It’s 4:00pm on a Friday. You get a text message from a colleague saying they can’t log into their email. Then others start texting you with a similar message. Your IT person reports that there’s unusual activity on your computer network and they’re having trouble remoting into the system. An hour or so later, you get the weekend-ruining-news: your systems have been hacked and the hackers are demanding ransom in Bitcoin to get your files back.
What you do next largely depends on the nature of your business, whether you have recent backups of your critical files, and whether you have cybersecurity insurance (which almost all businesses should). The specifics of a proper ransomware response are outside of the scope of this article and will vary widely depending on the circumstances of each attack. Here, we focus on the single critical question: should you (or your insurer) pay the hackers the ransom they are demanding?
Unsurprisingly, the answer is, “It depends.” Most likely, your business is not in the financial position to pay the six or seven-figure sums demanded by the hackers, so you rely upon your insurer for advice and guidance. Naturally, you probably would be very much inclined to tell your insurer to “do whatever it takes” to get access to your systems back. But, it’s not that simple, especially in light of recent guidance from the United States Department of the Treasury.
That guidance warns businesses who have been victimized by ransomware attacks to carefully consider whether they or their insurers should pay ransom to hackers. Putting aside the obvious ethical issues associated with continuing to fund bad actors who do bad things, the government wants businesses and insurers to know that directly or indirectly facilitating payments to hackers may violate federal law and regulations if it turns out that the ransomware payments were made to groups or individuals on the government’s “Specially Designated Nationals and Blocked Persons List.” In other words, if the government subsequently learns that you or your insurer made a payment to a person or entity on this list, you may face legal consequences even if you did not know that the recipient of the payment was on the government’s list. (Helpfully, however, the government notes that if you promptly consulted with law enforcement before making any ransomware payment, the government will consider that consultation with law enforcement a mitigating factor in your favor.)
Does this mean that your insurer should never pay ransom? No, because again, the complexities associated with that question vary widely on the facts and circumstances of each ransomware attack. If a business believes it may have experienced or is experiencing a ransomware attack, it should promptly contact their insurer, a qualified cybersecurity expert, competent legal counsel, and perhaps law enforcement to determine the best path forward.
In any cybersecurity incident, a business is often faced with lots of really bad options. They key is to pick the approach that allows the business to continue to operate while minimizing any potential legal fallout as much as possible. This may or may not include paying the ransom demanded. If you have questions and would like further information or a review of your organization’s cybersecurity policy, please contact PLDO Partner Brian J. Lamoureux at 401-824-5155 or email [email protected]. Attorney Lamoureux is a member of the firm’s litigation, employment, and cybersecurity teams.
Disclaimer: This blog post is for informational purposes only. This blog is not legal advice and you should not use or rely on it as such. By reading this blog or our website, no attorney-client relationship is created. We do not provide legal advice to anyone except clients of the firm who have formally engaged us in writing to do so. This blog post may be considered attorney advertising in certain jurisdictions. The jurisdictions in which we practice license lawyers in the general practice of law, but do not license or certify any lawyer as an expert or specialist in any field of practice.