We are sharing this update from ACCA, our professional body, for the interest of clients and contacts. The content is (c) ACCA
Attacks are becoming increasingly common
Businesses and other organisations will welcome guidance from the Information Commissioner’s Office (ICO), Ransomware and data protection compliance, aimed at helping them comply with their data protection obligations if they are the victim of a ransomware attack.
Attacks on computer systems using ransomware (which the ICO describes as ‘a type of malicious software or “malware” designed to block access to computer systems, and the data held within them, using encryption’) is becoming increasingly common, with criminals demanding large sums to restore access to blocked computer systems.
One consequence of such attacks can be that, if data encrypted by the attacker includes personal data, data protection laws have been breached because the user will have lost timely access to that data.
The ICO guidance provides organisations with a ten-point checklist, followed by eight scenarios illustrating how the ICO will approach ransomware attacks involving data protection breaches. It also provides useful indicators on how organisations can reduce the risks of an attack by taking steps to combat the most common tactics, techniques and procedures used by attackers to get access to computer systems and the data in them.
The guidance is not legally binding but the ICO is likely to take compliance (or non-compliance) into account when assessing data controllers’ actions following notification of a data protection breach arising from a ransomware attack.
The guidance also references various certifications, standards and assessments that may help different types of organisation to stop or reduce the effect of attacks in different circumstances, such as the National Cyber Security Centre’s Cyber Essentials certification for small and medium-sized enterprises. The guidance specifically notes that cyber attacks can affect small as well as larger businesses as they are often carried out on a scattergun rather than targeted basis.
It also notes that, despite the UK leaving the EU, guidelines issued by European bodies remain relevant and can help data controllers carry out data breach risk assessments.
Employers should download the guidance from the ICO website, and assess and review their policies, processes, procedures and staff training, to help protect computer systems from ransomware attacks and deal with any data protection consequences if one occurs.