On New Year’s Eve, a ransomware attack was launched on foreign exchange company, Travelex. Ever since, Travelex hasn’t been able to gain access to its computer systems and has been reduced to using paper records and invoices to try and maintain a basic level of service.

A ransomware attack essentially involves a third party gaining unauthorised access to an organisation's computer system (often via an initial phishing scam). The attacker then encrypts its victim’s digital files, meaning that the organisation is denied access to its own computer system. A ransom is then demanded for the release of the decryption key.

As well as causing business disruption, customer dissatisfaction and reputational issues, a ransomware attack can have several significant data protection implications:

Possible breach of security obligations

The fact that a third party is able to gain access to an organisation’s computer system may indicate a lack of appropriate security. This might be due to insufficient technical measures, failure to carry out periodic stress testing and/or a lack of staff awareness or training. All of these things may amount to a breach of the GDPR’s security requirements. In a worst-case scenario, such failures could result in the imposition of regulatory fines of up to €20 million or 4% of annual worldwide group turnover (whichever is the higher).

Possible personal data breach

If the attack results in:

  • customers being denied access to their personal data;
  • unauthorised persons having access to personal data; or
  • loss or damage to personal data,

there is likely to have been a personal data breach which may be notifiable to the ICO under the GDPR’s mandatory data breach reporting obligations (in relation to which there is a tight, 72-hour deadline). Such a breach may also be notifiable to the individuals involved if it is sufficiently serious. Also, any failure to comply with the reporting requirements set out in the GDPR will, in itself, amount to a breach of the GDPR.

Claims for compensation

In the longer term, such an attack may lead to claims for compensation by the individuals involved. Under the GDPR, individuals are given a right to receive compensation for any material (e.g. financial) or non-material (e.g. emotional distress) damage suffered as a result of a breach of the GDPR rules. Also, increased awareness of the rights individuals have over their personal data means that class actions are on the rise.

So, what steps can your organisation take to minimise the risks?

  • If you haven’t already done so, make a review of your organisation’s information security measures your New Year’s Resolution (ensuring that you think about organisational and physical measures, such as the security of premises and rights of access, as well as cyber security).
  • Make sure that you understand your organisation’s reporting and other obligations in relation to personal data breaches. In addition, ensure that your staff are properly trained in how to identify and deal with personal data breaches and that your organisation has clear procedures in place to ensure that such incidents are dealt with appropriately and in compliance with the legal requirements.
  • Some organisations are taking out insurance to try to protect themselves against GDPR liability. However, if you decide to take this approach, make sure you read the small print – some policies won’t be worth the paper they are written on.
  • Think about your organisation’s public relations response to such an incident. Travelex has already been criticised for not making customers aware of the attack sooner. Getting the balance right between being open and honest with individuals and protecting your organisation’s position can be difficult. However, ensuring that you have good internal lines of communication and clear procedures to follow if you are the subject of a cyber-attack will undoubtedly help.

If you’d like to know more about your security obligations under the GDPR or the requirements relating to the reporting of personal data breaches, please don’t hesitate to contact a member of our Information Law team.