Lawyers told to stop advising clients to pay cyber ransoms

Written by Sam Trendall on 11 July 2022 in News

Regulator and cyber intelligence agency write joint letter seeking engagement with trade body for solicitors


Regulatory and intelligence agencies have teamed up to implore the legal profession not to advise clients to pay the ransoms demanded by cybercriminals.

A joint letter to the Law Society – undersigned by information commissioner John Edwards and Lindy Cameron, chief executive of the National Cyber Security Centre – told the professional body for solicitors that “in recent months, we have seen an increase in the number of ransomware attacks and ransom amounts being paid”.

“We are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay,” the letter added. “It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.”

Edwards and Cameron noted that, while complying with ransom demands is “not usually unlawful, payers should be mindful of how relevant sanctions regimes, particularly those related to Russia… may change that”.

The letter said: “More importantly, payment incentivises further harmful behaviour by malicious actors and does not guarantee decryption of networks or return of stolen data.”


It added: “For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.”

The two leaders told the Law Society that their organisations are “keen to engage” with the legal profession to ensure solicitors understand the standards and practices their clients should follow in the event of a data breach or cyberattack.

“If it would be helpful to meet to discuss how we might collaborate further on this we would be pleased to do so,” the letter said.

A report recently published by law firm RPC concluded that the number of ransomware attacks reported to the ICO doubled last year, rising from 326 in 2020 to 654 in 2021.

As part of an eight-point compliance checklist for organisations, the data protection watchdog’s website says that it has “seen a steady increase in the number and severity caused by ransomware” in the past couple of years.

The NCSC – a GCHQ-based agency which helps set government’s cyber policy and guidance, and assists businesses and public bodies in responding to the gravest attacks – also has dedicated advice and support materials aimed at helping organisations understand the threat posed by ransomware, and what they should do in the event of a successful attack.

The letter from the two organisational leaders claimed that the annual cost to the UK of cybercrime is “billions” of pounds.

 

About the author

Sam Trendall is editor of PublicTechnology. He can be reached on sam.trendall@dodsgroup.com.
