State Farm got the Internet’s attention this year with a deepfake advertisement of ESPN SportsCenter anchor Kenny Mayne. To many, this was an introduction to a new and accessible technology that creates convincingly realistic fake videos.

Nearly anyone with Internet access can create a realistic video clip of events that never happened. Deepfakes are videos that use artificial intelligence to “face-swap” one person’s face (often a celebrity or politician) onto another person’s body. Deepfakes are created by a pair of neural networks trained together as a Generative Adversarial Network. One network (the generator) uses a set of real images to produce new, fake images. The opposing network (the discriminator) then attempts to tell whether a given image is real or forged. This adversarial back-and-forth continues until the first network produces images that the second network can no longer distinguish from real ones.

At worst, deepfakes can threaten consumers’ ability to rely on information they see online – even more than “fake news.” At best, deepfake technology can be used to create more affordable and accessible content. Your business should be aware of the prevalence of deepfake technology to both guard against its dangers and become aware of its ability to generate helpful content.

Deepfakes Threaten Private Sector Businesses

Deepfakes pose unique risks to private sector businesses and rapidly evolving deepfake technology might allow for attacks on companies by unprecedented means.

ShuftiPro, an identity verification software company, warns that deepfakes are used to tarnish business reputations by staging fake events or spreading fake news about businesses or individuals. Bad actors can also use them to impersonate executive officers of companies – even on a Zoom call – and give misleading or detrimental instructions to a company. Deepfakes circulated on social media can threaten publicly traded companies by creating fake news of takeover bids, scandals, or breakthroughs in an attempt to manipulate stock prices.

Social media also makes it possible for a single deepfake video to alter public perception of a brand or business, even if it later comes out that the video was fraudulent. This inflicts lasting damage on businesses and individuals, regardless of whether the victimized party can later prove its innocence.

Companies are also responsible for navigating ambiguities and unpredictability in the law surrounding deepfakes. Deepfakes have garnered the attention of legislatures across the country. In 2019, the U.S. Senate passed the “Deepfake Report Act.” The bill remains pending in the House.

Many states, including California, Texas, and Virginia, have already enacted laws regulating deepfakes through criminal and civil causes of action. This area of the law will quickly evolve in the coming years, affecting issues ranging from privacy torts, the First Amendment, and intellectual property.

The Upside — Benefits of Deepfakes

While troubling in many ways, deepfakes also present many positive educational, entertainment, and marketing opportunities.

In education, deepfakes can make lesson plans come to life. For instance, Scottish company CereProc used deepfake voice-cloning technology to assemble “lost” audio of the speech President John F. Kennedy intended to give in Dallas the day of his assassination. The Illinois Holocaust Museum and Education Center used deepfakes to showcase interviews with 15 Holocaust survivors and allow visitors to ask questions of the survivors. Last year, the Dalí Museum in St. Petersburg, Florida, displayed a deepfake of the artist explaining his artwork and taking selfies with museum visitors. Businesses can similarly enliven training and educational materials.

Likewise, deepfakes revolutionize entertainment and advertising. Production companies can forgo re-shoots by using deepfakes to correct filming errors and adjust scripts. What’s more, deepfakes can expand the global reach of content by seamlessly dubbing scripts into other languages.

Deepfakes also present other amusing advertising opportunities. As mentioned above, viewers lauded State Farm’s TV commercial that used deepfakes to feature an ESPN analyst from 1998 accurately predicting events in 2020. This type of creative use can create marketing opportunities that leave a lasting impression.

So, while businesses should beware of the downsides of deepfakes, they should also consider how this can be an effective tool to cut costs, expand markets, and energize advertising and education.

Next Steps — Creative Solutions for Using Deepfakes

In the future, deepfakes may be the source of many headaches and successes for businesses. The first step in familiarizing yourself with this new technology is to protect your business and employees.

Start by training employees to recognize the difference between real and fabricated content. Employees should be able to tell real videos from deepfakes before sharing them on company pages and social media. Continually monitor your business’s online presence. To prevent the spread of false information, search for videos related to your company and employees. Finally, stay on top of the latest technology for detecting and avoiding fraud.

While deepfakes can present an obvious threat to your business’s reputation and finances, they can also serve as a creative marketing solution. Consider reaching out to your marketing team to see if they can translate videos into multiple languages to make them more accessible to a wider audience. Alternatively, you might consider using deepfakes to create new ads out of pre-recorded clips. An appropriate application of the technology can save your business time and money. Businesses may also consider using deepfakes to animate corporate training videos and programs.

Whether you are concerned about the potential risks of deepfakes or are interested in using deepfake technology as a business tool, Taft’s Technology team would be happy to help you navigate this new legal landscape.

This blog post was written by Taft summer associates. 

As SAP and some other vendors are forcing users of ERP software systems into vendors’ proprietary clouds, a significant percentage of the world’s Chief Information Officers are concerned about the security of the data being stored there.

This is one of the main takeaways from a KPMG and Oracle survey released during the midst of COVID-19. Due to the timing, many executives may have missed this news as they focused on the security and safety of their families.

ERP security is not the only concern for technology heads – this applies to all information stored in the cloud. However, for many public and private sector businesses, ERP contains a huge amount of information, concentrated in one place and covering many functions in the company. The global study also found that CIOs are concerned about how their organizations are taking a mixed, often confusing approach to data security.

(We highlighted some of the growing issues surrounding ERP migration to the cloud in an earlier blog post from Sept. 2019.)

Multiple Security Systems

The hodge-podge approach to security in ERP software systems is just one thing keeping technology chiefs awake at night.

  • Some 78% of respondents said they used more than 50 discrete cybersecurity products to protect their data and nearly four in 10 use a whopping 100 or more, making them concerned about how they do – or do not – work together.
  • Organizations that uncovered misconfigured cloud services experienced 10 or more data loss incidents in the previous 12 months.
  • A mere 8% of those surveyed fully understand the shared security responsibility for data stored in the cloud, unsure about what is their obligation to protect and what the cloud provider oversees.

Many organizations responded to the stay-at-home orders that suddenly had everybody working remotely by accelerating the move of both workloads and data to the cloud. In doing so, they exposed existing vulnerabilities and created new ones in the protocols governing company systems.

Despite this, 92% of respondents do not believe their organization is well-prepared to secure data in public cloud services. Eighty percent take some comfort in reporting that news of data breaches at other businesses increases their organization’s focus on securing the data in ERP software systems and other technology. Nearly nine out of 10 people believe that artificial intelligence and machine learning will help improve data security in the cloud.

Tightening ERP and Cloud Data Security

Many heads of technology worry that the corner office turns its attention to data security only after there is a problem. It seems to take security breaches and data leaks, usually reported in the media, to attract the attention of the C-suite, even though it is a management issue that needs to be discussed and reviewed on an ongoing basis at the board level.

As a result, some 69% of CIOs responding to the survey complain that CEOs and Chief Information Security Officers – if the organizations have one – get involved in public cloud projects only after a cybersecurity incident.

Address the issues and concerns uncovered in the study in the contract for cloud services, whether it involves migrating ERP or some other data-rich piece of technology. We have spent our career focusing on all aspects of ERP software system contracts and protecting the security of the treasure trove of data they hold.

As one example, a well-crafted cloud contract will specify the responsibilities of the user and the cloud provider. Not only does this eliminate the confusion many CIOs expressed in the survey, if there is a data incident, each side will know who to hold accountable for the problem.

If you want to discuss your situation, whether you are an executive of a private business or a senior technology manager in a public sector organization, feel free to contact Taft. We will be happy to share our knowledge and insights regarding negotiation of a cloud contract.

As is happening with almost everything in business, COVID-19 is having an impact on ERP software systems and digital transformation projects – particularly with respect to interruptions or delays in software implementation projects. Some companies are postponing their implementation or drastically reducing the scope of their implementations.

While halting or postponing an implementation project in the face of COVID-19 may make sense, there is a risk of losing the institutional knowledge accumulated by the integration team working on the project.

Consultants that understood your business requirements may not be available at a future date. There will also be additional costs associated with getting new consultants on board who have an understanding of where the implementation project has been, where it is going, and how the project addresses unique business requirements.

We went through the options facing users when we spoke at the virtual 2020 Digital Stratosphere conference in late April. We also explored how current contracts can be renegotiated and what should be included in new contracts.

Creating Workarounds in a COVID-19 World

For implementation projects in progress, instead of stopping them altogether, a better option may be to narrow the scope to essential modules or pieces of functionality. If you are moving forward with your implementation, whether with a reduced scope or not, you need to ensure you have reasonable workarounds in place to account for the project disruption associated with stay-at-home orders, social distancing, and consultants working remotely.

Diligently managing the scope and the cost of the implementation is more important than ever. It is imperative you focus on project governance. You need to ensure you receive project status updates on a regular basis, and that the updates you receive provide meaningful information that allows you to make informed decisions about the project.

Similarly, you need to focus on change orders to counteract the likelihood of scope creep and budget expansion. You may also be able to use change orders to “back-door” amendments to the implementation contract.

Protecting Remote Integration

Data security and maintaining confidentiality of information in an ERP software system has always been critical, but is now even more so with consultants working remotely.

Long before COVID-19 created worldwide problems, the ERP software system contracts we negotiated for clients always included clauses that detailed specific responsibilities for the vendor, the integrator, and the user. Now, with many people using their personal computers, the chances of a breach, whether by accident or due to a hack, have multiplied ten-fold.

With consultants working remotely, having a structure in place for coordinating a project is essential. Users need to incorporate proper nondisclosure provisions into their contracts, which take into account the increased data security risk. Important data could be compromised. It is critical to account for the consultants who have possession of your information, as well as the security protocols you have in place to protect your information.

Right now, users have more leverage over vendors and integrators than they realize. This is important with new contracts and existing agreements, whether those contracts are on-premise or cloud contracts. Renegotiating onerous provisions or provisions that no longer make sense in the current environment is critical to success.

Take a practical approach and begin with the premise that vendors are your partners. However, don’t talk with the sales team who sold the project. Have the conversation with a senior decision-maker who is empowered to say yes and can fully appreciate the value of maintaining a long-term customer relationship.

It may also be possible to arrange for discounts and fee adjustments for either cloud services or the ERP software system.

Create a Long-Term, Flexible IT Strategy 

Now is a good time to evaluate your critical IT initiatives and prioritize those that are strategically important to your business. Digital transformations are often complicated undertakings with many moving parts. If you have questions or concerns, feel free to contact Taft. We are happy to share our experience, and can also refer you to highly reputable consultants.

Enacted in 2008, the Illinois Biometric Information Privacy Act (BIPA) continues to be the most consumer-friendly biometric privacy law in the country. In the wake of the Illinois Supreme Court’s seminal 2019 decision in Rosenbach v. Six Flags, plaintiffs have filed hundreds of class action lawsuits against businesses and employers in a broad range of industries, including manufacturing, logistics, retail, hospitality, food and beverage, health and technology. These lawsuits have been filed because of a perception that BIPA, as interpreted by the Illinois Supreme Court in Rosenbach, creates significant liability where biometric information has been collected from an employee or consumer without first providing notification and obtaining consent, even if no actual damages have been suffered.

In the spring of 2020, however, there have been a handful of court decisions that have bucked the previously plaintiff-friendly BIPA trends and perceptions.

To read the full Taft law bulletin on this topic, click here.

In an interview with TechTarget, Chicago Taft partners Marcus Harris and Daniel Saeedi explored the impacts that the pandemic will have on ERP implementations and what customers can do to alleviate risk and protect their ERP investments. In a separate interview, Marcus Harris also provided advice on renegotiating ERP contracts when the scope of ERP implementation projects change due to the COVID-19 crisis.


Taft Chicago partners Marcus Harris and Daniel Saeedi presented several sessions during the Digital Stratosphere Online Edition, April 20-24, 2020. Each day featured different presenters discussing the new realities of ERP, HCM and digital transformation projects in a post-COVID-19 world. Harris and Saeedi spoke jointly on “How to Negotiate (and Renegotiate) ERP Contracts During Crisis;” Saeedi spoke on “Cleanse and Protect: Why Data and Cybersecurity are More Important than Ever” and Harris spoke on “Mitigating Digital Transformation Risk Amidst Disruption and Uncertainty.”

If you are interested in learning more about these topics, please contact Marcus Harris or Daniel Saeedi.

The China Council for the Promotion of International Trade has currently issued at least 4,811 force majeure certificates due to the COVID-19 pandemic. These certificates qualify the coronavirus outbreak as a force majeure event and certify that a party’s partial performance or failure to perform under an agreement may be excused if there is a force majeure clause in the agreement. According to a Xinhua state media report, the total contract value for the agreements associated with the certificates is an alarming 373.7 billion Chinese yuan (equivalent to US$53.79 billion). Unfortunately, for many U.S. businesses impacted by the economic hardships caused by COVID-19, these force majeure certificates will be of little use if their contracts are governed by U.S. law. Companies should understand the impact and application of their existing force majeure clauses to COVID-19.

A typical force majeure clause releases obligations and liability if an extraordinary event occurs. These events are usually limited to events like war, fire, natural disasters, civil disorder, strikes or labor disputes, acts of God or other circumstances beyond a party’s reasonable control. When these unanticipated circumstances arise, the force majeure clause may be invoked to relieve the parties from their contractual obligations or to terminate the contract with no further liability from either party.

Far too often, force majeure clauses are an afterthought during the contract negotiation process. Although seemingly unimportant when the parties are trying to close a deal, these clauses have substantive impacts on the business when unanticipated events occur. As the spread of COVID-19 disrupts global supply chains and results in the imposition of emergency rules and regulations, it becomes imperative for companies to prepare themselves for impending commercial disputes.

As a historical example, the SARS virus outbreak in 2003 resulted in many companies asserting force majeure clauses. Northwest Airlines famously relied on the force majeure clause in its labor contracts to lay off employees without notice, asserting that the SARS virus caused its air traffic to Asia to significantly decline. Not surprisingly, the Aircraft Mechanics Fraternal Association, an independent aviation union, claimed the layoffs were an immoral exploitation of the provision and challenged Northwest Airlines’ legal justification by filing a class-action grievance. The arbitration board held that while a number of the layoffs were justified by force majeure events, a certain subset of mechanics were unjustifiably laid off, and Northwest Airlines was ordered to rehire those mechanics. The takeaway from this is that a force majeure clause may not apply uniformly to different circumstances.

While the SARS virus resulted in many companies revising the force majeure clauses in their contracts to include “global epidemics” as triggering events, the Northwest Airlines example shows that COVID-19 should be carefully analyzed in its specific impact to different industries. In addition, other contract provisions will alter the legal analysis about whether a specific force majeure clause can be invoked. For example, certain jurisdictions may interpret “acts of God” or “epidemic” differently, so the governing law provision will have an effect on whether the force majeure clause may be invoked. Moreover, force majeure clauses are drafted with specific terms that impact their interpretation. For example, a force majeure clause that does not specifically cite “disease” or “epidemics” may nonetheless have an all-inclusive catch-all phrase (such as “any similar event beyond the reasonable control of a party”) that would lead to the COVID-19 pandemic qualifying as a force majeure event.

Just as companies must take a proactive approach to their employees’ health and safety with respect to COVID-19, companies should also take a proactive approach to the other business effects of COVID-19. If a company’s obligations have been affected by COVID-19 in any capacity, the company should consider certain practices in anticipation of any disputes and to prepare for the possible invocation of a force majeure clause, including, but not limited to the following:

  • keeping detailed records of COVID-19’s impact on its business functions and on any inability to perform the company’s contractual duties;
  • documenting COVID-19’s impact on the company’s supply chains, such as its vendor’s inability to secure raw materials, parts, components, or disruption to the capabilities of the vendor’s suppliers or independent distributors;
  • continuously evaluating the current events of COVID-19 and how the incident is affecting governments and the company’s industry. The situation is changing day-by-day, and keeping abreast of the current events will allow the company to quickly reassess its obligations and liabilities;
  • reviewing both existing customer agreements and vendor agreements, to analyze the legal obligations and liabilities of all parties under the agreements. Force majeure clauses are each drafted differently and should be interpreted by legal counsel. Companies should also keep in mind the notice provisions within their agreements, so that they do not inadvertently run afoul of their obligations to notify the other party; and
  • reviewing insurance coverages and whether the company’s current insurance covers business interruption related to COVID-19.

As companies work together to create business solutions to the impact that COVID-19 has had on all industries, not all businesses will come out unscathed. Although these are uncertain and challenging times, Taft understands the importance of business continuity and is resolved to maintain our high standard of responsiveness and excellence for our clients. Taft’s team of attorneys is ready to advise clients on all aspects of legal issues, obligations, and liabilities associated with COVID-19.

These are thoroughly disturbing statistics that should make every ERP user shudder:

A survey of more than 400 IT professionals conducted by Onapsis Research Labs found that 64 percent of ERP software systems suffered a data breach in the past two years. Onapsis reported that 90 percent of SAP’s ERP software systems remain vulnerable to a nasty virus called 10KBLAZE discovered one year ago. Onapsis also reported that there are serious security weaknesses in Oracle’s ERP payment modules.

It seems that every week news of another data breach involving businesses, hospitals, and other organizations in the healthcare field and even government agencies find its way into the news media. For users of ERP software systems, there is a two-pronged risk they need to confront and address proactively:

  • The loss of valuable proprietary information about their supply chain, production processes, and even trade secrets that could command a high price in the underground market from unsavory competitors and counterfeiters in unfriendly countries.
  • Violating various state data breach and privacy laws including, the California Consumer Privacy Act (CCPA), if personally identifiable information of employees or customers is revealed.

In many respects, a leak of personal customer information would be as damaging as having business processes revealed to competitors. First, there is the time, expense, and opportunity cost of properly responding to a data breach and providing the applicable notices to affected individuals, state regulators, and the media. Then comes the public embarrassment, with a possible loss of trust along with the real possibility of penalties imposed by the state. This is all in addition to a wave of potential lawsuits that could be filed by affected individuals under state law, including the CCPA, which allows for a private right of action.

Protecting ERP from Incidents

An ERP software system is a particularly inviting target for private and state-sponsored criminals as well as run-of-the-mill mischief-makers. For most companies, so many employees need access to the software that accidental or inadvertent data incidents can easily occur.

We wrote recently on the need for all businesses to prepare to defend themselves against CCPA lawsuits or penalties. For users of ERP software systems, beyond the obvious, there are additional steps organizations should implement.

One that often gets overlooked is to promptly install patches and fixes when the vendor releases them. As attorneys who’ve spent our careers working with clients on legal issues connected to data security matters relating to ERP software systems, we are often amazed at how slowly some companies do this (or how rarely they maintain and review log files). Now there is a kind of “double jeopardy” for not installing updates quickly: the software remains vulnerable to a hack or breach, and if a breach does occur, the company also faces possible CCPA penalties.

Establish Cybersecurity Policies

A related necessity is to ensure comprehensive and compliant cybersecurity procedures are established along with a software application maintenance policy. Part of this includes an audit methodology that delves deep into the system so that vulnerabilities can be identified even if the vendor has yet to launch a patch for it.

Keep in mind the law specifies that doing these things proactively can help create a safe harbor in the event of a hack, leak, or data incident, possibly preventing state investigators from knocking on your door.

Another important way of preventing data incidents is to limit the people who have access to identifiable customer data. A contractor who is part of the supply chain may very well need to know how many and when the components they provide must arrive at a manufacturer. They don’t need to be able to see which customers ordered the finished product. From both a current technological and cost perspective, there is little excuse for any company to allow access to identifiable customer data when there is no need for such access.

Finally, keep reinforcing to everyone who has access to data that security is as much their responsibility as it is the responsibility of the IT department. Far more breaches result from employee carelessness inside an organization than are the result of criminal activity. Remember that the CCPA does not distinguish between a deliberate hack and a mistake; the liability for an ERP user is the same.

ERP Contract Precautions

There are other preventative measures related to the CCPA that can be taken even before the contract for a new or upgraded ERP software system is signed.

Perhaps the most important is to ensure that the contract specifies who is responsible for data security and under what circumstances: Users, vendors, or integrators. The template ERP contracts used by vendors and integrators are usually vague about this, so greater specificity needs to be negotiated and written into the document.

Another aspect deals with specifying the roles and responsibilities of third-party contractors from when a contract is signed to when the ERP software system goes live. It is common for an integrator to use outside resources, which means there could be dozens of people unknown to the customer who will have at least temporary access to identifiable data. These entities need to have a contractual obligation to be responsible if their work is the cause of an incident or breach.

By the way, all of these precautions are important steps to take to help comply with not just the CCPA but most data privacy and data breach laws as well, such as New York’s new Shield Law.

We’ve spent our career negotiating and drafting contracts for ERP software systems and handling disputes that arise when there is an issue. If you’re an executive or inside counsel at an organization concerned about possible liability under the CCPA due to an ERP implementation, feel free to contact us. We will be pleased to share our knowledge and experience with you.

The California Consumer Privacy Act (CCPA) was barely a month old when the first private lawsuit was filed under the law. The action against a children’s clothing company and Salesforce Inc., the giant developer of CRM software that hosted the retailer’s customer data, was filed in federal court in early February 2020.

The details of the lawsuit are not as important as the reality that it highlights the need for companies of all sizes and types to do two things. They must ensure they are taking proactive steps to prevent data hacks and leaks and know what will be required to defend themselves against allegations made by consumers and the state.

The state attorney general says his office will not launch enforcement actions against companies until July 1, 2020, as long as they can show they are taking steps to comply with CCPA’s requirements. Yet as the lawsuit underscores, there is nothing stopping individuals from seeking damages as a result of alleged leaks and hacks well before mid-year.

Offense is Defense

In 2018, a 15-year-old, self-taught, ethical hacker named Marcus Weinberger terrified a packed hall at a technology conference by having attendees call out the name of their firm. Using the laptop he takes class notes on and some things he bought with his allowance at the mall, he hacked into every organization’s data in under 15 minutes.

This shows that companies must begin to acknowledge that whatever can get hacked will get hacked, whether deliberately or through data leaked by accident, carelessness, or error.

The first line of defense is to ensure that identifiable or personalized information is thoroughly encrypted. In fact, the CCPA specifies this as a possible safe harbor against fines or a lawsuit. One technology company went so far as to set up its software so that it could be downloaded only onto an encrypted stick it licensed to its users. Non-users could not acquire it.

But there are additional steps that must be taken by businesses to prepare themselves to defend against CCPA complaints.

Another vital move is to prepare and document a plan that will detect and stop a breach, whether from a potential hacker or because an employee made a mistake, and know how to notify people whose data may have been compromised. The CCPA requires prompt notification. Being able to show a court or a state tribunal that this was done and the company had taken proactive steps to limit the damage can be a strong defense.

Limit the number of people who have access to customer data to only those that need the customer data to do their job. For instance, an ERP software system will likely contain an enormous amount of identifiable information about customers. An employee responsible for the supply chain or one who is involved in the production process may not need to have access to data about specific customers. The fewer people who can accidentally or deliberately expose this information, the lower the risk of a breach.
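The access restriction described in this paragraph, and in the earlier point about supply-chain contractors who need delivery schedules but not customer identities, can be enforced at the field level rather than by granting or denying access to whole records. The following is an added example, not code from the original post or from any ERP vendor: the role names, the field names, the classification of fields as identifying customer data, and the sample order are all constructed for illustration, and a real deployment would map them onto the ERP's own authorization model and its logging.

```python
"""Least-privilege views of an ERP order record, with an access audit trail.

Added example (not from the original post or any ERP product). Roles,
field names, the PII classification and the sample order are constructed.
"""
from datetime import datetime, timezone

# Constructed sample order. In a real ERP the record would be read from the
# sales-order table; it is embedded here so the example runs offline.
SAMPLE_ORDER = {
    "order_id": "SO-000123",
    "sku": "PUMP-240V",
    "quantity": 120,
    "required_by": "2020-06-15",
    "customer_name": "Example Customer Inc.",
    "customer_email": "buyer@example.invalid",
    "ship_to_address": "1 Example Way, Springfield",
}

# Fields classified as identifying customer data (constructed). Access
# decisions key off this classification, so a newly added PII column is
# tagged once here instead of being edited into every role definition.
PII_FIELDS = frozenset({"customer_name", "customer_email", "ship_to_address"})

# Fields each role needs for its job (constructed). A supply-chain contractor
# or production planner gets the what / how many / when of the order and
# nothing that identifies the customer; customer service needs the full record.
OPERATIONAL_FIELDS = frozenset({"order_id", "sku", "quantity", "required_by"})
ROLE_ALLOWED_FIELDS = {
    "supply_chain_contractor": OPERATIONAL_FIELDS,
    "production_planner": OPERATIONAL_FIELDS,
    "customer_service": OPERATIONAL_FIELDS | PII_FIELDS,
}

# In-memory audit trail (constructed). A real system would write these entries
# to an append-only log that is retained and reviewed.
AUDIT_LOG = []


def view_order(order, role, user, now=None):
    """Return the subset of `order` that `role` may see, and record the access.

    Unknown roles are rejected outright (deny by default). Every access is
    logged with the PII fields it exposed, so that who-saw-what can be
    reconstructed during a breach investigation or a notification exercise.
    """
    if role not in ROLE_ALLOWED_FIELDS:
        raise PermissionError(f"unknown role: {role!r}")
    allowed = ROLE_ALLOWED_FIELDS[role]
    visible = {name: value for name, value in order.items() if name in allowed}
    pii_exposed = sorted(PII_FIELDS.intersection(visible))
    AUDIT_LOG.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "role": role,
        "order_id": order.get("order_id"),
        "pii_fields": pii_exposed,
    })
    return visible


def pii_access_events(log=None):
    """Filter the audit trail down to accesses that actually exposed PII."""
    entries = AUDIT_LOG if log is None else log
    return [entry for entry in entries if entry["pii_fields"]]


if __name__ == "__main__":
    contractor_view = view_order(SAMPLE_ORDER, "supply_chain_contractor", "vendor-42")
    cs_view = view_order(SAMPLE_ORDER, "customer_service", "agent-7")
    print("contractor sees:", sorted(contractor_view))
    print("customer service sees:", sorted(cs_view))
    print("accesses that exposed PII:", len(pii_access_events()))
```

The design choice worth noting is that the decision is driven by a data classification (`PII_FIELDS`) plus a per-role need-to-know list, and that the audit entry records which identifying fields were actually returned. That second part is what lets a company show, after an incident, exactly which users and roles could have seen a given customer's data.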

If employees use their own devices for work – perhaps because they travel for their job – check these devices regularly for any malware or viruses. When Barack Obama was elected president, he did not want to give up his beloved BlackBerry. So, the NSA spent a week making sure it was clean and installing safeguards to prevent it from being hacked in the future. Businesses need to do something similar with the phones, tablets, and laptops carried around by people who use them to remotely access customer data. It may not need to be as stringent as the protection of a president’s communications and data, but it must be sufficient to safeguard a company’s customer information.

Likewise, every company needs to remind all employees at every level in the organization that data security is their job and not merely the responsibility of somebody in IT.
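The access-limitation and breach-detection steps above can be expressed in code. The following is an added example (not code from the original post or from any product it mentions) that models a customer data store in which each role sees only the fields it needs, unknown roles are refused, and every read is recorded so that, if an account is later found to be compromised, the company can list exactly which customers’ identifying data that account retrieved. The role names, field names and sample records are constructed for illustration.

```python
"""Least-privilege access to customer records with an audit trail.

Added example, not code from the original post. Role names, field names and
the sample records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Fields that identify a specific customer (personal information in the CCPA sense).
PII_FIELDS = {"name", "email", "phone", "address"}

# Role -> fields the role is allowed to read. Constructed for the example:
# support staff need identifiers, supply chain and production do not.
ROLE_FIELDS: Dict[str, set] = {
    "customer_support": {"customer_id", "name", "email", "phone", "address", "orders"},
    "supply_chain": {"customer_id", "orders", "region"},
    "production": {"orders"},
}


@dataclass
class AccessLogEntry:
    when: str
    user: str
    role: str
    customer_id: str
    fields_returned: List[str]
    denied: List[str]


@dataclass
class CustomerStore:
    records: Dict[str, dict]
    log: List[AccessLogEntry] = field(default_factory=list)

    def read(self, user: str, role: str, customer_id: str) -> dict:
        """Return the customer record filtered to what `role` may see.

        Unknown roles are refused (fail closed). Fields outside the role's
        allow-list are dropped, not masked, so an exported view never carries
        identifiers the role was not granted. Every read is logged.
        """
        if role not in ROLE_FIELDS:
            raise PermissionError(f"unknown role: {role}")
        record = self.records[customer_id]
        allowed = ROLE_FIELDS[role]
        view = {k: v for k, v in record.items() if k in allowed}
        denied = sorted(set(record) - allowed)
        self.log.append(AccessLogEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, customer_id=customer_id,
            fields_returned=sorted(view), denied=denied))
        return view

    def pii_exposed_by(self, user: str) -> List[str]:
        """Customer ids whose identifying fields `user` actually retrieved.

        This is the list a breach-notification process needs once a given
        account is known to be compromised.
        """
        return sorted({e.customer_id for e in self.log
                       if e.user == user and PII_FIELDS & set(e.fields_returned)})


# Constructed sample data (not real customers).
SAMPLE_RECORDS = {
    "C-1001": {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@example.com",
               "phone": "555-0100", "address": "1 Example St", "region": "west",
               "orders": ["O-1", "O-2"]},
    "C-1002": {"customer_id": "C-1002", "name": "Bob Sample", "email": "bob@example.com",
               "phone": "555-0101", "address": "2 Sample Ave", "region": "east",
               "orders": ["O-3"]},
}


def demo() -> dict:
    """Run two roles against the store and report what each saw and what was logged."""
    store = CustomerStore(records=dict(SAMPLE_RECORDS))
    support_view = store.read("alice", "customer_support", "C-1001")
    supply_view = store.read("bob", "supply_chain", "C-1001")
    store.read("bob", "supply_chain", "C-1002")
    return {
        "support_view": support_view,
        "supply_view": supply_view,
        "alice_pii": store.pii_exposed_by("alice"),  # ["C-1001"]
        "bob_pii": store.pii_exposed_by("bob"),      # []
        "log_entries": len(store.log),               # 3
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The supply-chain user sees order and region data but no name, e-mail, phone or address, so a compromise of that account exposes no customer identifiers; the audit log is what lets the company answer the CCPA notification question of whose data was touched rather than having to assume every record was.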

CCPA Can Be Costly

The CCPA creates statutory damages for any business that collects and stores a customer’s personal data. The penalties range from $100 to $750 per customer, per incident or the actual damages – whichever is greater. The law states the breach itself is a damage.

A breach involving 10,000 individuals or households could result in a fine of $7.5 million and unleash a torrent of individual and class action lawsuits around minor and major breaches because the plaintiffs do not have to prove actual damages.

In fact, the law instructs judges to consider the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities and net worth.

For a large corporation, the award could be in the hundreds of millions of dollars and a smaller, privately owned business might be forced into bankruptcy.

As data security and privacy lawyers, we have helped companies establish internal procedures, policies and rules around protecting the data they hold. If you are a general counsel or executive and want to ask questions about what programs your organization can implement to head off CCPA sanctions from the state or lawsuits, please call or email us. We’ll be happy to share what we know about the law and what other companies are doing.

According to the FBI, billions of dollars are lost every year repairing computer systems and networks hit by cyberattacks like ransomware. The 2019 Internet Crime Report notes that in 2019 alone, the FBI’s Internet Crime Complaint Center received 467,361 complaints of cybercrime with reported losses exceeding $3.5 billion. While the number of ransomware attacks has declined sharply, the amounts demanded in such attacks have increased. For example, BleepingComputer recently reported seeing ransom notes for the Ragnar Locker ransomware, which targets software commonly used by managed service providers, with demands ranging from $200,000 to about $600,000.

Some insurers selling cyber insurance offer to pay a ransom demand, which theoretically should allow the policyholder to get their data back. But what happens if you don’t have cyber insurance or the funds to pay the ransom? What if you pay the ransom and the criminals renege? If your computers and network are slowed but otherwise operable, will your traditional business owners’ insurance policy pay to replace the damaged computers and network?

Contrary to popular belief, paying a criminal’s ransom demand does not guarantee that you will regain access to your computers and data. The FBI does not advocate paying a ransom because in some cases, victims who paid a ransom were never provided with decryption keys to unlock their computers and data. Indeed, in a recent federal court case in Maryland, an embroidery company that was the victim of a ransomware demand paid the ransom and the criminal reneged. The company then had to hire a security firm to replace and reinstall the company’s software and install protective software on its computer system, but some software was lost forever. In the end, the computer system lost efficiency because the protective software slowed the system, and the company’s computer expert testified that there were likely dormant remnants of the computer virus on the system that could re-infect the entire system.

The State Auto business owners’ insurance policy appeared to cover the damage. But because the computer system was still operable, State Auto denied the claim. The case turned on the policy language that the insurer would pay for “direct physical loss of or damage to Covered Property,” where the term “Covered Property” included software and data stored on the computer. The court, citing other cases, held that “physical damage” was not restricted to the physical destruction of the computer, but included loss of access, loss of use, and loss of functionality. The court also rejected the insurer’s argument that the policy required an utter inability to function. Instead, the court reasoned:

The more persuasive cases are those suggesting that loss of use, loss of reliability, or impaired function demonstrate the required damage to a computer system, consistent with the “physical loss or damage to” policy language. Here, not only did Plaintiff sustain a loss of its data and software, but Plaintiff is left with a slower system, which appears to be harboring a dormant virus, and is unable to access a significant portion of software and stored data.

In the end, the court granted summary judgment for the embroidery company allowing it to recover more than $300,000 to replace its computer server, software, and data. The case is National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, No. SAG-18-2138 (D. Md. Jan. 23, 2020).

A list of the FBI’s cyber defense best practices can be found here.