As we have noted in previous issues, law firms are a target for cyber attacks. Larger firms may for example hold valuable data in connection with intellectual property and mergers and acquisitions, as happened a decade ago in an attack on Canadian firms by Chinese-based computers, and smaller firms are no less exposed because they hold personal data, as shown by a recent example involving medical records for personal injury claims, which can be monetised through ransomware attacks.

A report by information security provider Sophos, The State of Ransomware 2021, addresses the prevalence and costs associated with ransomware. A link is on

Of the companies which paid up, whether for speed of recovery or inadequacy of backups, on average, only 65% of the encrypted data was restored after the ransom was paid. 4 per cent of victims who paid up received nothing in return, and only 8% claim to have recovered everything after submitting to the black- mail.

Perhaps the biggest risk identified in the report, however, is not the loss of confidential data but having it exposed on the internet. Payment of ransomware to decrypt data may not be the end of the matter: a second payment may be demanded to prevent the release of data.

Cyber security was addressed at the ICO’s Data Protection Practitioners’ Conference 2021 on 5 May 2021. In the last 12 months the ICO opened investigations into 1700 data controllers; there was a monthly average of 42 incidents, up from 13.4 in previous year. Guidance is expected shortly on ransomware and incident response, covering notification, and demonstrating compliance in the event of a successful attack.

Firms should have the support provided by cyber insurers. Advice and details of private sector support may also be found on the National Cyber Security Centre website.

The ICO have a cyber investigations department and will want to know what personal data were held on which servers, recovery time objectives, whether intruders are still present in the system, interim systems which are being deployed and the policies and procedures in place to mitigate the risks associated with them (such as staff using gmail or similar personal accounts).

Risks include erasure and encryption of backups; even temporary unavailability for a few hours may amount to a personal data breach, though it may not be necessary to report to the ICO if there is no threat to the rights and freedoms of individuals (but it will still be necessary to consider reporting to the SRA). Paying a ransom fee may prompt questions as to whether backups were segregated from the live environment so as to prevent access. It is not currently an offence in the UK to pay a ransom unless it involves terrorist funding or financial sanctions. Criminalising payments would raise difficult questions—criminalising victims, focusing investigations on victims rather than perpetrators, and discouraging reporting.

See also the next section on insurance.

‹ Back to Publications