Part Three – What other legal issues might a victim of a ransomware attack face?
This article forms part of a three-part series, written in the wake of the recent Garmin ransomware attack, which explores what this experience tells us about the future landscape of the crime and the legal issues victims may face.
In Part One we looked at what is known about the Garmin ransomware attack and considered what Garmin’s selection as a target tells us about possible future attacks.
In Part Two, we considered the fact that Garmin reportedly paid the ransom that was demanded and looked at the legality of ransom payments.
In this article, we consider what other legal issues a victim of a ransomware attack might face in the aftermath of an attack.
Liability for breaches of the GDPR
Garmin was quick to make the public aware that it had no indication that any customer data had been accessed or stolen. It is no wonder, given that Garmin’s servers collect information about millions of users’ locations, sleep patterns and fitness levels, while also allowing customers to make payments via Garmin Pay.
Other victims may not be so lucky, and the General Data Protection Regulation (“GDPR”) has raised the stakes of ransomware even higher in the two years since its introduction. While compliance with the GDPR in the event of an attack is a subject sufficiently complex to warrant its own article, at the very least a UK company that falls victim to an attack and becomes aware of a personal data breach will almost certainly have to notify the Information Commissioner’s Office pursuant to Article 33 and, depending on the nature of the breach, may also be under a duty to notify the data subjects themselves.
Fines for non-compliance with notification obligations are severe, as are the potential fines for an attacked company that is unable to prove it was GDPR compliant. The precise consequences will depend on the nature of the attack and the resulting breach, and on what systems the company had in place to protect its data subjects’ personal data.
Class actions
High profile data breaches are increasingly leading to group litigation with recent examples including cases being brought against EasyJet, British Airways and Marriott International.
Claims typically allege breaches of the Data Protection Act 2018 and the GDPR and a defendant will normally look to show that it took appropriate and proportionate measures to mitigate the risk of a security breach.
The potential damages for an organisation unable to defend itself may far exceed a fine imposed by the ICO. Claimants can seek compensation for any damage suffered as a result of a breach of the Data Protection Act 2018, which can include a claim simply for the loss of control of their personal data. This means that customers may be entitled to damages even when they cannot show that they have suffered financial loss or distress as a result of the breach.
Again, as discussed further in Part One of this series, it is vital that businesses ensure that they have adequate insurance coverage.
Breach of contract
In addition, a company brought to its knees by an attack may well find itself unable to perform its obligations under its commercial contracts, and may be liable for the loss its counterparty suffers as a result.
Again, the exact consequences will be highly fact-specific. It is possible that the relevant commercial contracts contain a cap on liability arising from the criminal acts of a third party. Force majeure clauses may also prove useful, though such a clause is unlikely to offer protection if the attack could have been prevented had the victim had sufficient protections in place.
This series is intended as a whistle-stop tour of common issues only. If further information on any of these matters would be useful, please get in contact.