The ICO’s new ransomware guidance could not have come at a more pertinent time. This week Joe Biden told US business leaders it was their “patriotic obligation” to strengthen their digital defences against Russian cyberattacks and last month the National Cyber Security Centre (“NCSC”) renewed its call for organisations in the UK to examine their online defences given a heightened risk of cyberattacks in light of the attacks in Ukraine (see our blog here). The ICO has also just issued its first ever ransomware-related fine to law firm Tuckers LLP (see our blog here).
In the Tuckers fine, the ICO emphasised the need for organisations to be prepared and get the basics right across their entire IT estate in order to prevent attacks, and the new guidance provides a simple checklist for organisations to assess their level of preparedness. It also presents eight scenarios focused on the most common ransomware compliance issues the ICO has seen over the last two years. These provide guidance and, most helpfully, make clear some of the practical steps the ICO expects organisations to take. They relate to attacker sophistication, breach categorisation and breach notification as well as when to use law enforcement, responding to attacker tactics, disaster recovery, whether to pay a ransom and testing and assessing security controls.
Some of the key points to note are:
State of the art and ‘appropriate measures’
- To comply with the UK GDPR, organisations must apply appropriate security measures to prevent basic and common types of attacks; the NCSC’s Cyber Essentials are referenced as a good baseline of controls.
- Medium and larger organisations will be expected to do more and the ICO advises that they assess their cyber security arrangements and capabilities against relevant good practice models, including the ISO27001 for Information Security.
- Organisations should consider whether the measures they have in place are appropriate in view of the most common attacker tactics, techniques and procedures (“TTP”). For example:
  - Phishing – ensure all relevant staff receive basic awareness training to spot phishing attacks;
  - Remote access – put in place an access control policy and use multi-factor authentication or comparably secure access controls;
  - Privileged account compromise – regularly review the security of privileged accounts, including permissions and approvals; and
  - Known software or application vulnerabilities – monitor known vulnerabilities and make sure vulnerabilities are patched and software and applications maintained.
Personal data breaches and breach notifications
- Organisations are responsible for determining whether a ransomware attack has led to a personal data breach requiring notification. While the term ‘breach’ is often associated with data being taken or lost, loss of access to personal data, e.g. through encryption by an attacker, is also a type of personal data breach.
- Organisations should consider the rights and freedoms of data subjects in totality when assessing whether or not a ransomware attack needs to be notified as a personal data breach, including taking into account whether data exfiltration has occurred.
- The ICO may ask for the logs and measures used by organisations to make this decision and it is therefore very important that appropriate logs are monitored (see the NCSC’s blog post “What exactly should we be logging”) and that risk assessments/decisions are documented and retained.
- The ICO recommends that organisations:
  - have a backup of their personal data in place; and
  - perform a threat analysis against their backup solution(s), including considering how an attacker could delete or encrypt the data and how this could be mitigated (e.g. whether the backup is segregated/offline, how it can be accessed, etc.).
- While many regulated entities will have disaster recovery plans and backup solutions in place, it is clear that the ICO expects all organisations to be thinking about this.
- The ICO warns against the risks of paying a ransom, noting that:
  - law enforcement do not encourage or condone ransom payments and the ICO supports this position;
  - while the GDPR requires you to have appropriate measures in place to restore the data in the event of a disaster, the ICO does not consider ransomware payments to be an “appropriate measure”;
  - “double extortion” is a common tactic, effectively requiring one payment for access to the data and a second payment to prevent publication; and
  - organisations who pay may not get the data back, may make themselves a future target (as a known payer) and must assume that the data is compromised. This means they must consider how they will mitigate the risks to individuals even when they have paid the ransom.
Testing and assessing security controls
- The UK GDPR requires organisations to regularly test, assess and evaluate the effectiveness of their technical and organisational controls and the ICO expects organisations to do so by reference to standards such as Cyber Essentials and ISO27001 as well as guidance released by the ICO, the NCSC and others.
- Importantly, organisations should ensure that they document and retain records of any such tests, reviews and assessments, as they may need to be submitted to the ICO in case of a breach.
A key takeaway from the new guidance is that the ICO will expect organisations to have ongoing processes to understand and protect the personal data they hold – and to take account of the changing technical challenges from potential attackers. The interaction of this new ransomware guidance and the ICO’s updated regulatory action policy framework will be an area to watch in future enforcement decisions.