Written evidence submitted by Norton Rose Fulbright LLP
We refer to the Joint Committee on the National Security Strategy’s call for evidence in relation to the enquiry into ransomware, released on 31 October 2022 (the “Call for Evidence”). Norton Rose Fulbright’s response to the Call for Evidence is set out in this letter.
Among other things, the Call for Evidence seeks input on the following:
a) The UK victim experience, including… regulatory requirements placed on ransomware victims; and
b) The effectiveness of the response to ransomware by Government, law enforcement agencies and other UK state actors…;
Norton Rose Fulbright is an international law firm. Its Information Governance, Privacy and Cybersecurity team frequently advises clients – principally large corporations – that fall victim to ransomware attacks. Our advice in this context relates to the investigation of and response to those attacks, as well as interactions with regulators, law enforcement agencies and intelligence agencies. Our evidence below arises from advising clients in this context.
The ICO and NCSC recently issued a public letter to the Law Society and the Bar Council of England and Wales[1]. The stated purpose of the letter was as follows:
We [ICO and NCSC] are writing to ask for your [Law Society’s and Bar Council’s] assistance in sharing some key messages with the legal profession in England and Wales to assist them in better advising their clients who may have suffered a cybersecurity incident.
The letter contained commentary relating to the payment of ransom, as follows:
It has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation. We would like to be clear that this is not the case.
For the avoidance of doubt the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.
Our view is that this commentary conflates two distinct positions which the ICO and NCSC appear to be adopting. These are:
a) That payment of ransom will not be an effective means of reducing any penalty which the ICO imposes on a data controller following a breach of that controller’s obligations under the GDPR; and
b) That payment of ransom will not mitigate risk to individuals whose data has been encrypted and/or stolen by malicious third parties.
Point (a) is a policy position adopted by the ICO, in relation to which we do not propose to comment.
Point (b), however, is a statement of fact, and one which we do not believe to be correct. Our experience, which is reflected in published research[2], suggests that payment of ransom does in the majority of cases prevent publication of data stolen by third parties, and often leads to stolen data being removed from third-party hands. It also usually leads to the provision of decryption keys which can be used to restore encrypted data where necessary (most notably, where backups are unavailable). This in turn mitigates risk to individuals whose data would otherwise have been published, sold or otherwise made available to potentially malicious third parties, or whose data would have remained inaccessible but for the use of decryption keys.
While it is not our role to encourage, endorse or condone the payment of ransom, we feel it is incumbent on us to ask that point (b) be corrected by the ICO so that all stakeholders are provided with an evidence-based understanding of the competing risk considerations relating to the payment of ransom and the protection of individuals impacted by personal data breaches.
16 December 2022
[1] Joint ICO and NCSC letter to The Law Society and The Bar Council
[2] See, for example, Sophos, The State of Ransomware 2022 (sophos-state-of-ransomware-2022-wp.pdf) and Veeam, 2022 Ransomware Trends Report (veeam_ransomware_trends_report_2022_wpp.pdf)