Publication date: 07/04/2020
The outbreak of the COVID-19 pandemic changed our lives drastically as it impacts our health system, our economy and our daily interactions. But in addition to these persistent threats, the virus created an environment in which cybercriminals thrive.
While some leading cybercrime groups – such as the DoppelPaymer and the Maze cybercrime groups – seem to have promised not to attack health and medical organisations during the COVID-19 crisis, many cybercriminals have been quick to benefit from the current crisis.
According to Europol’s report “Pandemic profiteering: how criminals exploit the COVID-19 crisis”, the number of cyberattacks against organisations and individuals is significant and is expected to increase.
Cybercriminals swiftly took advantage of the increasing amount of time that people spend online and the increasing number of employees that telework due to extensive quarantine measures imposed by EU Member States to prevent the spread of the COVID-19 virus. They have used this crisis to carry out social engineering attacks, namely phishing emails through spam campaigns and more targeted attempts such as business email compromise (BEC).
Meanwhile, more and more hospitals, research hubs and medical centres are being targeted by several cyberattacks. Yet, the vast majority of these attacks are (a) ransomware attacks: these imply encrypting all files on an organisation’s system and demanding a large ransom fee to restore and unlock the files or (b) DDoS attacks: they make an organisation’s system unavailable by overwhelming it with traffic from multiple sources.
Recent examples are the ransomware attack on the system of the University Hospital of Brno in Czech Republic – a major COVID-19 testing hub, the DDoS attack on the US Health and Human Services Department’s system and the failed DDoS attack on a group of hospitals in Paris.
Prepare for a cyberattack
Considering that the number of cyberattacks are expected to increase further, it is needless to say that organisations must be well-prepared for them.
Make therefore sure that your organisation is ready to act swiftly and correctly once a cyberattack occurs. Your organisation must at least implement:
- An internal escalation procedure, consisting of appropriate detection, notification and escalation obligations;
- An incident response plan, including a tested business continuity plan and;
- A disaster recovery plan.
Notification of a cyberattack
Next to that, if a cyberattack occurs, you must simultaneously comply with numerous legal and contractual incident reporting obligations and you must notify the same incident to several authorities and/or third parties.
1. Notification obligation under the NIS Directive
A breach of security may trigger the application of the incident notification obligations introduced by the NIS Directive and the implementing legislation thereof in the EU Member States, in particular the ones that are relevant for your organisation’s business.
The aim hereof is to boost the overall level of cybersecurity in the EU. Hence, certain service providers must notify, the competent authority or the Computer Security Incident Response Team (CSIRT) without undue delay of a security incident.
This is in particular the case for:
- operators of essential services (OES), being organisations in vital sectors in the EU economy and society, such as the healthcare sector. They must notify of any incident having a significant impact on the continuity of the essential services they provide.
- digital service providers (DSP), being online marketplaces, online search engines and cloud computing service providers. They must notify of incidents having a substantial impact on the provision of the services they offer within the EU.Notification obligation under the GDPR
2. Notification obligation under the GDPR
Whenever security breach has led to a personal data breach, the notification obligations of the GDPR may apply. A personal data breach is defined as the accidental or unlawful destruction, loss or alteration, unauthorised disclosure of, or access to, personal data processed.
To the extent that you are a controller, you must notify:
- The competent supervisory authority without undue delay and within 72 hours after having become aware of the personal data breach, unless the breach is unlikely to put the rights and freedoms of natural persons at risk. Whenever a breach affects individuals’ data in more than one Member State and notification is due, the controller will however need to notify the lead supervisory authority.
- Data subjects without undue delay, unless one of the exceptions listed in Article 34.3 GDPR applies if the personal data breach is likely to result in a high risk to the rights and freedoms of individuals.
To the extent that you are a processor, you must notify your controller without undue delay.
Our team has created a cybersecurity series:
- Help! I’ve been hacked.
- Your service provider goes down. What now?
- Who do I need to notify, what are my legal obligations?
Do you need immediate assistance? Call our cybersecurity hotline.