A blog article from the ICO has given clear guidance on its view of data lost through a ransomware attack. It highlights the responsibility that organisations, including schools, have under Principle 7 of the Data Protection Act:
“The Data Protection Act requires data controllers to take appropriate technical and security measures to keep personal data secure against loss or destruction.
If the personal data which you are responsible for has been encrypted as a result of a ransomware attack and you are unable to restore that data then the ICO could be of the view that you have not taken appropriate measures to keep it secure and have therefore breached the Data Protection Act.
If you have a back-up from which you can restore a working copy of the data, then a permanent loss of data would not be considered to have occurred. However the ICO would still need to look at the circumstances of the case to determine whether or not there were appropriate measures in place which could have prevented the attack from succeeding.”
What is interesting is that it mentions destruction directly rather than just loss, and a ransomware attack may well lead to this.
Do you know whether the school's technical support has taken the right steps so that the ICO would feel comfortable? These include:
- Suitable and up-to-date anti-virus/anti-malware
- Data backup located in a secure location that cannot be attacked by the same malware
- Fully tested recovery processes
A good place to start the conversation is with the Government's Cyber Essentials guide, which has easy-to-understand information and advice.
If you think it won't happen to your school, an article in the Guardian suggests this may not be the case. These attacks are not just targeted at businesses but can come in the form of random emails sent out on the off chance that a user might click on an attachment or visit a site that is infected with the malware. Make sure you are secure and that your staff have received training to make them aware of and alert to the threat.
For more details on how to deal with ransomware and be proactive about the risk, don't hesitate to get in touch with us at ICT4C for both technical solutions and staff training.