A ransomware infection would be considered a data breach under the terms of the new data protection regulation that comes into force next year, cybersecurity and legal experts say.
Ransomware encrypts the data on an infected machine, and criminals demand payment from the owner to release the information. Ransomware is one of the fastest-spreading forms of cybercrime. It increased by 50 per cent in the past year, according to Kaspersky Lab. The FBI estimates criminals have extorted $1 billion from these infections since 2015.
In May, the WannaCry strain of ransomware made headlines across the world after it spread to 150 countries. Among its 200,000 victims were high-profile organisations like the NHS and the Spanish communications provider Telefonica.
“Ransomware has been deemed to be a breach of data protection. Those incidents will be notifiable issues when you have them,” said Brian Honan, and independent security consultant and a special advisor to Europol.
The UK Information Commissioner’s Office has previously warned that ransomware constitutes a breach. “If the personal data which you are responsible for has been encrypted as a result of a ransomware attack and you are unable to restore that data then the ICO could be of the view that you have not taken appropriate measures to keep it secure and have therefore breached the Data Protection Act.”
This issue will become especially pressing under the EU General Data Protection Regulation that comes into force from May 2018. It requires organisations that have suffered a breach to report it to the authorities within 72 hours.
“Having a breach response plan is a new thing to worry about. It is important to have processes and infrastructure in place to respond to a security breach. If you miss the deadline [to report], you will have to explain why the delay happened,” Honan said. Law firm Loyens & Loeff said companies that have been affected by a serious breach could face sanctions or heavy fines under the new rules. It said that data controllers and data processors must take appropriate technical and organisational measures to prevent loss or unauthorised access of personal data.
It said companies should prepare for attacks through proper IT governance, staff security awareness and updating their important systems. Some companies are taking out cyber risk insurance to cover some of the potential liabilities, the firm added.