eDiscovery Daily Blog

• January 31, 2020

Care to hazard a guess?  Ten?  Twenty?  More?  Try TWO.  Maryland is currently considering a bill to become only the third state after Michigan and Wyoming, to criminalize the possession and distribution of ransomware.

As noted by Bitdefender’s Hot for Security blog (with hat tip to Sharon Nelson’s Ride the Lightning blog), the bill understandably makes exceptions for penetration testing, security researchers, and other legitimate reasons to own ransomware.

Certainly a motivating factor may have occurred when hackers hit Baltimore, Maryland’s largest city, with a RobbinHood ransomware attack on May 7, 2019. All administrative transactions, payments and communications were frozen after city officials refused to pay the attackers. It took them more than eight weeks to restore all systems.  Following the attack, Baltimore City’s board allocated $10 million to an emergency ransomware response to prevent similar attacks. When the dust settled, the city estimated recovery costs at $18 million.

The current law in Maryland specifies that a cyberattack that incurs damages of less than $10,000 is a misdemeanor and carries a punishment of up to five years in prison and a fine up to $10,000. If the damages pass the $10,000 mark, it turns into a felony, and the punishment goes up to 10 years in prison.  The bill would dispense with limits for damages and raises the punishment to up to 10 years, even if it’s a misdemeanor.

This while the Insurance Journal reported (via Reuters – hat tip again to Ride the Lightning) last week that U.S. insurers are ramping up cyber-insurance rates by as much as 25% and trying to curb exposure to vulnerable customers after a surge of costly claims.  While there were 6% fewer ransomware incidents in 2019 versus the prior year (according to Malwarebytes), the average ransom of $41,198 during the 2019 third quarter more than tripled from the first quarter, according to Coveware, which helps negotiate and facilitate the payments.

By the way, if you remember our post from a couple of weeks ago regarding Apple and Attorney General William Barr’s claim that they weren’t helping to crack into password-protected iPhones used by Pensacola Navy base shooter Mohammed Saeed Alshamrani (Apple, for their part, disputed Barr’s assessment that it failed to provide “substantive assistance”), Naked Security reported that Apple, under pressure from the FBI, backed off plans to let iPhones users have end-to-end encryption on their iCloud backups.  Where did I find that out?  You guessed it – Ride the Lightning (via Sharon’s post here).  It’s the RTL trifecta!  :o)

Just a reminder, CloudNine will be once again exhibiting next week at Legaltech, at booth 3000 in America’s Hall 2.  And, we’re once again excited to be co-sponsoring the annual #DrinkswithDougandMary cocktail reception with Mary Mack, Kaylee Walstad and the rest of the EDRM team!  This is our fourth year and we’re grateful to Marc Zamsky and Compliance Discovery for co-sponsoring as well.  It will once again be at Ruth’s Chris Steak house and will happen Wednesday, February 5 from 4-6pm.  You can register to attend here.  And, as I told you on Wednesday, we will be conducting another NineForum education series of TED-talk discussions from our booth, so please check that out as well!

So, what do you think?  Are you surprised that there are only TWO states that criminalize ransomware?  Seriously, TWO?!?  Please share any comments you might have or if you’d like to know more about a particular topic.

Ransom Image Copyright © Touchstone Pictures

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.