More than 40% of legal and compliance professionals would authorise the payment of a ransom in a ransomware attack against their organisation under certain conditions, according to a survey carried out by law firm Arthur Cox.
The firm conducted the survey among 150 in-house lawyers, compliance officers and data-protection officers (DPOs).
Asked if they would back payment of a ransom “assuming it is legally and economically viable”, 56% said ‘no’, but 44% said ‘yes’.
Richard Willis (partner, litigation, dispute resolution and investigations) said that ransomware attacks were becoming more sophisticated and frequent, and posed “a significant risk” to the security and integrity of data and systems.
Pros and cons
“Legal and compliance professionals need to be prepared for such scenarios, and weigh the pros and cons of paying a ransom versus restoring from back-ups, reporting to authorities and dealing with potential litigation and reputational damage,” he stated.
According to the survey, more than half of the respondents (57%) use generative AI tools in their organisation, but only 16% rated their impact as significant.
Rob Corbet (head of technology and innovation) said that, despite the transformative potential of generative AI tools, the survey suggested that there was still room for improvement in terms of their adoption, integration and effectiveness.
Olivia Mullooly (partner, technology and innovation) stressed that organisations using generative AI tools needed to consider the IP and confidentiality aspects of such technology.
“While the legal position on the ownership of AI created works is the subject of significant debate internationally, it’s also worth keeping in mind that data that is fed into generative AI tools is protected by copyright, carrying the risk of potential infringement in the absence of oversight and governance on the use of the AI tool,” she said.
Data transfers to third countries were rated as the most difficult exercise by 33% of respondents, with Arthur Cox technology partner Colin Rooney pointing to the uncertainty and complexity created by “seemingly constant legal changes” in the EU-US data transfer landscape.
Further challenges identified by respondents included new and evolving regulation (25%), advances in technology and technology adoption (23%), and effectively prioritising work and areas of focus (17%).
The survey found that the majority of DPOs in organisations (61%) report to their board of directors on at least a quarterly basis, with only 9% never reporting to the board.