To pay, or not to pay, that is the question:
Whether ‘tis nobler in the mind to suffer
The slings and arrows of outrageous data loss
Or to take arms against a sea of troubles
And, by paying in bitcoin, end them?
Last Thursday, the Information Commissioner’s Office and the National Cyber Security Centre wrote to the Law Society urging solicitors in England and Wales to advise their clients who fall victim to cyber attacks not to pay ransoms.
That stance is worth unpicking, for a couple of reasons.
First, we know that most lawyers tend to be non-conformist, rule-breaking rebels who like nothing better than thumbing their nose at The Man. Telling them how to advise their clients is going to stick in the craw. In all seriousness, provided that the solicitor isn’t counselling the client to act illegally or unethically (paying ransoms doesn’t in most cases fall into the first category, and arguably neither does the second), it's a reasonable question to ask who is best placed to determine how to act in the best interests of the client.
Second, as anyone who’s lived through even one serious data breach can attest, things are rarely as simple as to pay or not to pay. It’s all contextual — and most of us will have seen both approaches 'work'. But I’m not convinced that judging or penalising companies for taking what they think is the least worst approach in the circumstances, particularly if that approach involves paying a ransom, will always be the best way forward.
Of course, in an ideal world nobody would pay criminals and the ransomware industry would wither and die. Continuing to cough up means the attacks will continue – the next time, perhaps against a business that doesn’t want, or can’t afford, to pay the ransom. And there’s no guarantee that payment leads to the return of data.
That is all true. But if a company takes the position that unencrypting its customer database is a price worth paying in order to save the business, is it really the solicitor’s duty to advise them not to do that?
The ICO’s letter makes clear that a ransom payment (1) does not mitigate the risk of harm to individuals, and (2) will not reduce any penalties incurred through ICO enforcement action. That may not be news to many organisations, for whom regulatory enforcement is one of numerous factors to be considered when deciding whether to pay a ransom.
But doing so also doesn't appear to be an aggravating factor for the ICO, so it'll be interesting times ahead for companies and their advisors when assessing the merits of ransom payments. The ICO's view is clear.
For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.