EN
DE
Getting hit by a ransomware attack means dealing with hard realities. A well organized and appropriate response can make the process much easier and help to safeguard against more headaches in the future. This topic is explored in depth in our complete ransomware response guide. One part of a ransomware response many people overlook is the importance of compliance with ransomware law and regulations. This page will give you a brief introduction to the topic, as well as some important contacts.
The Importance of Ransomware Laws, Regulations, and Compliance
There are some important procedures to follow in the aftermath of a ransomware attack, and neglecting these procedures can result in liability, and even fines and penalties. The requirements differ according to the country and the industry your company works in.
For example, the United States has special requirements for health care providers affected by hackers. For general data breaches, 47 of 50 US states have some form of regulation requiring data breach reporting. In Europe, the EU’s General Data Protection Regulation (GDPR) does not require reporting data breaches, but some EU member states do. If you are required to report the data breach, the report must be filed within 72 hours of becoming aware of the breach. Non-compliance can carry stiff fines, in some cases ranging up to €10-20 million.
These regulations are intended to protect consumers in the event of sensitive data being leaked. The exact requirements for notifying authorities may also depend on the extent of the breach.
In many cases, victims of ransomware attacks have no choice but to deal with the attackers. In such an event, it is also important to be aware of international sanctions. The United States’ Office of Foreign Asset Control (OFAC) maintains a list of sanctioned entities and individuals. Violations of OFAC sanctions can result in punitive action, including fines as high as $20 million USD, or up to 30 years in prison,
Of course, if there are no bad intentions, it is unlikely that a victim of ransomware would be subject to such heavy penalties. Still, there is no doubt that it would be better to avoid any unwanted letters from the OFAC.
Authorities in most jurisdictions encourage victims of ransomware attacks to file a report, even if there is no legal requirement to do so. It’s generally a good practice, because information contained in reports can also help law enforcement to bring attackers to justice. Regardless of the ransomware laws and regulations in your country, we believe it is a good policy to always file a report.
What Information is Needed?
The ransomware laws in your country may affect the type of reports you need to file. It may depend on your location, industry, and your chosen response for dealing with the attack. The most important items usually include.
- Information on your company or organization.
- Date and time that the attack was discovered.
- A screenshot or photograph of the ransom demand.
- Ransom amount demanded.
- Any unusual IP addresses connected to your network.
- The file extension of encrypted files.
- Any other communications or correspondence with the attackers.
- Total losses associated with the attack.
There may be additional requirements depending on the law enforcement agency responsible for your jurisdiction.
General Data Protection Regulations
Under the General Data Protection Regulations, certain types of data breaches must be reported within 72 hours. In some cases, companies may be required to inform the individuals affected by data breaches. In some countries, data protection and ransomware laws require to inform both the relevant GDPR authority and the customers affected.
Even if the nature of the data breach does not require informing either the GDPR office or customers, companies are still required to document all data breaches and keep records. Below are the contact details for local GDPR authorities.
GDPR Contacts
Law Enforcement Offices Responsible for Ransomware Attacks
We’ve compiled a list of contact details for law enforcement agencies that handle ransomware attack reports in various jurisdictions. Depending on your location, you may need to send reports to more than one office. It’s good to check in with your local police agency to learn more about ransomware laws before taking any action.
