Ransomware: Proceed with Caution
It has been a busy few weeks for hackers and cybercrime specialists around the world, following the news of high-profile ransomware attacks on a range of entities. These include attacks on UK Research and Innovation (UKRI), CD Projekt Red, the makers of the highly popular Cyberpunk 2077 game, and Bombardier, the aircraft manufacturer.
The threat is pervasive and growing, and Sophos’ principal research scientist Chester Wisniewski has indicated that ransomware groups are starting to share know-how and form “collaborative cartels”. Against the backdrop of ransomware damage costs being predicted to reach $20 billion this year, and such attacks having increased by 239% between 2018 and 2019, it is important to be prepared.
Revisiting the Law
Payment of Cyber Ransoms
In the UK, the payment of a cyber ransom is not illegal in itself and therefore, entities which have fallen victim to these attacks frequently pay to regain their data and often prevent their business from collapsing.
However, it is important to note that under s15(3) of the UK’s Terrorism Act 2000, it is an offence for a person to provide money (or other property) knowing, or having reasonable cause to suspect, that it will or may be used for the purposes of terrorism. In most cases, cyber attackers operate under a veil of anonymity and such a link would be very difficult to establish. However, where due diligence or the ransomware attackers’ message suggests that there may be a link to terrorism, this would be sufficient to give rise to reasonable cause.
Data Protection Considerations
Following Brexit, the GDPR has been incorporated into UK data protection law by virtue of the UK GDPR. The UK GDPR introduces a duty on all entities to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach (where feasible).
If a ransomware attack has resulted in a personal data breach and that breach has a “high risk of adversely affecting individuals’ rights and freedoms”, the Information Commissioner’s Office (ICO) mandates that you must also notify the affected individuals without undue delay.
Failure to report a breach under the guidelines above can result in fines of up to £8.7 million or 2% of your business’s global turnover. However, larger fines of up to £17.5 million, or 4% of global turnover, could also be imposed if the ICO finds that the incident was a result of the company’s failure to comply with data protection principles. This shows the importance of ensuring your business is compliant with its security obligations and has security measures in place to prevent a data breach.
For businesses operating in or offering goods or services to individuals in the European Economic Area (EEA), the GDPR may also still apply directly. Therefore, it is vital that measures are put in place to prevent such a breach from occurring in the first place.
What can a business do to protect itself?
- Ensure that there are systems in place which back up all relevant data on a frequent basis. In many instances, organisations give in to ransomware demands because they have not done so, and not paying would mean the certain collapse of the business as they lose operational capacity until the ransom is paid.
- Take out appropriate cyber insurance cover and/or review existing insurance policies to check whether a breach of this nature would be covered.
- Put a compliance team in place ready to robustly deal with all regulatory requirements in relation to notification, should the worst happen and a cyber breach or ransomware attack occur.
As these attacks become more prominent due to the increased digitisation of our world, it remains to be seen whether we will see stricter laws regulating cyber ransom payments. However, in the meantime, it is important to be proactive in safeguarding your organisation against the risk of ransomware.
Whilst the attack on CD Projekt Red has compromised various source code and prevented developers from being able to get back to work, the company has been praised for refusing to give in to the ransomware demand and instead relying on its backup servers. That, coupled with its transparency to the market and the authorities, means that holding your ground (especially when there has not been a breach of any personal data) could be the new way forward.
For more information, please contact Nia John.