Law360 (March 11, 2021, 10:37 PM EST) -- Data breach responders are coming up for air after an onslaught of security episodes over the past year, as hackers' evolving tactics collided with unprecedented challenges for organizations responding to the COVID-19 pandemic, cybersecurity lawyers tell Law360.
Roughly one year after the pandemic upended life in the U.S., industry attorneys say their teams have never responded to more incidents, as intruders demand ransoms from targets of all sizes in exchange for unlocking frozen networks or returning stolen data.
"In the course of the last year, every client that I work with frequently has had some sort of touchpoint with this," said Amy de La Lama, who heads the data privacy and cybersecurity practice at Bryan Cave Leighton Paisner LLP.
As cybercriminals got more creative — in some cases leaking sensitive data on publicly accessible websites in attempts to shame their victims into paying up — organizations confronted a difficult-to-avoid vulnerability during the pandemic: their own employees.
With workers communicating online at uncharted rates while working from home, hackers continue to take advantage, pretending to be trusted associates while hiding malicious software in phishing messages or trying to intercept wire transfers, cybersecurity experts say.
Facing the economic and personal costs of operating during a worldwide health crisis, many organizations also slowed down the pace of taking preventive steps to avoid cyberattacks, like undergoing risk assessments or compliance reviews, attorneys tell Law360.
"There were a lot of organizations that pushed pause on taking proactive measures because they were in 'reactive' mode," said Phyllis Sumner, who leads the data privacy and cybersecurity practice at King & Spalding LLP.
It's impossible to know how much the pandemic spurred what authorities have called an increase in cybercrime in the past year, given that cybercriminals were already becoming more organized and inventive before the novel coronavirus emerged, experts say.
Confirmed victims of cyberattacks since the onset of the pandemic include several hospitals treating coronavirus patients and pharmaceutical companies and other institutions researching vaccines and treatments for COVID-19, U.S. authorities have said.
A cyberattack on Twitter in July resulted in identical messages about a cryptocurrency scam being posted from the accounts of some of the platform's most high-profile users, including former President Barack Obama. In January, U.S. officials said that threat actors linked to Russian intelligence had breached the networks of government agencies including the U.S. Departments of Commerce, Treasury, Homeland Security and Defense.
Cybercriminals are also causing more damage than ever before and reaping bigger profits, often from victims agreeing to pay ransoms in digital currency. Research from security firm PurpleSec has pegged the global cost of ransomware in 2020 at roughly $20 billion. According to IBM, hackers using a single strain of ransomware known as Sodinokibi brought in more than $123 million alone in ransom payments in 2020.
John Dermody, data security and privacy counsel at O'Melveny & Myers LLP, said that though the increase in remote work during the pandemic hasn't made cybersecurity matters easier, a "more significant factor" in the spike of incidents "has been the evolution of ransomware actors and the maturation of illicit markets to support that activity."
Ransomware crews are also asking for higher payments in cryptocurrency than ever before, cybersecurity experts say. Meanwhile, a new complication for victims emerged in October, when organizations were warned that paying attackers on the U.S. sanctions list could lead to legal punishments from the U.S. Department of the Treasury.
"Gone are the average mid-five-figure demands of 2019. Threat actors are increasingly opening with seven-figure demands," said Jena Valdetero, co-chair of the U.S. data privacy and cybersecurity practice at Greenberg Traurig LLP.
Companies continue to face an impossible choice of "whether to pay a significant demand to a criminal organization or risk major business disruption and potential leaks of confidential information," Valdetero added.
But amid a grueling year for cybersecurity incident responders, several attorneys described one silver lining: a chance for law firms to sharpen the communication of their breach response teams, many of which had already been collaborating remotely from sites across the globe even before the pandemic hit.
"We have been able to work with clients across the country and internationally, and the flexibility to hop on a teleconference at any hour of the day has allowed us to quickly meet those needs," O'Melveny's Dermody said. "Even if we happen to be wearing slippers while doing so."
Sumner, of King & Spalding, said that many of the firm's clients are now preparing for data security incidents like they were doing before the pandemic, training employees about cybersecurity risks and rehearsing how they would respond to data security incidents in practices that may help limit the damage of potential episodes.
"I'm not optimistic that we will see a dip in threat actor activity in 2021, but I do see organizations working again to mitigate the risk of cyber incidents and to develop more mature incident response plans," Sumner said.
--Editing by Nicole Bleier and Daniel King.
For a reprint of this article, please contact firstname.lastname@example.org.