While organizations may think the best strategy during a ransomware attack is to meet the attacker’s demands, doing so could land them in legal hot water. Once the federal government gets involved, the financial repercussions will be more significant than the ransom itself. Here’s what companies should do and avoid in this situation to protect their assets. Do Most Organizations Pay the Ransom? Ransomware attacks heavily impact every industry. Unfortunately, they are getting more severe. The incidents’ in 2020, four times higher than the 2019 total. These attacks threaten people’s livelihoods, so many feel extreme pressure to pay the ransom. costs exceeded $400 million In fact, pay the ransom. However, even though most give in to attackers’ demands, only 4% get all their data back decrypted and intact. Although complying can seem like the best approach, it often doesn’t pay off. roughly 50% of victims Is It Illegal to Pay the Ransom? It is technically illegal to pay a ransom during a ransomware attack. After all, it’s nearly impossible to trace where the attacker is or find out who they work for — and the government frowns on U.S. entities funding terror groups or countries under an embargo. Why do organizations pay the ransom even though it’s illegal? While many may not know about its legality, some go through with it because they believe it’s the best choice. After a cost analysis, they realize paying the fines may be less expensive. Containing a malware attack on average — this extended downtime could tank a brand’s sales and reputation. Instead of permanently losing their data, facing government scrutiny, and getting public backlash, some quietly pay the attacker. It may seem like a calculated risk, but the potential repercussions aren’t usually worth it. takes around 50 days Legal Considerations for Ransomware Attacks Many local and federal mandates surround cyberattacks and ransomware. People living in or doing business in the United States must comply with these legal requirements. Here are the primary laws and considerations for organizations: Informing stakeholders: Organizations typically must inform their stakeholders of a ransomware attack. Depending on local laws, they may have to make public statements or notify all customers. Paying ransoms: The federal and local governments have strict rules against it because it is a matter of security — they view it as funding or support. Notifying law enforcement: The Cybersecurity and Infrastructure Security Agency (CISA) states for all ransomware incidents. Victims must inform relevant U.S. government agencies. timely reporting is mandatory Informing customers: Organizations must notify customers if a ransomware attack impacts data security. After all, their privacy is at risk if the attackers expose their personal or financial information. While the exact reporting mandates vary by state and industry, they all require organizations to inform law enforcement agencies. Even if people have the situation under control, they still must disclose it to relevant authorities. What Are the Federal Government’s Requirements? While the federal government has no explicit, comprehensive laws regarding ransomware, it considers ransom payments a type of transaction. Because of this technicality, it is illegal to engage with the attacker — doing so could result in harsh penalties. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) oversees most of these incidents. The International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) have strict rules against foreign financial engagement. It with any person or entity on the OFAC’s Specially Designated Nationals and Blocked Persons list. Also, doing business with those under an embargo is a crime. is illegal to conduct a transaction These acts and laws may not explicitly discuss ransom payments, but they cover ransomware. Sanctions violations typically result in civil penalties, meaning organizations must pay hefty fines or settlements. Some people may even face jail time if the government believes their actions are criminal or criminally negligent. Crucially, the government notes even those unaware of the acts can face legal repercussions — it can hold people civilly liable even if they didn’t know their actions were illegal. If a company goes into a panic and pays the ransom as soon as an attack occurs, it will still have to answer to OFAC, CISA, and other agencies. What Are Local Governments’ Requirements? Organizations must remember their local government also has a stance on ransomware — most impose fines and legal repercussions. Every state and U.S. territory has its own data breach reporting mandates and penalties. While every state’s specific laws differ, each one and law enforcement. Local facilities typically aren’t equipped to deal with ransomware, so the responsibility falls to federal agencies like the FBI, CISA or The Department of Homeland Security. requires entities to notify stakeholders While many states discourage ransom payments — some have even banned communication with ransomware attackers — their fines usually relate to data privacy. Local law enforcement and public entities don’t have as much power as the federal government, so they typically don’t involve themselves in people’s private affairs. They can still react swiftly to data breaches and will hand out fines if they feel the need to. Since steal data before beginning the ransomware attack, organizations will likely have to answer to their state’s laws. almost 50% of attackers Why Should Organizations Not Pay the Ransom? Organizations will have legal issues if they pay a ransomware demand. Since the federal government considers payments to be funding for criminal entities, they will react swiftly. Fines range from a few thousand dollars to millions — often more of a financial hit than the initial ransom. In addition to fines, law enforcement agencies could hand a case over to the Department of Justice. They also can take the noncompliant organization to court, where financial and reputational penalties will be much more severe. Further, if the government finds a business went out of its way to cover up a ransomware payment, it may find it criminally liable. Criminal penalties are much more severe and — depending on the specifics — could even result in jail time. What Should Organizations Do Instead? Instead of paying the ransom, organizations should contact the relevant authorities. The 2022 Strengthening American Cybersecurity Act (SAC) states all critical national infrastructure organizations must disclose ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) or face penalties. If the victim pays a ransom, the timeline shrinks to 24 hours. in less than 72 hours However, CISA’s presence is only the first step. They should also contact The Department of Homeland Security, OFAC’s sanctions and compliance evaluation department, and the FBI’s cyber task force. These agencies deal with ransomware attacks all the time and know the best way to handle them. Ignoring Ransomware Demands Is the Best Approach Most companies panic when they realize an attacker has locked their data behind a malicious paywall. Still, meeting their demands is one of the worst approaches. While an organization may receive security and privacy fines once it goes to law enforcement, it avoids having to pay hundreds of thousands for violating IEEPA, TWEA, or the Strengthening American Cybersecurity Act.

The is an opinion piece based on the author’s POV and does not necessarily reflect the views of HackerNoon.

What Are the Legal Implications of Paying Ransomware Demands?

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

10 Common Scams Targeting Healthcare Workers

3 Cybersecurity Priorities for 2021: Threat Fatigue; Remote Work; Budget

2gether compensates for its crypto cyber-attack losses

3 Simple Upgrades to Improve SMB Cybersecurity

3 Steps Retailers Should Take to Prevent Holiday Data Breaches

10 Common Scams Targeting Healthcare Workers

3 Cybersecurity Priorities for 2021: Threat Fatigue; Remote Work; Budget

2gether compensates for its crypto cyber-attack losses

3 Simple Upgrades to Improve SMB Cybersecurity

3 Steps Retailers Should Take to Prevent Holiday Data Breaches

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps