Ransomware "extortion" under GDPR?

An article in the Times yesterday cited sources arguing that the recent introduction of the General Data Protection Regulation (GDPR) with its stricter rules and potential for costly fines could increase the risk of ransomware attacks for businesses. The argument is that hackers could access sensitive personal data held by a firm and threaten to disclose it if a ransom is not paid, on the grounds that the ransom demanded will be cheaper than a fine for breaching GDPR.

A breach of GDPR does bring a risk of a heavy fine - in some cases, up to ?20million or even four per cent of global turnover for a business, whichever is higher. However, getting hacked is not itself a breach of GDPR. Under the new rules, firms must have appropriate data security measures in place. Those that do, but that still get hacked, will not necessarily be fined.

Where the rules are broken, the Information Commissioner's Office (ICO) has a range of enforcement powers and has been consistent in saying that they will take account of a number of factors when choosing how to respond. These include whether it was intentional or a result of negligence(see for example their draft Regulatory Action Policy and their ?myth busting? blog on breach reporting).

Under GDPR  firms that are hacked will typically have to advise the ICO  of the incident, and the ICO has already said it will be more sympathetic of firms that self-report any incidents.

Ransomware attacks and other hacking are of course a risk and the threat to reputation - and harm to individuals if their personal data is compromised - is real. Firms should be working hard to ensure they maintain high standards of security to protect the personal data they hold. They should also have processes in place to report data breaches and cooperate with the ICO when needed. But these are data protection fundamentals, and as such are already being taken seriously by most businesses. Businesses should be working hard on cyber security because this is fundamental to protecting customers and complying with GDPR, not because they might be 'snitched on? by hackers.

Area of expertise: