The Latin legal maxim ‘Caveat Emptor’ or ‘Let the Buyer Beware’ was born out of early common law and has become a proverb in English that is familiar to lawyer and layperson alike. So, now in 2022, what new legal maxim might emerge from recent developments? A front runner, I would suggest, is ‘Let the Payer Beware’.
In a digital world where cybercrime is fast becoming the greatest and likeliest risk a business will face, and where ransomware is increasingly the method of attack, 78% of UK businesses were hit with a ransomware demand and 80% of those entities paid up (Proofpoint, Threat Report: 2022 State of the Phish). This figure is all the more notable because a UK business is twice as likely to pay a ransomware demand as a business in the rest of the world, where the global average is around 40%. So what is driving this desire to pay up?
To pay or not to pay?
The answer appears to lie in a letter dated 7 July 2022 from the Information Commissioner’s Office (“ICO”) and National Cyber Security Centre (“NCSC”) to the Law Society and Bar Council. It notes that they “have seen an increase in the number of ransomware attacks and ransom amounts being paid and are aware that legal advisers are often retained to advise clients who have fallen victim to ransomware on how to respond and whether to pay.” According to the ICO/NCSC, the critical decision to pay or not to pay often falls to legal advisers. They continue, “it has been suggested to us that a belief persists that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation.” So, a belief that paying the ransom will rescue the information-hostage and mitigate any ICO action that results is identified as the key driver. And, since the lawyers are in the hot seat, they are turning this belief into advice. The coup de grâce, or to stick with Latin, the plaga mortifera misericors, is delivered with the words, “we would like to be clear that this is not the case.” Let’s be clear here: lawyers are giving bad advice based on their mistaken belief that paying a ransom improves the outcome for the data and with the regulator.
There are many problems that will arise in paying a ransom if you’re a victim of a ransomware attack. The (7 July) letter mentions the risk of sanctions, and Russian sanctions in particular. It could also mention the risks of terrorist financing and money laundering, to name but two. It does reference data protection/cybersecurity legislation, often overlooked in the author’s experience, under which organisations must take appropriate technical and organisational measures to keep personal information secure and to restore information in the event of an information security incident. Let’s be clear: the obligation to restore information is not a green light to paying the ransom, but rather an obligation that should be fulfillable because appropriate measures were implemented in advance.
A lazy finale to this would be to conclude that a demand should never be paid. That’s lazy because the letter does not go that far; indeed, it can’t, because such decisions are often complex and there may be scenarios where payment is the best-advised response.
As first movers and cyber law pioneers, we can attest to the importance of taking counsel from lawyers with a deep understanding not only of the laws and risks but also of the myriad strategic and nuanced factors that influence such a critical decision. In our view, advisers who aren’t true specialists should resist the temptation to advise in ransomware scenarios, as otherwise they add additional risk to an already fraught situation. If faced with a ransomware attack, it is critical that you get early expert guidance. ‘Let the Payer Beware as to who it relies on for advice’ might become another English proverb if true cyber law experts aren’t on-boarded.