It has been a busy few weeks for hackers and cybercrime specialists around the world, following the news of high-profile ransomware attacks on a range of entities. These include attacks on UK Research and Innovation (UKRI), CD Projekt Red, the makers of the highly popular Cyberpunk 2077 game and Bombardier, the airline manufacturer.

The threat is pervasive and growing, and Sophos’ principal research scientist Chester Wisniewski has indicated that ransomware groups are starting to share know-how and form “collaborative cartels”. Against the backdrop of ransomware damage costs being predicted to reach $20 billion this year, and such attacks having increased by 239% from 2018-2019, it is important to be prepared.

Revisit of the Law

Payment of Cyber Ransoms

In the UK, the payment of a cyber ransom is not illegal in itself and therefore, entities which have fallen victim to these attacks frequently pay to regain their data and often prevent their business from collapsing.

However, it is important to note that under s15(3) the UK’s Terrorism Act 2000, it is an offence for a person to provide money (or other property) knowing, or having reasonable cause to suspect that it will or may be used for the purposes of terrorism. In most cases, cyber attackers operate under a veil of anonymity and this would be very difficult to establish. However, where due diligence or the ransomware attackers’ message suggests that there may be a link to terrorism, this would be sufficient to give rise to reasonable cause.

Data Protection Considerations

Following Brexit, the GDPR has been incorporated into UK data protection law by virtue of the UK GDPR. The UK GDPR introduces a duty on all entities to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach (where feasible).

If a ransomware attack has resulted in a personal data breach and that breach has a “high risk of adversely affecting individuals’ rights and freedoms”, the Information Commissioner’s Office (ICO) mandates that you must also notify the affected individuals without undue delay.

Failure to report a breach under the guidelines above can result in fines of up to £8.7 million or 2% of your business’ global turnover. However, larger fines of up to £17.5 million, or 4% of global turnover could also be given if the ICO find that the incident was a result of the company’s failure to comply with data protection principles. This shows the importance of ensuring your business is compliant with its security obligations and has security measures in place to prevent a data breach. 

For businesses operating in or offering goods or services to individuals in the European Economic Area (EEA), the GDPR may also still apply directly. Therefore, it is vital that measures are put in place to prevent such a breach from occurring in the first place.

What can a business do to protect itself?

• Ensure that there are systems in place which back up all relevant data on a frequent basis. In many instances, organisations give in to ransomware demands because they have not done so, and not paying would mean the certain collapse of the business as they lose operational capacity until the ransomware is paid.
• Take out appropriate cyber insurance cover and/or review existing insurance policies to check whether a breach of this nature would be covered.
• Put a compliance team in place ready to robustly deal with all regulatory requirements in relation to notification, should the worst happen and a cyber breach or ransomware attack occur.

As these attacks become more prominent due to the increased digitisation of our world, it remains to be seen whether we will see stricter laws regulating cyber ransom payments. However in the meantime, it is important to be proactive in safeguarding your organisation against the risk of ransomware.

Whilst the attack on CD Projekt Red has compromised various source code and prevented developers from being able to get back to work, the company has been praised for refusing to give in to the ransomware demand and instead relying on its back up servers. That, coupled with their transparency to the market and the authorities, means that holding your ground (especially when there has not been a breach of any personal data) could be the new way forward.

For more information, please contact Nia John.