Ransomware Attacks on French Hospitals Accelerate French Government Cybersecurity Responses

Over the past year, hospitals in multiple cities and towns across France have been the target of ransomware attacks by unknown adversaries.  Within the last ten days, two more French hospitals – the Villefranche-sur-Saône hospital complex in the Southwest Landes Département, and the Dax hospital in the eastern Rhone Département – suffered ransomware attacks, and a third hospital in the Dordogne Département preemptively broke connections with an information technology provider.

Neither of the two most recent cyberattacks appeared to have resulted in any harm to patients.  The French Ministry of Health, however, stated that the attack on the Dax hospital had “paralysed . . . almost all information systems” in the hospital, and the Villefranche hospital reported that the attack on it “strongly impact[ed]” three of its locations.

This recent spate of ransomware attacks in the French healthcare sector may constitute a significant change in targeting by ransomware criminal groups.  As recently as December 2020, the German Federal Office of Information Security and the French National Agency for the Security of Information Systems (ANSSI) issued a joint report stating that “the overall threat level for a cyber-attack on the healthcare sector has not risen above levels observed before the COVID-19 pandemic.”

In response to the latest cyberattacks, on February 18 French President Emmanuel Macron publicly stated that the attacks had put the hospitals in a position of “vulnerability.”  He called cybersecurity a “priority,” and promised to accelerate cyberdefense measures that reportedly include “boosting police and judicial cooperation, earmarking around €500 million ($600 million) to help companies and public authorities boost their cyber defences, and funding research and development.”  He also noted that later in 2021 he would open a new cyberdefense center in Paris’s financial district, to be staffed by 1,500 researchers and others working for private firms or for the government.

These latest reports should come as no surprise to information security officers in the healthcare sector.  Last October, the New York Times reported that Russian hackers had been trading a list of more than 400 hospitals that they planned to target.  Even before the latest French hospital attacks, the Wall Street Journal reported this month that hackers “are increasing their attempts to break into health-care companies.”

While COVID-related financial pressures may have made it exceedingly difficult for many hospitals to fund cybersecurity improvements, it is imperative for hospitals to bolster their cyberdefenses, particularly against ransomware attacks, while they can.  Although no hospital patient has yet died as a direct result of ransomware-caused loss of electricity or system functionality, hospitals need to understand that ransomware groups are indifferent to the possibility that their attacks may one day result in such deaths.

Brazilian President Bolsonaro Disbands Operation “Lava Jato” Task Force

Since his electoral campaign in 2018, Brazilian President Jair Bolsonaro has repeatedly and publicly demonstrated his commitment to the issue of corruption.  That commitment, however, has devolved from rooting out corruption to rooting out law enforcement officials and agencies dedicated to combating corruption.

After selecting Judge Sérgio Moro – a national hero for overseeing the multiyear anticorruption investigation known as Operation Lava Jato (Car Wash) – as his Attorney General, Bolsonaro proceeded in 2020 to fire Maurício Valeixo, the chief of the Brazilian national police, as investigators reportedly were investigating a number of Bolsonaro’s supporters, including Bolsonaro’s son, Senator Flavio Bolsonaro.  Valeixo’s firing precipitated the resignation of Judge Moro, as well as charges by Moro that Bolsonaro was seeking improperly to politicize the Ministry of Justice.

Despite the political and popular outcry that followed, Bolsonaro has remained resolute in undermining Brazilian law enforcement’s efforts to uncover corruption.  In October 2020, even while he himself was under investigation by the Brazilian Supreme Court for alleged misconduct, Bolsonaro stated that he had “ended” Lava Jato, declaring, “There isn’t any more corruption in the government.”

Although the Lava Jato team evidently tried to continue its investigative work, on February 3 it “announced its termination after several of its investigators were seconded to another federal anti-organised crime task force.”  Moro’s successor as Attorney General, Augusto Aras – who had once said that Moro’s allegations against Bolsonaro, if true, “would reveal the practice of illegal actions” – dismissed the disbanding of the task force as amounting to no more than a change of name.

Risk and compliance officers at companies doing business in Brazil should not underestimate the significance of Bolsonaro’s latest action.  By snuffing out the Car Wash investigation altogether, he has not only eliminated the most effective anti-corruption force in Brazil, but signaled to his supporters and to other Brazilian politicians that corruption carries no consequences – at least if they continue to support or remain silent about his and his administration’s malversations.  As Bolsonaro has another two years in his current term of office, and is likely to seek reelection in 2022, it is equally likely that Brazil will return to the levels of pervasive corruption in Brazilian government and business that preceded Bolsonaro’s election.

United Kingdom Anti-Slavery Commissioner Calls for “Naming and Shaming” of Firms with Slave Labor in Supply Chains

Since 2015, the United Kingdom Modern Slavery Act 2015 has provided government agencies with a wide array of authority to combat human trafficking, slavery, servitude, and forced or compulsory labor.  That authority includes criminal offenses with substantial terms of imprisonment, confiscation of assets, judicially imposed slavery and trafficking reparation orders, prevention orders, and risk orders, as well as various protections for slavery or trafficking victims.

Recently, Dame Sara Thornton, the United Kingdom Independent Anti-Slavery Commissioner (IASC), reportedly called for the United Kingdom Parliament to enact legislation that would authorize the “naming and shaming” of firms “if slavery or criminal labour exploitation is uncovered at any stage in their supply chain.”  In an interview with The Times, Thornton argued that “[e]vidence from around the world shows that naming and shaming can have a real impact on business practices. The upcoming Employment Bill provides a timely opportunity for parliament to consider how to incentivise business to do the right thing.”

Thornton and Matthew Taylor, the former United Kingdom director of Labour Market Enforcement, made clear that they “want companies named and shamed as a deterrent, even if they were unaware of mistreatment. They said that this would encourage businesses to check what was happening at every stage of their chain.”  Taylor added that

“Everyone would be outed — no one is suggesting that the companies at the top of the supply chain are involved [in illegal practices]. But that it has taken place in their supply chain almost certainly means that they could have done more.

“Maybe they’re two or three steps removed. The point is it is not good enough to look at the next step in the supply chain, they need to be sure of what is happening all the way through.”

The prospects for inclusion of Thornton’s and Taylor’s proposals in the Employment Bill are not clear.  Nonetheless, companies doing business in the United Kingdom should take the opportunity to review their Modern Slavery Act compliance programs, with particular attention to the robustness of their oversight and internal controls relating to supply chain relationships.

It is unfortunate that, as the IASC stated in her most recent report, “prosecutions for offences under the Modern Slavery Act remain low and have been decreasing.”  Nonetheless, no company can afford to risk reputational damage if it becomes publicly associated with supply-chain partners’ forced-labor practices that it could have detected with reasonable diligence.

Head of Germany’s BaFin Financial Regulatory Agency Replaced in Wake of Wirecard Scandal

One of the more baffling performances by a financial regulator in recent years has been the response by the German financial supervisory agency Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) to media reports about financial irregularities associated with the German fintech company Wirecard.  Beginning in early 2019, a series of articles, principally by the Financial Times, identified multiple instances of potential wrongdoing within Wirecard.  Those instances included forging and backdating of contracts to inflate revenues and attributing half of its worldwide revenue to three shell firms with virtually no evidence of genuine business activity that could generate such revenue.

When Wirecard’s share price plunged in response to media reports, BaFin’s response was not to open an inquiry into possible fraud or other violations of law at Wirecard.  Instead, it imposed a temporary ban on short-selling of Wirecard stock, opened a market-manipulation investigation, and filed a complaint with the Munich public prosecutor, who opened a criminal market-manipulation investigation in which the lead Financial Times reporter was named as a suspect.

Not until the spring of 2020 did BaFin show active interest in Wirecard itself, filing a criminal complaint with the Munich prosecutor alleging market manipulation by Wirecard senior leadership.  Shortly before Wirecard’s complete collapse in June 2020, BaFin President Felix Hufeld finally termed the Wirecard scandal “a complete disaster” and “a shame” for Germany, as a market that “should be governed by quality and reliability.”

On January 29, after six months in which the European Securities and Markets Authority, investors, and others took BaFin to task for its failures in supervising Wirecard, German Finance Minister Olaf Scholz announced that Hufeld was being replaced as head of BaFin.  While Scholz reportedly thanked Hufeld for his years of service at BaFin, a Finance Ministry statement pointedly did not identify a successor for Hufeld, but stated that BaFin “needs a reorganization to fulfill its supervisory role more effectively.”

Both the Finance Ministry and the German Parliamentary committee tasked with investigating the Wirecard scandal will undoubtedly have much to say about how that reorganization should proceed.  At a minimum, if it is to regain public confidence as a national financial regulator, BaFin will need to redefine its mission and purpose and persuade the government and the public that it is committed to vigorous regulation rather than corporate protectionism.

European Commission Opens Investigation Into Mondelēz for Alleged Cross-Border Trade Restrictions

If the average person were asked, “What’s the first word that comes into your mind when you think of chocolate and cookies?”, the answer might be “sweet.”  The tenor of competition in the global snack food market, however, is anything but sweet.  The confectionery industry, for example, is not highly concentrated, with a small handful of global companies holding the dominant market share but many hundreds of other manufacturers in the United States, the United Kingdom, and Europe.  Even in competitive industries, however, there may be times in which a leading firm may prefer bridled to unbridled competition.

On January 28, the European Commission (EC) announced that it has opened a formal antitrust investigation into the global snack producer Mondelēz International.  The investigation is to “assess whether Mondelēz has restricted competition in a range of national markets for chocolate, biscuits and coffee by hindering the cross-border trade of these products between EU Member States, which would be in breach of EU antitrust rules.”

The Commission expressed concern “that Mondelēz may have restricted the so-called ‘parallel trade’ of its chocolates, biscuits and coffee between EU Member States through agreements and unilateral practices.”  In particular, it stated that it “will investigate certain potentially anti-competitive practices by Mondelēz including:

  • “Possible limitations of the sales territories within the EU through agreements that determine in which Member State a trader can or cannot sell the products, or that restrict passive sales;
  • “Possible curtailing of parallel trade through agreements that raise prices or limit volumes specifically for customers that trade the products across Member States;
  • “Possible agreements with customers not to engage in parallel trade or not to procure products from parallel trade, inter alia, in exchange for payments or other forms of compensation;
  • “Possible restrictions on the languages used on packaging either unilaterally or through agreements with traders, thereby creating friction on sales to certain other EU Member States;
  • “Possibly refusing to supply certain traders with a view to restricting imports into certain markets.”

The EC noted that its investigation stemmed from “repeatedly voiced” concerns by European Union (EU) citizens, EU Member States’ competition authorities and the European Parliament “that prices for common food and drink products can significantly vary between EU Member States including between neighbouring Member States” as well as allegations “that operators raise obstacles to trade from Member States where products are cheaper to Member States where products are more expensive (so-called parallel trade).”  The EC evidently augmented these reports with a number of what it termed “unannounced inspections at the premises of Mondelēz in November 2019.”

In light of Mondelēz’s prominence in the global snack industry, the EC investigation will bear close watching this year.  As the EC made clear in this case, there is “no legal deadline for bringing an antitrust investigation to an end. The duration of an investigation depends on a number of factors, including the complexity of the case, the cooperation of the undertaking with the Commission and the exercise of the rights of defence.”