ALERT Cyber-attacks Go Global: Responding to the Aftermath of the Global Attacks May 2017

Contributing Authors

Jeremy Bohrer, +1.212.209.4807
Guillermo Christensen, +1.202.536.1730
Anupreet Amole, +44.207.851.6118

The WannaCry ransomware attack, first detected on a large scale on Friday, May 12, 2017, is a widespread cyber incident causing serious disruption to companies and governments in approximately 100 countries. This attack follows previous global incidents such as the 'I Love You' virus of 2000 and the bug in 2014. Without detracting from its widespread scale and potential for harm, the WannaCry incident is, in principle, neither unprecedented nor surprising.

This incident fits what many cybersecurity practitioners have been expecting, given the proliferation of technology, and even -for-hire services, around the world. In this case, the proliferation timeframe was short: on April 10, 2017, the known as revealed the vulnerability as part of their publication of data allegedly stolen from the NSA; the current ransomware incident began on May 12, 2017. Software patches for many affected systems have been available for some time but appear not to have been applied.

In the United Kingdom, this incident has disrupted operations of the National Health Service (the NHS), the country's free medical care provider, which is an essential part of the critical national infrastructure. Media reports indicate that many hospitals postponed certain surgical procedures and x-rays. In Spain, the telecoms company Telefonica was also adversely affected.

At , it seems that WannaCry spread rapidly to computers using the Windows XP operating system, which, having reached its effective end-of-life stage, has not benefited from free security updates for several years. In the UK, the government had paid for updates to the NHS system until 2015 only.

In practical terms, businesses should reassess their cybersecurity measures, including:

• Immediately patching their operating systems with the latest available security updates;
• Briefing employees to be extra vigilant about spear- emails;
• Creating or improving their 'data compartments' (keeping the most valuable data separate) and back-up arrangements, which will mitigate the damage caused when, not if, the company is hit by ransomware or breached by an intruder; and
• Instructing external advisers to review the organization's preparedness, and legal risk.

brownrudnick.com

© 2016 Brown Rudnick LLP. Prior results do not guarantee a similar outcome.

Brown Rudnick is a tradename of both Brown Rudnick LLP, a limited liability partnership organized under the laws of the Commonwealth of Massachusetts ("BR-USA"), and its affiliate Brown Rudnick LLP, a limited liability partnership registered in England and Wales with registered number OC300611 ("BR-UK"). BR-UK is a law firm of Solicitors and Registered Foreign Lawyers authorised and regulated by the Solicitors Regulation Authority of England and Wales, and registered with the Paris Bar pursuant to the 98/5/EC Directive. A full list of members of BR-UK, who are either Solicitors, European lawyers or Registered Foreign Lawyers, is open to inspection at its registered office, 8 Clifford Street, London W1S 2LQ, England (tel. +44.20.7851.6000; fax. +44.20.7851.6100).

Information contained in this Alert is not intended to constitute legal advice by the author or the lawyers at Brown Rudnick LLP, and they expressly disclaim any such interpretation by any party. Specific legal advice depends on the facts of each situation and may vary from situation to situation.

Distribution of this Alert to interested parties does not establish a lawyer-client relationship. The views expressed herein are solely the views of the authors and do not represent the views of Brown Rudnick LLP, those parties represented by the authors, or those parties represented by Brown Rudnick LLP.


This incident is significant on its own merits, but it also comes during a trend toward a hardened legal and regulatory framework regarding cybersecurity. For example:

• In the US, the New York State Department of Financial Services published new regulations in March 2017, which require regulated firms to implement cyber security measures and to notify their regulator within 72 hours of a data ;
• And in the European Union, the new General Data Protection Regulation 2016 and the incoming Network Information Security Directive.

Brown Rudnick's Cybersecurity and Data Incident Team: Enterprise Risk, Crisis Management and Business Optimization

Brown Rudnick’s Cybersecurity Group is an integrated team providing services that are customized to meet the distinctive needs of our clients; advising under the important protection of the attorney client privilege. We help organizations establish security that goes beyond protecting the business, and help create a competitive edge.

About Brown Rudnick

BROWN RUDNICK LLP, an international law firm with offices in the and Europe, represents clients from around the world in high-stakes litigation, international arbitration and complex business transactions. Clients include public and private corporations, multinational Fortune 100 businesses and start-up enterprises. The Firm also represents investors, as well as official and ad hoc creditors’ committees in today’s largest corporate restructurings, both domestically and abroad. Founded more than 60 years ago, Brown Rudnick has over 240 lawyers providing advice and services across areas of the law. Beyond the United States, the Firm regularly serves clients in Europe, the Middle East, North Africa, the Caribbean and Latin America. With its Brown Rudnick Center for the Public Interest, the Firm has created an innovative model combining its pro bono, charitable giving and community volunteer efforts.


NEW YORK BOSTON WASHINGTON, DC ORANGE COUNTY HARTFORD PROVIDENCE LONDON DUBLIN PARIS

© 2016 Brown Rudnick LLP ATTORNEY ADVERTISING