Partner Abigail Healey comments on recent cases of cyber criminals leveraging GDPR to pressure hacked victims into paying ransoms, in Compliance Week.
Abigail’s comments were published in Compliance Week, 7 September 2023, and can be found here.
“No company could safely consider paying a ransom to be an effective means of remedying a breach so as to avoid the obligation to self-report to the ICO. Engaging with anonymous criminals is inherently risky, and there are no guarantees that doing so would negate the risks posed to data subjects potentially affected by the data breach. Even if the company chooses to pay the ransom, the company would still need to report the breach to the ICO if there is a risk to the rights and freedoms of individuals.
“Paying a ransom may well have further repercussions for the company, not least being seen as an easy target and leaving it more susceptible to future ransomware attacks. It may also void any cyber insurance cover, and in certain circumstances may even be illegal, such as if the attacker is subject to sanctions, or the funds are used for terrorism purposes. The company should therefore give very careful consideration before acceding to any ransom demands.
“Companies wishing to avoid heavy fines would be far better placed investigating how the breach occurred as well as reviewing what organisational and technical measures are in place to protect personal data and addressing any identified vulnerabilities. While it might not be possible to avoid a fine, the steps taken by a responsible company to identify why the breach happened and learn from it may count as mitigating factors to limit the potential regulatory exposure.
“The ICO has, however, made it clear that paying a ransom demand will not result in a lower fine, should the ICO undertake an investigation. What is abundantly clear is that if a company pays the ransom, does not self-report and is later the subject of enforcement action, the amount of the fine levied is likely to increase significantly.
Quillon Law ranked as a “Firm to Watch”
Quillon Law ranked as a "Firm to Watch" and Partner Michael Barnett recognised as a Leading Individual in The Legal 500 UK 2023 Guide
Partner Nicola McKinney explores IRS crypto proposals in Bloomberg
Partner Nicola McKinney argues that recent US Treasury proposals that would force crypto brokers to disclose details of their clients’ transactions fail to address the cross-border nature of many digital assets.
Partner Nicola McKinney discusses digital asset recovery and the Economic Crime and Corporate Transparency Bill in Law360
Partner Nicola McKinney examines a recent Civil Recovery Order and explores how the recovery of digital assets will be impacted by upcoming legislation.
Partner Nicola McKinney analyses the G20’s crypto recommendations in Compliance Monitor
Partner Nicola McKinney explores recent recommendations from the G20's Financial Stability Board regarding the regulation of crypto assets, and discusses the role of such reports in forming an integrated and cross-border regulatory approach.