Ransomware – what are the obligations on data controllers?

Malware has long been a thorn in the side of those using the internet for personal and for business reasons, and you don’t need me to explain the plethora of issues that a victim can suffer. However, one particular category of malware, ransomware, has recently become significant: it is both more commonly encountered and more far-reaching in its effects than ever before.

What is it?

Those affected by ransomware cannot access their computers, networks or specific software on their systems unless a ransom is paid. Following payment of the ransom, the user’s machine may be released, more money may be requested or, most worryingly, nothing at all may happen and their computer may remain useless.

Ransomware is a cryptovirology attack and notable examples include Cryptolocker, CryptoWall and Locky Virus. While the precise cryptographic mechanism used to render a victim machine inaccessible without a ransom payment may differ, the sums of money netted by the perpetrators are vast. Bitcoin tracing of the ransom bounty suggests that those behind Cryptolocker, for example, saw $27M pass through their greasy hands.

How does it affect businesses?

The problem for businesses suffering a ransomware incident is that they are stuck between the devil and the deep blue sea – pay the ransom requested (generally up to around £1,000) and effectively reward the criminals for what they have done, or refuse to cooperate with the criminals, contact the police and a friendly cyber-consultancy in an attempt to resolve the situation without paying the ransom, and risk losing their data entirely.

What is the law?

It goes without saying that those behind the ransomware are guilty of criminal offences – whether through a common law conspiracy to defraud, as blackmail under section 21 of the Theft Act 1968, or under section 3 of the Computer Misuse Act 1990 in relation to the unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of computers.

However, it also appears that the victims themselves should be concerned by the law in this respect.

Businesses that hold personal data as data controllers do so within the legislative framework set out by the Data Protection Act 1998, for which the seventh data protection principle provides the following obligation:

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

A ransomware incident could certainly represent a breach of this principle, particularly where the incident would have been avoided had anti-virus software been up to date, or had patching been undertaken to prevent known vulnerabilities from being exploited.

Indeed, one of the most common attack vectors for ransomware is a malicious Word macro that users have to actively enable in order for the attack to succeed. This technique is now old-hat, but obviously still very effective. Staff training and adequate organisational policies and controls should prevent an issue like this from arising and, indeed, a lack of such training and controls is a fairly frequent justification for monetary penalty notices imposed by the UK data protection regulator, the Information Commissioner’s Office (ICO).
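One technical control that complements the training point above is to inspect incoming Office documents for the macro payload itself rather than trusting the file extension. The following is an added example, not code from the original article or from any product it mentions: it builds constructed sample Word packages in memory and flags those carrying a VBA project, as a mail gateway or file-intake check might (the part names and content types are those of the OOXML format; the policy function and its verdict strings are assumptions).

```python
# Added example: flag Office OOXML documents that carry VBA macros, inspecting the
# package itself rather than trusting the file extension. Sample packages are constructed.
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"  # where Word stores VBA code inside an OOXML package
MACRO_MARKER = "macroEnabled"       # appears in macro-enabled content types (.docm etc.)
CT_DOCM = "application/vnd.ms-word.document.macroEnabled.main+xml"
CT_DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample_package(with_macro: bool) -> bytes:
    """Construct a minimal Word-style OOXML zip (constructed test data, not a real file)."""
    content_type = CT_DOCM if with_macro else CT_DOCX
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{content_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", types_xml)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream.
            z.writestr(MACRO_PART, b"placeholder vba project")
    return buf.getvalue()


def macro_indicators(data: bytes) -> list:
    """Return the reasons a package looks macro-enabled; an empty list means none found."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy binary .doc files are OLE containers, not zips; they need an OLE parser.
        return ["not an OOXML package; inspect with an OLE parser"]
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if MACRO_PART in names:
            reasons.append(f"contains {MACRO_PART}")
        if "[Content_Types].xml" in names:
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_MARKER in types_xml:
                reasons.append("content type declares a macro-enabled document")
    return reasons


def gateway_decision(data: bytes) -> str:
    """Hypothetical policy: quarantine anything carrying macros, whatever its extension claims."""
    return "quarantine" if macro_indicators(data) else "deliver"
```

A real deployment would log the indicators alongside the sender and recipient so that the quarantine decision can be reviewed, which is also the evidence a regulator would expect to see for the "organisational measures" the seventh principle requires.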

The ICO specifically raised the issue of ransomware in its formal guidance document published in January 2016, “A Practical Guide to IT Security”, and emphasised the need for businesses to have a robust data back-up strategy, so as to avoid disruption to the availability of personal data held and a potential breach of the Data Protection Act 1998.

What should businesses do if they suffer a ransomware incident?

This is a tricky subject. Businesses could simply pay the ransom and hope that they get away with it. They could also brush the incident under the carpet as an undefined IT issue having caused them an outage. However, the reality is that a level of transparency around such issues may not only be the ethical approach but also one for which regulators are actually now baring their teeth to ensure compliance.

As discussed, the Data Protection Act 1998 compels businesses to ensure that appropriate technical and organisational measures are in place to secure the personal data they hold, and ICO guidance is clear that disruption due to ransomware incidents should be avoided through additional controls being in place. A breach of the Data Protection Act 1998 can lead to a monetary penalty being imposed of up to £500,000.

However, we are in the midst of data protection reforms, largely in the guise of the General Data Protection Regulation (GDPR), which provides for more onerous obligations than the existing regime, backed up by more fearsome consequences for failure: (i) mandatory breach disclosure (and ensuing reputational damage); (ii) regulatory fines of up to 4% of annual worldwide turnover; and (iii) compensation class actions (for distress alone) for the data subjects affected.

Dirty linen should no longer be swept under the carpet, but must be aired in public. If that is too much of a mixed metaphor to end with, then the message can be made clearer – transparency, transparency, transparency.