The Law Society of England and Wales has advised its members to steer clear of paying off cyber-criminals.
“We do not advise members to pay ransoms, nor suggest that is what they should advise their clients,” a Law Society spokeswoman told the Law Society Gazette of England and Wales.
The organisation was responding to what the Gazette describes as “an unprecedented” joint letter by the British government’s National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).
‘Evidence of a rise in payments’
The letter, to legal professional bodies, concerned so-called 'ransomware' attacks, which typically involve an outside party seizing control of an organisation's IT systems or data through hacking and encryption, and demanding payment, usually in crypto-currency.
The NCSC's chief executive, Lindy Cameron, described ransomware attacks as “the biggest online threat to the UK, and we do not encourage or condone paying ransom demands to criminal organisations”.
In their letter, the NCSC – set up by the security services – and the ICO state that they have seen evidence of a rise in ransomware payments, and that solicitors may have advised clients to pay, in the belief that it will keep data safe or lead to a lower penalty from the ICO.
The letter asks the Law Society of England and Wales and the Bar Council of England and Wales to remind members that this is not the case.
ICO offers talks
John Edwards (information commissioner) said: “Engaging with cyber criminals and paying ransoms only incentivises other criminals, and will not guarantee that compromised files are released.
“It certainly does not reduce the scale or type of enforcement action from the ICO or the risk to individuals affected by an attack.”
Edwards added that he wanted to work with the legal profession and the NCSC to ensure that companies understood how his office considered cases, and how they could take practical steps to safeguard themselves.
The solicitors’ body welcomed the offer to meet, adding that it was keen to play its part in helping combat ransomware criminals.