What is Ransomware?
Ransomware is malicious software (malware) installed on your device or system, including smartphones and tablets, that encrypts the hard drive or specific files then demands a ransom be paid before the device or information is decrypted. Importantly, hackers may access your data during the course of an attack.
Ransomware is typically spread via phishing where an attachment or link in an email or text message contains malware that is installed when opened. Ransomware on one device may spread to other devices through network vulnerabilities.
Variations of ransomware exist to attack most operating systems, including Windows, Android and iOS (Apple). Publicized instances of ransomware have occurred at hospitals and media organizations, as well as thousands of personal devices. There are several types of ransomware that you can learn more about online.
Alberta’s privacy laws require reasonable steps be taken to protect against risks to personal or health information. The OIPC recommends public bodies, health custodians and private sector organizations consider the following:
- Educate about phishing attacks. In particular, only download email attachments or click on links from trusted sources.
- Back up information and system files regularly, and test backups to ensure they are working as expected.
- Install internet security software and maintain updates.
- Configure internet security software to receive automatic malware notices and perform real-time malware scans, in addition to regularly scheduled malware scans.
- Install security patches for operating systems as soon as they become available.
- Bookmark trusted websites and access those websites via bookmarks.
- Avoid using administrator accounts for general use on your device. Administrator accounts that are exploited by malware may cause more damage.
- Ensure a breach response plan is in place and educate users about what to do if attacked.
When a Breach Occurs
Despite policies and guidance, breaches still occur. If an incident occurs, the OIPC has guidance available called “Key Steps in Responding to Privacy Breaches”.
Certain incidents under the Personal Information Protection Act and Health Information Act must be reported to the OIPC, or may voluntarily be reported under the Freedom of Information and Protection of Privacy Act.
The OIPC has guidance on its “How to Report a Privacy Breach” webpage at www.oipc.ab.ca for reporting breaches to the Information and Privacy Commissioner.
The OIPC may be able to provide general advice or guidance for responding to the privacy breach and ensuring steps are taken to comply with obligations under privacy legislation.
- Employees affected by a breach may need to take additional steps, such as:
Changing credentials for various employee or personal accounts, if applicable
- Monitoring personal accounts (online, financial, health, etc.)
- Contacting or reporting the breach to the Canadian Anti-Fraud Centre
This document is not intended as, nor is it a substitute for, legal advice, and is not binding on the Information and Privacy Commissioner of Alberta. Responsibility for compliance with the law (and any applicable professional or trade standards or requirements) remains with each organization, custodian or public body. All examples used are provided as illustrations. The official versions of the Freedom of Information and Protection of Privacy Act, Health Information Act and Personal Information Protection Act and their associated regulations should be consulted for the exact wording and for all purposes of interpreting and applying the legislation. The Acts are available on the website of the Alberta Queen’s Printer at www.qp.alberta.ca.