Is Ransomware protection important for GDPR compliance?
This question came up at a GDPR event at which I recently spoke. Most of the attendees were from their respective Legal, GRC, or CISO offices; a legally astute, but also a very technical audience. One of the speakers who went up before I did, brought this up — as he was trying to draw the distinction between different types of cyber threats. The point the speaker made was that, while Ransomware can be painful for an organization to experience, it is not really data theft — since the attacker isn’t actually stealing your data. He/she is only rendering it unusable.
So, the question came up — “If ransomware isn’t really data theft, then can a ransomware attack cause an organization to run afoul of GDPR compliance? Should Ransomware protection really be an important piece of the GDPR puzzle?”
A quick background on GDPR
The EU’s General Data Protection Regulation is set to come into effect in roughly 2 months, and it is now top of mind among Legal, Risk and Compliance departments in organizations worldwide.
The EU Commission negotiated and finalized the text of what is called the “General Data Protection Regulation” (GDPR) in December of 2015. This was officially approved as Law in April 2016, and goes into effect on May 25, 2018. And, if you’re an organization that does business in the EU or even has customers from those geographies, this could significantly change the way you do business.
GDPR is the latest in a long line of regulations that have been put in place over the last 25+ years. HIPAA, which many of us are familiar with, came into being back in 1996. Regulations are mainly designed to make organizations more accountable for the data they hold. Most regulations ask for the same basic compliances:
a. Know what you have
b. Manage access to what you have — and make sure it doesn’t fall into the wrong hands
c. Protect / Save what you have — so you don’t lose it in case of a disaster
d. Prove that you have processes that are doing the above on a regular basis
GDPR, however, is also a bit different from other regulations in several ways:
a. The EU has tended to place citizen rights at a higher plane than the Executive Branch’s right to collect information on its citizens — and this is reflected in the emphasis GDPR places on data privacy and a citizen’s “right to be forgotten”.
b. There is also a better attempt to define what personal data is. This may not be as straightforward as simply looking for Personally Identifiable Information (PII) — like a name, Social Security number, etc. Any data, singly or in conjunction with other data, that can be used to identify an individual can qualify as “personal data”. So, organizations need to be mindful of seemingly disparate pieces of information about a person which individually won’t uniquely identify them — but when put together can.
c. GDPR also has strict rules about notification and even going public within 72 hours of a breach.
d. Also, GDPR has teeth, more so than previous regulations. It can hurt organizations where it matters most — penalties can be as high as €20M or 4% of annual revenues, not to mention the negative public relations fallout.
So, what does this have to do with Ransomware?
In this context, the question of whether ransomware can impact an organization’s GDPR compliance is indeed interesting.
What is Ransomware? Ransomware is a form of malware that has existed for the last 10 years or so, but has really taken on a visibly destructive form over the last 24 months. It operates by encrypting files on the infected computer and then demanding a bitcoin ransom in return for the decryption key.
Conventional wisdom would seem to indicate that you should be concerned only if personal data is “stolen”, “unlawfully disclosed” or “unlawfully given access to”. You wouldn’t normally think of data ‘loss’ or accidental ‘destruction’ as falling into the category of a ‘personal data breach’.
But, let’s take a look at how GDPR defines a personal data breach. Article 4(12) of the GDPR text says: “‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;”
It is fairly clear from the above that a personal data breach doesn’t have to be a theft; even an accidental destruction, loss or alteration of data can qualify. This means a ransomware attack can indeed very easily compromise an organization’s GDPR compliance posture.
Backup & Recovery
Ransomware variants such as WannaCry have breached sophisticated defences and have proven that just having expensive security software isn’t enough. Experience tells us that the best defense against ransomware is to have backups of the data on your user endpoints. Having a safe copy of your data means that you don’t have to be held hostage by a faceless attacker or make a ransomware payment.
Setting aside ransomware, without a reliable backup, years of stored data could be lost. Just the costs from data loss, theft and hard drive crashes — not to mention legal and disclosure costs associated with GDPR — should build a compelling case for endpoint backups.
In fact, GDPR makes the case for Backup and Recovery procedures unambiguously. Article 32(1)(c) states that “The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”
Most IT organizations, when thinking about Backup strategies, tend to think of their servers and databases. When crafting your compliance strategy for GDPR, remember to include your end user data.
What is end user data? Think of it as all of an organization’s data that is not residing on their central file or DB servers. This includes data on all desktops, laptops, mobile devices and even SaaS applications. By even conservative estimates, this accounts for two-thirds or more of a company’s total data assets.
Also, importantly, endpoint devices are the favorite vector for ransomware attacks. While attacks can exploit a broad spectrum of vulnerabilities, phishing is possibly the most common: enticing a user to click on an innocent-looking email attachment, which then drops a deadly ransomware payload on the endpoint.
What you can do
If you’re an organization that is likely to fall under the ambit of GDPR, you should consider a few important statistics:
• Two Thirds of Enterprise data lies outside the data center on end user devices (like laptops).
• 99% of employees have sensitive data on their laptops, and almost a third admit to uploading it to the cloud.
• A little-known fact is that most SaaS vendors don’t take responsibility for backing up your data. Many of them operate in a “shared responsibility model” which means that you are responsible for your data backups — even when your data is in the cloud.
Protecting end user data has never been more critical. If you don’t have an end user data protection strategy, consider an endpoint backup solution. Get one that can use cloud storage for the backup repository. In fact, look for solutions that can leverage cloud storage you may have already purchased for your end users (like OneDrive or Google Drive).
Consider a solution that can ensure security and privacy by encrypting files with a clear segregation of duties. Encrypted data is important for GDPR compliance, but proper segregation of duties ensures that you, as the data owner, control the encryption & decryption keys, and not the cloud or software vendor.
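As an added example (not code from the original post, nor from any backup vendor it alludes to), the following Go program sketches the two properties the last few paragraphs ask for: the Article 32(1)(c) ability to restore personal data after an incident, and encryption with a segregation of duties in which the data owner, not the cloud or software vendor, holds the key. The in-memory BackupStore, the OwnerKey type and the sample customers.csv contents are constructed for illustration; the cipher is AES-256-GCM from Go's standard library, with the object path bound in as associated data so the repository cannot move a blob between paths unnoticed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// BackupStore stands in for the cloud repository (OneDrive, Google Drive, a
// vendor bucket). It holds only nonce||ciphertext per path and never sees the key.
type BackupStore struct {
	objects map[string][]byte
}

func NewBackupStore() *BackupStore {
	return &BackupStore{objects: make(map[string][]byte)}
}

// OwnerKey is a 256-bit AES key generated and kept on the data owner's side
// (assumed here to live in the organization's own key store, not the vendor's).
type OwnerKey [32]byte

func NewOwnerKey() (OwnerKey, error) {
	var k OwnerKey
	_, err := rand.Read(k[:])
	return k, err
}

func (k OwnerKey) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Backup encrypts on the endpoint before anything is uploaded: AES-256-GCM with
// a fresh random nonce per object, and the path bound in as associated data so
// a blob cannot be quietly moved to another path inside the repository.
func Backup(store *BackupStore, key OwnerKey, path string, plaintext []byte) error {
	aead, err := key.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	store.objects[path] = append(nonce, aead.Seal(nil, nonce, plaintext, []byte(path))...)
	return nil
}

// Restore fetches the blob and decrypts it on the endpoint. A bit flip, a
// truncated blob, a blob swapped between paths, or the wrong key all fail
// authentication and return an error instead of silently restoring garbage.
func Restore(store *BackupStore, key OwnerKey, path string) ([]byte, error) {
	blob, ok := store.objects[path]
	if !ok {
		return nil, errors.New("no backup for " + path)
	}
	aead, err := key.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("corrupt backup blob for " + path)
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte(path))
}

// ProviderCanReadPlaintext is the repository-side check an auditor would make:
// the vendor must not be able to find the file contents in what it stores.
func ProviderCanReadPlaintext(store *BackupStore, path string, plaintext []byte) bool {
	return bytes.Contains(store.objects[path], plaintext)
}

func main() {
	// Constructed sample: an endpoint file holding personal data.
	path := "Documents/customers.csv"
	original := []byte("name,email\nJane Doe,jane@example.com\n")
	key, err := NewOwnerKey()
	if err != nil {
		panic(err)
	}
	store := NewBackupStore()
	if err := Backup(store, key, path, original); err != nil {
		panic(err)
	}
	fmt.Println("provider can read plaintext:", ProviderCanReadPlaintext(store, path, original))
	// The endpoint copy is now assumed encrypted by ransomware; recover from the repository.
	restored, err := Restore(store, key, path)
	fmt.Println("restored intact:", err == nil && bytes.Equal(restored, original))
}
```

The design point is where the key lives: because Backup encrypts before upload and Restore decrypts after download, the repository operator only ever handles ciphertext, which is what "segregation of duties" means in practice. In a real deployment the OwnerKey would come from the organization's own key management, and the store would be versioned so that a backup taken after the ransomware ran does not overwrite the last good copy.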
Most importantly, if you haven’t taken steps to cover yourself, act now! Use the next couple of months to get control over your data assets, keep them safe and get compliant.