Legal Professionals Warned Not To Pay Cyber Ransoms


On 11th July 2022, the Law Society sent a response to a joint letter it had received from the National Cyber Security Centre and the Information Commissioner’s Office. 

How Damaging Is Cyber-Crime?

In their letter dated 7th July 2022, the two agencies referred to the Economic and Social Costs of Crime Report, which estimated that just over £1 billion worth of damage was inflicted by cyber-crime-related incidents in 2016.

What Did The National Cyber Security Centre and the Information Commissioner’s Office Say?

The Information Commissioner’s Office and the National Cyber Security Centre sent a letter dated 7th July 2022 in which they communicated numerous concerns regarding the part legal professionals have been playing in meeting the demands of what were termed ‘cyber blackmailers’. The letter highlighted the increasing trend of legal professionals and their clients falling foul of sophisticated ransomware attacks. Many have found themselves facing the unwanted dilemma of deciding whether to meet the demands of those seeking ransom payments.

In their letter, the National Cyber Security Centre and the Information Commissioner’s Office sought to debunk a myth surrounding this area of law. A belief had been circulating in the legal profession that making a ransom payment would correlate with a less severe penalty at the hands of the Information Commissioner’s Office in the event of an investigation, and/or that the data which had been stolen would be safeguarded.

However, the two agencies made it clear in no uncertain terms that this was not the case and that the opposite is true. The National Cyber Security Centre and the Information Commissioner’s Office said law enforcement does not urge, approve or overlook the paying of ransom demands.

Why Did The Information Commissioner and The National Cyber Security Centre Hold This View?

In the letter dated 7th July 2022, the two agencies made clear that they hold this position because they believe the satisfaction of ransom demands encourages unscrupulous perpetrators to inflict additional damaging conduct on the legal profession and the public, and does not guarantee the retrieval of the ill-gotten data or the interpretation of data from systems.

Mitigation Action?

The two agencies clarified the position under data protection law and confirmed that businesses are under strict legal obligations to assess and take steps, from an organisational and technical perspective, to maintain the security of information. If a breach of data security does take place, data protection law places obligations upon parties to reinstate the relevant information. The agencies jointly advised that the Information Commissioner does not see the payment of monies to criminals who have acted illegally by seeking to compromise a system as mitigating the risk to individual persons. They also made it clear that such a payment will not limit any sanctions which may have been incurred via Information Commissioner enforcement action.

What Will The Information Commissioner Classify As Mitigation?

In their joint letter, the National Cyber Security Centre and the Information Commissioner’s Office both emphasised that parties will be given some credit where the evidence suggests that affected businesses have completely comprehended what has taken place, have taken the lessons on board, have informed agencies such as the National Cyber Security Centre, Action Fraud and the Information Commissioner’s Office of any incidents, and can provide documentary proof that they have approached the National Cyber Security Centre for advice and guidance.

How Did The Law Society Respond to The Letter?

The Law Society responded by advising legal professionals and their clients not to indulge in the paying of ransoms.


THE ARTICLE WAS WRITTEN USING THE FOLLOWING SOURCES

[SOURCE 1] Cross, Michael – Don’t encourage cyber blackmail, solicitors told – Law Society Gazette – 11 July 2022

[SOURCE 2] Information Commissioner’s Office and National Cyber Security Centre – Joint ICO and NCSC letter to The Law Society and The Bar Council – 7 July 2022

[SOURCE 3] Information Commissioner’s Office – Ransomware and data protection compliance

[SOURCE 4] The National Cyber Security Centre – A guide to ransomware


 
