ICO and NCSC make statement advising against making ransomware payments amid uptick in cases

July 8, 2022

The National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) have issued a joint letter asking the Law Society to remind solicitors that they should not advise clients to pay ransomware demands should they fall victim to a cyber-attack.

Both bodies say they are aware that some organisations are paying the ransoms with the expectation that they do not need to engage with the ICO as a regulator or will gain benefit from it by way of reduced enforcement.

Ransomware involves the encrypting of an organisation's files by cyber criminals, who demand money in exchange for providing access to them.

In the event of a ransomware attack, there is a regulatory requirement to report to ICO as the data regulator if people are put at high risk, whereas NCSC – as the technical authority on cyber security – provides support and incident response to mitigate harm and learn broader cyber security lessons.

Paying a ransom to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered a reasonable step to safeguard data, the NCSC and ICO said.

John Edwards, UK Information Commissioner, said engaging with cyber criminals and paying ransoms "only incentivises other criminals and will not guarantee that compromised files are released".

Mr Edwards added: "We've seen cyber-crime costing UK firms billions over the last five years. The response to that must be vigilance, good cyber hygiene, including keeping appropriate back up files, and proper staff training to identify and stop attacks. Organisations will get more credit from those arrangements than by paying off the criminals.

"I want to work with the legal profession and NCSC to ensure that companies understand how we will consider cases and how they can take practical steps to safeguard themselves in a way that we will recognise in our response should the worst happen."

NCSC CEO Lindy Cameron added that the legal sector has a "vital role" to play in helping reverse the trend of organisations making payments to ransomware criminals.

A number of local authorities have been affected by ransomware attacks, with at least ten councils having had their operations significantly disrupted as a result.

Adam Carey

ICO and NCSC make statement advising against making ransomware payments amid uptick in cases

Judge remits FOI case after finding First-Tier Tribunal was wrong to strike out proceedings, amid doubts over reliability of previous evidence from council

Information watchdog publishes guidance on transparency in health and social care

Council loses appeal over FOI request for names of those who submitted consultation responses as part of their public-facing roles

Information watchdog seeks views on accuracy of generative AI models in third call for evidence

A Practical Guide to GDPR for Schools

Cornerstone on Information Law

Making Decisions Judicially - A Guide for Decision-Makers

A guide to UK data protection law with relevant provisions of the Data Protection Act 2018

Information Rights

Cornerstone on Social Housing Fraud

Essential Law for Cemetery and Crematorium Managers

Governance & Contracts Manager

Director of Law and Governance