Experts and authorities typically discourage companies under threat of ransomware from paying the cryptocurrency fees demanded to release their encrypted data. But this common response may soon become a thing of the past, as fresh EU legislation that took effect last month, known as the General Data Protection Regulation (GDPR), will levy hefty fines against enterprises that fail to protect customer data.
The passing of the GDPR has made paying ransom to cybercriminals much cheaper compared to the penalties imposed by the new EU regulation. In a recent reaction to the policy, George Kurtz, CEO of cybersecurity company CrowdStrike, said, “The price of admission of ransomware just went up.” Given how governments have been advising firms to refuse any form of communication with the cyber syndicates spreading malware, this feels somewhat counterproductive. With GDPR’s heavy penalty, it is becoming much more economical for a corporation to pay the ransom instead of admitting infection and facing the burden of paying a bigger sum to GDPR regulators.
Any company that fails to comply with GDPR is liable for a maximum fine of £17.5m (around €20 million) or 4% of its global revenue, whichever is higher. Contrast this with a typical ransomware demand of a mere 1 or 2 Bitcoins, and the latter is a much more affordable option. Kurtz further explained: “If [you have] a 4 percent fine on your overall top-line revenue, or you have ransomware that you can pay off and maybe quietly make it go away, I think there’s going to be an interesting dynamic in the amount that the market values paying off enterprise ransomware.”
Kurtz’s claim has been countered by Renzo Marchini, a data protection lawyer at the law firm Fieldfisher: “I think it’d be misplaced to pay the ransom in order to avoid the fine as the ICO should find out anyway if you’re a law-abiding company.”
Marchini further reminded companies, especially those operating in the United Kingdom, that they are legally required to immediately report all ransomware incidents affecting their computer systems to the UK’s Information Commissioner’s Office.