To contain the impact of a ransomware attack, organizations must move swiftly to engage a qualified incident response firm to contain and mitigate the incident. Ponemon Institute's 2018 Cost of a Data Breach study found that organizations that contained a breach quickly (within 30 days) saved on average more than $1 million compared with those that took longer, and returned to normal business operations sooner.
Attackers are becoming more aggressive: many ransomware groups now exfiltrate data before encrypting it and threaten to publish it if the ransom is not paid (so-called double extortion). Even without that tactic, encrypting personal data so that it becomes unavailable is itself a "loss" or "destruction" of personal data, and therefore a personal data breach as defined by the European General Data Protection Regulation (GDPR). If your organization is hit by ransomware and personal data entrusted to it is affected, the incident must be assessed under the GDPR's notification rules: it is reportable to the supervisory authority within 72 hours unless it is unlikely to result in a risk to individuals (Article 33), and affected individuals must be informed where the risk is high (Article 34). Inadequate security measures (Article 32) or a failure to notify can attract regulatory fines, so an organization that is not prepared to deal with ransomware is exposed on both counts.
"'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;" – GDPR, Article 4(12)