A Business Owner’s Liability In A Ransomware Attack

System hacked symbol

In the first week of July, affiliates of the Russian hacker group REvil infiltrated Kaseya, a Florida-based international technology firm, seizing a wealth of data and demanding £70 million for its return.  It has been confirmed  as the biggest global ransomware attack in history, affecting around 2000 SMEs, local and state government agencies from the US to the UK.  According to The Guardian, hundreds of supermarkets were forced to close in Sweden, when their cash registers were rendered inoperative, and schools and kindergartens in New Zealand were knocked offline.

With the world now so interconnected and reliant on online systems, cyberterrorism will continue to increase.  For business owners, it is a threat to be taken seriously, as domestic and international regulations place a heavy burden on organisations to protect personal data.  One of the main regulations that business owners may find themselves in breach of should a ransomware attack strike is the UK GDPR or the EU GDPR.

What is a ransomware attack?

A ransomware attack is a type of malicious software used by cybercriminals to steal data or block access to it by crashing the network.  To regain access to the data or prevent it from being published, the affected organisation must pay a ransom.

The GDPR provisions are triggered when a ransomware attack results in personal data being compromised.  Cleverly, cybercriminals will often set the ransom demand just below what they estimate the Regulator (in the UK, this is the Information Commissioner’s Office (ICO)) would fine the organisation for a GDPR breach.  They work on the assumption that a company would rather quietly pay the ransom rather than face the publicity of a regulatory investigation which may unearth other data protection and privacy shortcomings.

However, the risk of not notifying the ICO and paying the ransom puts an organisation into an extremely precarious position as it is likely to become the target of further attacks as ‘word on the street’ gets out that it has paid the ransom and breached its regulatory duties.  Furthermore, if no personal data was seized, changed, or damaged during the attack, there will be no GDPR-related breach.

Data breach compliance under the GDPR

The potential for serious harm posed by data breaches is the reason why all regulators take the threat so seriously and are prepared to hand down stiff financial penalties if an avoidable breach occurs.  Recital 87 of the GDPR illustrates this, stating:

“It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account, in particular, the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.”

Article 32 of the GDPR states that data controllers and processors have a duty to implement “appropriate technical and organisational measures” to ensure security measures match the risk of a data breach.  Methods should include:

(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

All these measures should be undertaken in light of the findings of regular, ongoing risk assessments.

Article 33 of the GDPR goes on to require that an organisation report a data breach within 72 hours unless the breach is unlikely to result in a risk to people’s rights and freedoms.  You will also need to notify the data subjects if it is established that their rights and freedoms have been put in jeopardy.

How to protect your business from a ransomware attack

There are several steps you can do to protect your business from ransomware attacks and demonstrate to the ICO that you are complying with the GDPR principles and can prove accountability.  These include:

  • Regularly map your data so you can quickly access how many people have been affected by the ransomware attack and isolate potential damage or destruction of personal data.
  • Undertake regular risk assessments regarding your organisation’s vulnerability to a ransomware attack and put policies and procedures in place based on the findings.
  • Invest in licensed anti-virus software that can block an attack or at least stop it from spreading throughout the system.
  • Update and re-enforce passwords.
  • Hold regular training sessions to ensure all staff are aware of the risks associated with ransomware attacks and feel confident in reporting any emails or files that do not seem safe.
  • Scan emails for SPAM or malicious content.

Your best line of defence when it comes to preventing ransomware attacks that could result in an ICO investigation and enforcement action is your personnel.  By regularly communicating the risks of ransomware attacks and how cybercriminals may infiltrate your organisation, as well as spelling out the compliance requirements of the GDPR and Data Protection Act 2018, you have a chance of preventing a potential ransomware attack from occurring and compromising the personal data you hold.

If you require advice and representation concerning a regulatory or criminal investigation, please call us on 02476 231000 or email enquiries@askewslegal.co.