In recent years thousands of organisations have fallen victim to ransomware attacks. This malicious software disables access to users’ data and demands payment of a ransom for its restoration. Cyberattacks like these are usually thought of in the context of cybercrime, but because the data affected by ransomware is often personal data, such attacks also raise pertinent questions that need to be examined in light of data privacy laws. Considering that security has always been central to the protection of personal data, this chapter proposes an analysis of ransomware attacks through the lens of the well-established information security model, i.e. the CIA (confidentiality, integrity, and availability) triad. Using these three basic security principles, we examine whether ransomware will be considered a data breach under data privacy laws and what the legal implications of such breaches are. In order to illustrate these points, we will focus on ransomware attacks that target organisations that process personal data and highlight three jurisdictions as examples, namely the European Union (EU), Canada and Israel.