5 Min Read

Ransoms - to pay or not to pay, that is the question

Read more

By Patrick Hill

|

Published 24 November 2022

Overview

To take some of the headlines at face value which followed the publication of the Information Commissioner's Office (ICO) and National Cyber Security Centre (NCSC) joint letter to the Law Society and Bar Council[1], one might be forgiven for thinking that the authors were seeking to direct the legal profession to advise their clients against paying ransomware demands should they fall victim to a cyber-attack.  It would be extraordinary, at least in this jurisdiction, for law enforcement agencies/regulators to seek to influence the advice which lawyers give to their clients, assuming that what they are advising is not unlawful.  So what does the letter say, and what are its implications for lawyers advising clients who have fallen victim to a ransomware attack?

Perhaps the logical starting point is to restate the position under English law which is that the payment of a ransom (whether directly or indirectly) is not of itself illegal or unlawful.  The authority for the proposition that the payment of a ransom cannot be against public policy was reaffirmed by the Court of Appeal in the decision of Masefield AG -v- Amlin Corporate Member.  Of course, that is not the end of the story by any stretch, and any party contemplating paying a ransom will also need to be satisfied that any payment does not breach any further civil or criminal regulations, including Section 17A of the Terrorism Act 2000 which forbids insurers from paying a ransom if there is reasonable cause to suspect that the ransom “will or may” be used for causes connected to terrorism.

Following the Russian invasion of Ukraine in 2014 (and in order to align its position with EU and the US post-Brexit) the UK imposed sanctions on a number of Russian entities and individuals through the Russia (sanctions) (EU exit) Regulations 2019.  After the full scale invasion of Ukraine earlier this year, the UK and other nations have responded by adding a number of significant Russian institutions and individuals to their respective sanctions lists; the sanctions regime is complex and fast moving, but suffice it to say that any party contemplating making a payment to a ransomware group will need to make extensive enquiries in order to ensure that the sanctions regime is not being breached, particularly bearing in mind that a significant number of the known threat actor groups are believed to be affiliated to Russia.

Assuming a payment can be made lawfully then, ultimately, the decision to pay or not pay a ransom is a commercial decision for the client to make.  The advisors should of course ensure that the client is in possession of all of the information necessary to reach an informed decision on whether or not the decision to pay is the correct one in all the circumstances.  The factors to be taken into account are necessarily varied and extensive, but will include the business impact of any encrypted/exfiltrated data, the availability of backups, the cost of restoring any data which cannot be recovered, the cost of the ransom, any reputational impact amongst employees, customers and shareholders, ethical or legal issues around funding criminal activity and of course the impact on any data subject whose personal data may have been accessed or exfiltrated by the threat actor.  This list is not exclusive by any stretch of the imagination, but it illustrates the complexity of the decision making process through which the advisors need to help their clients navigate.

The ICO’s letter to the Law Society and Bar Council seeks to address the argument (presumably put forward by a number of ransomware victims) that payment of the ransom constitutes mitigation of the risk to individuals and should be a factor taken into account by the ICO when assessing whether any enforcement action is appropriate.  The ICO states quite clearly that any belief that the payment of a ransom may protect the stolen data and the impact on individuals is mistaken.  This guidance is extremely helpful and welcome, as it provides clarity on this particular aspect, however, it is only one of a number of factors which the victim of a ransomware attack may choose to take into account when deciding whether or not to pay a ransom.

For its part, the Law Society has not responded directly to the suggestion that its members should not pay ransoms or advise their clients to do so; it has reiterated its previous position that they do not advise members to pay ransoms or advise that they should be paid. Therefore, the position on the lawfulness of paying ransoms remains unchanged.  It has also stated its desire to work with the ICO and NCSC in combatting ransomware criminals.

It is also worth pointing out that in addition to the ICO’s updated ransomware guidance[2] and the NCSC’s ransomware guidance[3], the LMA has also published its own guidance[4] for handling a ransomware incident, and which is referred to frequently by cyber insurers when supporting their insureds and lawyers and promoting best practice.  Whilst the exhortations of the ICO and NCSC to discourage the payment of ransoms in order to discourage criminal activity are laudable and extremely welcome, they do not mean that payment of a ransom is not a sensible course of action available to some targeted businesses, admittedly as a last resort, and subject to compliance with the relevant criminal, civil and regulatory regimes.

To pay or not to pay – I am not convinced that even Hamlet will always have the answer.

 

[1] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/07/ico-and-ncsc-stand-together-against-ransomware-payments-being-made/

[2] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/ransomware-and-data-protection-compliance/#scenario-7

[3] https://www.ncsc.gov.uk/ransomware/home

[4] https://www.lmalloyds.com/lma/news/Blog/guidance_101221.aspx

Author