Lawyers told to stop advising clients to pay cyber ransoms

Written by Sam Trendall on 11 July 2022 in News

Regulator and cyber intelligence agency write joint letter seeking engagement with trade body for solicitors


Regulatory and intelligence agencies have teamed up to implore the legal profession not to advise clients to pay the ransoms demanded by cybercriminals.

A joint letter to the Law Society – undersigned by information commissioner John Edwards and Lindy Cameron, chief executive of the National Cyber Security Centre – told the professional body for solicitors that “in recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid”.

“We are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay,” the letter added. “It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.”

Edwards and Cameron noted that, while complying with ransom demands is “not usually unlawful, payers should be mindful of how relevant sanctions regimes, particularly those related to Russia… may change that”.

The letter said: “More importantly, payment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or return of stolen data.”

It added: “For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.”

The two leaders told the Law Society that their organisations are “keen to engage” with the legal profession to ensure solicitors understand the standards and practices their clients should follow in the event of a data breach or cyberattack.

“If it would be helpful to meet to discuss how we might collaborate further on this we would be pleased to do so,” the letter said.

A report recently published by law firm RPC concluded that the number of ransomware attacks reported to the ICO doubled last year, rising from 326 in 2020 to 654 in 2021.

As part of an eight-point compliance checklist for organisations, the data protection watchdog’s website says that it has “seen a steady increase in the number and severity caused by ransomware” in the past couple of years.

The NCSC – a GCHQ-based agency which helps set the government’s cyber policy and guidance, and assists businesses and public bodies in responding to the gravest attacks – also publishes dedicated advice and support materials aimed at helping organisations understand the threat posed by ransomware, and what they should do in the event of a successful attack.

The letter from the two organisational leaders claimed that the annual cost to the UK of cybercrime is “billions” of pounds.


About the author

Sam Trendall is editor of PublicTechnology. He can be reached on sam.trendall@dodsgroup.com.
