Ransomware: Proceed with Caution
It has been a busy few weeks for hackers and cybercrime specialists around the world, following the news of high-profile ransomware attacks on a range of entities. These include attacks on UK Research and Innovation (UKRI), CD Projekt Red, the makers of the highly popular Cyberpunk 2077 game, and Bombardier, the airline manufacturer.
The threat is pervasive and growing, and Sophos’ principal research scientist Chester Wisniewski has indicated that ransomware groups are starting to share know-how and form “collaborative cartels”. Against a backdrop of ransomware damage costs predicted to reach $20 billion this year, and of such attacks having increased by 239% between 2018 and 2019, it is important to be prepared.
Revisit of the Law
Payment of Cyber Ransoms
In the UK, the payment of a cyber ransom is not illegal in itself. Entities which have fallen victim to these attacks therefore frequently pay to regain their data and, often, to prevent their business from collapsing.
However, it is important to note that under s.15(3) of the UK’s Terrorism Act 2000, it is an offence for a person to provide money (or other property) knowing, or having reasonable cause to suspect, that it will or may be used for the purposes of terrorism. In most cases, cyber attackers operate under a veil of anonymity and such a link would be very difficult to establish. However, where due diligence or the ransomware attackers’ own message suggests that there may be a link to terrorism, this would be sufficient to give rise to reasonable cause.
Data Protection Considerations
Following Brexit, the GDPR has been incorporated into UK data protection law by virtue of the UK GDPR. The UK GDPR introduces a duty on all entities to report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach (where feasible).
If a ransomware attack has resulted in a personal data breach and that breach has a “high risk of adversely affecting individuals’ rights and freedoms”, the Information Commissioner’s Office (ICO) mandates that you must also notify the affected individuals without undue delay.
Failure to report a breach under the guidelines above can result in fines of up to £8.7 million or 2% of your business’ global turnover. Larger fines of up to £17.5 million, or 4% of global turnover, could also be imposed if the ICO finds that the incident was the result of the company’s failure to comply with the data protection principles. This shows the importance of ensuring that your business is compliant with its security obligations and has security measures in place to prevent a data breach.
For businesses operating in or offering goods or services to individuals in the European Economic Area (EEA), the GDPR may also still apply directly. Therefore, it is vital that measures are put in place to prevent such a breach from occurring in the first place.
What can a business do to protect itself?
- Ensure that there are systems in place which back up all relevant data on a frequent basis. In many instances, organisations give in to ransomware demands because they have not done so, and not paying would mean the certain collapse of the business, as they lose operational capacity until the ransom is paid.
- Take out appropriate cyber insurance cover and/or review existing insurance policies to check whether a breach of this nature would be covered.
- Put a compliance team in place ready to robustly deal with all regulatory requirements in relation to notification, should the worst happen and a cyber breach or ransomware attack occur.
As these attacks become more prominent due to the increased digitisation of our world, it remains to be seen whether we will see stricter laws regulating cyber ransom payments. However, in the meantime, it is important to be proactive in safeguarding your organisation against the risk of ransomware.
Whilst the attack on CD Projekt Red compromised various source code and prevented developers from being able to get back to work, the company has been praised for refusing to give in to the ransomware demand and instead relying on its backup servers. That, coupled with its transparency to the market and the authorities, means that holding your ground (especially when there has not been a breach of any personal data) could be the new way forward.
For more information, please contact Nia John.