Our next guest on A Little Privacy, Please! is Louise Mehl, a partner with Implement Consulting Group in Copenhagen, Denmark. A self-proclaimed privacy nerd at heart, Louise helps companies develop ambitious data protection and cyber and information security programs.
Ransomware attacks are an all-too-common scenario for companies in the U.S. Are ransomware attacks as prevalent in the EU?
Absolutely. Ransomware attacks are a concern in the EU.
Just last month in Denmark, in Northern Jutland, a targeted attack on five schools compromised sensitive personal data. The compromised data included evaluations of children’s mental health (e.g., learning disabilities), employee information, and communications between teachers, parents, and kids. The attacks were discovered a month before disclosure to the public. The schools were embarrassed about the attacks and delayed their response, potentially making the damage even bigger.
When we have a client that’s hit with a ransomware attack, the starting point for us is assembling a team comprised of legal counsel, key decision-makers within the company (i.e., IT, chief technology officer), and forensic investigation teams. And if the company is lucky enough to have a cyber insurance policy, we will also involve the insurer in the process. How is a ransomware attack addressed in the EU?
It’s rare to have cyber insurance in the EU because it tends to be very expensive, and you won’t find many insurance companies willing to insure cyberattacks.
When facing a ransomware attack involving personal data, a common initial step is to notify the data protection authorities and, of course, law enforcement, so as to act in accordance with both the GDPR and other regulations.
What are the timelines for breach notification in the EU? I believe they’re much stricter in the EU?
They absolutely are. If it involves personal data, we have the General Data Protection Regulation’s (GDPR’s) seventy-two (72) hour notification. We also have the coming Directive on Security of Network and Information Systems (NIS) 2 cybersecurity framework, which mandates twenty-four (24) hours for notification, so we are looking into very strict notification timelines.
On the contrary, if you don’t have the critical infrastructure, if it does not involve personal data, then the outcome is somewhat how you described—you would call local law enforcement, you would get into investigations. Of course, the pressure is always on if you are losing confidential and important data.
It seems there’s a fundamental difference between the U.S., where the emphasis is on getting more information before the notification, and the EU, where the notification comes first, and the information is investigated second.
It depends; if it's an attack of a certain size and amount of data, you make that assessment before notifying the authorities. But you should be able to make that within the first 72 hours.
Switching gears just a little. I know you’re very passionate about fighting for the privacy of children. Can you talk about some of the causes you’ve supported?
It is a cause very close to my heart. I have three children of my own.
I conduct free workshops with parents, schools, and various volunteer organizations to educate them about social media safety. I want to raise awareness about the challenges children face online, the potential risk of interacting with online predators, and the impact of sharing personal information, including photos and videos. I see that adults, parents in general, often give up on digital and social media because they don’t understand it, don’t want to interfere, or are just not present on the same platforms as the children. I try to empower adults with knowledge and strategies to protect children.