On New Year’s Eve, a ransomware attack was launched on the foreign exchange company Travelex. Ever since, Travelex has been unable to access its computer systems and has been reduced to using paper records and invoices to try to maintain a basic level of service.
A ransomware attack essentially involves a third party gaining unauthorised access to an organisation’s computer systems (often via an initial phishing email). The attacker then encrypts the victim’s files, so that the organisation is denied access to its own data and systems. A ransom is then demanded for the release of the decryption key.
As well as causing business disruption, customer dissatisfaction and reputational issues, a ransomware attack can have several significant data protection implications:
Possible breach of security obligations
The fact that a third party is able to gain access to an organisation’s computer systems may indicate a lack of appropriate security. This might be due to insufficient technical measures, a failure to carry out regular security testing (such as penetration testing) and/or a lack of staff awareness or training. Any of these things may amount to a breach of the GDPR’s security requirements. In a worst-case scenario, such failures could result in the imposition of regulatory fines of up to €20 million or 4% of annual worldwide group turnover (whichever is the higher).
Possible personal data breach
If the attack results in:
- customers being denied access to their personal data;
- unauthorised persons having access to personal data; or
- loss or damage to personal data
there is likely to have been a personal data breach, which may be notifiable to the ICO under the GDPR’s mandatory data breach reporting obligations (in relation to which there is a tight deadline of 72 hours from the organisation becoming aware of the breach). Such a breach may also be notifiable to the individuals involved if it is sufficiently serious. Also, any failure to comply with the reporting requirements set out in the GDPR will, in itself, amount to a breach of the GDPR.
Claims for compensation
In the longer term, such an attack may lead to claims for compensation by the individuals involved. Under the GDPR, individuals are given a right to receive compensation for any material (e.g. financial) or non-material (e.g. emotional distress) damage suffered as a result of a breach of the GDPR rules. Also, increased awareness of the rights individuals have over their personal data means that class actions are on the rise.
So, what steps can your organisation take to minimise the risks?
- If you haven’t already done so, make a review of your organisation’s information security measures your New Year’s Resolution (ensuring that you think about organisational and physical measures, such as the security of premises and rights of access, as well as cyber security).
- Make sure that you understand your organisation’s reporting and other obligations in relation to personal data breaches. In addition, ensure that your staff are properly trained in how to identify and deal with personal data breaches and that your organisation has clear procedures in place to ensure that such incidents are dealt with appropriately and in compliance with the legal requirements.
- Some organisations are taking out insurance to try to protect themselves against GDPR liability. However, if you decide to take this approach, make sure you read the small print – some policies won’t be worth the paper they are written on.
- Think about your organisation’s public relations response to such an incident. Travelex has already been criticised for not making customers aware of the attack sooner. Getting the balance right between being open and honest with individuals and protecting your organisation’s position can be difficult. However, ensuring that you have good internal lines of communication and clear procedures to follow if you are the subject of a cyber-attack will undoubtedly help.
If you’d like to know more about your security obligations under the GDPR or the requirements relating to the reporting of personal data breaches, please don’t hesitate to contact a member of our Information Law team.