I attended recently a very interesting event called “Deconstructing GDPR for Business Value Creation” organized by HPE in Prague. The presentations from Duncan Brown (IDC) and David Kemp (HPE) were extremely interesting.
I had the opportunity to have a quick chat over lunch with Duncan. The discussion started from organization readiness and moved to what we, as a security industry, can do to raise visibility. As is usually the case when an open discussion develops, we found ourselves talking about things we did not initially intend to. One of which was the unintended consequences of GDPR.
It is a fact that probably nobody understands the side effects such a regulation may have, so these discussions are immensely important as they open our eyes to opportunities or threats we could not figure out earlier.
Here is one: Ransom requested for ransomware attacks will raise.
Why? Right now nobody has the obligation to report ransomware attacks; organizations have the option to say “I don’t want to pay the ransom because I don’t care about the data, I can re-generate it or re-collect it”.
Well, with GDPR in effect, this is not the case any more. According to the regulation
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Read that again. Did you notice “…accidental destruction, loss, alteration…”? It could not be plainer English, and it means that if you’re hit by a ransomware attack that affects personal data, since data is destructed or altered, it is considered a data breach.
Subsequently you have to report it within 72 hours (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons). Now, truth be told, if we are talking about the majority of the ranswomware variants currently available, it’s only loss or destruction of data. And it is very unlikely that the loss of data will result in a risk to the rights and freedoms of natural persons.
But there are cases when this can happen. If the altered data is used to provide access to facilities for example, or if it refers to someone’s academic achievements (e.g. a university or school). In these cases, losing the data affects the people’s rights. And I’m sure there are other cases I cannot think of, but that’s what we have the comments for.
If you recover the data though, you’re off the hook. And if you recover the data within 72 hours, you don’t have to report it. You save yourself from reputation damage, and potential sanctions such as penalties. Suddenly, paying that ransom looks a better option, and, as markets and economy work, that means that ransomware authors will raise the ransom requested.
Being known for my strange sense of humor, I will tag this article as “business development”.
If you can think of any other unintended consequences of GDPR, do post a comment!