The Law Society has responded to a warning about the role of solicitors in paying off cyber blackmailers by saying that members should steer clear of any such action. 'We do not advise members to pay ransoms, nor suggest that is what they should advise their clients,' a Law Society spokesperson said.
Chancery Lane was responding to an unprecedented joint letter from the government’s National Cyber Security Centre (NCSC) and the Information Commissioner’s Office to legal professional bodies about so-called 'ransomware' attacks. These typically involve an outside party seizing control of an organisation's IT systems or data through hacking and encryption and demanding payment, usually in cryptocurrency.
Such attacks have been associated with foreign government agencies. The NCSC's chief executive, Lindy Cameron, described ransomware attacks as 'the biggest online threat to the UK and we do not encourage or condone paying ransom demands to criminal organisations'.
In their letter, the NCSC – set up by the security services – and the information commissioner's office state that they have seen evidence of a rise in ransomware payments, and that solicitors may have advised clients to pay, in the belief that it will keep data safe or lead to a lower penalty from the ICO. The letter asks the Law Society and Bar Council to remind members that this is not the case.
John Edwards, information commissioner, said: 'Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.
'I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.'
The Society said: 'We welcome the offer to meet to discuss future collaboration with both the ICO and NCSC and are keen to play our part in helping combat ransomware criminals.'
Organisations hit by cyber crimes should report an ongoing incident directly to Action Fraud, the Information Commissioner’s Office (for data breaches), or to the NCSC for major cyber incidents.