UK Information Commissioner’s Office issues warning over ransomware payments | Alston and bird

On July 8, 2022, the UK Information Commissioner’s Office (UK ICO) and the UK’s National Cyber Security Centre (NCSC) issued a joint letter asking the Law Society of England & Wales to remind its members that they should not advise clients to pay ransomware demands when they are the victims of a cyberattack. The Law Society of England & Wales is the professional body for all solicitors in England and Wales.

The letter clarifies that the UK ICO does not regard paying a ransom as a measure that protects the personal data involved, and that the UK ICO will not treat such payments as a mitigating factor when deciding the type or extent of enforcement action, such as the imposition of financial penalties.

On the other hand, the ICO will recognize mitigation when organizations have taken steps to fully understand what happened and to learn from it, and, where applicable, they:

  • have discussed their incident with the UK NCSC;
  • have reported it to Action Fraud (the UK’s national reporting centre for fraud and cybercrime); and
  • can demonstrate that they have followed, or are complying with, the appropriate UK NCSC guidance and support.

The letter also points out that the UK ICO recently published updated regulatory guidance on ransomware. This guidance emphasizes that the UK ICO does not consider paying a ransom to be an “appropriate measure” for restoring personal data, and instead encourages measures such as threat assessments, risk assessments, and controls such as offline and separate backups.

Ultimately, the UK ICO’s regulatory guidance recognizes that organizations subject to the UK GDPR do in some cases pay ransomware demands, and the joint letter notes that, at the time of writing, such “payments are generally not illegal”. However, the UK ICO warns that organizations that pay in response to a ransomware demand still need to consider how to mitigate the risk that the attackers nonetheless publish the personal data, share it offline with other attack groups, or exploit it further for their own gain.

The joint letter can be found here, and the UK ICO statement on this can be found here.