The scenario

TechCo, a London-headquartered technology company with subsidiaries in France, Germany and Poland, has suffered a ransomware attack. The attack has encrypted a large tranche of the data held by TechCo (including personal data). The hackers have contacted TechCo's CEO, threatening to release personal data onto the dark web unless a ransom of the bitcoin equivalent of $500,000 is paid within 72 hours, in exchange for the return of the data. TechCo's IT team has started investigating the incident. It is not yet clear whether TechCo's back-ups have been affected, and the type and quantity of affected personal data is unknown at this stage.

Factual investigations and operational issues

Investigations have not yet confirmed whether the hackers have, in fact, exfiltrated data (including personal data) from TechCo's systems.

TechCo should consider at the earliest opportunity whether it may be necessary to appoint an expert cyber forensics firm to assist with any investigation. Internal IT teams may not have the necessary time and expertise, and there can be questions in relation to their independence.

If TechCo instructs a cyber forensics expert, it should consider whether it is possible to instruct that expert in a way which means that any reports produced are privileged (to the extent that this is possible in the individual jurisdictions concerned). If it is not possible to produce a report under privilege, then TechCo (and its lawyers) should exercise careful control over the production of the report to ensure that it does not increase TechCo's legal liability for the incident.

Legal and regulatory issues

Article 33 GDPR – notifying the relevant supervisory authority

Under Article 33 of the General Data Protection Regulation (GDPR), a data controller must notify a personal data breach to the relevant supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of those affected. If there has been unauthorised access to, and encryption of, large volumes of personal data by a hacker (as well as the potential exfiltration of that data), it is likely that the Article 33 threshold for notification will be met.

TechCo does not have an obvious "main establishment" in the EU. Because its headquarters are in the UK, the EU GDPR's one-stop-shop mechanism, under which a controller deals with a single lead supervisory authority, may not be available to it, and TechCo may therefore need to notify the supervisory authority in each affected EU Member State as well as the UK Information Commissioner's Office under the UK GDPR. At present there is no divergence between the UK GDPR and the EU GDPR on this point, but the manner in which Article 33 is interpreted does vary across jurisdictions.

The role of legal teams in delivering success

- There are jurisdictional nuances, even as between the UK and EU interpretations of the GDPR, which mean that the approach and strategy in one country may not be the right approach to take elsewhere.
- Investigations need to be carefully managed, to ensure that the relevant issues are addressed and that any written report does not inadvertently increase legal liability.
- Expert legal and cyber forensics advice should be sought at the earliest opportunity.
- Cyber attacks might trigger additional legal and regulatory obligations. Make sure that these are fully considered, alongside any GDPR analysis.