ICO ransomware guide includes checklist for businesses

Out-Law News | 14 Mar 2022 | 2:18 pm | 2 min. read

UK organisations have been advised to establish incident response, disaster recovery and business continuity plans to address the heightened risk of ransomware attacks.

The recommendation was made by the Information Commissioner’s Office (ICO) within a broader checklist of actions that businesses can take in anticipation of a ransomware attack on their organisation. That checklist is contained in new guidance the data protection authority has published in relation to ransomware.

Ransomware is an increasingly prevalent form of cyber attack. It involves hackers installing malicious software to encrypt and lock an organisation out of its own systems, preventing the organisation from  carrying out everyday operations or accessing data or other assets. It is often coupled with the hacker stealing data from the organisation’s environment and threatening to publish that data on the dark web. Organisations are then prompted to make a payment to the hackers in return for the hackers decrypting and restoring their systems or preventing publication of their data. 

Both the ICO and the National Cyber Security Centre (NCSC) have identified a rise in ransomware-related incidents in the UK in recent months. Consistent with that, 31% of Pinsent Masons’ cyber team caseload over the most recent 12-month period analysed concerned ransomware incidents, up from just 16% in 2020.

“Ransomware is a trend that is not going away anytime soon,” said Julia Varley, a cyber risk expert at Pinsent Masons.

“It is notable that the ICO, in its guidance, supports the position of law enforcement in not encouraging, endorsing or condoning the payment of ransoms to criminals by businesses who have been locked out from accessing their systems and data,” Varley said.

“The ICO is also clear that businesses that choose to pay the ransom will not be considered to have mitigated any loss of control they have experienced as a result of a ransomware attack and that organisations should still presume data has been compromised and act accordingly – including notifying regulators and data subjects of personal data breaches, where the threshold for notification is met under the UK General Data Protection Regulation (GDPR),” she said.

“As the ICO itself alludes to, the best form of defence against ransomware attacks is cyber readiness. Pinsent Masons can help clients develop incident response plans through our cyber response plan solution, Cyturion,” Varley said.

In addition to providing a checklist for businesses to review and assess their preparedness against, the ICO’s guidance offers some insight into the authority’s view on when a personal data breach will be said to have occurred in the context of a ransomware attack under the UK GDPR.

The ICO confirmed that loss of access to personal data can constitute a personal data breach under the UK GDPR and trigger requirements to notify such incidents to it and data subjects.

“Where personal data is taken it typically results in unauthorised disclosure or access to personal data and therefore is a type of personal data breach. However, it is not the only consideration you should make when determining if a personal data breach has occurred,” the ICO said.

“You may have lost timely access to the personal data, for example because the data has been encrypted. This is a type of personal data breach because you have lost ‘access to’ personal data. Temporary loss of access is also a type of personal data breach. For example, if there is a period of time before you restore from backup. Therefore, loss of access to personal data is as much of a personal data breach as a loss of confidentiality,” it said.

The ICO said it could ask businesses to demonstrate what system logs and measures were relied on to evidence decisions not to notify it in the aftermath of ransomware incidents, as those logs may show whether data has been exfiltrated from business systems.