ARTICLE
12 July 2022

UK ICO And NCSC Issue Caution About Making Ransomware Payments

Sheppard, Mullin, Richter & Hampton LLP

In a recent letter to the UK Law Society, the UK Information Commissioner's Office (ICO) and the National Cyber Security Centre (NCSC) provided lawyers with advice about ransomware payments. The two agencies cautioned lawyers that such payments would not help "protect" the data, mitigate the risk to individuals, or result in a lower ICO penalty in the event of a regulatory investigation. Instead, they stated in a release that accompanied the letter, lawyers "should not advise clients to pay ransomware demands should they fall victim to a cyber-attack."

The agencies reminded lawyers that paying ransoms may instead incentivize threat actors, could implicate sanctions regimes, and will not guarantee the decryption of data. This caution about sanctions echoes similar guidance from the US Department of the Treasury from late last year. The concerns about ransoms generally echo advice from the New York State Department of Financial Services.

In the letter, the agencies also reminded entities of the steps that could help mitigate risk. These include taking steps to fully understand what has occurred, "learn[ing] from it," and showing that the entity has followed NCSC guidance. Mitigation also includes working with the NCSC "where appropriate." The agencies point to the ICO's ransomware guide, which recommends treating exfiltrated personally identifiable information as "breached" even if a ransom has been paid to prevent its publication.

Putting It Into Practice: Navigating a ransomware incident can be thorny. This letter is a reminder that paying the ransom will not solve everything. When faced with a ransomware demand, take into account these cautions as well as those from other agencies regarding sanctions and prohibitions on ransom payments to criminal organizations. Companies will also still need to assess whether there has been a breach of personal information and address any resulting notification obligations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
