Ransomware – what are some of the legal considerations? (Part One)

The severity and frequency of ransomware attacks both grew exponentially during 2020, and that trajectory shows no sign of slowing this year. With cybersecurity already on the agendas of most boards, developing resiliency to ransomware makes a strong case to be the very first agenda item.

From a legal standpoint, there are a lot of issues to unpack, but an essential prerequisite is for board level executives to acquire a proper understanding of the threat and its potential risk to their organisation. This will entail, for example, appreciating that ransomware has grown into a franchised business model, with ransomware as a service (RaaS) being sold cheaply on the Dark Web. This means the threat has scale, and the profile of the attacker is likely to vary considerably (technical skill no longer being a barrier to entry). It is also necessary to understand how the threat has evolved and continues to evolve, encompassing tactics such as re-extortion and public shaming. The associated litigation risk, including mass civil damages claims, must also be factored into any risk analysis.

Fortunately, there is a lot that can be done to significantly improve resiliency to ransomware through effective planning, preparation and testing. Understanding the legal cybersecurity standards and regulatory expectations that your organisation is subject to is a good first step. For example, GDPR requires data controllers and data processors to have in place ‘appropriate technical and organisational measures’ to protect personal data and to notify the relevant supervisory authority of any data breaches within 72 hours. However, GDPR is just one law, and there are numerous others that may be equally relevant, such as PSD2, NIS and PECR, each of which has its own breach notification and security requirements, not to mention additional regulatory obligations, exposure to international laws and relevant industry best practice guidance from bodies such as NIST, NCSC or ENISA to consider.

In relation to ransomware specifically, legal considerations will include whether your organisation would ever contemplate payment of a ransom demand. The initial reaction is often no, but what if the attack is preventing you from accessing your systems and has also infected your data back-ups? Although, generally speaking, it is not illegal to pay a ransom demand, there are important prior legal considerations that will demand careful analysis, for example, establishing attribution in order to guard against inadvertently committing money laundering or terrorist financing offences.

The importance of developing and robustly testing incident response plans and specific playbooks for different types of attack cannot be overstated. Table-top exercises that include board level participation are crucial to stress test current defences and expose how your plan would survive an attack.

This article is Part One of a two-part series. Part Two will continue looking at some of the legal considerations in a ransomware attack, including legal professional privilege and disclosure obligations.