As another law firm falls victim to hackers, DLA Piper lawyers David Cook and John Gollaglee share their insights into the growing problem of ransomware and what brands need to know.
The risk of cyber attack is increasing, and a fairly large proportion of incidents now involve ransomware. This is a particularly nasty sort of attack and one which we are seeing used against businesses and in-house legal teams. Criminals understand that lawyers hold data that is commercially and professionally sensitive for businesses, a particular issue for luxury brands, who may have additional concerns about the potential loss of valuable IP.
In simple terms, ransomware is malicious software used to block access to a computer system or data unless a ransom is paid. We see this leading to two potential bad outcomes for organisations:
- company data is encrypted and unusable and the criminal will only decrypt the material if a ransom is paid; and/or,
- the criminal steals a portion of the data and threatens to release it and publicise what has happened unless the business pays the ransom.
Ransomware attacks cause a great deal of stress and disruption within an organisation. Strict timelines apply. A rushed response is very rarely a good response. Lawyers need time to properly consider the legal consequences.
After an attack like this, organisations have to get their IT back up and running and that is often the primary concern. They also need to consider how to protect their position with respect to the legal consequences of the incident. We see concerns frequently voiced around the loss of commercial data and the loss of IP. The most time sensitive issue though relates to the impact on personal data held by the organisation.
The default position set out under the GDPR is that an organisation must report a personal data breach to the relevant data protection supervisory authority within 72 hours of having become aware of it. The relevant authority in the UK is the Information Commissioner’s Office (ICO).
An assessment of the risk posed to the affected individuals needs to take place. If the incident or the data lost poses no risk whatsoever to the individuals, then the authority does not need to be notified. It’s a low bar though – if there is any risk at all, then the organisation is under an obligation to notify. The individuals themselves need to be notified if the incident is assessed as being high risk.
What we see in practice
Many organisations are simply not prepared to deal with this sort of incident. Some are well equipped and practised, but they are in the minority.
Those hit by ransomware face a significant system outage. They cannot access the data that they hold and cannot continue to operate. They have received a ransom demand and are aware that the clock is ticking on all of that material being irreversibly deleted. They know that data has gone out of the door and it might be publicised very shortly.
In the chaos that generally ensues, decision-makers have to sit down and rationally consider the GDPR data breach risk assessment: what is the risk that this poses to the individuals concerned and what do we need to do next?
1. Communication – the importance of language is paramount. Not all incidents fit the statutory definition of a personal data breach. It is important to determine the nature of an incident before rushing to inform the authority.
2. Providing information – there are instances where the organisation wants to give the authority all information regarding the attack when little is known about how it will impact individuals, how long the attack went on for and what plan is in place to rectify the situation. Some of these questions cannot be answered in a 72-hour window, which means that those reporting may adopt a defensive response, potentially causing the regulator to become suspicious and start asking difficult questions.
3. Notifications and Scrutiny – when implementing contingency plans and communicating matters surrounding the breach, it is important to consider parties such as the media and the police who may scrutinise the notification. Bad outcomes and implications of drafting should be considered in order to establish certainty in the organisation’s ability to control the breach. The organisation should create a single document that sets out the agreed “truth” of the event as a means of avoiding inconsistent statements and gossip, and of minimising further issues.
4. Legal Privilege – the availability of legal privilege must be considered and maintained as far as possible, in order to reduce the risk of disclosure to third parties. We are increasingly seeing an attack on privilege by litigants, regulators and others who may want to scrutinise damaging material.
5. Response Plans – the majority of organisations do not have response plans in place. Organisations without a plan are less likely to respond efficiently and effectively. The worst time to formulate how an organisation would go about reporting a breach within 72 hours is when it has already suffered a breach and is within the 72-hour window. It makes sense to get one in place, for all sorts of reasons. This ought to cover the personal data issues that we have raised, but also how the organisation would respond to the loss of IP and its strategy in such a scenario.
Cyber incident response is often seen as being solely the purview of the technical IT security teams. However, legal teams should be involved in cyber security proactively and before an attack has taken place. They should be familiar with this topic and understand the sorts of attacks and the sorts of responses that may be required. Then, if disaster does hit, everyone will know what is expected of them and what they must do next.
David Cook is a Legal Director, DLA Piper (firstname.lastname@example.org) and John Gollaglee is a partner (email@example.com)