The big cyber news last month was the global outbreak of the WannaCry worm and its impact on NHS services across the UK. Cyber-attacks continue to increase. The Department for Culture, Media and Sport last month reported in its Cyber Security Breaches Survey that 46% of businesses had identified at least one attack in the last year, and that organisations holding more personal data are more likely to be attacked. The WannaCry attack highlighted the impact of ransomware on organisations. The legal implications for businesses that fall victim to ransomware attacks are wide ranging: from contractual obligations arising from the interruption of services, to potential bodily injury arising out of the postponement of medical operations.
Ransomware attacks also raise particular data protection issues. Under the current Data Protection Act 1998 ("DPA"), the seventh data protection principle requires that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." It is understood that WannaCry encrypts data in place and does not exfiltrate it, so the confidentiality of the data is not compromised. If personal data is rendered irrecoverable, such an event could constitute "loss" or "destruction" of data and a breach of the DPA. However, if the personal data is fully backed up, or is reconstituted after a ransom is paid, it is arguable that the DPA has not been contravened. Paying a ransom offers no guarantee of recovery, so the strength of that argument in practice rests on the organisation's own backups.
A copy of the Cyber Security Breaches Survey is published by the Department for Culture, Media and Sport.
From 25 May 2018, the General Data Protection Regulation ("GDPR") will apply. It contains a principle similar to that of the DPA (the "integrity and confidentiality" principle in Art 5(1)(f)), but also includes an express requirement in Art 32 to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident. This goes further than simply protecting confidentiality or preventing loss of data, and is enforced by a fine of up to €10m or 2% of total worldwide annual turnover, whichever is higher (Art 32 falls within the lower tier of fines, not the higher 4%/€20m tier).
Perhaps surprisingly, such events may not fall within the scope of mandatory breach notification. A "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. On a narrow reading, unless personal data is permanently lost or destroyed by the malware, or exfiltrated or accessed by the attacker, the requirement to notify would not be triggered. Organisations should not rely on that reading without advice, however, since regulators may treat even a temporary loss of access to personal data as "loss" for this purpose.
However, the mere fact that data is inaccessible due to a ransomware attack could amount to a breach of data protection law and attract potentially high sanctions under the GDPR. It is critical, therefore, that organisations investigating such incidents consider their legal obligations from the outset, and that forensic investigations are conducted with the benefit of legal privilege.
Organisations should regularly review that they have appropriate technical measures in place to safeguard systems, including backups from which personal data can actually be restored, and an effective breach response procedure in the event of a cyber security incident.
The ICO has published a blog post on ransomware, including top tips on prevention and recovery.