Companies and governments around the globe were shocked by the “WannaCry” global ransomware attack over the weekend, and privacy lawyers say the affected organizations, and even those not directly affected, will be dealing with the fallout for months to come.

As with any cyberattack on such a massive scale, the affected entities—which have been confirmed to include the U.K. health care system, FedEx and the Russian Interior Ministry, among others—must now brace for “liability and exposure to enforcement action” related to their level of preparedness for the breach, London data privacy partner Rafi Azim-Khan told Bloomberg’s Privacy Law Watch.

Other systems around the world that were reportedly breached include several Asian businesses, such as two higher education institutions in China, a South Korean movie theater company and Japanese companies Hitachi and Nissan. And Law360 reports that more targeted businesses continue to be uncovered.

“There’s still a lot of scrambling to make sure systems are safe from this,” said Global Security and Public Policy partner Brian Finch. “There will be a post-mortem going on after this and a lot of directors and officers asking if their business is safe from ransomware and how to protect against the next wave.” 

That next wave continues to be a major concern for privacy lawyers. While WannaCry was stopped over the weekend by a security researcher in the U.K. who uncovered a “kill switch” in the virus code, privacy lawyers say this common “whack-a-mole” approach to patching vulnerabilities simply cannot keep up with the pace of newly developing attacks, especially in areas of the world where resources and enforcement may be lacking.

“We’re likely to see the attack linger in some of the less-developed countries, especially those in Asia and Africa, that are relying on older software or are not respective of intellectual property and software licensing agreements,” Finch said.

Law360 also reports that, in the wake of WannaCry, there are likely to be calls for a uniform global law that standardizes steps for data security maintenance. But lawyers say that legislative approach may still be unable to keep pace with hackers’ constantly evolving methods, and it may also be tough to get companies to embrace it on a global scale.

“Legislation that promotes incentives for good investment in cybersecurity seems like a better approach than telling companies what to do,” Finch said. “Mandates turn this into a check-the-box exercise. Companies would be better served making sure they have good processes and well-thought-out cyber programs in place.”

Read more about WannaCry on Law360 and Bloomberg (subscription required for both).