The Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) are calling for organisations to refuse to pay ransomware demands, submitting a joint letter to the Law Society and The Bar Council on 7 July 2022.
The letter highlights a steady increase in the number of ransomware attacks on organisations, which have more than doubled since 2020 (1), and in the number of targeted organisations that agree to pay the demanded ransom. Conscious that law firms are often engaged to assist organisations in their response to an attack, it seeks to clarify the ICO’s position on the payment of ransoms and to enable lawyers to play their part in tackling the increase.
Who are the ICO and NCSC?
The ICO is the UK’s data protection regulator and the NCSC is an organisation providing technical guidance on and assistance with cyber security. Both organisations have joined forces to promote resilience against cybercrime and the importance of keeping personal data secure.
What is ransomware?
Ransomware is a type of malicious software, also known as malware, designed to block access to a computer system and the data held within it. It is used by cyber criminals to target organisations and significantly disrupt their systems and operations, potentially preventing them from operating at all. A ransom payment is then demanded in exchange for restoring access to the affected systems or files.
During a ransomware attack, organisations may not be able to access certain systems or they may discover that information held on their systems has been encrypted. The attackers will threaten to permanently remove the organisation’s data or sometimes to publish personal data and other confidential information if the ransom is not paid.
A ransomware attack will generally constitute a personal data breach which, if it is likely to result in a risk to the rights and freedoms of individuals, must be reported to the ICO. This could be a privacy risk, such as disclosure of employee or customer personal data, or a wider impact on individuals, such as an inability to pay workers if access to payroll data is affected and no manual backup is available. A personal data breach is defined by the UK GDPR as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Even where an organisation is unsure of the extent to which personal data might have been altered or removed by the attackers, the fact that it is unable to access the data unless or until it can retrieve it from any available backup means that the attack is a personal data breach.
Why are organisations paying ransoms?
According to the ICO and NCSC, organisations are agreeing to pay the ransom in the hope of restoring their systems to full working order as soon as possible and because they believe that the ICO will look favourably upon the payment as a mitigating step toward the protection of confidential information and personal data and decide against taking any enforcement action against the organisation.
Why should organisations refuse to pay ransoms?
The ICO’s principal concern appears to be that the payment of ransoms acts as an incentive to cyber attackers, encouraging further attacks by rewarding criminal practice. It cites an overall figure of £1.1bn as the cost of computer misuse incidents against individuals in England and Wales in the 2015/16 financial year alone, a figure that does not include the cost suffered by businesses (2). There is also a possibility that the attacker might be operating from a country subject to sanctions regimes, such as Russia, which could make the payment itself unlawful.
Ultimately, there is simply no guarantee that the attacker would restore access to systems and data on receipt of the payment, nor that it would not misuse any data it has accessed and removed or copied from those systems.
The ICO is keen to dispel the belief that it will look favourably upon organisations that pay the ransom. The Information Commissioner, John Edwards, confirms in the joint letter that his team will look at whether or not an organisation has complied with its obligation to “take appropriate technical and organisational measures to keep personal information secure and to restore information in the event of an information security incident… For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.”
What initial steps should be taken in the event of a ransomware attack?
Organisations should immediately implement their disaster recovery plan on becoming aware of a ransomware attack, for the purposes of maintaining business continuity and investigating the personal data breach. They are encouraged to investigate the matter as far as possible to understand the extent to which data has been compromised and the weak point through which the attacker successfully infiltrated their systems. Some business insurance providers offer cyber cover with useful outreach resources to assist with this. Reportable personal data breaches must be notified to the ICO within 72 hours of the organisation becoming aware of the breach.
If, upon investigation, the breach is decided not to be reportable (for example, because the organisation has adequate backups of the data to prevent permanent loss and can be confident that no data has left its systems), it is still imperative to log the breach and any risk assessment undertaken in relation to the decision not to report it. Without such records the organisation has no evidence to support its decision.
The ICO recommends that ransomware attacks are reported to the appropriate law enforcement body regardless of whether or not they have resulted in a reportable breach: a crime has still taken place. The report may be made online via Action Fraud. Organisations may also report cyber security breaches to the NCSC for its information or for technical assistance in managing the breach.
In its recently updated Guidance on Ransomware and Data Protection Compliance, the ICO sets out further detail about the steps referred to above and includes links to the NCSC technical guidance for organisations of various sizes relating to disaster recovery plans and general information security advice.
For more information on the issues raised in this article, please contact Kate Edwards.
(1) NCSC Weekly Threat Report, 1 April 2022 (https://www.ncsc.gov.uk/report/weekly-threat-report-1st-april-2022#:~:text=Ransomware%20attacks%20in%20the%20UK,2020%20to%20654%20in%202021)
(2) ICO and NCSC’s joint letter on ransomware (https://ico.org.uk/media/about-the-ico/documents/4020874/ico-ncsc-joint-letter-ransomware-202207.pdf)
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at August 2022.