Last weekend’s cyber-attack has caused significant technical and operational problems worldwide.
And while the main issue in these cases is of course IT-security, such attack also gives rise to important legal / data protection issues that should not be neglected.
What is everyone talking about?
Over the past weekend, IT-systems around the world were hit by a highly-effective ransomware-attack labelled “WannaCry”, disabling entire computer systems and databases and in some cases even crippling public services like the NHS in the UK. The ransomware has already infected over 200,000 computers worldwide.
The “WannyCry” ransomware variant takes advantage of a specific Windows vulnerability posted online by a group of hackers in April 2017. Microsoft had already issued a critical patch via Windows Update (MS17-010) to fix this vulnerability on March 14. However, many companies and organisations worldwide, as well as many individual Windows users, had not yet installed this patch and were thus in a very vulnerable position.
Key legal considerations
1) Fines imposed on data controllers/processors for not ensuring an ‘appropriate’ level of data security
While it may be annoying having to resort to pen and paper to issue invoices for smartphones bought as mother’s day gifts, having to send a sick mother home without treatment because her medical record as well as the hospital’s medical devices have become inaccessible, is of course a critical issue.
The latter also pressingly demonstrates why ransomware attacks may involve data protection issues and could lead to sanctions under data protection legislation.
Both under the current national data protection legislation (based on EU Directive 95/46) and under the EU General Data Protection Regulation (“GDPR”), applying as from 25 May 2018, “data controllers” and “data processors” have to take ‘appropriate’ technical and organisational measures to prevent loss or unauthorized access of personal data (so-called “data breaches”). And while the source of the “WannaCry” attack was, as such, not interested in access to personal data, the ransomware did prevent access to such data stored in the infected computer systems and therefore constituted a “data breach”.
Such breach exposes data controllers (and, under the GDPR also data processors) to serious fines (under the GDPR up to EUR 20,000,000 or 4% of a company’s annual global turnover), but also to reputational damage, legal costs, IT costs,…
Last weekend’s events also painfully highlighted the need for, amongst others, proper IT governance and staff training and education. The ransomware attack could be avoided rather easily by timely installing patches fixing the vulnerabilities used by the ransomware and preventively installing adequate safeguards and upgrading to the latest software versions. Many companies also have a long way to go in terms of internal cyber-risk awareness and warning employees for the opening of suspicious e-mail attachments. Employees at all levels should be adequately trained on how to recognise malicious emails and know exactly who they should contact when in doubt.
To cover (some of) these risks and liabilities, more and more companies are taking out a specific cyber risk insurance, often including incident response assistance and IT and/or legal support.
2) Data breach documentation & notification obligations
Under the GDPR, data controllers will have to duly document any personal data breaches, including the facts relating to the data breach, its effects and the remedial action taken. In turn, data processors will be obliged to notify the controller without undue delay after becoming aware of a data breach.
The GDPR also requires data controllers to notify data breaches to the competent supervisory authority, without undue delay and, where feasible, not later than 72 hours after having become aware of the breach, unless such breach is ‘not likely’ to result in a risk to the rights and freedoms of natural persons. In addition, when the personal data breach is ‘likely’ to result in a high risk to the rights and freedoms of individuals, the controller in principle (limited exceptions apply) has to communicate the breach to the individuals concerned without undue delay.
At present (i.e. before the application of the GDPR) such notification obligation only exists in some countries (notable in the Netherlands) and/or for specific sectors (e.g. for financial institutions). Voluntary notification is however highly recommended by most national data protection authorities.
In the situation of the hospital referred to above, a data breach notification would indeed be required. Such notification requires setting-up data breach analysis and response procedures, preferably also including the filing of a complaint with the police or cyber security units set up by the government. As hacking is a criminal offence, a formal criminal complaint could also be filed to demonstrate both to the authorities and to insurers that the company has acted diligently (and could thus help to avoid sanctions or loss of insurance coverage).
To sum up
The most important lesson to learn from this worldwide ransomware attack, should be that an all-encompassing approach is really essential. Well-trained and educated people are defenceless without the right tools, and the right tools useless if nobody knows how to use them…
Also, you should know whom, how and when to reach out to in case of a data breach incident, both in the private sector (incident response consultants, forensic teams, legal advisers, etc.) and within public authorities (data protection authorities, police, etc.). And why not examine options for adequately insuring your company’s cyber risks?