Legal Implications Regarding Ransomware

15 July 2019

Jurriaan Jansen, privacy and cyber Of Counsel at Norton Rose Fulbright LLP, talked us through the myriad potential legal implications a ransomware attack can trigger.

Here are the five key takeaways from our discussion:

1. Be Prepared

The first priority when navigating the legal implications of ransomware is preparing in advance for the possibility of an attack. This can include making sure that your incident response plan is up to date and that your employees are aware of their roles regarding cyber security and data protection.

2. Perform Your Due Diligence

Companies should assess their potential cyber risks thoroughly before an incident occurs. Your due diligence process should include understanding terrorism legislation within the regions in which your business operates and whether paying a ransom would implicate the business in criminal activity.

For example, in a traditional piracy case a UK ship owner may lawfully pay a ransom to pirates in exchange for the ship’s release, unless they hold a reasonable belief that the money will be used for the purpose of terrorism.

Unfortunately, this assessment is difficult to carry out while the source of the threat is unknown. Due diligence performed after an incident, once something is known about who is behind it, can therefore prove more useful.

Winston Krone, Global Managing Director at Kivu Consulting, adds that “to be found criminally liable, there must be proof that you have been in contact with terrorists or people on a government prohibited list. Performing your due diligence process will significantly reduce your chances of this.

However, the scope of due diligence is constantly expanding; first as it becomes technically possible to further trace bitcoin payments and the identity of attackers, and secondly as regulators consistently add individuals, organisations and even specific bitcoin addresses to the list of prohibited organisations.”

3. Ensure That You Comply with Regulatory Obligations

Check that your business is complying with its various regulatory obligations by getting legal advice. Take all appropriate organisational and technical measures to avoid a breach and, if a breach does occur, identify your notification obligations as soon as possible to protect the business from the steep penalties for non-compliance.

These obligations arise under civil liability, data protection law and sector-specific legislation. For instance, if you are found to have been running older servers that were not patched appropriately, you could be fined or otherwise sanctioned under the GDPR for failing to apply adequate technical measures to protect personal data. You could also be fined or sanctioned for not notifying the supervisory authority within 72 hours of becoming aware of the breach, which is another GDPR requirement.

4. GDPR, the Game Changer

Before GDPR came into effect in Europe, there were similar regulations in place, but GDPR has introduced tougher penalties for non-compliance, and more responsibility for businesses. Under the GDPR, businesses need to actively demonstrate the actions they have taken to comply with the relevant obligations.

The actions deemed ‘appropriate’ to avoid a breach will differ depending on your company’s sector and region, as there are many sector-specific views on best practice. To determine your sector’s benchmark for compliant behaviour, it is best to check the certification schemes published by the ICO.

In addition, the GDPR requires businesses to be proactive: clarifying deadlines and thresholds in advance and ensuring that all the appropriate technical and organisational measures are in place, including an incident response plan (IRP). It has also forced companies to think harder about their cyber risk exposures, their security practices and how they would respond to an attack, which can only improve their protection in the future.


Notification requirements are also affected by the type of data breach. There are three types of data breach: availability, confidentiality and integrity. You must determine which of the three the incident caused (a ransomware attack can cause more than one) in order to decide how to resolve, or at least mitigate, its consequences.

An availability breach involves access to your systems or data being restricted or lost. Decrypting or restoring all affected data can take a long time, which can affect customers, as your systems need to be available to conduct business.

A confidentiality breach means your data has been accessed or used by unauthorised third parties. The attackers behind some newer ransomware strains read your data before launching the encryption, and an attacker who gains entry through phishing can likewise read your data before encrypting it.

An integrity breach involves corruption or alteration of data. In ransomware cases this is usually unintentional: a faulty decryption tool or a restore from backup drives may introduce errors into the data. It is difficult to prove that the data is unchanged after a breach unless you can compare it against a trusted record of its pre-incident state.
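The integrity question above is far easier to answer if, before any incident, you record a cryptographic hash of every file and keep that record off the systems it describes; after decryption or a restore from backup you can then show exactly which files are unchanged, altered or missing. The following Python script is an added example (not from the original article, and not a tool of Norton Rose Fulbright or Kivu) that builds such a SHA-256 manifest and checks a restored directory tree against it. The directory layout, file contents and the ‘lossy restore’ it simulates are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_digest(manifest: dict[str, str]) -> str:
    """Single hash over the whole manifest, in the same 'hash  path' layout sha256sum uses.

    Record this one value somewhere tamper-evident (a notarised e-mail, a ticket,
    a timestamping service) so the manifest itself can later be shown to be unaltered.
    """
    lines = "\n".join(f"{h}  {p}" for p, h in sorted(manifest.items()))
    return hashlib.sha256(lines.encode("utf-8")).hexdigest()


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree with the recorded manifest.

    Returns sorted lists of files whose content changed, files that are gone,
    and files that were not in the original record (e.g. attacker tooling or
    stray output from a decryptor).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small tree, then simulate an imperfect recovery."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger").mkdir()
        (root / "ledger" / "q1.csv").write_bytes(b"id,amount\n1,100\n2,250\n")
        (root / "ledger" / "q2.csv").write_bytes(b"id,amount\n3,75\n")
        (root / "notes.txt").write_bytes(b"board minutes\n")
        manifest = build_manifest(root)  # taken before the (simulated) incident

        # Simulated lossy restore: one file truncated, one not restored at all,
        # and one leftover artefact that was never part of the original data.
        (root / "ledger" / "q1.csv").write_bytes(b"id,amount\n1,100\n")
        (root / "notes.txt").unlink()
        (root / "ledger" / "q1.csv.decrypted").write_bytes(b"junk")

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest step on a schedule as part of normal backup verification, not only after an incident: a manifest taken after the attackers already had access proves nothing about what they changed. Storing `manifest_digest()` somewhere outside your own estate is what lets you later argue that the comparison baseline itself was not tampered with.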

5. Ensure Your Incident Response Plan Remains Relevant

“Key terms like ‘ransomware’ and ‘cyber extortion’ must be included in your IRP to make it applicable to the situation you find yourself in. The destructiveness of ransomware, the challenges of recovering from a massive encryption attack, and the unique legal issues of cyber extortion are issues that simply didn’t exist when most IRPs were drafted”, comments Winston Krone.

He continues, “Similar to the concept of ‘silent cyber’ that attempts to find cyber coverage in crime and property policies, there is an obvious shortfall in hoping that an IRP that doesn’t mention cyber extortion could successfully respond to such an attack.

The envisaged timelines, reporting structure and expectations of internal resources are radically different for a ransomware attack in comparison with a traditional hacking or network intrusion case.”

Your IRP should be reviewed by expert vendors to ensure that you have taken all appropriate measures to prevent a breach and to comply with all relevant legislation and regulations. The courts accept that mistakes are always possible, but you must live up to your own commitments to be considered compliant. It is also important to include a detailed IT security plan, certified by the ICO, in your response plan to demonstrate that you have market-standard cover.


Thorough preparation and planning is vital to protect your company against a ransomware attack and the possible legal implications. You need to understand each applicable regulation and piece of legislation to ensure that every base is covered.

Achieving certification and seeking expert advice can help you assess the best practice expectations for your company. Staying abreast of the latest regulatory updates will also help to keep your incident response plan relevant.

By Cyber Collective Partner Jurriaan Jansen, Norton Rose Fulbright LLP



  • Sarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 8108 9541.
