According to the fifth Internet Organised Crime Threat Assessment (IOCTA), presented at the INTERPOL-Europol cybercrime conference in Singapore on Tuesday 18 September 2018, companies are being tempted to dodge potential GDPR fines by entering into negotiations with cyber criminals.
Europol, the EU police agency, has issued a stark warning that EU data protection law could lead to a drastic increase in the incidence and frequency of cyber-extortion, and in the sums changing hands in such extortions. With GDPR and the exorbitant fines it provides for, the amount of money a cyber-criminal can demand has suddenly ballooned, because the alternative, disclosure, has become much more expensive. From a purely financial perspective, therefore, it could be in a victim company’s interest to pay the cyber-criminals rather than pay fines to the supervisory authorities and compensation to the data subjects whose rights have been violated, provided it can be certain that the criminals will abide by the terms of the negotiation. That is, of course, not always the case, but the shift has certainly made cybercrime and extortion far more lucrative as a ‘profession’.
Europol’s research, in fact, highlights that companies which have suffered a cyber-attack may be inclined to pay a cybercriminal a ransom for non-disclosure that is smaller than the fine their competent data protection supervisory authority could impose.
The European Commission, which has had to deal with a significant amount of scorn, complaints and all sorts of other flak over GDPR, was seemingly vexed by this analysis. The Commission subsequently issued a dry reply pointing out that the GDPR includes a clear obligation for companies to notify data breaches (under Article 33, to the supervisory authority within 72 hours of becoming aware of the breach), so that paying for silence does not remove the duty to report and is itself a sanctionable failure.
This finding is worrying because it lends weight to the view that GDPR creates perverse incentives, and it adds to an already lengthy list of unintended policy consequences stemming from the regulation.