June 23, 2021

Volume XI, Number 174

Does the European Data Protection Board’s Data Breach Guidance mandate reporting of ransomware attacks?

Given the circumstances of most ransomware attacks, likely yes.

The EDPB issued practical guidance on various types of data breaches, giving top billing to ransomware attacks. Given the recent increase in ransomware attacks, likely due to the sudden shift to remote work in response to COVID-19, the EDPB’s guidance focuses extensively on ransomware. In its first example, the EDPB identifies a ransomware attack in which the data was not accessed because it was encrypted at rest, and was restored very quickly from back-ups, as an incident that would not require reporting to either a supervisory authority or the data subjects, noting “the timeliness of an effective data restoration from the readily available back-up is a key variable when analysing the breach.”

In contrast, the EDPB addressed a scenario that is all too common in ransomware attacks: one in which alteration of, or lack of, logs creates uncertainty about whether data was accessed. In that case, because a confidentiality breach cannot be ruled out, the EDPB directs the controller to take into account “the nature, the sensitivity, the volume, and the context of personal data affected.” For example, if no categories of “sensitive personal data” were potentially exposed, and the data was ultimately restored from other sources with minimal effect on the data subjects, then reporting to data subjects may not be required. The EDPB contrasts this with cases at the other end of the risk spectrum where reporting to both the supervisory authority and the data subjects would be required, for example, hospital data encrypted without back-ups available for restoration, or data that has likely been exfiltrated from the network.

Ransomware attacks have become increasingly aggressive in 2020 and 2021, with threat actors spending more time conducting reconnaissance while in a company’s network, exfiltrating company data to post on “shame” websites if the company doesn’t pay the ransom, and demanding increasingly high ransom payments. The facts and circumstances of each attack should be carefully evaluated in determining whether notification will be required.

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 43
About this Author

Jena M. Valdetero, Cybersecurity Lawyer, Greenberg Traurig Law Firm
Shareholder

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on...

312.456.1025