An expert has warned that the General Data Protection Regulation (GDPR) may cause businesses to pay ransom demands from criminals as they could be a cheaper option when compared with GDPR fines. George Kurtz, chief executive of cybersecurity company CrowdStrike, said that “the price of admission of ransomware just went up” after the introduction of GDPR. He claimed that the high fines introduced with GDPR could make businesses consider paying the cyber ransoms. The new fines for businesses that suffer data breaches, which came into play last month, are 4% of their global annual turnover or up to €20m (£17.5m), whichever is higher. However, the Government advises businesses not to pay ransomware demands. If [you have] a 4% fine on your overall top line revenue, or you have a ransomware that you can pay off and maybe quietly make it go away, I think there’s going to be an interesting dynamic in the amount that the market values paying off enterprise ransomware,” Mr Kurtz said. However, data protection lawyer Renzo Marchini, from law firm Fieldfisher, pointed out that companies in the UK have a duty to report any ransomware incidents to the Information Commissioner’s Office (ICO). “I think it’d be misplaced to pay the ransom in order to avoid the fine as the ICO should find out anyway, if you’re a law-abiding company,” he said.
