How to respond to a ransomware attack – an illustrative example
Published on 14th Jun 2022
Cyber attacks have become a fact of life. They are a persistent and real risk for any business, with the frequency and severity of attacks increasing dramatically over the past few years. Our case study illustrates how to navigate a cyber attack: to ensure that operational impact, reputational damage, financial loss, and legal liability are minimised, and the potential fallout is managed to the greatest extent possible.
This is chapter 2.9 of Data-driven business models: The role of legal teams in delivering success
TechCo, a London-headquartered technology company, with subsidiaries in France, Germany and Poland, has suffered a ransomware attack. The ransomware attack has encrypted a large tranche of the data held by TechCo (including personal data). The type and quantity of affected personal data is unknown at this stage. It is also not yet clear whether TechCo's back-ups have been affected.
The hackers have contacted TechCo's CEO, threatening to release personal data onto the dark web if a ransom payment of the bitcoin equivalent of $500,000 is not made within 72 hours, in exchange for the return of the data. TechCo's IT team has started investigating the incident. Investigations have not yet confirmed whether the hackers have, in fact, exfiltrated data (including personal data) from TechCo's systems.
Factual investigations and operational issues
TechCo should consider at the earliest opportunity whether it may be necessary to appoint an expert cyber forensics firm to assist with any investigation. Internal IT teams may not have the necessary time and expertise and there can be questions in relation to independence.
If TechCo instructs a cyber forensics expert, it should consider whether it is possible to instruct that expert in a way which means that any reports produced are privileged (to the extent that this is possible in individual jurisdictions). If it is not possible to produce a report under privilege, then TechCo (and its lawyers) should exercise careful control over the production of the report to ensure that it does not increase TechCo's legal liability for the incident.
Legal and regulatory issues
Article 33 GDPR – notifying the relevant supervisory authority
Under Article 33 of the General Data Protection Regulation (GDPR), a data controller must notify a personal data breach to the relevant data protection authority no later than 72 hours after having become aware of it unless the breach is unlikely to result in a risk to the rights and freedoms of those affected. At present, there is no divergence between the UK GDPR and the EU GDPR, but the manner in which Article 33 is interpreted does vary across jurisdictions.
If there has been unauthorised access to, and encryption of, large volumes of personal data (as well as the potential exfiltration of this data) by a hacker, it is likely that the Article 33 threshold for notification to a data protection authority will be met.
TechCo does not have an obvious "main establishment" in the EU. As such, it cannot reliably take advantage of the EU's 'one-stop shop' system, where one competent data protection authority acts as the lead supervisory authority in relation to the incident. This means that, if Article 33 is triggered, TechCo must report the incident to the supervisory authority in each affected jurisdiction. And, of course, the UK is no longer in the EU, so even if there were a "main establishment" in the EU, the UK would need to be dealt with separately. From a practical perspective, if multiple jurisdictions are involved and the decision is made to notify in one jurisdiction, it is sensible to notify the relevant supervisory authority in all relevant jurisdictions.
The UK's data protection authority, the Information Commissioner's Office (the ICO), has various guidance on its website with respect to how it expects data controllers to assess whether any breach is likely to result in a risk to the rights and freedoms of those affected including, most recently, new guidance in relation to ransom attacks. If TechCo determines that Article 33 has been triggered, it should make an initial notification within the 72-hour period (the ICO has not, to date, fined data controllers who make this notification a few minutes or a few hours late). This could then be followed by an update as the situation progresses. While the ICO has a specific form on its website for reporting data breaches, the use of this form is not mandatory (breaches can be notified via email).
If personal data of the French subsidiary is affected by the incident, TechCo would have to make an initial notification of the incident to the French data protection authority (the CNIL), directly on the CNIL’s website using the standard online form. When TechCo has gathered more comprehensive information about the incident, it will be able to update its initial declaration with an additional and final declaration. The CNIL is usually keen to claim jurisdiction over certain incidents. So, in case of doubt, it would be sensible for TechCo to notify the CNIL, even if investigations at a later stage reveal that the French subsidiary was not affected.
As TechCo has an establishment in Germany, the supervisory authority of the state in which it is located would be the competent data protection authority provided that the establishment was affected by the incident. Germany has 16 independent supervisory authorities for each state (Bundesland) and one federal supervisory authority. Some supervisory authorities tend to be stricter with regard to incident reports than others. Many supervisory authorities have published guidance notes on their approach to data incidents and on when they expect to be notified.
The Polish data protection authority, the Urząd Ochrony Danych Osobowych (UODO), would expect TechCo to notify them of this incident, if data related to the Polish subsidiary is affected. The notification can be submitted either by filling in a dedicated electronic form available on their website, or by sending the completed form to the ePUAP electronic message box (which is a specific system for communicating with government bodies) or via traditional post to their address.
Article 34 GDPR – personal data – notifying the relevant data subjects
Under Article 34 of the GDPR, data subjects must be notified "without undue delay" where a "personal data breach is likely to result in a high risk" to their rights and freedoms. There are certain instances where communication to data subjects is not required: (1) where the data controller has previously taken measures to protect its data in the event of a breach, thus rendering the exfiltrated data useless (such as encryption); (2) the controller has taken measures since the breach to combat the likelihood of a high risk to the rights and freedoms of the data subjects; and (3) it would involve disproportionate effort, and a public communication or similar would be equally effective.
On the facts of this scenario, we do not know what volume or types of personal data have been affected, how they have been affected, and for which data subjects. TechCo will need further information in order to assess whether Article 34 has been triggered, and will need to consider what proportionate investigations it should carry out. Once it has further information, TechCo will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. It should refer to the ICO's guidance on personal data breaches in making this determination and consider preparing a risk assessment.
The CNIL adopts a conservative approach and tends to have a broad interpretation of situations that are considered as “high risk”. An assessment of the risk/high risk situation would need to be made on a case-by-case basis by TechCo, taking into account the relevant factors (see CNIL's website for guidance). In many cases, following CNIL's approach, it will be necessary to notify the data subjects. Data controllers will have to carefully weigh the pros (compliance from a regulatory perspective) and cons (potential bad publicity) of notifying in case of doubt as to whether the “high risk” threshold is met or not.
The assessment as to whether to notify data subjects depends to some degree on which supervisory authority will be competent for TechCo’s establishment in Germany. Many supervisory authorities in Germany have published guidance notes with practical examples of when they usually see a likely risk.
In carrying out the assessment of whether to notify data subjects, we would recommend carrying out a risk assessment. Given that the UODO usually follows a formalised risk-based approach, documentation of the impact analysis would be an important part of any discussions with the UODO.
Ransom payments
The payment of a ransom raises legal, practical, and ethical considerations. These include: whether payment of a ransom will be effective (for instance, will it result in the provision of decryption tools and will the attacker abide by assurances?), the potential that payment of a ransom will attract further ransom attacks, possible criminal liability, and whether there is any negative reputational impact for a business in paying.
Under English law, the payment of a ransom is not of itself illegal. However, the payment of a ransom may be illegal and constitute a criminal offence if it breaches anti-money laundering legislation, anti-terrorism laws, or breaches sanctions. If TechCo wishes to consider paying the ransom, it will need to conduct due diligence regarding the payee before any payment is made.
The ICO has recently issued new guidance on the payment of ransoms, and the impact that this has on a data controller's regulatory duties. The ICO's position is that payment of a ransom does not affect the position that personal data has been compromised.
Businesses in certain regulated sectors may be subject to additional obligations and restrictions.
Both the CNIL and the ANSSI (governmental agency for IT security) warn against paying a ransom. The CNIL does not permit controllers to view the risk to data subjects as being lower by virtue of having paid a ransom (no weight is given to a cyber criminal's promise of returning data). Moreover, French insurers are usually very reluctant to cover payment of ransom.
It is unclear whether paying ransom would constitute a criminal offence under German law. The payment could potentially infringe anti-money laundering regulations. German law enforcement agencies as well as the German Federal Agency for Information Security (BSI) warn companies not to pay in the case of a ransomware attack. However, German law enforcement agencies also usually have a clear focus on the actual perpetrators and the practical risk of prosecution is rather low if a company actually pays ransom.
There is no direct legal regulation in Poland governing the payment of ransoms. However, the ethical and legal assessment of the payment of the ransom may be considered from the point of view of the concept of a state of necessity, in which it is necessary to eliminate a danger directly threatening the personal well-being of a person, which is recognised by Polish law. If the ransom were to be paid by the Polish branch of TechCo, TechCo would be advised to cooperate with the special cyber department of the Polish police, especially in order to avoid doubts related to the transfer of payments in cryptocurrency, a tool which is often used in criminal activities related to money laundering.
Potential follow-on claims
Under Article 82 of the GDPR, data subjects that suffer material or non-material damage as a result of an infringement of the GDPR are entitled to compensation. This means that TechCo faces the prospect of potential claims against it by affected data subjects. The likelihood of potential claims against it being threatened varies by jurisdiction, with certain jurisdictions having developed a 'claims culture'.
In England, a 'class action' or claims culture has developed. If TechCo were to notify data subjects of a personal data breach, it can expect to receive claims for compensation from a certain number of data subjects. In order for any claim for compensation to succeed, a data subject must demonstrate that: (1) TechCo has breached the UK GDPR and (2) as a result, the data subject has suffered material or non-material damage (such as distress).
France has not yet fully developed a claims culture. Nonetheless, over the past few years, consumer associations have slowly been integrating the fact that some of them can now act to claim damages in cases of alleged breach of data protection obligations. Indeed, in France, the law extended “collective action” (action de groupe) to cover the compensation of material and moral damages suffered due to a breach of data protection obligations incumbent on a data controller or processor (as provided for by French data protection law and by the EU GDPR).
Under French law, each person participating in a collective action has the right to be compensated individually. The compensation that TechCo may be liable to pay corresponds to the economic loss suffered; it is a matter of compensating the loss actually suffered by the person concerned.
Germany does not recognise representative actions. German civil law is very much focused on the compensatory effect of damages claims. Therefore, claimants will have to provide evidence that damage has actually occurred. Although it is possible to claim for non-material damages, German courts tend to grant relatively small amounts compared to other jurisdictions. Typical damages granted by courts for data protection infringements have varied between zero and €5,000 (per data subject). The claims that TechCo may face very much depend on the nature of the data affected by the attack, whether the data has actually been exfiltrated and the impact the incident has on the data subjects.
Poland is not a country with a high culture of lawsuits. The compensation awarded by courts for damages is generally low, limited to actual or future monetary losses, with little regard for victims' suffering and indirect effects. The main concern for TechCo in relation to personal data breaches is the risk of administrative fines and the loss of customers (rather than claims for compensation under the GDPR). In addition, the nature of personal data can cause serious reputational damage to data subjects, which can translate into high claims.
Other legal, regulatory and reputational considerations
TechCo should consider how the incident affects data for which TechCo is acting as data processor, as TechCo will have GDPR obligations to notify relevant data controllers.
Aside from the GDPR, TechCo will need to consider whether the incident gives rise to any other legal and regulatory considerations. This could include regulation under the NIS Regulations, regulation by other professional bodies (such as the Financial Conduct Authority, in the UK), rules which may apply if it is listed on a stock exchange, and/or contractual obligations (under insurance contracts or to commercial counterparties).
Further, if it transpires that the cyber incident has arisen as a result of any breach by a third party supplier, TechCo should consider whether it is able to bring a claim against that third party supplier to recoup its losses arising from the incident.
TechCo should also be careful to ensure that communications, both internal and external, follow a narrative designed to protect the company's interests and reputation. Inadvertent admissions of liability can and will result in regulatory scrutiny and open the door for follow-on claims.
TechCo may also wish to notify the relevant law enforcement authorities.
We have partnered with European Company Lawyers Association (ECLA) to produce a report exploring the challenges and opportunities associated with new data-driven business models.