At the WSJ’s Cybersecurity Executive Forum event yesterday, UK Information Commissioner Elizabeth Denham remarked that victims of the WannaCry attack should have contacted her office. "But why," you ask, "would victims of a ransomware attack be required to report to a privacy official? Ransomware locks up your data. Isn't that, like, the complete and total opposite of a data breach?"
Denham's answer is that making data inaccessible is itself a data protection issue. In her remarks, she noted that the UK Data Protection Act and the incoming EU General Data Protection Regulation both mandate that data controllers give data subjects access to their data. But the access requirement is neither new nor specific to Europe. One of the earliest official expositions of data privacy, a 1973 report by the US Department of Health, Education and Welfare Advisory Committee on Automated Systems, identified access as a central principle. So did the OECD Guidelines in 1980, the APEC Privacy Framework of 2004... you get the point.
It's easy, I think, for companies to forget this. Cybersecurity is a sprawling endeavor, and it's natural for people to try to break it up into more manageable chunks. So you split it out into the familiar triad of confidentiality, integrity, and availability. Data privacy goes in the first box, ransomware goes into the third, right? That thinking is likely to get you into trouble, as Denham's remarks suggest.
By the way, do check out Law360's excellent 5 Takeaways For Financial Firms From The WannaCry Hack, in which I'm quoted on the ways that bitcoin has been both fairly and unfairly maligned for the WannaCry attack.
(Many thanks to my colleague Sam Kirsop for reporting on Denham's event.)