The Information Commissioner’s Office recently refreshed its Guidance on Ransomware Attacks. These are data security breaches in which criminals encrypt data or otherwise deny access to systems and demand a payment to restore them. Increasingly, the attackers also copy data out of the organisation before locking it and threaten to publish it unless their demands are met (so-called “double extortion”). Such attacks are becoming endemic.
The ICO Guidance contains a lot of useful practical and technical guidance about how to prevent attacks and respond to them when they happen. However, we thought it might be worth picking out some particular points from the Guidance which clients ask us about from a legal perspective:
- The ICO clarifies that these attacks are potentially reportable data breaches – denial of access to data or systems (even without the taking of any data) falls within the ICO’s definition of a personal data breach. So, a documented risk assessment to consider reporting to the ICO and affected individuals is required.
- If you form the view that data has not been taken, the ICO may require you to produce evidence to support that view, for example logs of activity on your systems. In practice this presupposes that adequate logging was in place before the attack and that the logs survived it.
- The ICO says you should normally report the incident to law enforcement. If the police ask you not to inform the affected individuals whilst they investigate then do not take this as read. The ICO says it wants to be informed and involved in discussions with you and the police about this before a final decision is taken.
- The ICO supports law enforcement’s position that it does not encourage the payment of ransoms (but the ICO doesn’t say organisations should never pay). Importantly, the ICO says that it does not view paying a ransom as an appropriate measure to restore data or access to systems. Nor does the ICO consider that the payment of a ransom to obtain the return of stolen data reduces the risk to individuals. The ICO emphasises that organisations are dealing with criminals who should not be trusted.
To emphasise these issues, the ICO recently fined a firm of solicitors, Tuckers, £98,000 following a ransomware attack on the firm. The ICO was critical of the firm’s approach to Multi-Factor Authentication for remote access, its software patch management and its failure to encrypt archived data. The ICO has published its Monetary Penalty Notice.
We will be holding a webinar in the Summer which will look at the lessons to learn from ICO enforcement action following data security breaches. We will cover the Tuckers example in more detail then.
If you require further information about anything covered in this briefing, please contact Ian De Freitas or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, March 2022