The increasing prevalence of ransomware attacks has forced law practices to confront the challenging question of whether payment of ransom may be a viable and, indeed, lawful option. Ransomware attacks involve malware that encrypts files, making them inaccessible to the target. Exfiltration of data may also be involved. The attackers typically demand a ransom, often in the form of cryptocurrency, in exchange for restoring access to the encrypted files or a promise not to release sensitive data.
This is a topical issue in light of recent high-profile ransomware attacks against law practices and other organisations. This article explores the potential legal consequences faced by law practices when deciding whether to pay a ransom, a complex question in which ethical and legal considerations play a significant part. Payment of ransom is always a last resort. Vigilance through training of employees and updated security measures, together with diligent and frequent backups, is the first line of defence. Recent events illustrate that even sophisticated defences can be breached by threat actors, who often prey on human error.