The chief executive of an organisation hit last year by cybercrime has said they are too fearful of speaking openly about the attack – in case legal firms hound them with data protection compensation claims.
The business leader has said that even though their organisation has had their case officially closed by the Information Commissioner’s Office, there is a damaging phrase contained in a statement it issued against them which could open the floodgates for potentially ruinous legal action.
The unnamed Scots firm was hit by a ransomware incident early in 2021, in which thousands of files were stolen and published on the dark web. Although difficult to discover without specialist knowledge, the data remains on the illicit site, and the business faces a six-year wait before it would be ‘safe’ from claims against it under data protection regulations.
Although the small organisation reported the loss of data to the ICO within the statutory 72 hours, and carried out due diligence by writing to the hundreds of individuals whose data was stolen by the suspected Russia-based ransomware attackers, they say they were told by their own lawyers that the statement issued by the ICO, which sits on their record, could be a way for anyone affected by the breach to pursue them in the courts.
The chief executive, who was supported by Police Scotland after the incident last year, said on the one hand they were treated as a victim during the course of the forensic investigation, but the effect of the General Data Protection Regulation (GDPR) was to make them feel as though they, too, had in some ways been culpable for the crime.
The phrase in question in the ICO statement was that ‘on the balance of probabilities’ their IT systems had been at fault for the breach.
She said: “Our lawyers said this statement was like a trap door being left behind. And we’ve got this hanging over us for six years. So you go to bed thinking, ‘I wonder what tomorrow will bring’.
“We are not a big company – we don’t even have our own IT department – so is it reasonable for an organisation with our limited resources to be expected to mount a defence against international, possibly state-sponsored hackers? It might be fair enough if we had left a laptop on a bus without a password, and with thousands of files compromised. But we didn’t do that; we had actually upgraded our IT system and had tried to do the right thing by modernising our processes.”
She added: “Don’t get me wrong, I think GDPR is a good thing, it is well-intentioned as we do need to look after people’s data. But I don’t think the legislation was designed with victims of crime in mind. Yet here we are, and the way it works in practice is to create a new claims culture, in a similar way to PPI.”
The organisation, which is not high-profile, was issued with a ransom demand of two bitcoins – equivalent to around £54,000 – to decrypt their files and restore access to the network. Based on police advice, the business leader refused to pay, as she was told there was no guarantee the hackers would keep their end of the bargain, or that the organisation wouldn’t be hit again as a ‘soft target’.
By good fortune, the attack happened shortly after the company had updated its insurance policy with the new package giving cover for cyberattacks. Once the hack had taken place, they were able to call on professional legal and IT help to try and restore systems. The work has nevertheless been painstaking and has sucked up a lot of time and resources that would have otherwise been spent on attending to the everyday needs of the business.
Another issue, says the chief executive, is the lack of a formal route to challenge the regulator. There is no independent ombudsman where organisations can overturn decisions of the ICO. Although content that her organisation was not sanctioned by the ICO, she feels powerless to force a change in the statement issued against it, which she said was not based on any kind of detailed analysis. To provide greater safeguards for ordinary firms like hers, she said there needs to be a national debate about the role of data protection and cybercrime.
“We need to grow up, and take this honestly and at face value,” she said. “The ICO needs to get real as to what this means for business, most of whom are doing their best but don’t have billions of pounds to spend on IT systems. Even if they do, these guys [the hackers] are still getting in. So, we need to influence a change in the law because companies like mine could be ruined. And it’s not because we’re an incompetent company or not capable of doing what we do. I don’t mind failing if I’ve done a bad job, but I think it would be beyond galling if we went to the wall because of this.”
GDPR is an EU-wide data protection law, which came into effect in 2018. It supersedes the previous Data Protection Act 1998 and was designed to make the law ‘fit for the digital age’. It caused, however, a great deal of controversy among the business community, who viewed the regulations as onerous and regarded with considerable unease the increase in the maximum fine from £500,000 to £17 million, or four per cent of an organisation’s global turnover (if greater). Some of the highest fines meted out so far in the UK have included British Airways in 2019, which was fined £22m for a data breach, and Marriott Hotels, which was fined £20m in the same year. In both instances, the fines resulted from cyberattacks on those organisations.
Scottish Tory MSP Miles Briggs has recently been campaigning to force ministers to be more transparent about which public sector organisations have been hit by cyberattacks, after his parliamentary question highlighted a rise in cyber incidents from four in 2018 to 12 last year (up to October). He said the public deserved to know whether their data has been lost or compromised in any way as a result of the incidents, which were catalogued by the Scottish Government under the ‘Notifiable Scottish Public Sector Cyber Incidents’ procedure. However, he also said he sympathised with the business concerned, and was aware of the contradiction of being asked to be transparent about cyber incidents – and then, by doing so, exposing yourself to data protection claims.
He said: “I have a lot of sympathy for this organisation and I know the pressures they face financially; at the end of the day they have been targeted by cybercriminals who have hacked and tried to get access to people’s data, and then extort them for it. The criminal activity is on the side of those doing the hacking, not the organisations who potentially face these data protection claims down the line. Clearly, I think we now need to urgently review the way this legislation is performing, particularly as cybercrime is becoming so widespread. And we need to ask ourselves whether the fact we do not have the ability to bring the perpetrators to justice, because they are more often than not operating in a foreign country where we cannot enforce our laws, means we are going after the only available target, which is otherwise law-abiding companies.
“And I do share the concern that without an independent ombudsman, there is a huge void in the jigsaw. We could be facing a situation where there are millions of pounds of compensation claims piling up soon, so I think we really need to look at this urgently at a Scottish and UK level. The timing for this debate to be had is really important now.” Briggs added that he would also like to see more emphasis on leadership and skills to ensure that organisations can be more resilient in the face of cybercrime.
According to ICO figures, there has been a stark rise in the number of data security incidents reported as ransomware in the last 24 months. Out of 25,965 incidents in total since 2019/20, 6,452 were ‘cyber’ and 1,052 were reported as ransomware. The most recent figures, which go up to quarter two of 2021/22, indicated a steep rise, almost doubling on previous comparative periods.
A spokesperson for the ICO said it was unable to respond directly in this case, owing to the requested anonymity of the company.
However, the spokesperson said: “Our approach has always been to be a pragmatic and proportionate regulator. All incidents reported to us are carefully reviewed on an individual case by case basis.”