provides pro bono services to professional guardianship organizations in Central Florida. Additionally, Brian is on the board of the Young Lawyers Section of the Orange County Bar Association, which supports local charitable endeavors and serves underprivileged youth.
