NCL letter to Subcommittee on Crime and Terrorism on ransomware – National Consumers League

May 17, 2016

The Honorable Lindsey Graham
Chairman
Subcommittee on Crime and Terrorism
Committee on the Judiciary
United States Senate
224 Dirksen Senate Office Building
Washington, DC 20510

The Honorable Sheldon Whitehouse
Ranking Member
Subcommittee on Crime and Terrorism
Committee on the Judiciary
United States Senate
224 Dirksen Senate Office Building
Washington, DC 20510

RE: Senate Subcommittee on Crime and Terrorism Hearing on “Ransomware: Understanding the Threat and Exploring Solutions”

Dear Senators Graham and Whitehouse:

Ransomware has rapidly developed into a major threat to both consumers and businesses. In the first three months of 2016, cyber criminals have extorted a reported $209 million from businesses, industry and consumers, up from $24 million in all of 2015.[1] If this pace continues, hackers will collect $1 billion from businesses and consumers this year.[2] The rise of ransomware has had a detrimental effect on commerce and consumers as hackers have demanded ransoms and halted operations at schools,[3] government agencies,[4] small businesses,[5] utilities[6] and hospitals in growing numbers across the country.

Ransomware can cost its victims more than just money. In March, MedStar Health, a $5 billion health care provider, suffered a ransomware attack that prevented the hospital from accessing email and health records, resulting in many patients in need of treatment being turned away.[7] Likewise, Hollywood Presbyterian Hospital recently faced a similar attack and was forced to pay $17,000 to hackers to regain access to its clients’ medical records.[8]

While ransomware is a grave threat, it is but one symptom of the larger threat that a lack of data security poses to consumers and organizations. To significantly reduce the risk of ransomware and other online threats, we urge the subcommittee to consider the legislative steps that NCL outlined in our 2015 Congressional Data Security Agenda.[9] In particular, we urge the subcommittee to support solutions that:

  • grant the Federal Trade Commission the authority it needs to protect consumers’ data by granting the Commission civil penalty authority and clarifying its role as the primary authority in data protection;
  • require data holders to abide by reasonable data security requirements that would not only stem ransomware attacks but also prevent data breaches that cause the loss of consumer data that cyber criminals use to steal identities;
  • increase federal civil and criminal penalties for hacking to deter potential cyber criminals; and
  • promote robust cyber insurance underwriting standards.

Many of these protections have already been proposed in several bills this Congress. In particular, we note Senator Leahy’s Consumer Privacy Protection Act of 2015 is supported by NCL[10] and numerous consumer and public interest organizations.[11][12][13][14]

We urge you to support the proposals we have outlined in this letter as you explore solutions to the growing threat ransomware poses to consumers and commerce.

Sincerely,

Sally Greenberg
Executive Director
National Consumers League


[1] Finkle, Jim. “Ransomware: Extortionist hackers borrow customer-service tactics,” Reuters. April 12, 2016. Online: https://www.reuters.com/article/us-usa-cyber-ransomware-idUSKCN0X917X

[2] Fitzpatrick, David and Griffin, Drew. “Cyber-extortion losses skyrocket, says FBI,” CNN Money. April 15, 2016. Online: https://money.cnn.com/2016/04/15/technology/ransomware-cyber-security/

[3] Fitzpatrick, David, and Drew Griffin. “‘Ransomware’ Crime Wave Growing.” CNN Money. April 4, 2016. https://money.cnn.com/2016/04/04/technology/ransomware-cybercrime/

[4] Bennett, Cory. “DHS: Ransomware Attacks Widely Targeting Feds.” The Hill. March 30, 2016. https://thehill.com/policy/cybersecurity/274724-dhs-ransomware-attacks-widely-targeting-feds

[5] Simon, Ruth. “‘Ransomware’ a Growing Threat to Small Businesses.” Wall Street Journal. April 15, 2015. https://www.wsj.com/articles/ransomware-a-growing-threat-to-small-businesses-1429127403

[6] Smith. “Ransomware Attack Forces Michigan Utility to Shut down Systems, Phone Lines, Email.” Networkworld. May 1, 2016. https://www.networkworld.com/article/3063773/security/michigan-utility-shuts-down-systems-phone-lines-email-after-ransomware-attack.html

[7] Cox, John Woodrow. “MedStar Health Turns Away Patients after Likely Ransomware Cyber Attack.” Washington Post. March 29, 2016. https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f33_story.html

[8] McLaughlin, Jenna. “Hackers Attempt to Hold Capitol Hill Data for Ransom.” The Intercept. May 10, 2016. https://theintercept.com/2016/05/10/hackers-attempt-to-hold-capitol-hill-data-for-ransom/

[9] “2015 Congressional Data Security Agenda: A To-Do List for the 114th Congress.” SlideShare. December 9, 2014. https://www.slideshare.net/nationalconsumersleague/national-consumers-leagues-2015-cybersecurity-policy-agenda

[10] “National Consumers League Statement on Introduction of Consumer Privacy Protection Act of 2015.” National Consumers League. April 30, 2015. https://nclnet.org/consumer_privacy_protection_act_2015

[11] Bradshaw, Alex. “Consumer Privacy Protection Act is Data Breach Legislation We Can Support,” Center for Democracy and Technology. April 30, 2015. Online: https://cdt.org/blog/consumer-privacy-protection-act-is-data-breach-legislation-we-can-support/

[12] Stella, Shiva. “Public Knowledge Supports the Consumer Privacy Protection Act of 2015,” Public Knowledge. April 30, 2015. Online: https://www.publicknowledge.org/press-release/public-knowledge-supports-the-consumer-privacy-protection-act-of-2015

[13] Consumer Watchdog. “Consumer Watchdog Backs Consumer Privacy Protection Act Introduced By Sen. Leahy,” Press Release. April 30, 2015. Online: https://www.consumerwatchdog.org/newsrelease/consumer-watchdog-backs-consumer-privacy-protection-act-introduced-sen-leahy

[14] Consumer Federation of America. “Statement from Susan Grant, Director of Consumer Protection and Privacy Concerning the Consumer Privacy Protection Act of 2015,” Press Release. April 30, 2015. Online: https://consumerfed.org/press_release/statement-from-susan-grant-director-of-consumer-protection-and-privacy-concerning-the-consumer-privacy-protection-act-of-2015/