Proper management of a data breach following a ransomware cyberattack can avoid GDPR fines and damage claims from customers at a moment when the company is already under considerable strain.
What is the size of the ransomware risk?
Ransomware is a type of malware that restricts access to the computer system it infects or to the data it stores (usually by encrypting it) and demands that a ransom be paid to the creator(s) of the malware.
The impact of ransomware on the operation of a company can be massive, since within a few minutes it can encrypt all the files in the computer systems, preventing access to them and blocking the vast majority of the functions of a business. Suddenly, a message is displayed on your screen, and you no longer have access to emails, to any file in the database, to customers’ data, to any IT system necessary for the operation of your plant, etc.
And the downtime can last for quite a while. According to data published by Group-IB, the number of ransomware attacks grew by more than 150% in 2020. In 2020, ransomware attacks, on average, caused 18 days of downtime for the affected companies, while the average ransom amount increased almost twofold.
The Covid-19 pandemic and a remote working environment increased the risk exposure. Companies have a lower level of control over their employees, and human error is the main source of cyberattacks.
What can a ransomware cyberattack cause to data in your systems?
In previous years, ransomware cyberattacks mostly encrypted data in the victim’s systems. This type of attack can still amount to a data breach (a loss of availability) if a backup copy of the encrypted data is not promptly available so that the data can quickly be restored.
However, attackers have recently become more sophisticated and have understood that, by exfiltrating personal data as well, they are more likely to receive a ransom payment. So during the last two years we have frequently seen attackers that
- access the victim’s system for a while;
- exfiltrate personal data, keeping the exfiltration rate within tolerance limits to avoid being detected by data loss prevention (DLP) systems, and deleting log files where possible;
- then encrypt the data in the systems; and
- publish a sample of the personal data on the dark web to prove the exfiltration, threatening that, if the ransom is not paid within a week, the data of thousands of individuals will be published.
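The two evasion tactics above, rate-limited exfiltration and log deletion, are what a defender's detection logic has to compensate for. The following Python script is an added example (not from the EDPB guidelines or the original article) that illustrates one way to do so: it aggregates outbound bytes per source/destination pair over a 24-hour sliding window so that many transfers that each stay under a per-file DLP threshold are still caught in aggregate, flags commands that clear or delete logs, and correlates the two. The log formats, the thresholds, the host names and the log lines are all constructed for the example.

```python
"""Low-and-slow exfiltration and log-wiping detection over constructed log lines.

Added example; formats, thresholds, hosts and log lines are assumptions, not real data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DLP_PER_TRANSFER_BYTES = 10 * 1024 * 1024  # assumed per-transfer size a DLP rule alerts on
CUMULATIVE_BYTES = 50 * 1024 * 1024        # assumed per-destination volume per window we treat as abnormal
WINDOW = timedelta(hours=24)

# Constructed egress-proxy log: "<ISO time> <src_host> <dst_host> <bytes_out>".
# ws-042 pushes seven 8 MiB chunks to one external host over 12 hours: each chunk is
# below the per-transfer threshold, so a per-file DLP rule never fires.
PROXY_LOG = """\
2021-03-01T00:10:00 ws-042 updates.example.com 120000
2021-03-01T01:00:00 ws-042 transfer.evil.example 8388608
2021-03-01T03:00:00 ws-042 transfer.evil.example 8388608
2021-03-01T05:00:00 ws-042 transfer.evil.example 8388608
2021-03-01T07:00:00 ws-042 transfer.evil.example 8388608
2021-03-01T09:00:00 ws-042 transfer.evil.example 8388608
2021-03-01T11:00:00 ws-042 transfer.evil.example 8388608
2021-03-01T13:00:00 ws-042 transfer.evil.example 8388608
2021-03-01T02:00:00 fs-01 backup.example.net 31457280
2021-03-01T14:00:00 ws-017 cdn.example.org 2097152
"""

# Constructed endpoint process-creation log: "<ISO time> <host> <user> <image> <cmdline>".
ENDPOINT_LOG = r"""
2021-03-01T13:40:00 ws-042 corp\jsmith C:\Windows\System32\wevtutil.exe wevtutil cl Security
2021-03-01T13:41:00 ws-042 corp\jsmith C:\Windows\System32\cmd.exe cmd /c del /q C:\inetpub\logs\LogFiles\*.log
2021-03-01T13:45:00 ws-017 corp\asmith C:\Apps\app.exe app.exe --sync
"""

LOG_WIPE_PATTERNS = [
    re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),                 # wevtutil cl <log>
    re.compile(r"\bClear-EventLog\b", re.I),                        # PowerShell cmdlet
    re.compile(r"\b(del|rm|erase)\b.*\b(logs?|LogFiles)\b", re.I),  # deleting log files
]


def parse_proxy_log(text):
    """Return a list of (timestamp, src_host, dst_host, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def find_low_and_slow(events, window=WINDOW, per_transfer=DLP_PER_TRANSFER_BYTES,
                      cumulative=CUMULATIVE_BYTES):
    """Map (src, dst) -> peak bytes sent within any `window` where every single
    transfer stayed under `per_transfer` but the total reached `cumulative`."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in events:
        by_pair[(src, dst)].append((ts, size))
    findings = {}
    for pair, xfers in by_pair.items():
        xfers.sort()
        if any(size >= per_transfer for _, size in xfers):
            continue  # an oversized single transfer is the per-file DLP rule's job, not ours
        total, start = 0, 0
        for ts, size in xfers:  # two-pointer sliding window over time-sorted transfers
            total += size
            while ts - xfers[start][0] > window:
                total -= xfers[start][1]
                start += 1
            if total >= cumulative:
                findings[pair] = max(findings.get(pair, 0), total)
    return findings


def find_log_wiping(text):
    """Return (host, user, cmdline) for every process that clears or deletes logs."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, host, user, _image, cmdline = line.split(maxsplit=4)
        if any(p.search(cmdline) for p in LOG_WIPE_PATTERNS):
            hits.append((host, user, cmdline))
    return hits


def correlate(exfil, wipes):
    """Hosts that both exfiltrated slowly and wiped logs: the highest-confidence finding."""
    return sorted({src for src, _ in exfil} & {host for host, _, _ in wipes})


if __name__ == "__main__":
    exfil = find_low_and_slow(parse_proxy_log(PROXY_LOG))
    wipes = find_log_wiping(ENDPOINT_LOG)
    for (src, dst), total in exfil.items():
        print(f"low-and-slow exfiltration: {src} -> {dst}, {total / 2**20:.0f} MiB in {WINDOW}")
    for host, user, cmdline in wipes:
        print(f"log wiping on {host} by {user}: {cmdline}")
    print("correlated hosts:", correlate(exfil, wipes))
```

The aggregation window matters more than the thresholds: the attacker chooses chunk sizes to defeat a per-file rule, so the rule that catches them has to reason about volume per destination over time. Because the deletion of local logs is itself one of the signals, both inputs should come from a central log server rather than from the endpoint being investigated.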
How to deal with a data breach following a ransomware cyberattack?
The European Data Protection Board (EDPB) issued its Guidelines on examples of data breaches where it addressed the following scenarios:
- Ransomware with data encrypted at rest by the victim, no special category of data involved, proper backup and no data exfiltration
  - ❌ no data breach notification to the competent supervisory authority and ❌ no communication to the affected individuals, if data can be quickly restored; but according to the EDPB, in high-risk cases even restoring data within the 72-hour deadline can be viewed as unsatisfactory.
- Ransomware with no evidence of data exfiltration (though it cannot be excluded), no proper backup (data restored manually in 5 days), no encryption at rest and no special category of personal data involved
  - ✅ yes, data breach notification to the competent supervisory authority is due, but ❌ no communication to the affected individuals, although this depends on the time necessary for restoration. Also, according to the EDPB, if delays in payments and deliveries due to the data breach may lead to a financial loss for the individuals whose data has been compromised, one could argue the breach is likely to result in a high risk. Moreover, it might not be possible to avoid informing the data subjects if their contribution is needed to restore the encrypted data.
- Ransomware with backup and without exfiltration in a hospital, with special categories of data involved
  - ✅ yes, data breach notification to the competent supervisory authority is due, and ✅ yes, communication to patients whose treatment was scheduled is necessary. Indeed, according to the EDPB, if data cannot be immediately restored and this leads to a delay in patients’ treatment, they must be informed.
- Ransomware without backup, with no special category of data involved, but with financial data affected and with exfiltration
  - ✅ yes, data breach notification to the competent supervisory authority is due, and ✅ yes, communication to the affected individuals, since, according to the EDPB, the communication is essential for the individuals to take the necessary steps to avoid material damage (e.g., blocking their credit cards).
What measures are recommended to avoid a ransomware cyberattack?
The EDPB provides a long list of organizational and technical measures for preventing and mitigating the impact of ransomware attacks, which includes:
- Designing and organizing processing systems and infrastructure to segment or isolate data systems and networks to avoid propagation of malware within the organization and to external systems;
- The existence of an up-to-date, secure, and tested backup procedure with media for medium- and long-term backup kept separate from operational data storage and out of reach of third parties even in case of a successful attack;
- Training employees in recognizing and preventing IT attacks, enabling them to establish whether emails and messages received by other means of communication are authentic and trustworthy;
- Forwarding or replicating all logs to a central log server;
- Adopting strong encryption and authentication, in particular for administrative access to IT systems;
- Performing vulnerability and penetration testing regularly;
- Establishing a Computer Security Incident Response Team (CSIRT) or Computer Emergency Response Team (CERT) within the organization, or join a collective CSIRT/CERT; and
- Creating an Incident Response Plan, a Disaster Recovery Plan and a Business Continuity Plan, and ensuring that these are thoroughly tested.
My view on the position of the European Data Protection Board on how to handle a ransomware data breach
It is important to emphasize that the European Data Protection Board guidelines are best practices that are not binding, as opposed to the provisions of the GDPR. Indeed, some of the positions taken, for instance in the case where backup copies of the data are available and no exfiltration occurred, are at least arguable.
I am not of the view that a ransomware data breach shall be notified to the data protection supervisory authority regardless of its actual effects on personal data. This course of action is not in line with the GDPR principle of accountability, and it might not be in the company’s best interest. Indeed, in countries like Italy, data protection authorities scrutinize and investigate each data breach notification that they receive. Therefore, a notification performed when it was not actually due can lead to investigations and potential GDPR fines for aspects that were not connected with the data breach and that emerged during, for instance, a dawn raid subsequent to the notification.
A case-by-case assessment shall be performed, but – more importantly – companies shall be ready for a potential cyberattack with organizational and technical measures.
On a similar topic, the article “Top 3 lessons learned on how to be ready to handle a data breach” can be interesting.