Ransomware attacks are on the rise, and more organisations have been paying the ransoms in recent months. In light of this, the Information Commissioner's Office ('ICO') and National Cyber Security Centre ('NCSC') have published a joint letter they sent to the Law Society regarding ransomware payments. The letter discusses the issues with paying a ransom and asks the Law Society for assistance in "sharing key messages" with the legal profession to assist them "in better advising their clients who may have suffered a cybersecurity incident". Interestingly, in its associated press release, the ICO goes further, stating that the letter asks the Law Society to "remind its members that they should not advise clients to pay ransomware demands should they fall victim to a cyber-attack", although our reading of the letter does not support this view. So what does the letter actually say? And what are the key messages for organisations facing an increased ransomware risk?
The problem with paying a ransom
The letter reiterates that law enforcement and regulators do not encourage or endorse the payment of ransoms. Their concern is that payment incentivises further criminal behaviour and guarantees neither the decryption of your systems nor the return (or deletion) of any stolen data. It has been suggested to the ICO and NCSC that "a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO" and, following the recent rise in organisations paying out to ransomware criminals, they want to make clear that this is not the case.
Key messages for lawyers and their clients
The letter also contains some key messages for lawyers and their clients to consider (presumably when setting ransomware policies and/or facing a ransomware demand). In particular, it states that:
- While it is not usually unlawful to pay a ransom (subject to certain exceptions), recent changes to the sanctions regime, particularly those relating to Russia, may change that position. This is a live issue we are seeing clients currently face, and adds complexity to an already difficult and stressful situation.
- Paying a ransom will not protect the data or result in a lower penalty from the ICO. The ICO confirms in the letter that it does not regard the payment of a ransom as mitigating the risk to the individuals whose data is affected. Rather, it expects organisations to take appropriate technical and organisational measures to keep personal information secure (as required by the GDPR). Ways in which organisations can mitigate that risk include taking steps to understand what has happened and learning from it. Also, where appropriate, organisations should raise the incident with the NCSC, report it to law enforcement via Action Fraud, and record evidence showing that they have taken advice from (or can demonstrate compliance with) NCSC guidance and support.
- The ICO and NCSC have different roles. In the event of a ransomware attack, there may be a requirement to notify the ICO of the incident in its regulatory capacity. The NCSC is the UK's technical authority on cyber security. Its role is therefore to provide support and incident response to mitigate harm, as well as to learn broader cyber security lessons from the incidents that occur. Interestingly, the letter stresses that neither the NCSC nor law enforcement shares information on individual incidents with regulators. They may, however, share information on strategic trends to help combat new threats.
- Both the ICO and NCSC have published specific ransomware guidance for organisations to follow. The ICO published its ransomware guidance this summer (see our blog) and the NCSC has a range of advice available on its ransomware portal.
While it is interesting that the language in the press release (and the ICO's Twitter feed) differs slightly from that in the letter, the letter itself does not expressly state that lawyers should not advise their clients to pay ransoms. In fact, the letter largely confirms what we already knew. Law enforcement agencies and regulators (including the ICO) have publicly stated before that they do not endorse or condone the payment of ransoms, but recognise that in many cases it will not be unlawful. The sanctions which followed the events in Ukraine have complicated this in some cases but, generally speaking, the letter serves as a useful reminder of the many issues organisations will need to consider if they ever face a ransomware attack.