Unlocking the GDPR Data Protection Officer

Briefing

The Data Protection Officer role created by the EU’s General Data Protection Regulation (the GDPR DPO) has been specifically crafted by that law. Before the GDPR, Data Protection Officers (DPOs) existed because of a range of national laws, guidance and best practice. Globally, related roles such as Chief Privacy Officers, Privacy Officers, Heads of Data Protection, Data Protection Lead Counsels, Data Guardians and Data Governance Leads have also developed. However, GDPR DPOs have a clearer legal mandate, function and licence to operate. The largest companies and organisations, which are subject to several data protection laws, must decide how much the GDPR DPO role will influence the overall structure and substance of their global data privacy programmes. The danger is that the fundamental and unique elements of the GDPR DPO role become trapped in governance systems that prioritise uniformity, efficiency, base-level interoperability and the lowest common denominator. It is important that the GDPR DPO role remains distinct, effective, influential and accountable.

Benefits and Risks: Appointing and Not Appointing a GDPR DPO

Not all businesses and organisations are legally required to appoint GDPR DPOs. Before the GDPR, most DPOs were regarded as good practice appointments, made where there was no clear legal duty to do so. This practice has continued through GDPR implementation. The GDPR is clear that both Data Controllers and Data Processors should appoint GDPR DPOs, in line with the law. Broadly, all public authorities and non-judicial public bodies must appoint GDPR DPOs. They are also legally required where any organisation regularly and systematically monitors individuals on a large scale, or carries out large-scale processing of special categories of personal data or criminal offence data. Most organisations, especially larger ones, fall within these two latter categories. Where the law requires a GDPR DPO, one must be appointed; failing to do so risks breaching the GDPR. DPO appointments also encourage data governance accountability.

Questions arise for small Data Processors or the Data Controllers that do not meet the GDPR DPO threshold tests. Should they appoint a GDPR-type DPO? If they do so, should the DPO be fully GDPR-compliant, or can the organisation create its own unique DPO role? European Data Protection Board (EDPB) Guidance states that if organisations adopt a GDPR DPO, even where they are not legally obliged to do so, that DPO will be judged against the full legal requirements of the GDPR. Choosing not to have an identifiable GDPR DPO is also risky. The organisation will lack the capacity to build and mature data protection programmes. Working with larger data-intensive organisations, liaising with GDPR regulators, responding to data breaches and keeping up to date with data protection, cybersecurity and good practice changes will also be more difficult.

Managing Great Expectations

The GDPR DPO can be an internal employed member of staff or an external appointment. The office holder must be well qualified, well resourced, independent and act independently. They may fulfil another role in their organisation but must avoid conflicts of interest. For example, they must not make specific data processing decisions and then provide assurance or GDPR compliance sign-off for that data processing activity. They must act autonomously and cooperate with the GDPR regulator. They must have tangible influence by reporting to the highest level of management. Conversely, they must also be accessible and contactable by staff inside the organisation, external individuals, external stakeholders and GDPR regulators. They must also not be disciplined, removed or suffer other detriment because of performing their role and duties.

The GDPR DPO’s baseline outputs are to inform and advise. They must monitor compliance, which includes involvement in promoting awareness training, assigning responsibilities and audits. The GDPR DPO should provide advice for Data Protection Impact Assessments (DPIAs). They must cooperate with and act as the point of contact for the GDPR regulator. Although not an explicit legal requirement, GDPR regulators expect DPOs to be involved in offering information and advice on decisions to report data breaches to the regulators and to individuals affected. GDPR DPOs are not responsible for GDPR compliance; this always remains the legal responsibility of the Data Controller or Data Processor.

DPOs in Reality: Details Matter

Despite the clear legal requirements, regulatory guidance and established best practice, some businesses and organisations have kept legacy data governance structures and pre-GDPR DPO reporting lines. Much of this may be a result of corporate or organisational inertia. In other organisations, whose business models prefer low or no regulation, the GDPR DPO role is often minimised, or an external law firm is used to provide legal advice from time to time. No organisational or cultural change in data governance is anticipated. The GDPR DPO requirement challenges organisational power-centres and leadership cliques. It requires boards to work closely with a board outsider, who is legally obliged to act independently and to respond to an external regulator, if and as required. It also challenges business cultures that regard regulatory compliance as interfering, anti-innovation and bureaucratic, because the GDPR DPO must monitor compliance and report to the highest level of management. Often, in these organisations, the selected DPO is a middle manager with limited influence, little direct budget and few resources. The DPO is not seen as a coveted role for inward or outward career progression. The DPO is located far from senior leadership and the centres of power. The GDPR DPO role is also a challenge to organisations that are opaque, siloed and do not actively promote transparency and accountability.

In some organisations, the DPO is seen as an arm’s-length advisor, a person to go to for an opinion. DPOs are only permitted to become involved in a matter after business and data-use decisions have been finalised, and their role is to offer a view, for the record, which may not influence the decisions already made. The aim, in these organisations, is to evidence that they have an established process for DPO involvement. Data Protection by Design and Default, as well as high quality iterative Data Protection Impact Assessments (DPIAs), are rare, and the ones completed are often superficial. In some organisations, a very senior person with an existing substantial role is appointed as the DPO. The real work is done by a far more junior Data Protection Manager and a small team. This senior person does not have the expertise, proximity to the data processing or the ability to spot data protection issues, and so other senior employees see data protection as a non-demanding adjunct activity. For other businesses, using external or outsourced DPOs can be an effective way of freeing data governance from corporate apathy and internal factions, and of ensuring a level of detached, independent expert analysis. The challenge for these organisations is to agree enough funding for these services and to provide effective internal support systems for the external or outsourced DPO. High quality internal access, so that the DPO fully understands the organisation and the DPO’s outputs are respected and actioned, is vital for this approach to be effective.

What the GDPR Regulators say about DPOs

The EU’s data protection regulators have started to investigate and enforce the GDPR DPO requirements. They have restated and emphasised the legal duties and issued fines to businesses and organisations that have not met the legal requirements of the role. Most of the enforcement decisions have been in Belgium, Germany, Spain, Greece, Luxembourg and Austria and concerned the failure to appoint DPOs. In 2020, the Belgian Data Protection Authority, Autorité de protection des données Gegevensbeschermingsautoriteit (APD-GBA), fined a company for its DPO’s lack of independence because the DPO had other roles in the organisation. There was no system to prevent conflicts of interest, and the DPO was not sufficiently involved in the handling of personal data breaches.

In a series of cases in 2021, the Luxembourg Data Protection Authority, Commission Nationale pour la Protection des Données (CNPD), issued fines against five companies for DPOs not reporting to the highest level of the organisation (two levels of hierarchy were in between), insufficient resources to fulfil the role and not including the DPO in all data processing matters. CNPD also fined an organisation for not properly training the DPO so that they could independently and properly advise and inform the organisation. It also found that a DPO lacked sufficient autonomy. CNPD found common themes, such as Data Controllers not having control plans to ensure that the DPO’s duties were being properly performed.

The legal position on the role of the GDPR DPO is clear. Data Controllers and Data Processors cannot argue lack of knowledge, unclear legal interpretation or uncertainty, when their DPOs and other GDPR accountability and transparency efforts are judged and put to the test.

PrivacySolved offers External and Special Projects Data Protection Officers, as well as Data Protection Officer as a Service (DPOaaS). We also offer international businesses and organisations EU and UK Data Protection Representative Services. Contact PrivacySolved:

Telephone:  +44 (0) 207 175 9771 (London)

Telephone:  +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS022022

High Impact Future Technologies, Data Trends and Innovations

New technologies, emerging digital innovations and trends in data, data analytics and cybersecurity are developing at a rapid pace. These will shape the future of business, trade, politics, the economy and society. Chief Executive Officers (CEOs), Data Protection Officers (DPOs), Chief Data Officers (CDOs), Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), Boards and Senior Leaders must understand these developments, assess their competitive advantages, manage inherent risks and track the evolving governance and security implications. Automation, Artificial Intelligence (AI) Ethics, Blockchain, Data Bias, Differential Privacy, Digital Twins, Edge Computing, the Metaverse, Ransomware and Zero Trust Architecture and Security will increasingly lead the conversations in technology. These are set to grow exponentially, diversify and create lasting impacts. Here are the definitions of these key technologies, innovations and digital trends:

Automation describes the increased use of sophisticated technologies that minimise or eliminate human input. This includes business process automation (BPA), IT automation, robotics and personal applications such as the automation of private homes and self-driving cars. Automation is driven by a range of technological features and applications of data science, engineering, algorithms, blockchain, machine learning, deep learning, industrialised robotics and artificial intelligence.

Artificial Intelligence (AI) Ethics are a group of values, principles, and techniques that apply widely accepted standards to guide ethical and moral conduct in the development, use and outcomes of AI systems. These disciplines seek to address the individual and societal harms AI systems might cause. AI ethics mitigates these harms by offering leaders, developers, engineers and project teams the values, principles, and techniques needed to produce more ethical, fairer, and safer AI applications.

Blockchain is a decentralised, distributed, and often public, digital ledger made up of records called blocks that are used to record transactions across many computers, so that a block cannot later be altered without changing all subsequent blocks. This allows participants to verify and audit transactions independently and relatively cheaply. Each block contains a cryptographic hash of the previous block, a timestamp, and transaction data. Because each block carries information about the block preceding it, the blocks form a chain, and each additional block reinforces the ones before it. A blockchain database is managed autonomously using a peer-to-peer network and a distributed timestamping server. Blockchains are authenticated by mass collaboration, powered by collective self-interest. They are growing in popularity through cryptocurrencies, especially those using the Ethereum blockchain, and through the creation, sale, collection and distribution of Non-Fungible Tokens (NFTs).

Data Bias is any trend or deviation from the truth in data collection, data analysis, interpretation and publication which can cause false conclusions. Bias can occur intentionally or unintentionally. A biased dataset, for example in machine learning, does not accurately represent a model’s use case, resulting in skewed outcomes, low accuracy levels, and analytical errors. Types of bias include association bias, exclusion bias, measurement bias, observer (confirmation) bias, recall bias, racial bias, sample bias and sexual (gender) bias.

Differential Privacy is a mathematical technique of adding a degree of controlled randomness to a dataset to prevent the release or extraction of information about individuals in the dataset. This allows researchers and analysts to extract useful insights from datasets containing personal information while also offering stronger data privacy protections.
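The definition above describes differential privacy as adding controlled randomness before a statistic is released. The following is an added example, not code from the briefing, showing the standard way this is done for a counting query: the Laplace mechanism, with noise scaled by the query's sensitivity divided by the privacy parameter epsilon, plus a small budget tracker so that repeated queries cannot quietly erode the guarantee. The records, query names and the `PrivacyBudget` class are constructed for illustration.

```python
# Added example, not code from the PrivacySolved briefing: the Laplace
# mechanism, the standard way of adding controlled randomness to a released
# statistic so that the output is epsilon-differentially private, together
# with a simple tracker for the total privacy budget spent across queries.
# The records and queries below are constructed for illustration only.
import random

# Constructed sample dataset: one record per individual.
SAMPLE_RECORDS = [
    {"id": 1, "age": 34, "opted_in": True},
    {"id": 2, "age": 51, "opted_in": False},
    {"id": 3, "age": 29, "opted_in": True},
    {"id": 4, "age": 44, "opted_in": True},
    {"id": 5, "age": 62, "opted_in": False},
    {"id": 6, "age": 38, "opted_in": True},
    {"id": 7, "age": 27, "opted_in": True},
    {"id": 8, "age": 58, "opted_in": False},
    {"id": 9, "age": 41, "opted_in": True},
    {"id": 10, "age": 33, "opted_in": False},
]


def true_count(records, predicate):
    """The exact answer, which must never leave the trusted environment."""
    return sum(1 for record in records if predicate(record))


def laplace_scale(sensitivity, epsilon):
    """Noise scale b = sensitivity / epsilon: a smaller epsilon (stronger
    privacy guarantee) means a wider noise distribution."""
    if sensitivity <= 0 or epsilon <= 0:
        raise ValueError("sensitivity and epsilon must be positive")
    return sensitivity / epsilon


def laplace_noise(scale, rng):
    """Draw from Laplace(0, scale). The difference of two independent
    Exp(1) draws is Laplace(0, 1), so scaling it gives Laplace(0, scale)."""
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))


class PrivacyBudget:
    """Sequential composition: releasing k answers with epsilon_1..epsilon_k
    costs their sum, so the total must be capped before any query runs."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    @property
    def remaining(self):
        return self.total - self.spent

    def charge(self, epsilon):
        if self.spent + epsilon > self.total + 1e-12:
            raise RuntimeError("privacy budget exhausted; refuse to answer")
        self.spent += epsilon


def private_count(records, predicate, epsilon, budget, rng):
    """Counting query under the Laplace mechanism. Adding or removing one
    individual changes a count by at most 1, so its sensitivity is 1."""
    budget.charge(epsilon)
    noise = laplace_noise(laplace_scale(1.0, epsilon), rng)
    return true_count(records, predicate) + noise


def demo(seed=7):
    """Answer three queries from one budget of epsilon = 1.0; a fourth
    query would exceed the budget and is refused."""
    rng = random.Random(seed)
    budget = PrivacyBudget(total_epsilon=1.0)
    answers = []
    for name, predicate, eps in [
        ("opted in", lambda r: r["opted_in"], 0.4),
        ("age under 40", lambda r: r["age"] < 40, 0.3),
        ("opted in and over 40", lambda r: r["opted_in"] and r["age"] > 40, 0.3),
    ]:
        answers.append((name, private_count(SAMPLE_RECORDS, predicate, eps, budget, rng)))
    try:
        private_count(SAMPLE_RECORDS, lambda r: True, 0.1, budget, rng)
        refused = False
    except RuntimeError:
        refused = True
    return answers, budget.remaining, refused


if __name__ == "__main__":
    answers, remaining, refused = demo()
    for name, value in answers:
        print(f"{name}: {value:.2f} (true count not released)")
    print(f"budget remaining: {remaining:.2f}; fourth query refused: {refused}")
```

The point to notice is that the noise scale depends only on the query's sensitivity and epsilon, not on the data, and that the budget is charged before the answer is computed: once it is exhausted, the analyst is refused rather than given a slightly noisier answer.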

Digital Twins are digital replicas or representations of physical objects, such as a machine or person, or of an intangible system, like a business process, that can be examined, altered and tested without interacting with the original in the real world, thereby avoiding negative consequences. The Digital Twin often spans the lifecycle of the object, person or system, is updated from real-time data, and uses simulation, machine learning and reasoning to aid decision-making.

Edge Computing is a distributed computing architecture framework where an organisation’s applications are closer to data sources such as Internet of Things (IoT) devices or local edge servers. The closeness to data at its source can deliver strong business benefits, faster insights, improved response times and better use of bandwidth.

The Metaverse is a unified way for people, data and things to interact in virtual, physical and spatial environments. It is a collection of systems and interfaces combining computer screens, avatars, virtual reality, augmented reality, the Internet of Things, robotics, artificial intelligence and automation. The term originates from science fiction, specifically from Neal Stephenson’s Snow Crash (1992) and the work of William Gibson.

Ransomware is malicious software, or malware, that stops organisations and computer users from accessing their computer files, systems or networks. This is accompanied by a demand for financial ransom payments to restore access to systems, unencrypt databases or return data. Ransomware can be introduced to a computer or system when users accidentally download it by opening email attachments, clicking on advertisements, clicking on hyperlinks or visiting a website that has been deliberately infected with malware. Ransomware attacks can cause significant disruption to IT operations. Critical business information and personal data can be lost. Ransomware attacks can be initiated by state actors and by opportunistic hacktivism. In most cases, ransomware is part of international cybercrime and organised crime.

Zero Trust Architecture and Security uses zero trust principles to plan business, industrial and enterprise infrastructure and workflows. Zero trust architecture is built on the premise “never trust, always verify.” Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical attributes, presence on the network or asset type. Authentication and authorisation of individuals and devices are discrete functions performed continuously before access to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), working from home, and cloud-based assets that are not located within an enterprise-owned network boundary. Zero Trust Security is a cybersecurity strategy in which information security policy is applied based on context established through least-privileged access controls and strict user authentication. Trust is not assumed. A mature best-of-breed zero trust architecture can create a simpler network infrastructure, a better user experience, and improved cyber defence.

PrivacySolved has a well-established track record of advising and leading projects for Consumer Relationship Management (CRM) systems, ecommerce, e-government, CCTV systems, cloud computing, fintech, artificial intelligence data, big data and data analytics. Contact PrivacySolved using the details given above.

PS012022

Log4j and Future Cybersecurity Risks

In November 2021, major vulnerabilities were discovered in Log4j. Log4j is an open-source Java logging library developed by the Apache Foundation. It is used in many custom applications, off-the-shelf software, security products and cloud applications, including Steam and Apple iCloud. The Log4j library is present in much enterprise Java software and in Apache frameworks. Other large projects, including Netty, MyBatis and the Spring Framework, also use the library. A range of vulnerabilities have been discovered in multiple versions of Apache Log4j. Scanning and attempted exploitation have been observed globally. National Cyber Security Centres have found the vulnerabilities being exploited in VMware Horizon, MobileIron and the Ubiquiti UniFi Network Application, among others. If exploited, the vulnerabilities allow remote code execution and information disclosure. Denial of service exploits, bypasses of Log4Shell mitigations and Conti ransomware operators gaining access through these vulnerabilities are all risks. The vulnerabilities also allow exfiltration of sensitive data. The list of applications affected is vast, so all organisations must proactively audit, test, review and respond with patching and updates.

Information security specialists say that the Log4j vulnerability may be one of the most serious in the last ten years. Over time, it may become the most impactful vulnerability in the history of modern cyber security. Known vulnerabilities, patched vulnerabilities, half-day and zero-day exploits in open-source code libraries can result in major future data breaches, supply chain attacks and ransomware attacks. Companies and organisations should locate and upgrade all instances of Log4j and mitigate the threats. This Resources Page is a dashboard of the most useful information and guidance.
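"Locate and upgrade all instances of Log4j" is the hard part in practice, because the library arrives bundled inside other software. The script below is an added example, not code from the briefing or from the Apache project: it walks a directory tree, inspects every jar it finds, reads the version from the jar manifest (falling back to the `log4j-core-<version>.jar` file name), and also checks whether the `JndiLookup` class is still inside the jar, since removing that class was one of the widely published interim mitigations. The directory layout is constructed in a temporary folder so the script runs offline, and `ASSUMED_MINIMUM_SAFE` is a placeholder threshold: take the real minimum patched version from the current Apache advisory before using this on live systems.

```python
# Added example (not from the briefing or from Apache): a defender-side
# inventory script for Log4j jars. It reports any jar that is log4j-core or
# that carries the JndiLookup class, with the version read from the manifest.
import os
import re
import tempfile
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"
# Class that made the Log4Shell-era JNDI lookups reachable; its removal was a
# widely published interim mitigation, so its presence is worth reporting.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)
# Placeholder for the demo only: use the minimum patched version from the
# current Apache Log4j security advisory.
ASSUMED_MINIMUM_SAFE = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tuples compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def inspect_jar(path):
    """Return (version tuple or None, has_jndi_lookup, is_log4j_core)."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        version = None
        if MANIFEST_PATH in names:
            manifest = jar.read(MANIFEST_PATH).decode("utf-8", "replace")
            for line in manifest.splitlines():
                key, _, value = line.partition(":")
                if key.strip().lower() == "implementation-version":
                    version = parse_version(value)
                    break
    name_match = LOG4J_CORE_NAME.match(os.path.basename(path))
    if version is None and name_match:
        version = parse_version(name_match.group(1))
    return version, has_jndi, bool(name_match)


def scan(root, minimum_safe=ASSUMED_MINIMUM_SAFE):
    """Walk root and report every jar that is log4j-core or carries JndiLookup.
    Every jar is opened, not just those named log4j-core, so a shaded copy
    bundled under another name is still found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, filename)
            try:
                version, has_jndi, is_core = inspect_jar(path)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip it but keep scanning
            if not (is_core or has_jndi):
                continue
            findings.append({
                "path": path,
                "name": filename,
                "version": version,
                "jndi_lookup_present": has_jndi,
                # An unknown version is treated as needing action, never as safe.
                "needs_action": version is None or version < minimum_safe,
            })
    return sorted(findings, key=lambda f: f["path"])


def _write_jar(path, version=None, include_jndi=True):
    """Constructed demo jar: optional manifest version and JndiLookup entry."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        if version is not None:
            jar.writestr(MANIFEST_PATH,
                         f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
        jar.writestr("org/example/Other.class", b"\xca\xfe\xba\xbe")


def build_demo_tree(root):
    """Constructed layout: two named log4j-core jars, one shaded copy with no
    version information, and one unrelated bystander jar."""
    _write_jar(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    _write_jar(os.path.join(root, "app", "lib", "log4j-core-2.17.1.jar"), "2.17.1")
    _write_jar(os.path.join(root, "service", "vendor-bundle.jar"))
    _write_jar(os.path.join(root, "service", "commons-io.jar"), include_jndi=False)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan(root)


if __name__ == "__main__":
    for finding in demo():
        status = "ACTION" if finding["needs_action"] else "ok"
        jndi = "present" if finding["jndi_lookup_present"] else "absent"
        print(f"{status:6} {finding['name']}  version={finding['version']}  JndiLookup={jndi}")
```

Two caveats for real use: jars nested inside war or ear archives are not unpacked here, and a jar with no readable version is deliberately reported as needing action rather than silently passed.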

Joint Cybersecurity Advisory (CSA) on Log4j, December 2021, released by the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC) and the United Kingdom’s National Cyber Security Centre (NCSC-UK)

NCSC UK Alert: Apache Log4J Vulnerabilities

NCSC UK Log4j Vulnerability: What Everyone Needs to Know

NCSC UK Log4J Vulnerability: What Should Boards be Asking?

NCSC Ireland Log4j Alert and Advisory

NCSC Netherlands Log4j Alert and Resources

CISA GOV (USA) Log4j Vulnerability Guidance on Github

PrivacySolved has years of expertise in data protection, cybersecurity strategy and data breach response. For advice, support, projects and programmes, contact PrivacySolved using the details given above.

Five Key Things to Know about the UAE Data Protection Law 2021

The United Arab Emirates (UAE) is a nation in the Middle East made up of the seven emirates of Abu Dhabi (the capital), Ajman, Dubai, Fujairah, Ras Al Khaimah, Sharjah and Umm Al Quwain. On 27 November 2021, the UAE Cabinet Office announced the new national data protection law (UAE DP Law). The UAE DP Law protects personal data held and processed by organisations that are registered in the UAE and process the personal data of individuals inside or outside the UAE. It also applies to any organisation established outside the UAE that processes the personal data of individuals inside the UAE, and to external organisations with personal data links to the UAE. The law encourages data processing controls, which include lawfulness, fairness, transparency, using personal data for specific and clear purposes, accuracy, personal data security and responsible data retention. Individuals have rights to receive information, to request a transfer of their personal data (data portability), to correction, to erasure, to restrict processing, to object to types of processing such as direct marketing, and to object to automated processing. The UAE Data Office will be the regulator, established under a separate law. The UAE DP Law comes into force on 1 January 2022. Further regulations will also follow, allowing time for compliance after these regulations are published. The UAE Data Office will also publish rules and guidance.

1. What types of organisations are covered by UAE DP Law?

The law applies to businesses and organisations, both controllers and processors, that are registered in the UAE and that process personal data or sensitive personal data. It also applies to businesses and organisations based outside the UAE that process the personal data of individuals who are in the UAE. Businesses that process data on behalf of these organisations, such as their suppliers, are also covered by the law. Controllers are those that decide the method, criteria and purpose for processing personal data. Processors collect, use and store personal data on behalf of, under the direction of and in accordance with the instructions of the controller. Data processors must follow the instructions of controllers and agree personal data processing contracts setting out the scope, purpose and types of data processing.

The UAE DP Law does not apply to government data, government organisations that control or process personal data, personal data held by security and judicial authorities and personal data used for personal purposes by individuals. Health personal data regulated by the ICT Healthcare Law of 2019 are excluded. Banking personal data regulated by other laws are also out of scope. Companies and organisations registered in UAE free zones that have their own specific free zone data protection laws are excluded. The Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC) have their own separate data protection laws.

2. What types of data or information are covered by UAE DP Law?

The UAE DP Law protects personal data, which is defined as any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data. The definition includes an individual’s name, voice, image, identification number, electronic identifier and geographical location. Sensitive personal data are also covered by the UAE DP Law. This category is defined as data that directly or indirectly reveals the family or ethnic origin of a natural person, political or philosophical opinions or religious beliefs, criminal record, biometric data and any data relating to an individual’s health.

3. What are the main UAE DP Law obligations for businesses?

UAE registered businesses and foreign based organisations should:

(a) Create a UAE (or Middle East and Africa) data protection framework with data processing controls and apply the law’s data protection principles, such as transparency (notices), fairness, lawfulness, accuracy and responsible data retention.

(b) Businesses and organisations acting as controllers and processors should establish and maintain a Special Record for Personal Data (SRPD). This should be available to the UAE Data Office, if requested. This appears to be like the GDPR’s Record of Processing Activities (ROPA).

(c) Establish opt-in consent mechanisms and ensure that each consent transaction is specific, clear, unambiguous and forms a clear positive statement or action.

(d) Appoint a sufficiently skilled and knowledgeable Data Protection Officer (DPO), as an employee or via an external service provider based inside or outside the UAE. A DPO is legally required where personal data processing creates a high risk to the privacy of the personal data because of the adoption of new technologies or the volume of personal data processed; where processing involves the assessment of sensitive personal data as part of profiling or automated processing; or where large volumes of sensitive personal data are processed.

(e) Report personal data breaches and data leakages to the UAE Data Office and to individuals affected, where necessary, as soon as they become aware of these incidents.

(f) Complete Data Protection Impact Assessments (DPIAs) when using any modern technologies that pose a high risk to the privacy and confidentiality of individuals.

(g) Create appropriate policies for processing sensitive personal data.

(h) Put in place appropriate technical and organisational measures to protect personal data and manage automatic processing to remain limited to the intended purpose, including anonymisation and pseudonymisation.

(i) Set up accessible systems and processes to allow individuals to exercise their data protection rights, free of charge.

(j) Prepare for the new UAE DP Law international data transfer regime. There will be rules for countries that the UAE deem to have an adequate level of data protection and those that are treated differently by mandating contractual clauses, assessments and personal data transfer mechanisms.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), UAE ADGM DP Law or UAE DIFC DP Law will they automatically comply with UAE DP Law?

Yes, to a certain extent, but not completely. GDPR, UAE free zone data protection laws and UAE DP Law have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. UAE DP Law was enacted to include provisions that largely reflect the EU’s GDPR requirements. GDPR data mapping and Records of Processing Activities logs can help to identify UAE DP Law-impacted personal data. GDPR Data Protection Notices, policies and GDPR processes used to respond to GDPR rights can assist UAE DP Law compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. The UAE DP Law also contains broad sector and data exclusions from government data, government bodies, health bodies, judicial and security bodies and some banking related personal data. UAE DP Law will also be supported by a range of further regulations in the coming months and years that will expand, specify and interpret the law.

5. Does the UAE DP Law apply to foreign based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses are registered in UAE and process personal data in the UAE or elsewhere, then the UAE DP Law will apply. The law also applies to foreign based businesses that process personal data on behalf of organisations registered in the UAE as well as foreign based businesses that externally process personal data about individuals who live, work or are otherwise in the UAE.

The penalties that will apply under the UAE DP Law have not yet been published. These will appear in future regulations and output from the UAE Data Office.

Resources

UAE Government Data Protection Pages

PrivacySolved Data Protection Officer Services

PrivacySolved Consulting and Strategy Services

PS122021

The Ransomware Problem: Five Steps to Success

Briefing

Ransomware is malicious software, or malware, that stops organisations and computer users from accessing their computer files, systems and networks. This is accompanied by a demand for a financial ransom payment to restore access to systems, unencrypt databases or return data. Ransomware attacks can cause significant disruption to IT operations. Critical business information and personal data can be lost. Ransomware can be introduced to a computer or system when users accidentally download it by opening an email attachment, clicking an advertisement, clicking on a hyperlink or visiting a website that has been deliberately infected with malware. Globally, across all sectors, these attacks have increased in scope, frequency, sophistication and the levels of financial payment demanded. Ransomware is now a major component of global cybercrime. Combatting these cyberattacks can be complex, especially for the largest businesses and organisations.

A Sophos poll of 5,400 IT decision makers in mid-sized organizations in 30 countries across Europe, the Americas, Asia-Pacific, Central Asia, the Middle East and Africa found startling results. The total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 USD in 2020 to $1.85 million USD in 2021. The average ransom paid is $170,404 USD. Only 8% of organisations managed to get back all their data after paying a ransom, with 29% getting back no more than half of their data.

Here are five steps that all businesses and organisations can take to improve their resilience, their offensive capabilities and their defensive success:

1. Strategic, Systematic and Regular Backups

Ransomware should be treated as a strategic and existential threat. An attack should be regarded as inevitable. Organisations should create backups to build resilience; these are crucial for recovering data after an attack. The industry standard approach is called 3:2:1: three sets of backups, using two different media, one of which must be kept offline. Backups should be scheduled to run regularly.

2. Prevent Malware from being Delivered and Running on Systems

Businesses and organisations can reduce the malware and ransomware reaching their devices by filtering to allow only the file types they expect to receive and by blocking known malicious websites. Content can be actively inspected, and signatures can be used to block known malicious code. Network services are used to fulfil these tasks; the tools include intercepting proxies, internet security gateways, safe browsing lists, and mail and spam filtering. Disabling Remote Desktop Protocol (RDP) if it is not needed, enabling Multi-Factor Authentication (MFA) at all remote access points into the network and using a secure Virtual Private Network (VPN) are effective responses to the latest ransomware deployment practices.

A defence in depth approach should be in place. This assumes that malware will reach your devices. Businesses should take steps to prevent malware from running by using device-level security features. Organisations should centrally manage devices to only permit applications trusted by the enterprise to run on devices and use up-to-date enterprise antivirus or anti-malware products. Scripting environments and macros should be disabled or restricted by enforcing PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy. Also, systems can be protected from malicious Microsoft Office macros and autorun for mounted (activated) media can be disabled.

To stop attackers forcing their malicious code to execute by exploiting vulnerabilities in devices, those devices must be well configured and kept up to date. Security updates should be installed as soon as they become available to fix exploitable bugs, and automatic updates should be enabled for operating systems, applications and firmware (where possible). Using the latest versions of operating systems and applications, to gain access to the latest security features, is advisable. Host-based and network firewalls should be configured to block inbound connections by default.
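The first paragraph of this step recommends filtering so that only expected file types are accepted. An allowlist that looks at the file extension alone is easy to defeat by renaming, so the check below, an added example that is not code from the briefing, verifies both the extension and the file's leading bytes, treats a document with no recognisable signature as suspect rather than safe, and inspects Office (OOXML) attachments for an embedded VBA macro project, which ties in with the macro advice in the following paragraph. The allowlist, size limit and sample attachments are a constructed policy for illustration; a real deployment would sit behind the mail gateway or proxy the text describes and would still be backed by content inspection and anti-malware scanning.

```python
# Added example (not from the briefing): an attachment allowlist that checks
# the extension, the leading-byte signature and, for OOXML documents, the
# presence of a VBA macro project. Policy values and samples are constructed.
import io
import zipfile

# Allowed extension -> leading-byte signatures the content must match.
# An empty tuple means "no fixed signature"; plain text is checked separately.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "docx": (b"PK\x03\x04",),  # OOXML documents are zip containers
    "xlsx": (b"PK\x03\x04",),
    "txt": (),
}
OOXML_EXTENSIONS = {"docx", "xlsx"}
MAX_SIZE = 10 * 1024 * 1024  # constructed policy limit: 10 MiB


def _extension(filename):
    """Only the final suffix counts, so 'invoice.pdf.exe' is judged as .exe."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def _contains_macros(data):
    """True if an OOXML container carries a VBA project (vbaProject.bin)."""
    with zipfile.ZipFile(io.BytesIO(data)) as container:
        return any(name.lower().endswith("vbaproject.bin") for name in container.namelist())


def check_attachment(filename, data):
    """Return (accepted, reason). Anything not positively allowed is rejected."""
    ext = _extension(filename)
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext or '(none)'} is not on the allowlist"
    if len(data) > MAX_SIZE:
        return False, "exceeds size limit"
    signatures = ALLOWED_TYPES[ext]
    if signatures and not any(data.startswith(sig) for sig in signatures):
        return False, f"content does not match the .{ext} signature"
    if ext == "txt":
        if b"\x00" in data:
            return False, "binary content in a .txt attachment"
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "non-text content in a .txt attachment"
    if ext in OOXML_EXTENSIONS:
        try:
            if _contains_macros(data):
                return False, "document contains a VBA macro project"
        except zipfile.BadZipFile:
            return False, "malformed OOXML container"
    return True, "accepted"


def filter_attachments(attachments):
    """Apply check_attachment to (filename, bytes) pairs; returns one verdict each."""
    results = []
    for filename, data in attachments:
        accepted, reason = check_attachment(filename, data)
        results.append({"name": filename, "accepted": accepted, "reason": reason})
    return results


def _build_ooxml(with_macros):
    """Constructed minimal OOXML-style zip; real documents have many more parts."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as container:
        container.writestr("[Content_Types].xml", "<Types/>")
        container.writestr("word/document.xml", "<document/>")
        if with_macros:
            container.writestr("word/vbaProject.bin", b"\x00placeholder")
    return buffer.getvalue()


# Constructed sample attachments covering the main accept and reject paths.
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.7\n%constructed sample\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),        # double extension
    ("report.pdf", b"MZ\x90\x00\x03\x00"),             # executable renamed to .pdf
    ("notes.txt", b"Meeting notes: constructed sample\n"),
    ("quarterly.docx", _build_ooxml(with_macros=False)),
    ("budget.docx", _build_ooxml(with_macros=True)),   # macro-enabled content
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("README", b"no extension"),
]

if __name__ == "__main__":
    for verdict in filter_attachments(SAMPLE_ATTACHMENTS):
        flag = "ACCEPT" if verdict["accepted"] else "REJECT"
        print(f"{flag} {verdict['name']}: {verdict['reason']}")
```

The design choice worth noting is the default: the function only ever returns "accepted" after every applicable check has passed, so an unlisted type, a signature mismatch or an unreadable container all fail closed.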

3. If Attacked: To Pay, or Not to Pay the Ransom?

A wide range of law enforcement agencies around the world discourage the payment of ransom demands. However, sometimes payments must be made as a pragmatic response and to aid business continuity. At all times, organisations must avoid committing a criminal offence by sending payments to sanctioned individuals, entities or organisations or those involved in money laundering. Companies should liaise with their insurers, lawyers and risk professionals. Even after payments are made, confidential personal data could still be published online, breaching data protection and global privacy laws. There is no guarantee that organisations will regain access to their data, computer systems or networks. An IT system may still be infected long after the ransomware attack. Repairing, recovering and remediating the systems can be expensive and take many weeks or months.

4. Train Staff and Prepare for Incidents

Businesses and organisations should develop a rolling corporate training strategy that is updated to include the latest developments in malware, ransomware and information security threats. Different types of staff will need different depths of training and awareness.

Organisations should identify their critical assets and determine the impact if these were affected by a malware attack. This is a very important preparatory step. Preparation also includes developing an internal and external communication strategy (including for the impacts of collateral third-party malware not intended for the organisation). Incident management plans should be rehearsed and reviewed. This helps to clarify the roles and responsibilities of staff and third parties, and to prioritise system recovery. Exercises such as war-games and hackathons, in which teams rebuild virtual environments, physical servers and files from offline backups under pressure, should be included. Developing a plan to continue operating critical business services, or a minimum viable service or product, is also essential.

5. Report and Share Intelligence

There are legal obligations to report certain cyberattacks and data breaches to personal data regulators, governments, information services regulators, financial services regulators and market regulators. These reports should be made quickly, both to receive help and to reduce liability. There is a growing drive to report ransomware voluntarily to government agencies and law enforcement. This should be considered because they may hold information useful to the organisation's response; reports also help them to understand the level of the threat and to deploy offensive and defensive capabilities to protect a sector or group of companies. The most difficult and controversial decision will be whether to report ransomware attacks to sector groups, fellow businesses and potential competitors. This is increasingly encouraged, but relies heavily on mutual trust, non-disclosure agreements and clear memorandums of understanding to protect each party. The more information and intelligence about ransomware that can be collected and skilfully used, the lower the impacts and costs of ransomware will be.

For assistance with Personal Data Breach Response, Ransomware, Cybersecurity Strategy or Information Security Training, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS112021