Getting hit by a ransomware attack means dealing with hard realities. A well-organized and appropriate response can make the process much easier and help to safeguard against more headaches in the future. This topic is explored in depth in our complete ransomware response guide. One part of a ransomware response many people overlook is the importance of compliance with ransomware laws and regulations. This page will give you a brief introduction to the topic, as well as some important contacts.

The Importance of Ransomware Laws, Regulations, and Compliance

There are some important procedures to follow in the aftermath of a ransomware attack, and neglecting these procedures can result in liability, and even fines and penalties. The requirements differ according to the country and the industry your company works in. 

For example, the United States has special requirements for health care providers affected by hackers. For general data breaches, 47 of 50 US states have some form of regulation requiring data breach reporting.

In Europe, the EU’s General Data Protection Regulation (GDPR) does not require reporting data breaches, but some EU member states do. If you are required to report the data breach, the report must be filed within 72 hours of becoming aware of the breach. Non-compliance can carry stiff fines, in some cases ranging up to €10-20 million.

These regulations are intended to protect consumers in the event of sensitive data being leaked. The exact requirements for notifying authorities may also depend on the extent of the breach. 

In many cases, victims of ransomware attacks have no choice but to deal with the attackers. In such an event, it is also important to be aware of international sanctions. The United States’ Office of Foreign Assets Control (OFAC) maintains a list of sanctioned entities and individuals. Violations of OFAC sanctions can result in punitive action, including fines as high as $20 million USD, or up to 30 years in prison.

Of course, if there are no bad intentions, it is unlikely that a victim of ransomware would be subject to such heavy penalties. Still, there is no doubt that it would be better to avoid any unwanted letters from OFAC.

Authorities in most jurisdictions encourage victims of ransomware attacks to file a report, even if there is no legal requirement to do so. It’s generally a good practice, because information contained in reports can also help law enforcement to bring attackers to justice. Regardless of the ransomware laws and regulations in your country, we believe it is a good policy to always file a report.

 

What Information is Needed?

The ransomware laws in your country may affect the type of reports you need to file. It may depend on your location, industry, and your chosen response for dealing with the attack. The most important items usually include:

  • Information on your company or organization.
  • Date and time that the attack was discovered.
  • A screenshot or photograph of the ransom demand.
  • Ransom amount demanded.
  • Any unusual IP addresses connected to your network.
  • The file extension of encrypted files.
  • Any other communications or correspondence with the attackers.
  • Total losses associated with the attack.

There may be additional requirements depending on the law enforcement agency responsible for your jurisdiction.

 

General Data Protection Regulation

Under the General Data Protection Regulation, certain types of data breaches must be reported within 72 hours. In some cases, companies may be required to inform the individuals affected by data breaches. In some countries, data protection and ransomware laws require companies to inform both the relevant GDPR authority and the customers affected.

Even if the nature of the data breach does not require informing either the GDPR office or customers, companies are still required to document all data breaches and keep records. Below are the contact details for local GDPR authorities. 

 

GDPR CONTACTS

Austria

Website: https://www.dsb.gv.at/

E-mail contact: [email protected]

Belgium

Website: https://www.gegevensbeschermingsautoriteit.be/

E-mail contact: [email protected]

Croatia

Website: https://azop.hr/

E-mail contact: [email protected]

Cyprus

Website: http://www.dataprotection.gov.cy/

E-mail contact: [email protected]

Czech Republic

Website: http://www.uoou.cz/

E-mail contact: [email protected]

Denmark

Website: https://www.datatilsynet.dk/

E-mail contact: [email protected]

Estonia

Website: https://www.aki.ee/et

E-mail contact: [email protected]

Europe

Website: http://www.edps.europa.eu/EDPSWEB/

E-mail contact: [email protected]

Finland

Website: http://www.tietosuoja.fi/en/

E-mail contact: [email protected]

Germany

Website: http://www.bfdi.bund.de/
Direct link for GDPR reporting: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

The provisions most relevant to data breach notification are Art. 33 and Art. 34 of the GDPR (DSGVO):
https://dsgvo-gesetz.de/art-33-dsgvo/

E-mail contact: [email protected]

 

Greece

Website: http://www.dpa.gr/

E-mail contact: [email protected]

Hungary

Website: https://www.naih.hu/

E-mail contact: [email protected]

Ireland

Website: https://www.dataprotection.ie/

E-mail contact: [email protected]

Italy

Website: https://www.garanteprivacy.it/

E-mail contact: [email protected]

Latvia

Website: http://www.dvi.gov.lv/

E-mail contact: [email protected]

Lithuania

Website: https://vdai.lrv.lt/

E-mail contact: [email protected]

Luxembourg

Website: http://www.cnpd.lu/

E-mail contact: [email protected]

Malta

Website: http://www.idpc.org.mt/

E-mail contact: [email protected]

Poland

Website: https://uodo.gov.pl/

E-mail contact: [email protected]

Portugal

Website: https://www.cnpd.pt/

E-mail contact: [email protected]

Romania

Website: http://www.dataprotection.ro/

E-mail contact: [email protected]

Slovakia

Website: https://dataprotection.gov.sk/

E-mail contact: [email protected]

Slovenia

Website: https://www.ip-rs.si/

E-mail contact: [email protected]

Spain

Website: https://www.aepd.es/

E-mail contact: [email protected]

Sweden

Website: https://www.datainspektionen.se/

E-mail contact: [email protected]

Iceland

Website: https://www.personuvernd.is/

E-mail contact: [email protected]

Liechtenstein

Website: https://www.datenschutzstelle.li/

E-mail contact: [email protected]

Norway

Website: https://www.datatilsynet.no/

E-mail contact: [email protected]

 

 

Law Enforcement Offices Responsible for Ransomware Attacks 

We’ve compiled a list of contact details for law enforcement agencies that handle ransomware attack reports in various jurisdictions. Depending on your location, you may need to send reports to more than one office. It’s good to check in with your local police agency to learn more about ransomware laws before taking any action.

 

Austria

Website: https://bundeskriminalamt.at/306/start.aspx

E-mail contact: [email protected]

Belgium

Website: https://www.police.be/fr

E-mail contact: [email protected]

Bulgaria 

Website: https://www.cybercrime.bg/bg

E-mail contact: [email protected]

Croatia

Website: https://mup.gov.hr/

E-mail contact: [email protected]

Cyprus

Website: http://www.dataprotection.gov.cy/

E-mail contact: [email protected]

Czech Republic

Website: https://www.uoou.cz/

E-mail contact: [email protected]

Denmark

Website: https://www.datatilsynet.dk/

E-mail contact: [email protected]

Estonia

Website: https://www.aki.ee/

E-mail contact: [email protected]

Finland

Website: https://tietosuoja.fi/en/home

E-mail contact: [email protected]

France

Website: https://www.cnil.fr/

E-mail contact: https://www.cnil.fr/fr/webform/contacter-la-redaction-du-site-cnilfr

Germany

Bundeskriminalamt

Website: https://www.bka.de/DE/Home/home_node.html

E-mail contact: [email protected]

Bundespolizei

Website: https://www.bundespolizei.de/Web/DE/_Home/home_node.html

E-mail contact: https://www.bundespolizei.de/Web/DE/Service/Kontakt/kontakt_node.html

Baden-Württemberg

Website: https://www.polizei-bw.de/

E-mail contact: [email protected]

Bavaria

Website: https://www.polizei.bayern.de/

E-mail contact: [email protected]

Berlin

Website: https://www.internetwache-polizei-berlin.de/index_5.html

E-mail contact: [email protected]

Brandenburg

Website: https://polizei.brandenburg.de/

E-mail contact: [email protected]

Bremen

Website: https://www.polizei.bremen.de/

E-mail contact: [email protected]

Hamburg

Website: https://www.polizei.hamburg/

E-mail contact: https://www.polizei.hamburg/ansprechpartner/

Hessen

Website: https://www.polizei.hessen.de/Startseite/

E-mail contact: [email protected]

Mecklenburg-Vorpommern

Website: https://www.polizei.mvnet.de/

E-mail contact: https://www.polizei.mvnet.de/Kontakt/

Niedersachsen

Website: https://www.polizei-nds.de/startseite/ 

E-mail contact: https://www.polizei-nds.de/wir_ueber_uns/kontakt-26.html

Nordrhein-Westfalen

Website: https://polizei.nrw/

E-mail contact: [email protected]

Rheinland-Pfalz

Website: https://www.polizei.rlp.de/de/onlinewache/lob-beschwerde/

E-mail contact: [email protected]

Saarland

Website: https://www.saarland.de/polizei/DE/home/home_node.html

E-mail contact: https://www.saarland.de/polizei/DE/service/kontakt/kontaktformular/kontaktformular_node.html

Sachsen

Website: https://www.polizei.sachsen.de/de/index.htm

E-mail contact: [email protected]

Sachsen-Anhalt

Website: https://polizei-web.sachsen-anhalt.de/

E-mail contact: https://www.sachsen-anhalt.de/meta/kontaktformular/?no_cache=1&tx_tsacontactform_pi1%5Bcaller%5D=44404

Schleswig-Holstein

Website: https://www.schleswig-holstein.de/DE/Landesregierung/POLIZEI/Polizei_node.html 

E-mail contact: https://www.schleswig-holstein.de/DE/Landesregierung/POLIZEI/Kontakt/kontakt_node.html

Thueringen

Website: https://www.thueringen.de/th3/polizei/

E-mail contact: [email protected]

Greece

Website: http://www.astynomia.gr/index.php?option=ozo_content&perform=view&id=8194&Itemid=378&lang=

E-mail contact: [email protected]

Hungary 

Website: http://www.police.hu/ugyintezes

E-mail contact: [email protected]

Iceland

Website: https://www.personuvernd.is/

E-mail contact: [email protected]

Italy 

Website: https://www.commissariatodips.it/

E-mail contact: [email protected]

Ireland

Website: https://www.garda.ie/en/

E-mail contact: [email protected]

Latvia

Website: http://www.dvi.gov.lv/

E-mail contact: [email protected]

Liechtenstein

Website: https://www.datenschutzstelle.li/

E-mail contact: [email protected]

Lithuania

Website: https://vdai.lrv.lt/

E-mail contact: [email protected]

Luxembourg

Website: https://cnpd.public.lu/fr.html

E-mail contact: [email protected]

Malta

Website: https://idpc.org.mt/

E-mail contact: [email protected]

Netherlands

Website: https://autoriteitpersoonsgegevens.nl/nl

E-mail contact: [email protected]

Norway

Website: https://www.datatilsynet.no/

E-mail contact: [email protected]

Poland

Website: https://policja.pl/

E-mail contact: [email protected]

Portugal

Website: https://www.cnpd.pt/

E-mail contact: [email protected]

Romania

Website: https://www.dataprotection.ro/

E-mail contact: [email protected]

Spain

Website: https://www.aepd.es/es

E-mail contact: [email protected]

Sweden

Website: https://www.datainspektionen.se/

E-mail contact: [email protected]

European Data Protection Supervisor

Website: https://edps.europa.eu/

E-mail contact: [email protected]

 

 

If this seems too complicated to you, and you want to take advantage of expert ransomware recovery services, reach out to us for a free consultation.