
Ransomware – COVID-19 & Upgrading Your Defenses

It’s pretty shameful that in the current crisis we’re seeing ransomware on the rise. It’s even more shameful that organizations involved in fighting the virus seem to be especially at risk.


It’s pretty shameful that in the current crisis we’re seeing ransomware on the rise. It’s even more shameful that organizations involved in fighting the virus seem to be especially at risk. Last year ransomware targeted healthcare more than any other industry, accounting for 29% of total ransomware attacks, according to Beazley’s 2020 Breach Briefing report. Recent events suggest that attacks are up as the COVID-19 virus spreads, with criminals working on the theory that an organization desperate to unlock its data is now more likely to pay.

The combined effects of COVID-19 and ransomware have already claimed one victim: Travelex entered into administration on Aug. 6, 2020 after reportedly paying a ransom to hackers. A rescue package was agreed, but with the loss of 1,300 jobs. Regrettably, Travelex is likely to be just the first of many victims.

What Techniques Are Hackers Using?

A ransomware attack uses malware that encrypts or otherwise restricts access to computers, systems or data by exploiting system vulnerabilities. The attackers demand that the victim pay money (usually in cryptocurrency such as Bitcoin) to receive the decryption key or recover access.

The main ways that a ransomware ‘payload’ can enter an organization’s network are via:

The criminals usually exploit a vulnerability in the operating system or other installed software, which then starts the encryption process.

What’s the Worst That Can Happen?

The impact of a ransomware attack can be severe and far-reaching. For the corporate victim, it can mean business disruption, financial loss and reputational damage. For some it may mean that they are forced to close.

For those whose data has been compromised, this could mean that critical data is rendered inaccessible or disclosed to unauthorized people — in some cases this could include sensitive data.

In terms of data protection law impact, the General Data Protection Regulation (GDPR) imposes key requirements relating to security. Controllers must take appropriate technical and organizational measures (TOMs) to keep personal data secure against loss or destruction.

Where a ransomware attack means that an organization is unable to restore compromised data, this could constitute a breach of the GDPR on the basis that appropriate measures have not been taken to keep the data secure.

If a personal data breach has occurred, this will need to be reported by the controller organization to the relevant data protection regulator(s) (in the UK, the Information Commissioner’s Office (ICO)) within 72 hours, unless the personal data breach is unlikely to result in a risk to individuals. If the personal data breach is likely to result in a high risk to individuals, the controller needs to also communicate the breach to individuals whose data has been compromised without undue delay.

It is possible that the incident may not amount to a reportable personal data breach if:

We know that a number of organizations who have suffered a ransomware attack have argued that because the data has not left their systems no data breach has occurred. That’s unlikely to be correct. There’s detailed guidance on this at an EU level. Individual data protection authorities have issued guidance too — for example the ICO’s guidance says that even if it can restore data from back-up an organization “would still need to look at the circumstances of the case to determine whether or not there were appropriate measures in place which could have prevented the attack from succeeding”.

Organizations that fail to meet their security obligations under the GDPR face high fines as follows:

GDPR provision: Article 5(1)(f)
Requirement: For not ensuring that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
Maximum fine: The higher of €20,000,000 ($23,891,100) and up to 4% of the total worldwide annual turnover of the preceding financial year.

GDPR provision: Article 32
Requirement: For not implementing appropriate TOMs to ensure a level of security appropriate to the risk, including as appropriate: