Moved by
Lord Kennedy of Southwark
78A: After Clause 18, insert the following new Clause—
“Duty to notify of data protection breaches due to ransomware attacks
(1) In addition to notifying the Commissioner of a personal data breach under Article 33 of the GDPR, a data controller must also notify the relevant police force if the data breach was the result of a ransomware attack.
(2) In this section,
“ransomware attack” means an attack of a form of malware which holds the information on a user's computer hostage until a ransom fee is paid; and
“police force” has the same meaning as in section 3 of the Prosecution of Offences Act 1985.”