Legal Issues Around Paying Ransomware

Ransomware attacks are one of the most serious cybersecurity threats facing businesses 2024. This kind of attack involves a malicious actor encrypting a victim’s data and then making a demand for a ransom payment in exchange for the decryption key. Although the first instinct for many businesses is to pay the ransom and quickly regain access to their data, doing so is not without legal risk.

 The increasing frequency of ransomware attacks

The number of ransomware attacks has risen significantly in recent years, impacting large and small organizations across various sectors, including healthcare, finance, entertainment, and even critical infrastructure. High-profile incidents, such as the MGM and Caesars Casino attacks, have highlighted the grave consequences of ransomware, ranging from operational disruptions to huge financial losses.

These attacks are developing, becoming more sophisticated and frequent, increasing the pressure on businesses to resolve them quickly. Nonetheless, the payment of any form of ransom is a complex subject, fraught with legal and ethical dilemmas.

Legal considerations before paying ransomware demands

Federal Laws:

  • The Federal Government of the United States has taken a firm stance against paying ransoms on the grounds that such payments serve to encourage further criminal activity and finance illicit operations. In fact, paying a ransom to a sanctioned entity may violate federal law; e.g. the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA).

 Office of Foreign Assets Control Regulations:

  • The Office of Foreign Assets Control, more commonly referred to as OFAC, maintains the Specially Designated Nationals and Blocked Persons List (or SDN List) which is a register of individuals and entities currently subject to sanctions. In circumstances where a ransom payment is made to a person or group that is named on this list, the payer could face hefty fines. The OFAC issued an advisory warning in October 2020 stating that enforcement actions could be taken against those who facilitate ransomware payments to sanctioned individuals.

Encouragement of criminality:

  • Payment of a ransom may be seen as an incentivization of criminal behavior, which in turn may contribute to the further proliferation of ransomware attacks. The FBI and other law enforcement agencies strongly discourage paying ransoms. They argue that it emboldens cybercriminals and ultimately perpetuates the cycle of attacks.

Implications on insurance:

  • Many business entities possess cybersecurity insurance policies that provide coverage for ransomware incidents. That said, the cyber insurance  landscape is rapidly evolving. Some insurance companies might refuse to cover ransom payments because of the potential legal risks involved. This is particularly true should the payment violate federal regulations. Moreover, insurers are examining claims with increasing scrutiny and some may require proof that the payment was not made to a sanctioned entity.

Laws regarding data privacy and breach notification:

  • In circumstances where a ransomware attack includes the extraction of personal data, the victim is obliged to comply with data privacy and breach notification laws. Regulations can vary significantly by state and sector, but most require prompt notification to the individuals impacted and to the relevant authorities. Failing to comply with these obligations may result in significant fines and reputational damage. The situation can be rendered even more complex again by the legal obligation to disclose a ransomware payment, especially if it concerns sensitive personal data.

The legal landscape

In light of these legal considerations, every business needs a strategic approach when it comes to the management of ransomware incidents. The following are some key steps to assist in the navigation of the complexities:

Development of a ransomware attack response plan:

  • A comprehensive ransomware response plan which outlines the steps to take in the event of a cyberattack should be established by every business. Any plan of this type should, as a minimum, include containment measures, protocols for communication, and legal considerations. 

Obtaining legal advice:

  • Engaging with legal experts, specialized in cybersecurity and compliance, is essential. An expert attorney, well versed in cybersecurity law, provides guidance on the legal ramifications of paying a ransom, helps evaluate the risks, and ensures that the actions taken are fully compliant with relevant laws and regulations.

Cooperation with law enforcement agencies:

  • Ransomware attacks must be reported to relevant law enforcement agencies. In addition to it being a legal obligation to contact them, law enforcement can provide invaluable assistance post-attack, and the subsequent investigation may help prevent future attacks by identifying the and apprehending the perpetrators. 

Due diligence:

  • Thorough due diligence, to ensure the recipient is not a sanctioned entity, should be conducted before any ransom payment is even considered. This involves taking advice from cybersecurity experts and legal counsel to find the origin of the ransomware and verify the identities of the wrong-doers.

Cybersecurity measures:

  • Prevention is better than cure. A proactive approach to data security reduces the probability of falling victim to ransomware and therefore the need to consider paying a ransom. All companies should invest in comprehensive cybersecurity measures, including threat detection, regular data backups, and staff training. 

Cyber insurance:

  • Make sure that you understand the coverage of your cyber insurance policy regarding ransomware incidents. The policy must include provision for incident response, legal costs, and potential ransom payments. It should also clarify any exclusions that are related to payments to sanctioned entities.

Deciding whether or not to pay a ransom in the event of a ransomware attack is made more difficult due to the legal complexities and ethical considerations involved. Although the prompt recovery of data is an obvious reason to consider paying, businesses and organizations must carefully evaluate the legal risks and broader implications. By committing to the development of a robust ransomware response plan, consultation with legal experts, and investment in proactive cybersecurity measures, businesses which handle data can better navigate the challenges posed by ransomware attacks and better protect themselves in the future.

Photo Credit: zephyr_p / stock.adobe

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Eoin Campbell

Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified lawyer. Eoin has moved from practicing law to lecturing. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data privacy. He is an expert on data privacy laws.