
New guidance: ICO issues guidance to help organisations handle data protection consequences of ransomware attacks

Author: Atom Content Marketing

Published: 01 May 2022

Businesses and other organisations will welcome guidance from the Information Commissioner’s Office (ICO) ‘Ransomware and data protection compliance’, aimed at helping them comply with their data protection obligations if they are the victim of a ransomware attack.

Attacks on computer systems using ransomware (which the ICO describes as ‘a type of malicious software or “malware” designed to block access to computer systems, and the data held within them, using encryption’) are becoming increasingly common, with criminals demanding large sums to restore access to blocked computer systems. One consequence of such attacks can be that, if the data encrypted by the attacker includes personal data, data protection laws have been breached because the user will have lost timely access to that data.

The ICO guidance provides organisations with a ten-point checklist, followed by eight scenarios illustrating how the ICO will approach ransomware attacks involving data protection breaches. It also provides useful indicators on how organisations can reduce the risks of an attack by taking steps to combat the most common tactics, techniques and procedures used by attackers to get access to computer systems and the data in them.

The guidance is not legally binding but the ICO is likely to take compliance (or non-compliance) into account when assessing data controllers’ actions following notification of a data protection breach arising from a ransomware attack.

The guidance also references various certifications, standards and assessments that may help different types of organisation to stop or reduce the effect of attacks in different circumstances, such as the National Cyber Security Centre’s Cyber Essentials certification for small and medium-sized enterprises. The guidance specifically notes that cyber attacks can affect small as well as larger businesses as they are often carried out on a scattergun rather than targeted basis.

It also notes that, despite the UK leaving the EU, guidelines issued by European bodies remain relevant and can help data controllers carry out data breach risk assessments.

Operative date

  • Now

Recommendation

  • Employers should download the guidance from the ICO website, and assess and review their policies, processes, procedures and staff training, to help protect computer systems from ransomware attacks and deal with any data protection consequences if one occurs.

Disclaimer

This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.

Copyright © Atom Content Marketing

About Legal Alert

Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.