Does the European Data Protection Board’s Data Breach Guidance mandate reporting of ransomware attacks?
Given the circumstances of most ransomware attacks, likely yes.
The EDPB issued practical guidance on various types of data breaches, giving top billing to ransomware attacks. Given the recent increase in ransomware attacks, likely due to the sudden shift to remote work in response to COVID-19, the EDPB’s guidance focuses extensively on ransomware attacks. In its first example, the EDPB identifies a ransomware attack in which the data could not be read because it was encrypted at rest and was restored very quickly from back-ups as an incident that would not require reporting to either a supervisory authority or the data subjects, noting “the timeliness of an effective data restoration from the readily available back-up is a key variable when analysing the breach.”
In contrast, the EDPB addressed a scenario that is all too common in ransomware attacks, one in which alteration or unavailability of logs creates uncertainty about whether data was accessed. In that case, because a confidentiality breach cannot be ruled out, the EDPB directs the controller to take into account “the nature, the sensitivity, the volume, and the context of personal data affected.” For example, if no categories of “sensitive personal data” were potentially exposed, and the data was ultimately restored from other sources with minimal effect on the data subjects, then reporting to data subjects may not be required. The EDPB contrasts this with cases at the other end of the risk spectrum where reporting to both the supervisory authorities and the data subjects would be required, for example, hospital data encrypted without back-ups for restoration, or data that has likely been exfiltrated from the network.
Ransomware attacks have become increasingly aggressive in 2020 and 2021, with threat actors spending more time conducting reconnaissance while in a company’s network, exfiltrating company data to post on “shame” websites if the company doesn’t pay the ransom, and demanding increasingly high ransom payments. The facts and circumstances of each attack should be carefully evaluated in determining whether notification will be required.