A ransomware attack on EU personal data is unquestionably a breach — “accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access …”
But would it be reportable under the GDPR, which goes into effect next year?
In other words, would an EU company (or a US one as well) have to notify a DPA and affected customers within the 72-hour window after being attacked by, say, WannaCry?
If you go by the language of the law, the answer is a definite … no!
Foster explains that for it to be reportable, a breach has to cause a risk “to the rights and freedoms of natural persons.” For what this legalese really means, you’ll just have to listen to the podcast. (Hint: it refers to a fundamental document of the EU.)
Anyway, personal data that’s encrypted by ransomware and not taken off premises is not much of a risk for anybody. There are still more subtleties involving ransomware and other EU data laws that I think are best explained by her, so you’ll just have to listen to Sue’s legal advice directly!
There’s also very interesting analysis by Foster on the implications of the GDPR for Internet-of-Things gadget makers.
Come for the ransomware, but stay for the IoT: