Legal Professionals Warned Not To Pay Cyber Ransoms

| General

On 11th July 2022, the Law Society sent a response to a joint letter it had received from the National Cyber Security Centre and the Information Commissioner’s Office. 

How Damaging Is Cyber-Crime?

In its letter dated 7th July 2022 the two agencies referred to the Economic and Social Costs of Crime Report which approximated that just over £ 1 billion worth of damage was inflicted by cyber-crime-related incidents in 2016.

What Did The National Cyber Security Centre and the Information Commissioner’s Office Say?

The Information Commissioners Office and the National Cyber Security Centre sent a letter dated 7th July 2022 in which it communicated numerous concerns regarding the part legal professionals have been playing in meeting the demands of what was termed ‘cyber blackmailers’. The letter highlighted the increasing trend of legal professionals and their clients falling foul of sophisticated ransomware attacks. Many have found themselves with the unwanted dilemma of deciding whether to meet the demands of those demanding ransom payments. 

Interestingly in their letter, The National Cyber Security Centre and the Information Commissioners Office sought to debunk the myth surrounding this area of law. There was a belief circulating in the legal profession along the lines that if a ransom payment was made it would correlate with a less severe penalty at the hands of the Information Commissioner’s Office in the event of an investigation and/or the data which has been stolen will be safeguarded. 

However, the two agencies made it clear in no uncertain terms that this was not the case and the opposite is true. The National Cyber Security Centre and the Information Commissioners Office said Law Enforcement does not urge, approve or overlook the paying of ransom demands.

Why Did The Information Commissioner and The National Cyber Security Centre Hold This View?

In the letter dated 7th July 2022 the two agencies made clear they are holding this position because they believe the satisfaction of said ransom demands seemingly encourages additional conduct of a damaging nature to be inflicted by the legal profession and the public by unscrupulous perpetrators and does not guarantee the retrieval of said ill-gotten data or the interpretation of data from systems.

Mitigation Action?

The two respective agencies clarified the position under Data Protection Law and confirmed that businesses are under strict legal obligations to assess and take steps from an organisation and technical perspective to maintain the security of information and if a breach of data security does take place, data protection law places obligations upon parties to reinstate the relevant information. The agencies jointly clarified their position under this area and advised that the Information Commissioner does not see the payment of monies to those of a criminal persuasion who have acted illegally by seeking to compromise a system as mitigating the risk to individual persons. They also made it clear that this will not limit any sanctions which may have been incurred via Information Commissioner enforcement action. 

What Will The Information Commissioner Classify As Mitigation?

In their joint letter the National Cyber Security Centre and the Information Commissioners Office both emphasised that parties will be given some credit where evidence suggests that affected businesses have completely comprehended what has taken place, taken the lessons on board, have informed agencies such as the National Cyber Security Centre, Action Fraud and the Information Commissioners Office of any incidents and can provide documentary proof that they have approached the National Cyber Security Centre for advice and guidance.

How Did The Law Society Respond to The Letter?

The Law Society responded by advising legal professionals and their clients not to indulge in the paying of ransoms.

ASSESSING FIRMS

#AddleshawGoddard #BakerMcKenzie #DLAPiper #HoganLovellsInternational #PinsentMasonsLLP #RPC #TraverSmithLLP #Ashurst #Bird&Bird #BryanCaveLeightonPaisnerLLP #CharlesRussellSpeechlysLLP #CMS #Dentons #GowlingWLG #Slaughter&May

THE ARTICLE WAS WRITTEN USING THE FOLLOWING SOURCES 

[SOURCE 1] Cross, Michael – Don’t encourage cyber blackmail, solicitors told – Law Society Gazette - 11 July 2022 - Don’t encourage cyber blackmail, solicitors told | News | Law Gazette

[SOURCE 2] Information Commissioners Office and National Cyber Security Centre – 7 July 2022 - Joint ICO and NCSC letter to The Law Society and The Bar Council

[SOURCE 3] Information Commissioners Office – Ransomware and data protection compliance - Ransomware and data protection compliance | ICO

[SOURCE 4] The National Cyber Security Centre – A Guide to ransomware - A guide to ransomware - NCSC.GOV.UK


 

banner

Articles

  • Meeting Targets and Getting Paid

    Meeting Targets and Getting Paid

    General 12.06.2024

    Any ambiguity to the fulfilment of these clauses can lead to a contract dispute, where lawyers may get involved to resolve the issue through negotiation, mediation, or even legal action if necessary

  • Proactive Lawyers in Sports Law

    Proactive Lawyers in Sports Law

    General 20.05.2024

    Many football disputes are resolved behind closed doors. This is because there is often the need to be amicable so to no disrupt the team harmony and function. The demands of star players are often

Stay Tuned

Receive regular news, updates, upcoming events and more...