While the primary concern for most businesses hit by a ransomware attack is their data, the legal implications of the incident matter just as much. Every organization should review the relevant legal obligations and ramifications to understand how the attack affects it.

Ransomware attacks are on the rise, so reviewing the relevant legal considerations is essential. The European Union Agency for Cybersecurity (ENISA) reported that the number of attacks nearly doubled from 2020 to 2021, and that the estimated cost of an attack rose from around $761,000 to over $1.85 million over the same period. Ransomware affects businesses of every size in every industry, so every organization should know the legal implications.

1. Should you pay the ransom?

The most pressing legal question after a ransomware attack is whether the organization will pay the threat actor. Although over 60% of affected businesses reportedly paid the ransom, doing so carries potential legal ramifications.

Many cybercriminal groups are subject to EU financial sanctions, so paying them anything is illegal: a ransom payment to a sanctioned person or entity breaches the sanctions regime regardless of the duress the business is under. A business that proceeds with payment may therefore face consequences on top of the attack itself.

There is also no guarantee that paying will get the data back. If a business tries to bypass the authorities by paying, and the criminals do not release the data, it may have to turn to those same authorities empty-handed, and having tried to handle the situation without them can bring further legal ramifications.

2. Should you report the attack?

An organization may be tempted to handle the matter quietly, but the best course of action is to go to the relevant authorities. Even if it could technically resolve everything without government involvement, it would then risk fines and other legal consequences for failing to report.

It must report the attack to the supervisory authority. In addition, it must inform all parties who face harm from the data breach, such as employees or clients. Ransomware differs from most other malware in that it announces itself immediately through the ransom demand, so the clock on notification starts as soon as it affects the company's systems; act immediately to avoid fines.

3. Should you do nothing?

Inaction might seem like the only option other than paying the ransom, but doing nothing also has consequences. Because ransomware often holds sensitive data hostage, the legal considerations around the incident fall largely under data privacy law.

Beyond that, the law treats specific industries as essential and will not tolerate negligence. The NIS2 Directive, politically agreed in May 2022, requires sectors such as energy, transport, banking and telecoms to implement robust cybersecurity measures and to issue an early warning of a significant incident within 24 hours of becoming aware of it, or face significant penalties. Waiting is costly because the exposure to fines grows as time passes.

4. How should you handle the data breach?

Although encrypting data does not by itself expose it, modern ransomware operations typically also steal data before encrypting it, and the attackers retain access for however long it takes to evict them. ENISA found that, over roughly a year spanning 2021 and 2022, ransomware threat actors stole nearly 10 terabytes of data every month. Since there is no telling what will happen to that information, it is crucial to handle the breach carefully.

Regulators do not take consumer data breaches lightly, so it is in a business's best interest to report to the supervisory authority immediately, and beyond that to take whatever measures it can to mitigate the damage.

Legal Ramifications After a Ransomware Attack

The legal consequences for businesses affected by a ransomware attack depend on how they respond and on what data is involved. Multiple laws on data privacy and cybersecurity reporting are in place, so an organization needs to know which apply to it.

1. Fines for Paying the Ransom

The NIS Directive on the security of network and information systems does not itself penalize ransom payments; the exposure comes from EU sanctions law, under which paying a sanctioned group is an offence in its own right. Although paying might seem like the best course of action under duress, the company will likely end up paying more in legal penalties. To avoid additional costs, do not attempt to pay the ransom; instead, go to the supervisory authority and handle the situation with them.

2. Fines for Not Reporting

The threat of legal action and fines might seem harsh enough to deter a company from coming forward about a ransomware incident, but reporting remains the best course of action. Authorities do not look kindly on non-compliant businesses.

The EU Cybersecurity Act of 2019 gave ENISA a permanent mandate and more resources, so it has greater reach, but ENISA is not the body that receives incident reports or imposes fines. Notifications go to the national competent authority or CSIRT, and penalties are set at national level within EU ceilings: NIS2 sets the maximum fine for important entities, which include manufacturing and distribution, at no less than 7 million euros or 1.4% of total worldwide annual turnover, whichever is higher, and for essential entities at no less than 10 million euros or 2%. Reporting is critical, especially if an organization handles sensitive consumer or financial information.

3. Fines for Inaction

Although many businesses assume that waiting while they work out a solution is the best course, it is better to act immediately. Where a ransomware attack affects personal data, including by making it unavailable, the General Data Protection Regulation (GDPR) requires the business to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, or face legal consequences. The 72-hour limit is the absolute maximum, so it is best to act sooner.

In addition, authorities can impose harsher penalties if they find that a business failed to attempt to mitigate the damage or to cooperate properly. A business that does not try to contain the damage after the attack, or does not reach out to the relevant authorities, faces steep fines and other punishments.

4. Fines for Breach of Data

The collection and processing of personal data are held to strict legal standards, so a data breach exposes a business to legal consequences. Non-compliance can result in fines of up to 20 million euros or 4% of the organization's total worldwide annual turnover, whichever is higher. Although the top of that range is reserved for the most serious infringements, it remains possible to be fined at that level.

Businesses cannot strengthen their data protection after the fact, but they can minimize the damage. Informing affected parties, safeguarding backups and reporting the attack promptly all help to limit the legal ramifications.

Legal Implications of a Ransomware Attack

While the details vary by industry and by the sensitivity of the affected systems, it is in every business's best interest to take immediate action and go straight to the relevant authorities. Since paying the ransom or reporting the attack too slowly can result in hefty fines and other punishments, it is better to follow the rules the law has set out.

Stay tuned in real time
Subscribe to
the newsletter
By providing your email address you agree to receive the Incyber newsletter and you have read our privacy policy. You can unsubscribe at any time by clicking on the unsubscribe link in all our emails.