On July 8, 2022, the UK Information Commissioner’s Office (UK ICO), together with the UK National Cyber Security Centre (NCSC), published a joint letter asking the Law Society of England & Wales to remind its members that they should not advise clients to pay ransomware demands should they fall victim to a cyber-attack. The Law Society of England & Wales is the professional body for all solicitors in England & Wales.
The letter clarifies that the UK ICO does not consider that payment of a ransomware demand protects the affected personal data, and that the UK ICO will not take into account such payments as a mitigating factor when considering the type or scale of enforcement action, such as the imposition of monetary penalties.
On the other hand, the UK ICO will recognize mitigation of risk where organizations have taken steps to fully understand what has happened and to learn from it, and, where appropriate, have:
- raised the incident with the UK NCSC;
- reported it to Action Fraud (the UK’s national reporting center for fraud and cybercrime); and
- evidenced that they have taken advice from, or can demonstrate compliance with, appropriate UK NCSC guidance and support.
The letter also highlights that the UK ICO has recently published updated regulatory guidance on ransomware. That guidance underscores that the UK ICO does not consider the payment of a ransom as an “appropriate measure” to restore personal data, but instead encourages measures such as threat assessments, risk assessments and controls such as offline and segregated backups.
Ultimately, the UK ICO’s regulatory guidance acknowledges that organizations in scope of the UK GDPR do in some cases pay ransomware demands, and the joint letter notes that “payments are not usually unlawful” at the time of writing. However, the UK ICO warns that organizations which do make payments in response to ransomware demands still need to consider how to mitigate the risk that the attackers may nonetheless publish the personal data, share it offline with other attack groups, or further exploit it for their own gain.
The joint letter can be found here, and the UK ICO’s statement on it can be found here.