The ICO exists to empower you through information.

Solicitors are today being asked to play their part in keeping the UK safe online by helping to tackle the rise in organisations paying out to ransomware criminals.

The National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) have been told that some firms are paying ransoms with the expectation that this is the right thing to do and they do not need to engage with the ICO as a regulator, or will gain benefit from it by way of reduced enforcement. This is incorrect.

Ransomware involves the encrypting of an organisation’s files by cyber criminals, who demand money in exchange for providing access to them.

In a joint letter, NCSC and the ICO ask the Law Society to remind its members that they should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.

Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.

The ICO has clarified that it will not take this into account as a mitigating factor when considering the type or scale of enforcement action. It will however consider early engagement and co-operation with the NCSC positively when setting its response.

NCSC CEO Lindy Cameron said:

“Ransomware remains the biggest online threat to the UK and we are clear that organisations should not pay ransom demands.

“Unfortunately we have seen a recent rise in payments to ransomware criminals and the legal sector has a vital role to play in helping reverse that trend.

“Cyber security is a collective effort and we urge the legal sector to help us tackle ransomware and keep the UK safe online.”

John Edwards, UK Information Commissioner, added: 

“Engaging with cyber criminals and paying ransoms only incentivises other criminals and will not guarantee that compromised files are released. It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.

“We’ve seen cyber-crime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files, and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.

“I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen.”

What should organisations do?

In the event of a ransomware attack there is a regulatory requirement to report to ICO as the data regulator if people are put at high risk whereas NCSC – as the technical authority on cyber security – provides support and incident response to mitigate harm and learn broader cyber security lessons.

The ICO will recognise when organisations have taken steps to fully understand what has happened and learn from it, and, where appropriate, they have raised their incident with NCSC and they can evidence that they have taken advice from or can demonstrate compliance with appropriate NCSC guidance and support. 

The NCSC has a wide range of guidance on mitigating the ransomware threat, for example advising companies to keep offline back-ups. All of its advice can be found on its ransomware portal.

The ICO recently updated ransomware guidance, which can be found on its website.

Notes to Editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has its head office in Wilmslow, Cheshire, and regional offices in Edinburgh, Cardiff and Belfast.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations. 
  3. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. 
  4. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.