September 25, 2022

Volume XII, Number 268


UK ICO and NCSC Issue Caution About Making Ransomware Payments

In a recent letter to the UK Law Society, the UK Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) have provided lawyers with advice about ransomware payments. The two agencies cautioned lawyers that such payments would not help “protect” the data, mitigate the risk to individuals, or result in a lower ICO penalty in the event of a regulatory investigation. Instead, they stated in a release that accompanied the letter, lawyers “should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.”

The agencies reminded lawyers that paying ransoms may instead incentivize threat actors, could implicate sanctions regimes, and will not guarantee the decryption of data. This caution about sanctions echoes similar guidance from the US Department of the Treasury from late last year. The concerns about ransoms generally echo advice from the New York State Department of Financial Services.

In this letter, the agencies reminded entities what steps could help mitigate risk. These include taking steps to fully understand what has occurred, “learn[ing] from it,” and showing that the entity has followed NCSC guidance. Additionally, mitigation includes working with the NCSC “where appropriate.” The agencies point to the ICO’s ransomware guide, which recommends treating exfiltrated personally identifiable information as “breached” even if a ransom has been paid to avoid its publication.

Putting It Into Practice: Navigating a ransomware incident can be thorny. This letter is a reminder that paying the ransom will not solve everything. When faced with a ransomware demand, take into account these cautions as well as those from other agencies regarding sanctions and prohibitions on ransom payments to criminal organizations. Companies will also still need to assess whether there has been a breach of personal information and address any resulting notification obligations.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 192

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077