Over the past several years, we have witnessed a fundamental shift in orchestrated cyber-attacks from hacking credit card data and healthcare information to targeting businesses, their operations and bottom lines.
Companies across the globe were recently hit by the so-called “Petya” ransomware attack, as this blog has previously discussed. In that attack, hackers infected computer systems with malicious software that rapidly spread and encrypted a company’s data, and held it hostage until the victim made a ransom payment. And in May, it was the “WannaCry” global ransomware virus that locked up thousands of computers around the globe and disrupted business operations.
While the full scope of the recent ransomware attacks is impossible to know, given varying degrees of public disclosure from one victimized organization to the next, one aspect of these attacks is apparent and notable: companies now face the risk of data security breaches that may threaten their core business.
Take, for instance, Nuance Communications, Inc., which, to quote its most recent annual report, is “a leading provider of voice recognition and natural language understanding solutions.” Almost half of Nuance’s profits last year were attributable to its healthcare segment, including its eScription product, described by Bloomberg as “a Nuance staple product that allows physicians to dictate notes from a telephone.”
Nuance disclosed on June 27 that certain “portions of its network were affected” by the ransomware attack, and functionality was impaired. A week later, Nuance said that it was still “working tirelessly” to restore normal operations. During this time, a number of doctors switched to transcription products offered by Nuance’s competitors, Bloomberg reported.
On July 21, Nuance disclosed in a press release—which it also submitted to the SEC—that the company expects the malware incident to have a material effect on its financial results. As to how substantial the effect may be, only time will tell. While Nuance has denied that any protected health information in its systems was accessed, a critical question will be whether doctors will be willing to entrust a company whose systems are known to have been breached with their patients’ confidential information.
Another example of business disruption caused by the recent attacks is the one at FedEx’s TNT Express unit, which resulted in FedEx’s disclosure that while it “cannot measure the financial impact of service disruption,” “it could be material.”
Previously, even the most expensive data breaches posed manageable financial burdens on affected firms. The recent ransomware attacks, however, illustrate how malicious attacks may impact a company’s bottom line. In addition to the business ramifications, victimized companies will be presented with numerous legal challenges, including potential litigation (such as class action lawsuits and shareholder derivative actions) as well as questions of disclosure under applicable laws and regulations. Companies are already dealing with these issues, and there will be more to come.
Derek Borchardt (associate) and Craig A. Newman (partner) represent Patterson Belknap Webb & Tyler LLP, a law firm in New York that has a Privacy and Data Security Practice.