FTC Warns Companies on Ransomware Attacks

    Sep 13, 2016

    A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the Federal Trade Commission (FTC) Act, warned FTC Chairwoman Edith Ramirez at a ransomware workshop hosted by the agency on September 7. The workshop included presentations and panel discussions on how ransomware extortionists gain access to consumer and business computers, what steps consumers and businesses should take to reduce the risk or decrease its impact, and what technological measures can be implemented to prevent ransomware.

    The event featured law enforcement officials, security experts, and academics who discussed how ransomware has evolved to date and whether businesses should pay the ransom if they are victimized. According to a Justice Department guidance document for federal agencies, ransomware is a form of malware that targets critical data and systems for the purpose of extortion. On average, the document notes, more than 4,000 ransomware attacks have occurred daily since January 1, and “there are very effective prevention and response actions that can significantly mitigate the risk posed to your organization.”

    In her opening remarks, Ramirez said the FTC is developing guidance that will help companies better protect themselves against ransomware. She said the agency will not be shy in going after companies whose lax data security efforts constitute unfair and deceptive practices that harm consumers.

    “One component of reasonable security is that companies have procedures in place to address vulnerabilities as they arise, including malicious software,” she said.

    Ramirez cited recent FTC enforcement cases against device manufacturer ASUS, which the FTC alleged had allowed attackers to exploit vulnerabilities in the company’s routers, and against Wyndham Worldwide, which the FTC alleged had allowed hackers to exploit the company’s lax network security and steal sensitive customer information.

    “As these cases illustrate,” she said, “businesses play a critical role in ensuring that they adequately protect consumers’ information, particularly as security threats like ransomware escalate.”

    In April, the FBI issued a ransomware prevention and response guide for CEOs. The guide said senior management should:

    • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
    • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
    • Limit administrative access to privileged accounts.
    • Configure access controls to files and directories.
    • Disable macro scripts from Office files transmitted over e-mail.
    • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations.

    The Washington Policy Brief is an online advisory that contains brief summaries of recent legislative and regulatory issues that may affect the records and information management profession.

    © 2017, ARMA International