In a recent letter to the UK law society, the UK Information Commissioner’s Office and the National Cyber Security Centre have provided lawyers with advice about ransomware payments. The two agencies cautioned lawyers that such payments would not help “protect” the data, mitigate the risk to individuals, or result in a lower ICO penalty in the event of a regulatory investigation. Instead, they stated in a release that accompanied the letter, lawyers “should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.”
The agencies reminded lawyers that paying ransoms may instead incentivize threat actors, could impact sanction regimes, and further will not guarantee the decryption of data. This caution about sanctions echoes similar guidance from the US Department of Treasury from late last year. The concerns about ransoms generally echoes advice from the New York State Department of Financial Services.
In this letter, the agencies reminded entities what steps could help mitigate risk. These include taking steps to fully understand what has occurred, “learn[ing] from it,” and showing that the entity has followed NCSC guidance. Additionally, mitigation includes working with the NCSC “where appropriate.” The agencies point to the ICO’s ransomware guide, which recommends treating exfiltrated personally identifiable information as “breached” even if a ransom has been paid to avoid its publication.
Putting It Into Practice: Navigating a ransomware incident can be thorny. This letter is a reminder that paying the ransom will not solve all. When faced with a ransomware demand, take into account these cautions as well as those from other agencies regarding sanctions/prohibitions on ransom payments to criminal organizations. Companies will also still need to make assessments of whether there has been a breach of personal information and address potential resulting notification obligations.