Partner Abigail Healey comments on data protection and ransomware in Compliance Week



September 11, 2023

Partner Abigail Healey comments on recent cases of cyber criminals leveraging GDPR to pressure hacked victims into paying ransoms, in Compliance Week.


Abigail’s comments were published in Compliance Week, 7 September 2023, and can be found here.

“No company could safely consider paying a ransom to be an effective means of remedying a breach so as to avoid the obligation to self-report to the ICO. Engaging with anonymous criminals is inherently risky, and there are no guarantees that doing so would negate the risks posed to data subjects potentially affected by the data breach. Even if the company chooses to pay the ransom, the company would still need to report the breach to the ICO if there is a risk to the rights and freedoms of individuals.

“Paying a ransom may well have further repercussions for the company, not least being seen as an easy target and leaving it more susceptible to future ransomware attacks. It may also void any cyber insurance cover, and in certain circumstances may even be illegal, such as if the attacker is subject to sanctions, or the funds are used for terrorism purposes. The company should therefore give very careful consideration before acceding to any ransom demands.

“Companies wishing to avoid heavy fines would be far better placed investigating how the breach occurred as well as reviewing what organisational and technical measures are in place to protect personal data and addressing any identified vulnerabilities. While it might not be possible to avoid a fine, the steps taken by a responsible company to identify why the breach happened and learn from it may count as mitigating factors to limit the potential regulatory exposure.

“The ICO has, however, made it clear that paying a ransom demand will not result in a lower fine, should the ICO undertake an investigation. What is abundantly clear is that if a company pays the ransom, does not self-report and is later the subject of enforcement action, the amount of the fine levied is likely to increase significantly.