Cyber extortion – legal and ethical considerations if you receive a ransom demand
Key insights:
While payment of a cyber ransom is a last resort, in Australia it is generally not illegal.
However, possible offences under anti-terrorism and anti-money laundering legislation should be considered.
Ethical issues for lawyers to consider include duties to the administration of justice, to act in the client’s best interests and to maintain confidentiality.
This article was first published in September 2020 in the Law Society of NSW Journal and was updated in May 2021.
What is ransomware?
Ransomware is a type of malicious software (malware) that infects computers and makes data unreadable unless a ransom is paid. The ransom demanded will usually be in cryptocurrency such as Bitcoin. Where reliable backups of data are available it may be possible to recreate businesses’ records without paying a ransom. However, this is not always possible, particularly if backups have also been encrypted.
Ransomware is reported to be the fastest growing type of cybercrime. In May this year the New York Times reported that in the United States ransomware gangs have hit big businesses, schools and universities, local governments, hospitals and the police. Citing security firm Emsisoft, Krebs on Security revealed that almost 2,400 U.S.-based governments, healthcare facilities and schools were victims of ransomware in 2020.
On 13 May President Biden confirmed that the US government was launching a task force aimed at cracking down on hackers responsible for ransomware attacks following the devastating impact of a ransomware attack on Colonial Pipeline which impacted fuel supplies across the east coast of America.
In Australia, organisations impacted include Nine Entertainment, Eastern Health, Law in Order, Toll, MyBudget, and Bluescope Steel.
Some ransomware threatens not only to encrypt data but also to publish or sell it. This threat can have serious implications for organisations including law firms with special duties to maintain confidentiality of information.
Cases impacting law firms
In May 2020 US law firm Grubman Shire Meiselas & Sacks, which acts for numerous celebrity clients, confirmed it had been the victim of a cyberattack in which hackers accessed 756 gigabytes of data contained in legal files held on behalf of dozens of clients. When it became clear the ransom of US $42 million would not be paid, the hackers reportedly commenced auctioning off files to the highest bidder.
The threat to publish information is clearly a nightmare scenario for a legal practice that holds information it is required to keep confidential. While this is an extreme case, Australian law firms have also been victims of ransomware. Lawyers are of course expected to uphold the law, so what factors should be considered in the event of a ransomware attack?
Public policy considerations
There are strong public policy reasons why ransoms should not be paid, namely to discourage further escalation in this type of crime, and the Australian Cyber Security Centre and law enforcement bodies recommend against making ransom payments. There is no guarantee that cybercriminals can or will decrypt your records if a ransom is paid and paying a ransom could also make you a target for further attacks. In September 2020 the former head of the UK’s National Cyber Security Centre reportedly called for the UK government to make it illegal for companies to pay cyber hackers a ransom, describing ransomware as “the single biggest contemporary scourge in cyber space”.
In April 2021 the Wall Street Journal reported that the US Justice Department had formed a task force to limit the proliferation of ransomware attacks, with the aim of destroying the business model and the digital ecosystem that supports it. Here in Australia, in February the federal opposition called for a national ransomware strategy to reduce the number of attacks on Australian targets.
Is it legal to pay a ransom?
While it is generally accepted that in Australia payment of a cyber ransom is not illegal, it is a serious offence to contravene anti-money laundering legislation (Criminal Code Act 1995 (Cth), division 400) or to make funds available to an organisation where a person knows or is reckless as to whether the organisation is a terrorist organisation (Criminal Code Act 1995 (Cth), s 102.7), or to an organisation proscribed by UN sanction (Charter of the United Nations Act 1945 (Cth)). Some commentators have suggested a defence of duress might be available in certain circumstances - where there is any possibility these issues could arise you should seek specialist advice. Organisations subject to anti-money laundering legislation may also be required to disclose the payment of a ransom.
Professional rules and fiduciary and other duties
Rule 3 of the Legal Profession Uniform Law Australian Solicitors’ Conduct Rules provides that a lawyer’s paramount duty is to the Court and the administration of justice. However, where there is no clear contravention of that duty the obligation to protect the client’s interests is otherwise paramount (see D. Bowles, “Is it Ethical (or legal) for law firms to pay cyber-ransom?”, Queensland Law Society, December 2017).
Where a lawyer receives what appears to be a credible threat to publish confidential information held on behalf of others, he or she will need to consider how professional obligations might apply. Under the Australian Solicitors Conduct Rules, which now apply to most Australian lawyers:
Rule 4.1.1 provides there is a duty to act in the client’s best interests; and
Rule 7 requires clear and timely advice to assist clients to understand legal issues and make informed choices.
Other factors to consider are the fiduciary relationship between solicitor and client, based on the trust that the client has placed in their lawyer, and the equitable duty to maintain the confidentiality of communications. There may also be duties to maintain the confidentiality of information pertaining to third parties and, if your firm is subject to the Privacy Act 1988, a duty to report an eligible data breach involving personal information where the data breach is likely to result in serious harm to any of the individuals to whom the information relates.
The choice between paying a ransom and either losing all your business records or seeing confidential client information lost or published is one that no legal practitioner ever wants to make.
Minimise your risk by making regular backups that aren’t connected to your network, using antivirus software, and keeping operating systems and software up to date.
Ensure your business requires strong passwords, multifactor authentication and password managers.
With most ransomware delivered via a phishing email, ensure everyone in your practice is educated about cybercrime and how to recognise suspicious emails.
Lastly, if you have cyber insurance you should notify your cyber insurer immediately and obtain its consent before making any payment.
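The backup advice above turns on one practical question: whether the copy you kept is still intact when you need it, since ransomware that can reach a backup will encrypt it along with everything else. The following Python script is an added example and is not part of the original article. It records a SHA-256 manifest of a backup set at the time the backup is taken and verifies the set again before it is relied on, reporting files whose contents changed, that went missing, or that appeared. The directory layout, file names and file contents are constructed for the illustration.

```python
"""Integrity check for an offline backup set (added example, not from the
article). A SHA-256 manifest is recorded when the backup is taken and checked
again before the backup is relied on for a restore. Files whose contents no
longer match, or that have gone missing or appeared, are reported, which is
how a backup that ransomware has also reached would be noticed before an
actual recovery depends on it."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large records do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup set at root with a previously recorded manifest.

    Returns lists of relative paths under the keys "ok", "changed",
    "missing" and "unexpected"."""
    current = build_manifest(root)
    report = {"ok": [], "changed": [], "missing": [], "unexpected": []}
    for rel, recorded in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != recorded:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict:
    """Constructed scenario: take a manifest of a small backup set, then alter
    the set the way an encrypting process and a deletion would, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "matters").mkdir(parents=True)
        (backup / "matters" / "smith_v_jones.docx").write_bytes(b"constructed sample content 1")
        (backup / "matters" / "trust_ledger.csv").write_bytes(b"constructed sample content 2")
        (backup / "readme.txt").write_bytes(b"constructed sample content 3")

        # The manifest is stored next to, not inside, the backup set, so it
        # is never part of what it describes. A real deployment would keep it
        # with the offline copy.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))

        # Simulated damage: one file overwritten with different bytes (standing
        # in for an encrypted copy), one deleted, one new file appearing.
        (backup / "matters" / "smith_v_jones.docx").write_bytes(b"overwritten bytes")
        (backup / "readme.txt").unlink()
        (backup / "new_file.txt").write_bytes(b"constructed unexpected file")

        return verify_backup(backup, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:10s} {paths}")
```

Run the check against the offline copy as part of a periodic restore test rather than assuming the copy was never touched; a clean report is also the evidence you would want when deciding, in light of the duties discussed above, whether client records can be recovered without engaging with a ransom demand at all.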