ICO tells lawyers: don't advise clients to make ransom payments

| Author: Secretariat | Filed under: General News

To pay, or not to pay, that is the question:

Whether ‘tis nobler in the mind to suffer

The slings and arrows of outrageous data loss

Or to take arms against a sea of troubles

And, by paying in bitcoin, end them?

Last Thursday, the Information Commissioner’s Office and the National Cyber Security Centre wrote to the Law Society urging solicitors in England and Wales to advise their clients who fall victim to cyber attacks not to pay ransoms.

That stance is worth unpicking, for a couple of reasons.

First, we know that most lawyers tend to be non-conformist, rule-breaking rebels who like nothing better than thumbing their nose at The Man. Telling them how to advise their clients is going to stick in the craw. In all seriousness, provided that the solicitor isn’t counselling the client to act illegally or unethically (paying ransoms doesn’t in most cases fall into the first category, and arguably neither does the second), it's a reasonable question to ask who is best placed to determine how to act in the best interests of the client.

Second, as anyone who’s lived through even one serious data breach can attest, things are rarely as simple as to pay or not to pay. It’s all contextual — and most of us will have seen both approaches 'work'. But I’m not convinced that judging or penalising companies for taking what they think is the least worst approach in the circumstances, particularly if that approach involves paying a ransom, will always be the best way forward.

Of course, in an ideal world nobody would pay criminals and the ransomware industry would wither and die. Continuing to cough up means the attacks will continue – the next time, perhaps against a business that doesn’t want, or can’t afford, to pay the ransom. And there’s no guarantee that payment leads to the return of data.

That is all true. But if a company takes the position that decrypting its customer database is a price worth paying in order to save the business, is it really the solicitor’s duty to advise them not to do that?

The ICO’s letter makes clear that a ransom payment (1) does not mitigate the risk of harm to individuals, and (2) will not reduce any penalties incurred through ICO enforcement action. That may not be news to many organisations, for whom regulatory enforcement is one of numerous factors to be considered when deciding whether to pay a ransom.

But doing so also doesn't appear to be an aggravating factor for the ICO, so it'll be interesting times ahead for companies and their advisors when assessing the merits of ransom payments. The ICO's view is clear.

For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.

https://ico.org.uk/media/about-the-ico/documents/4020874/ico

Source: Ropes & Gray Insights
