The big cyber news over the last few months is the rise of ransomware and the global outbreak of the WannaCry worm and its impact on NHS services across the UK. Cyber-attacks continue to increase. The Department of Digital, Culture, Media and Sport last month reported in its Cyber Security Breaches Survey that 46% of businesses had suffered at least one attack in the last year, and that organisations that hold more personal data are more likely to be attacked. The WannaCry attack highlighted the impact of ransomware on organisations. The legal implications for businesses that fall victim to ransomware attacks are wide-ranging: from contractual obligations arising from the interruption of services, to potential bodily injury arising out of the postponement of medical operations.
Ransomware attacks also raise particular data protection issues. Under the current Data Protection Act 1998 ("DPA"), organisations must ensure that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” It is understood that WannaCry encrypts data and the confidentiality of the data is not compromised. If personal data is irrecoverable, such an event could constitute "loss of data" and a breach of the DPA. However, if the personal data is fully backed up or reconstituted after a ransom is paid, it is arguable that the DPA has not been contravened.
A copy of the Cyber Security Breaches Survey can be accessed here.