Getting hit by a ransomware attack means dealing with hard realities. A well organized and appropriate response can make the process much easier and help to safeguard against more headaches in the future. This topic is explored in depth in our complete ransomware response guide. One part of a ransomware response many people overlook is the importance of compliance with ransomware law and regulations. This page will give you a brief introduction to the topic, as well as some important contacts.
The Importance of Ransomware Laws, Regulations, and Compliance
There are some important procedures to follow in the aftermath of a ransomware attack, and neglecting these procedures can result in liability, and even fines and penalties. The requirements differ according to the country and the industry your company works in.
For example, the United States has special requirements for health care providers affected by hackers. For general data breaches, 47 of 50 US states have some form of regulation requiring data breach reporting.
In Europe, the EU’s General Data Protection Regulation (GDPR) does not require reporting data breaches, but some EU member states do. If you are required to report the data breach, the report must be filed within 72 hours of becoming aware of the breach. Non-compliance can carry stiff fines, in some cases ranging up to €10-20 million.
These regulations are intended to protect consumers in the event of sensitive data being leaked. The exact requirements for notifying authorities may also depend on the extent of the breach.
In many cases, victims of ransomware attacks have no choice but to deal with the attackers. In such an event, it is also important to be aware of international sanctions. The United States’ Office of Foreign Assets Control (OFAC) maintains a list of sanctioned entities and individuals. Violations of OFAC sanctions can result in punitive action, including fines as high as $20 million USD, or up to 30 years in prison.
Of course, if there are no bad intentions, it is unlikely that a victim of ransomware would be subject to such heavy penalties. Still, there is no doubt that it is better to avoid any unwanted letters from OFAC.
Authorities in most jurisdictions encourage victims of ransomware attacks to file a report, even if there is no legal requirement to do so. It’s generally a good practice, because information contained in reports can also help law enforcement to bring attackers to justice. Regardless of the ransomware laws and regulations in your country, we believe it is a good policy to always file a report.
What Information is Needed?
The ransomware laws in your country may affect the type of reports you need to file. What you must report may also depend on your location, your industry, and how you choose to respond to the attack. The most important items usually include:
- Information on your company or organization.
- Date and time that the attack was discovered.
- A screenshot or photograph of the ransom demand.
- Ransom amount demanded.
- Any unusual IP addresses connected to your network.
- The file extension of encrypted files.
- Any other communications or correspondence with the attackers.
- Total losses associated with the attack.
There may be additional requirements depending on the law enforcement agency responsible for your jurisdiction.
General Data Protection Regulation
Under the General Data Protection Regulation, certain types of data breaches must be reported within 72 hours. In some cases, companies may also be required to inform the individuals affected by the breach. In some countries, data protection and ransomware laws require you to inform both the relevant GDPR supervisory authority and the customers affected.
Even if the nature of the data breach does not require informing either the GDPR office or customers, companies are still required to document all data breaches and keep records. Below are the contact details for local GDPR authorities.
GDPR CONTACTS
Austria
Website: https://www.dsb.gv.at/
E-mail contact: [email protected]
Belgium
Website: https://www.gegevensbeschermingsautoriteit.be/
E-mail contact: [email protected]
Croatia
Website: https://azop.hr/
E-mail contact: [email protected]
Cyprus
Website: http://www.dataprotection.gov.cy/
E-mail contact: [email protected]
Czech Republic
Website: http://www.uoou.cz/
E-mail contact: [email protected]
Denmark
Website: https://www.datatilsynet.dk/
E-mail contact: [email protected]
Estonia
Website: https://www.aki.ee/et
E-mail contact: [email protected]
Europe
Website: http://www.edps.europa.eu/EDPSWEB/
E-mail contact: [email protected]
Finland
Website: http://www.tietosuoja.fi/en/
E-mail contact: [email protected]
Germany
Website: http://www.bfdi.bund.de/
Direct links for the GDPR Reporting: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html
The provisions most relevant to breach notification are Articles 33 and 34 of the GDPR (notification of a personal data breach to the supervisory authority and communication to the affected data subjects):
https://dsgvo-gesetz.de/art-33-dsgvo/
E-mail contact: [email protected]
Greece
Website: http://www.dpa.gr/
E-mail contact: [email protected]
Hungary
Website: https://www.naih.hu/
E-mail contact: [email protected]
Ireland
Website: https://www.dataprotection.ie/
E-mail contact: [email protected]
Italy
Website: https://www.garanteprivacy.it/
E-mail contact: [email protected]
Latvia
Website: http://www.dvi.gov.lv/
E-mail contact: [email protected]
Lithuania
Website: https://vdai.lrv.lt/
E-mail contact: [email protected]
Luxembourg
Website: http://www.cnpd.lu/
E-mail contact: [email protected]
Malta
Website: http://www.idpc.org.mt/
E-mail contact: [email protected]
Poland
Website: https://uodo.gov.pl/
E-mail contact: [email protected]
Portugal
Website: https://www.cnpd.pt/
E-mail contact: [email protected]
Romania
Website: http://www.dataprotection.ro/
E-mail contact: [email protected]
Slovakia
Website: https://dataprotection.gov.sk/
E-mail contact: [email protected]
Slovenia
Website: https://www.ip-rs.si/
E-mail contact: [email protected]
Spain
Website: https://www.aepd.es/
E-mail contact: [email protected]
Sweden
Website: https://www.datainspektionen.se/
E-mail contact: [email protected]
Iceland
Website: https://www.personuvernd.is/
E-mail contact: [email protected]
Liechtenstein
Website: https://www.datenschutzstelle.li/
E-mail contact: [email protected]
Norway
Website: https://www.datatilsynet.no/
E-mail contact: [email protected]
Law Enforcement Offices Responsible for Ransomware Attacks
We’ve compiled a list of contact details for law enforcement agencies that handle ransomware attack reports in various jurisdictions. Depending on your location, you may need to send reports to more than one office. It’s good to check in with your local police agency to learn more about ransomware laws before taking any action.
Austria
Website: https://bundeskriminalamt.at/306/start.aspx
E-mail contact:
Belgium
Website: https://www.police.be/fr
E-mail contact: [email protected]
Croatia
Website: https://mup.gov.hr/
E-mail contact: [email protected]
Cyprus
Website: http://www.dataprotection.gov.cy/
E-mail contact: [email protected]
Czech Republic
Website: https://www.uoou.cz/
E-mail contact: [email protected]
Denmark
Website: https://www.datatilsynet.dk/
E-mail contact: [email protected]
Estonia
Website: https://www.aki.ee/
E-mail contact: [email protected]
Finland
Website: https://tietosuoja.fi/en/home
E-mail contact: [email protected]
France
Website: https://www.cnil.fr/
E-mail contact: https://www.cnil.fr/fr/webform/contacter-la-redaction-du-site-cnilfr
Germany
Bundeskriminalamt
Website: https://www.bka.de/DE/Home/home_node.html
E-mail contact: [email protected]
Bundespolizei
Website: https://www.bundespolizei.de/Web/DE/_Home/home_node.html
E-mail contact: https://www.bundespolizei.de/Web/DE/Service/Kontakt/kontakt_node.html
Baden-Württemberg
Website: https://www.polizei-bw.de/
E-mail contact: [email protected]
Bavaria
Website: https://www.polizei.bayern.de/
E-mail contact: [email protected]
Berlin
Website: https://www.internetwache-polizei-berlin.de/index_5.html
E-mail contact: [email protected]
Brandenburg
Website: https://polizei.brandenburg.de/
E-mail contact: [email protected]
Bremen
Website: https://www.polizei.bremen.de/
E-mail contact: [email protected]
Hamburg
Website: https://www.polizei.hamburg/
Hessen
Website: https://www.polizei.hessen.de/Startseite/
E-mail contact: [email protected]
Mecklenburg-Vorpommern
Website: https://www.polizei.mvnet.de/
E-mail contact: https://www.polizei.mvnet.de/Kontakt/
Niedersachsen
Website: https://www.polizei-nds.de/startseite/
E-mail contact: https://www.polizei-nds.de/wir_ueber_uns/kontakt-26.html
Nordrhein-Westfalen
Website: https://polizei.nrw/
E-mail contact: [email protected]
Rheinland-Pfalz
Website: https://www.polizei.rlp.de/onlinewache
E-mail contact: [email protected]
Saarland
Website: https://www.saarland.de/polizei/DE/home/home_node.html
E-mail contact: https://www.saarland.de/polizei/DE/service/kontakt/kontaktformular/kontaktformular_node.html
Sachsen
Website: https://www.polizei.sachsen.de/de/index.htm
E-mail contact: [email protected]
Sachsen-Anhalt
Website: https://polizei.sachsen-anhalt.de/
E-mail contact: https://www.sachsen-anhalt.de/meta/kontaktformular/?no_cache=1&tx_tsacontactform_pi1%5Bcaller%5D=44404
Schleswig-Holstein
Website: https://www.schleswig-holstein.de/DE/Landesregierung/POLIZEI/Polizei_node.html
E-mail contact: https://www.schleswig-holstein.de/DE/Landesregierung/POLIZEI/Kontakt/kontakt_node.html
Thueringen
Website: https://www.thueringen.de/th3/polizei/
E-mail contact: [email protected]
Greece
Website: http://www.astynomia.gr/index.php?option=ozo_content&perform=view&id=8194&Itemid=378&lang=
E-mail contact: [email protected]
Hungary
Website: http://www.police.hu/ugyintezes
E-mail contact: [email protected]
Iceland
Website: https://www.personuvernd.is/
E-mail contact: [email protected]
Italy
Website: https://www.commissariatodips.it/
E-mail contact: [email protected]
Ireland
Website: https://www.garda.ie/en/
E-mail contact: [email protected]
Latvia
Website: http://www.dvi.gov.lv/
E-mail contact: [email protected]
Liechtenstein
Website: https://www.datenschutzstelle.li/
E-mail contact: [email protected]
Lithuania
Website: https://vdai.lrv.lt/
E-mail contact: [email protected]
Luxembourg
Website: https://cnpd.public.lu/fr.html
E-mail contact: [email protected]
Malta
Website: https://idpc.org.mt/
E-mail contact: [email protected]
Netherlands
Website: https://autoriteitpersoonsgegevens.nl/nl
E-mail contact: [email protected]
Norway
Website: https://www.datatilsynet.no/
E-mail contact: [email protected]
Poland
Website: https://policja.pl/
E-mail contact: [email protected]
Portugal
Website: https://www.cnpd.pt/
E-mail contact: [email protected]
Romania
Website: https://www.dataprotection.ro/
E-mail contact: [email protected]
Spain
Website: https://www.aepd.es/es
E-mail contact: [email protected]
Sweden
Website: https://www.datainspektionen.se/
E-mail contact: [email protected]
European Data Protection Supervisor
Website: https://edps.europa.eu/
E-mail contact: [email protected]
If this seems too complicated to you, and you want to take advantage of expert ransomware recovery services, reach out to us for a free consultation.