Ransomware is not only a growing security threat but a potentially thorny notification issue.

Ransomware is one of the most prevalent cybersecurity threats afflicting businesses today. When an attack hits, a victim company must confront the difficult question whether to pay the ransom demanded in order to regain access to the company’s files and restore business operations. But there is an additional question the company may face: does the incident need to be disclosed? The answer may not be straightforward. When sensitive data has been encrypted by ransomware, has it been “accessed” or “acquired” by an unauthorized actor as those terms are used in relevant breach notification statutes? What risks are there that the attacker will use the information in a way that harms the individuals whose data is affected? This Client Alert discusses these questions as well as other legal and technical issues a company should consider in addressing notification in the wake of a ransomware attack.