The General Data Protection Regulation (GDPR), of course, covers the protection and privacy of the personal data of EU citizens.
Ransomware, certainly, is a nightmare. Attacks have been increasing, and cities have been hit with huge ransom demands just to get their services running again!
But the GDPR raises the stakes of ransomware even higher than before, and organizations following the new laws must be aware of the added impact it poses in the event of an attack.
What happens if you get breached
First, you’ll have to be completely transparent and let people know if their data has been compromised. You will need to notify the appropriate supervisory authority within 72 hours of becoming aware of the breach, and notify anyone affected “without undue delay.”
It’s important to note that ransomware does not simply lock up your data so you cannot get it back without paying. It is also theft of your data: the attacker who encrypted it had access to it, and the door is wide open for them to copy it out.
(Remember on “Homeland” when the attacker realized that Carrie had super top-secret CIA agent data on her computer, and upped the ransom to $10,000 or he would expose it all?)
Keep unauthorized users out
Ensure that no one can access data who isn’t authorized to do so. This means locking down permissions in Active Directory and enabling two-factor authentication for your users’ email inboxes.
Make Sure PII Is Safely – and Locally – Stored
The 3-2-1 backup rule (three copies of your data, on two different media, with one copy off-site) is a good policy to stand by, and it is doubly so in the case of PII. Make sure you are consistently backing up your data and verifying that you can recover from it. And while keeping a copy in the cloud is a good strategy…
Data governing bodies are sensitive to where data is physically stored – and we don’t mean in a latency sense. If you are using the cloud to store PII, make sure that you are using Azure storage or an S3 bucket provisioned in your own region of the world.
Lock Down Your Backups
We don’t mean with handcuffs (though a solid physical security plan is also key). Make sure your backups can’t be erased or moved for a set period. Long-term retention and immutability are two key technologies for staying safe and compliant in the world of ransomware and GDPR.
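As an added example (not code from the original post), here is a small Python audit of the two backup controls above, locality and immutability, run against constructed copies of what the S3 `GetBucketLocation` and `GetObjectLockConfiguration` API responses look like. The approved-region list and the 90-day minimum retention are assumptions standing in for your own policy.

```python
from typing import Any, Dict, List

# Regions assumed acceptable for EU personal data under this hypothetical policy.
EU_REGIONS = {"eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1", "eu-north-1", "eu-south-1"}


def audit_backup_bucket(location: Dict[str, Any], lock: Dict[str, Any],
                        allowed_regions=EU_REGIONS, min_days: int = 90) -> List[str]:
    """Return a list of findings; an empty list means the bucket passes both checks.

    `location` mirrors an S3 GetBucketLocation response (LocationConstraint is
    None for us-east-1). `lock` mirrors a GetObjectLockConfiguration response;
    an empty dict stands in for the error the real API raises when Object Lock
    was never configured on the bucket.
    """
    findings: List[str] = []
    region = location.get("LocationConstraint") or "us-east-1"
    if region not in allowed_regions:
        findings.append(f"bucket lives in {region}, outside the approved regions")

    cfg = lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled; backups can be deleted at any time")
        return findings
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    days = retention.get("Days") or 365 * retention.get("Years", 0)
    if mode != "COMPLIANCE":
        # GOVERNANCE retention can be shortened or removed by sufficiently privileged principals.
        findings.append(f"default retention mode is {mode!r}; only COMPLIANCE mode is immutable")
    if days < min_days:
        findings.append(f"default retention is {days} days, below the {min_days}-day minimum")
    return findings


# Constructed sample responses, shaped like the real API output.
GOOD_LOCATION = {"LocationConstraint": "eu-central-1"}
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 180}}}}
BAD_LOCATION = {"LocationConstraint": None}  # i.e. us-east-1
BAD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}

if __name__ == "__main__":
    for name, loc, lk in (("good", GOOD_LOCATION, GOOD_LOCK), ("bad", BAD_LOCATION, BAD_LOCK)):
        print(name, audit_backup_bucket(loc, lk) or ["OK"])
```

In a real audit the two dicts would come from `boto3`'s `get_bucket_location` and `get_object_lock_configuration` calls for each backup bucket.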
Stay compliant and be prepared
The best scenario is to defend yourself against an attack by securing and maintaining access to data. A cybercriminal is no match for an effective, GDPR-compliant data protection strategy.