Ransomware Payments and GDPR
Read our blog following advice from the ICO on ransomware attacks and the risks that paying a ransom can create: payment incentivises further harmful behaviour rather than guaranteeing the safe return of data.
The Information Commissioner’s Office (ICO), in conjunction with the National Cyber Security Centre (NCSC), has issued guidance to assist solicitors when advising clients who may have suffered a cybersecurity incident.
With the increasing number of ransomware attacks and the increasing ransom amounts being paid, the ICO wants to correct the mistaken but persistent belief that paying a ransom may protect the stolen data and/or result in a lower penalty from the ICO should it undertake an investigation. The ICO would like to be clear that this is not the case.
Law enforcement does not encourage, endorse or condone the payment of ransoms. While payments are not usually unlawful, payers should be mindful of how relevant sanctions regimes (particularly those related to Russia), and their associated public guidance, may change that position. More importantly, payment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or the return of stolen data. UK data protection law requires organisations to take appropriate technical and organisational measures to keep personal information secure and to restore information in the event of an information security incident.
As regulator, the ICO takes into account, when setting its response and any penalty level, the actions taken to mitigate the risk of harm to the individuals affected by a data breach. For the avoidance of doubt, the ICO does not consider the payment of money to criminals who have attacked a system as mitigating the risk to individuals, and such a payment will not reduce any penalties incurred through ICO enforcement action.
The ICO will recognise mitigation of risk where organisations have taken steps to fully understand what has happened and learn from it and, where appropriate, have raised the incident with the NCSC, reported it to Police Scotland, and can evidence that they have taken advice from, or can demonstrate compliance with, appropriate NCSC guidance and support.
The ICO is keen to highlight that payment of a ransom does not necessarily protect stolen data, nor does it result in a lower penalty from the ICO. Law enforcement agencies discourage the payment of ransoms, chiefly because payments incentivise further attacks and do not guarantee decryption of networks or the return of stolen data.
As the regulator responsible for the security principle, the ICO has recently published its updated ransomware guidance. This sets out an up-to-date view of common ransomware compliance issues, including what you should do if you receive an offer to make a payment. The NCSC also sets out all of its guidance on ransomware on its website.
In the event of a ransomware attack, there may be a regulatory requirement to report to the ICO as the data regulator, whereas the NCSC, as the technical authority on cyber security, provides support and incident response to mitigate harm and learn broader cyber security lessons. The NCSC works with organisations to ensure they have understood how they came to be a victim of ransomware, have understood the cyber security implications, and have taken steps to protect themselves from similar incidents. Neither the NCSC nor Police Scotland shares information on incidents with any regulator without permission from the affected organisation. However, the ICO and the NCSC continue to work together, sharing information on strategic trends, to ensure we are making the UK a safer place to be online.
The National Crime Agency (NCA) leads the law enforcement response to ransomware and works closely with Police Scotland to investigate offenders, deliver services to support victims, and provide support to businesses to help them understand their cyber security requirements and the steps they need to take to fulfil their obligations under the UK GDPR and the Data Protection Act 2018 (DPA 2018).
You can find out more on the Society’s website about cyber and data security and your legal obligations, and you can contact our strategic partner, Mitigo Cybersecurity, if you would like assistance with cyber protection. Mitigo also provides emergency cyber incident management and a free consultation service.