Tampa lawyers carve out a niche as data hostage negotiators
They may carry briefcases instead of bullhorns, and prefer business attire to bullet-proof vests.
But two Tampa attorneys can claim an unofficial job description that sets them apart from most of their colleagues in the Bar — data hostage negotiators.
“Primarily, our role is legal ramifications that may be present as a result of a ransomware attack,” said Robert Shimberg, a 21-year veteran of Hill Ward Henderson who previously served as a Hillsborough County prosecutor.
“We learn something from every attack, because the hackers are getting more sophisticated,” said Melina Garcia, who focuses on complex commercial litigation and cyber security at the firm.
Cyber criminals can strike at any time. Recovery can be complicated.
A massive ransomware attack paralyzed 11 of 13 municipal departments in Atlanta last year, interrupting electronic bill paying for some 6 million residents and wiping out everything from police body cam videos to electronic court records. Recovery eventually cost taxpayers more than $9 million.
According to a subsequent federal indictment, the Atlanta hackers were Iranians and employed the infamous “SamSam” virus that can guess weak passwords in public-facing systems. A handful of other sites, including Riviera Beach, have fallen victim to similar attacks.
A ransomware attack typically involves a hacker planting a virus through a fraudulent email, known as a “phishing attack,” that tricks the recipient into downloading malware. When the system crashes, criminals demand payment for a digital key that unlocks the files.
Government attacks make headlines, but businesses are frequent targets. Law firms are among the most tempting, warns Vic Duman, vice president of sales for SECNAP Network Security, in his “Demystifying Cybersecurity for Law Firms” CLE webinar available on the Bar’s LegalFuel website. He cites ABA statistics that show 23 percent of law firms reported security breaches last year, up from 15 percent in 2013.
Garcia and Shimberg estimate they are called by business clients to respond to a “major incident” about eight times a year. During a recent one, managers of a “regional” business entity in Southwest Florida were greeted with a personalized ransom note when they turned on their system.
To protect their client’s privacy, Shimberg and Garcia could not name the entity or say how large a payment the hackers demanded.
“It was substantial,” Shimberg said.
Shimberg was traveling when the attack occurred but participated in the response by cell phone. Garcia was on site immediately and quickly brought in the FBI and the Secret Service.
“The Secret Service is great in coordinating and asking the right questions,” Garcia said.
Federal authorities discourage giving in to ransom demands, Shimberg said, but “they are very mindful of the business ramifications of these situations.”
“They also make it very clear that the ultimate decision [belongs to the] businesses,” Shimberg said. “And there are situations where, if the choice is between bad and worse, decrypting on your own may be worse.”
Victims must consider the cost of being offline and, often, hiring outside IT consultants to untangle the mess, Garcia said.
In the recent incident, the business decided to negotiate, Garcia said. She became what she describes as the “middleman.”
That entailed sitting side-by-side with the client at a computer screen to help manage the data hostage negotiations. She said the hackers insisted on communicating directly with the client. They used an untraceable email address that was routed through a public domain based in Switzerland, Garcia said.
Multiple decisions had to be made rapidly, Garcia said. Time is always money for the client, Garcia said, and the hackers are always in a hurry, too.
“They want to get in and get out as quickly as they can, and the longer that they’re communicating with us, they think the more exposure that they have,” Garcia said. “I would say that every minute counts in these situations.”
The hackers demanded payment in Bitcoin, the untraceable digital currency, Garcia said. That posed an additional headache, Garcia said. Bitcoin values fluctuate and the transactions are complex.
Garcia had to make sure the hackers could restore the files, even if they provided the key.
“So, we requested an example, a small data set, and sent a small, encrypted file to the hacker, and requested that they send it back decrypted, so that we even knew that they had the tool to decrypt,” Garcia said.
Garcia said hackers will often agree to accept less ransom in exchange for quicker payment. According to some published accounts, hackers have provided references to previous victims to assure the instant one they will keep their word.
Others offer full-service recovery, Garcia said.
“It’s almost comical,” she said. “Once payment’s been made, they’ve actually offered technical support in applying the key, they offer their assistance in decrypting the files.”
But make no mistake, she said, “at the end of the day, they are criminals.”
And victims shouldn’t be lulled into a false sense of security even if the key works, Shimberg said.
“If somebody does go this route, they have to be very careful because anything they receive from the hacker could have additional malware,” he said. “It has to be forensically scrubbed….”
In the recent incident, Shimberg recounted that the client’s IT system was only partially down for a full day. He said the business used temporary computers at uninfected sites to continue operations, and most importantly, no customer data was compromised.
“All in all, it worked out pretty well,” said Shimberg, although there was a price to pay.
“They had to pay the amount of the ransom, they had to have outside IT professionals come in, and they had to pay employees overtime, they had attorney fees,” he said. “And I’m not sure exactly how you measure the loss of potential business.”
While they aren’t law enforcement agents or IT professionals, Shimberg and Garcia say lawyers play an important role in helping ransomware victims deal with an attack.
Businesses could face lawsuits if customer data falls into the wrong hands. In addition to the federal HIPAA statute, which protects the privacy of medical records, there’s FIPA, the Florida Information Protection Act, which requires businesses to establish protocols for notifying customers if their data has been compromised. Other states, including California, have similar laws.
Businesses are getting better at minimizing the risks of ransomware attacks, Shimberg said. But hackers are finding more direct ways to profit from their crime, including wire transfers.
“We’ve seen a large number of cases where a hacker has infiltrated an email server,” Shimberg said. “And they will assume a person’s identity and change the wire instructions, and some large sum of money will be sent to the wrong place — the hacker.”