Experts Say GDPR Could Lead To Higher Ransomware Demands

Photo by Christiaan Colen from Flickr

Last month, the General Data Protection Regulation came into effect. Experts say that it may potentially require businesses to pay cyber ransom demands from criminals as they may be considered to be a cheaper option than paying high GDPR fines.

The chief executive of ­cybersecurity company CrowdStrike, George Kurtz, said that “the price of admission of ransomware just went up” following the introduction of the GDPR.

Ransomware is a malicious software that is spread by criminals that lock files and computers until individuals or businesses agree to pay a cyber ransom in order to unlock the encrypted information.

The advice of the Government to the businesses is not to pay the ransomware demands. However, Kurtz said that the high fines that were introduced with GDPR could make businesses reconsider the payment of the cyber ransoms.

The GDPR introduced that imposition of new fines on businesses that experience data breaches. The firms can be fined with up to 4 percent of their global annual turnover or up to a maximum of €20m (£17.5m), whichever is higher.

Kurtz stated: “If [you have] a 4 percent fine on your overall top-line revenue, or you have a ransomware that you can pay off and maybe quietly make it go away, I think there’s going to be an interesting dynamic in the amount that the market values paying off enterprise ransomware.”

However, lawyers do not advise giving in to the ransomware demands despite the high fines. Renzo Marchini, a data protection lawyer from Fieldfisher, a law firm, pointed out that firms in the United Kingdom have a responsibility to report any ransomware incidents to the Information Commissioner’s Office (ICO).

He stated: “I think it’d be misplaced to pay the ransom in order to avoid the fine as the ICO should find out anyway if you’re a law-abiding company.”