    Expert Insights

Ransomware: Proceed with Caution

It has been a busy few weeks for hackers and cybercrime specialists around the world, following the news of high-profile ransomware attacks on a range of entities. These include attacks on UK Research and Innovation (UKRI); CD Projekt Red, the makers of the highly popular Cyberpunk 2077 game; and Bombardier, the aircraft manufacturer.

The threat is pervasive and growing, and Sophos’ principal research scientist Chester Wisniewski has indicated that ransomware groups are starting to share know-how and form “collaborative cartels”. Against the backdrop of ransomware damage costs being predicted to reach $20 billion this year, and such attacks having increased by 239% from 2018-2019, it is important to be prepared.

Revisiting the Law

Payment of Cyber Ransoms

In the UK, the payment of a cyber ransom is not illegal in itself. As a result, entities which have fallen victim to these attacks frequently pay to regain their data and, often, to prevent their business from collapsing.

However, it is important to note that under s15(3) of the UK’s Terrorism Act 2000, it is an offence for a person to provide money (or other property) knowing, or having reasonable cause to suspect, that it will or may be used for the purposes of terrorism. In most cases, cyber attackers operate under a veil of anonymity and such a link would be very difficult to establish. However, where due diligence or the ransomware attackers’ message suggests that there may be a link to terrorism, this would be sufficient to give rise to reasonable cause.

Data Protection Considerations

Following Brexit, the GDPR has been incorporated into UK data protection law by virtue of the UK GDPR. The UK GDPR introduces a duty on all entities to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach (where feasible).

If a ransomware attack has resulted in a personal data breach and that breach has a “high risk of adversely affecting individuals’ rights and freedoms”, the Information Commissioner’s Office (ICO) mandates that you must also notify the affected individuals without undue delay.

Failure to report a breach under the guidelines above can result in fines of up to £8.7 million or 2% of your business’ global turnover. However, larger fines of up to £17.5 million, or 4% of global turnover, could also be imposed if the ICO finds that the incident was the result of the company’s failure to comply with data protection principles. This shows the importance of ensuring your business is compliant with its security obligations and has security measures in place to prevent a data breach.

For businesses operating in or offering goods or services to individuals in the European Economic Area (EEA), the GDPR may also still apply directly. Therefore, it is vital that measures are put in place to prevent such a breach from occurring in the first place.

What can a business do to protect itself?
  • Ensure that there are systems in place which back up all relevant data on a frequent basis. In many instances, organisations give in to ransomware demands because they have not done so, and not paying would mean the certain collapse of the business as they lose operational capacity until the ransom is paid.
  • Take out appropriate cyber insurance cover and/or review existing insurance policies to check whether a breach of this nature would be covered.
  • Put a compliance team in place ready to robustly deal with all regulatory requirements in relation to notification, should the worst happen and a cyber breach or ransomware attack occur.

As these attacks become more prominent due to the increased digitisation of our world, it remains to be seen whether we will see stricter laws regulating cyber ransom payments. However, in the meantime, it is important to be proactive in safeguarding your organisation against the risk of ransomware.

Whilst the attack on CD Projekt Red has compromised various source code and prevented developers from being able to get back to work, the company has been praised for refusing to give in to the ransomware demand and instead relying on its backup servers. That, coupled with its transparency to the market and the authorities, means that holding your ground (especially when there has not been a breach of any personal data) could be the new way forward.

For more information, please contact Nia John.
