ETHICS CORNER CYBERSECURITY
Ethical, Legal Implications of Paying Ransoms (Updated)
Ransomware has emerged as one of the most virulent cybersecurity risks. In recent years, particularly during the pandemic, ransomware attacks have become more focused, sophisticated, costly and numerous. As ransomware tactics evolve, companies must make strategic and risk-based decisions on whether to engage with threat actors and/or pay the ransom.
According to Sophos, 51 percent of surveyed companies were impacted by a ransomware attack in the last year. By the end of 2021, it is estimated that a business will be targeted by a ransomware attack every 11 seconds, causing up to $20 billion in damage, according to Cybersecurity Ventures.
How should companies respond to a ransom demand?
They should follow their incident response plan, which should include immediately notifying the legal department at the beginning of a ransomware investigation or upon receiving a ransom demand. Their attorneys should establish a privileged protocol to protect attorney-client privileged communications and attorney work product prepared at the direction of counsel for the purpose of providing legal advice to the company.
Such protocols reduce the risk of exposing critical communications regarding the scope of, and contributing factors to, the security incident, as well as risks to the company. Otherwise, communications and work product could become discoverable in any subsequent class-action lawsuits or other legal claims brought because of the security incident.
Even if the company has a “no pay” ransom policy, attorneys should review the organization’s cyber insurance policy to determine whether it covers a ransom payment and notify the carrier early in the incident. They should consider whether to enter into a common interest agreement with the carrier to protect the privileged nature of the communications. In addition, carriers generally require that any ransom payment be pre-approved, which in turn requires certain diligence (including the sanctions screening discussed below) before any payment is made.
If the company does not have a “no pay” policy, it should have a clear escalation process for decision points concerning payment. The incident response plan should outline the ultimate decision-makers, which may be the executive team or the board of directors. These decision-makers must weigh the risks to the company, including the ability to recover data through other means, reputational damage, potential legal liabilities and ethical considerations.
Organizations should weigh several ethical implications of the decision to pay the ransom. For example, the company may gain a reputation as a paying entity, which makes it a lucrative target for repeat attacks. And if the ransom is paid through cyber insurance, threat actors have been known to research which companies hold such policies, information that publicly traded companies often report in investor disclosures, and to target them.
According to cyber insurance firm Coalition, ransomware attacks are the most reported cyber insurance claim. Any payment, even at a negotiated discount, lets the attackers sustain their current operations and reinvest in enhanced tactics, tools and procedures, or in other criminal or illicit activities.
Additionally, the profitability of ransomware incentivizes threat actor engagement in this practice. According to the Department of Homeland Security, approximately $350 million in ransom was paid in 2020, a more than 300 percent increase from the previous year.
The FBI “advocate[s]” against paying ransoms, in part because payment does not guarantee that the company will regain access to its data or that any stolen data will be deleted. Companies should weigh how to respond to the ransom demand and whether engagement or payment would violate government regulations, risk the privacy of customers, breach commercial agreements, waive attorney-client or work product privileges, or have any other legal or compliance consequences.
Payment by the company or its insurance carrier may raise questions as to whether the payment constitutes funding criminal groups, terrorism or rogue states, and/or violates anti-money laundering laws. Although actions taken under duress do not ordinarily constitute a crime, that principle offers limited comfort here: as discussed below, OFAC assesses sanctions violations on a strict-liability basis.
Before engaging with the threat actor, companies should be mindful of the recent advisory from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on potential sanctions risks associated with ransomware payments.
For example, OFAC has designated “numerous” malicious cyber actors under its sanctions programs, including ransomware attackers and those who facilitate ransomware transactions.
Under the International Emergency Economic Powers Act and Trading with the Enemy Act, U.S. persons generally are prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by comprehensive country or region embargoes. Numerous cyber threat actors are on these lists.
OFAC can impose civil penalties for sanctions violations based on strict liability. Meanwhile, it will consider a company’s cooperation with and report of a ransomware attack to law enforcement to be a “significant mitigating factor” in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.
From a commercial lens, production or delivery problems resulting from a ransomware attack may put a company in breach of service agreements, purchase orders or other contractual provisions. Companies should therefore review the force majeure, early termination and cure clauses in their commercial agreements. In addition, some agreements contain provisions that require the company to inform its investors, business suppliers and/or customers that it paid the ransom.
Waiting until right-of-boom, after the attack has already landed, to assess these legal and ethical issues will only complicate the situation. As OFAC’s advisory makes clear, companies should have an incident response plan that contemplates a potential ransomware attack before one occurs.
Correction: This article has been updated to include attribution for Cybersecurity Ventures' estimates for the frequency and cost of ransomware attacks.
Phyllis Sumner is a partner and chief privacy officer at King & Spalding. Jillian Simons is a law clerk at the firm.