Whilst the majority of businesses invest in trying to prevent cybercrime – would they really be ready if their business became a victim of a Cybercrime?
Ransomeware attacks are one such threat where criminals have the ability to encrypt or steal data from a company’s system with a resulting message to delete or publish the data unless a ransom is paid.
There are several reasons why a business would not want data leaked into the public domain – in the food industry its often secret recipes, ingredients or methods – that could damage the company’s future should they be revealed.
It is also worth noting that both UK and EU business have a responsibility for safeguarding personal data under GDPR (General Data Protection Regulation. So this could not only result in damage to the company reputation but also the possiblity of hefty fines being incurred.
What would you do?
- Should you try to retrieve the data? Sadly, this would probably prove to be impossible.
- Choose to pay the ransom? This could well end up with you paying a terrorist or organised crime. Often the criminals ask for ‘Bitcoin’ ransoms and although this has become more mainstream it doesn’t have the same regulatory controls as ‘actual’ money and offers a level of anonymity for the criminal potentially resulting in companies falling foul of local legislation. However, it is of note that in 2019 the High Court did hold that cryptocurrencies constituted ‘property’ under English Law and is paving the way for granting an interim injuction over such ransoms.
- Whilst another question that must be addressed, if considering payment, has to be: “Does my cyber insurance cover the business or would it be in breach?”
- Finally, it’s worth remembering that even if the ransom is paid there’s no guarantee that the threat will be removed and that the attacker won’t ask for more money.
The first priority for any business must be:
- Stop the ‘attack’ happening in the first place. This means training employees to spot a ‘potential threat’ and giving them the confidence of taking action and not being fearful of repercussions after.
Should an attack take place and all technical support avenues have failed:
- Then the next move must be ‘damage limitation’ eg should a fraudulent payment have been made then legal remedies can freeze accounts, trace money and even recover the loss.
- As regards the risk of leaked or confidential information then the UK courts may be able to assist. There is an Interim Order , also known as a Non-Disclosure Order, which can be taken to the High Court to prevent the disclosure of data which includes ‘persons unknown’ i.e the cybercrime attacker. In order to qualify for this court order there must be requisite grounds for a claim of ‘break of confidence’ i.e.:
- the data must not already be in the public domain
- the information must have been given under circumstances that import an obligation of ‘confidence’
- there has to be an unauthorised use of information to the detriment of the party communicating it.
The true power of the Non-Disclosure Order lies in its ‘indirect effect’ meaning that it prevents the publication of the stolen data by any third parties that are in possession of it.
Sadly, in some instances the litigation itself can cause damage to the a firm’s reputation and especially in the food industry should food integrity be brought into question and subsequently damage a brand.
Whilst there is still a long way to go – the law is heading in the right direction.