- While payment of a cyber ransom is a last resort, it is generally not illegal.
- However, offences under anti-terrorism and anti-money laundering legislation should be considered.
- Ethical issues to consider include duties to the administration of justice, to act in the client’s best interests, and to maintain confidentiality.
Ransomware is reported to be the fastest-growing type of cybercrime. It is a type of malicious software (malware) that infects computers and encrypts data so that it is unreadable unless a ransom is paid. The ransom demanded will usually be in a cryptocurrency such as Bitcoin. Where reliable backups of data are available, it may be possible to recreate a business’s records without paying a ransom. However, this is not always possible, particularly if the backups have also been encrypted. Recent months have seen media reports of ransomware attacks impacting businesses globally, including Garmin and Travelex. In Australia, organisations impacted include Toll, MyBudget, and BlueScope Steel. Some ransomware threatens not only to encrypt data but also to publish or sell it.
Cases impacting law firms: In May this year, US law firm Grubman Shire Meiselas & Sacks, which acts for numerous celebrity clients, confirmed it had been the victim of a cyber attack in which hackers accessed 756 gigabytes of data contained in legal files held on behalf of dozens of clients. When it became clear the ransom of US$42 million would not be paid, the hackers reportedly began auctioning off files to the highest bidder. The threat to publish information is clearly a nightmare scenario for a legal practice that holds information it is required to keep confidential. While this is an extreme case, Australian law firms have also been victims of ransomware. Lawyers are, of course, expected to uphold the law, so what factors should be considered in this situation?
Public policy considerations: There are strong public policy reasons why ransoms should not be paid, chiefly to discourage further escalation of this type of crime, and the Australian Cyber Security Centre and law enforcement bodies recommend against making ransom payments. There is no guarantee that cybercriminals can or will decrypt your records if a ransom is paid, and paying a ransom could also make you a target for further attacks.