Ransomware Settlements – Legal and Ethical Considerations

Ransomware is one of the most severe cyber threats that organizations face. Not only can it disrupt business operations, but it also causes extensive reputational damage and legal exposure.

Organizations are pressured to respond quickly to these attacks, and many are choosing to pay cybercriminals to regain access to encrypted data and systems. However, it is essential to consider legal and ethical considerations before deciding whether to pay.

Legal Requirements

Before you make a ransomware payment, you must understand your legal and regulatory requirements. Depending on your company’s jurisdiction, you may need to determine whether a specific ransomware attack amounts to a security breach under applicable state data breach notification laws or other laws.

Similarly, your organization may be required to notify affected individuals and, in some cases, regulators. This obligation is generally triggered by the unauthorized acquisition of or access to personal information, as regulated under applicable state and federal privacy laws (such as HIPAA) and sector-specific laws.

A legal analysis of your situation is critical to determining whether you must notify those affected by your incident and whether you have any contractual notification obligations. Moreover, you may need to consider whether any entities or parties involved in your incident have been sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) or other governments.

The risk of lawsuits and related claims is another primary concern. These lawsuits can result in significant damage and reputational damage. In addition, companies may be liable for damages resulting from the cybersecurity attacks themselves or for reimbursing their affected customers or suppliers for breach-related losses.

To avoid a potential liability issue, it’s recommended that your business consults with an experienced cybercrime attorney and I.T. forensics consultant to ensure that your organization meets its legal obligations following a ransomware incident. This is especially true if your organization has suffered a large-scale incident or is facing regulatory scrutiny.

Regulatory Requirements

Ransomware is a cyber attack that locks or blocks access to computers and data, demanding payment in exchange for unlocking the files. Its resurgence during the COVID-19 pandemic has increased the threat and impacted business operations worldwide.

The cost of ransomware attacks has skyrocketed over the past several years, and they are projected to continue increasing in 2021. According to one report, the global amount of ransomware payments is expected to be $20 billion in 2021, a 57-fold increase from 2015 to 2020.

Cyber security Industry experts like Fortinet warn that attacks demanding ransomware payment are often the result of social engineering techniques and phishing campaigns. They can be difficult to avoid and prevent, but basic cyber hygiene remains critical. First, organizations should take the time to map their network configurations, including systems, servers, and networks.

Second, companies should regularly perform vulnerability scans. These scans can help assess the risk of malware or ransomware attacks and identify vulnerabilities.

In addition to identifying potential security risks, these scans can help determine the effectiveness of a company’s cybersecurity measures.

While some companies may be able to mitigate the risk of a ransomware attack, the fact remains that these attacks are becoming more commonplace. Moreover, they can be costly and impact the continuity of a company’s operations.

For this reason, businesses and government agencies need to make sure they’re adequately prepared for ransomware attacks before they happen. As a starting point, companies should be aware of the potential regulatory issues associated with ransomware settlements, including that they may run afoul of the U.S. Treasury Department’s Office of Foreign Asset Control guidance and any underlying risks that may arise from the actual payment.

Ethical Considerations

While there are no hard and fast rules around ransomware settlements, weighing the legal, regulatory, reputational, and practical implications is essential. It is especially crucial to consider whether a payment violates government regulations, risks customers’ privacy, breaches commercial agreements, waives attorney-client or work product privileges, or has other legal/compliance consequences.

Ethical considerations should also be considered. A business’s obligation to its stakeholders, clients, shareholders, and employees should be balanced with the potential costs of running operations while systems are compromised. In some cases, the ethical choice is to pay out the ransom – as a last resort – despite being unable to restore critical business operations.

The profitability of ransomware attacks incentivizes threat actors to engage in this practice. Often, these entities threaten to leak exfiltrated data if they are not paid the ransom, which could present significant legal and reputational risks to the entity paying out the ransom.

In addition to weighing the legal, regulatory, reputational, and practical issues, companies must also consider whether a ransomware payment would violate the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) guidance.

The United Kingdom has also placed financial sanctions on many cybercriminal groups. As such, businesses that facilitate ransomware payments to sanctioned entities may be subject to monetary penalties under the U.K. Terrorism Act 2000.

Practical Considerations

In the face of a ransomware attack, companies face a difficult decision: pay a ransom to restore access to computer systems or risk losing vital information. These decisions are complicated because ransomware often locks down computer systems in minutes, making them inoperable and preventing access to critical data.

When assessing whether or not to pay a ransom, senior management must consider several practical issues, including (i) the viability of available backups; and (ii) the nature and extent of affected data. They may also have to consider the reputational risk of paying a ransom, particularly where public knowledge of this decision would deteriorate a company’s reputation.