Despite your best efforts, you have been hit by ransomware. You are locked out of your system, and you can provide no services to your customers, clients or patients. From a business perspective, you need to get your system unlocked so you can get back to work. But from a legal perspective, what should you do?
Paying the Ransom
Recent changes in the law have made one option, paying the ransom, significantly more complicated, and those who choose this route may find themselves in legal trouble. First, the federal government has warned that ransomware victims who pay may be pursued for violations of federal money laundering, money transmission and international sanctions laws. Second, some states now prohibit entities (municipalities and, under some proposals, private companies) from paying a ransom to get their data restored. For victims, this can mean both more time without access to their data and millions of dollars in damages or restoration costs in place of a more modest ransom payment to the threat actor.
Effective July 1, 2022, Florida became one of an increasing number of states that ban the payment of ransom in certain circumstances. Fla. Stat. § 282.3186 specifically provides that
“A state agency … a county, or a municipality experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.”
This is similar to the laws in North Carolina, Pennsylvania, Texas and Arizona (HB 2145) and the proposed law in New York, all of which have either banned, or seek to ban, the payment of ransom in ransomware cases. Some of these laws apply only to state or municipal agencies (including public hospitals), but others, like the New York proposal, would apply to any business or health care entity.
In addition, a proposed federal law, the Ransomware and Financial Stability Act of 2021 (H.R. 5936, 117th Congress), would prohibit any U.S. financial institution from making a ransomware payment in excess of $100,000 without authorization from the Treasury Department. Federal law also requires covered critical infrastructure entities to report a ransomware payment to the government within 24 hours of making it (the Cyber Incident Reporting for Critical Infrastructure Act of 2022, whose reporting obligation takes effect under implementing rules). These laws typically also reach so-called “extortionware” payments: a payment made to regain custody of data, to prevent the release of data, to prevent the release of vulnerabilities or exploit code, to prevent disclosure of the fact that an entity has been hacked, or to prevent the release of embarrassing or proprietary information.
Why Prohibit Ransomware Payments?
The purpose of prohibiting ransomware payments relates to the “supply and demand” concern about ransomware. Threat actors attack victims in the hope of being paid; if all victims refuse to pay (or are prohibited by law from paying), the theory goes, threat actors will stop going after these targets. In practice this may not hold, because companies seek the most cost-effective way to restore their data, which can create an incentive to get around the prohibition. For example, when Atlanta and Baltimore were hit by ransomware, the demands were relatively modest: about $52,000 in the case of Atlanta and about $76,000 for Baltimore. Adhering to a policy (not a law) of not paying ransom, both cities attempted to restore their data from backups. In both cases critical municipal functions were disrupted, including law enforcement and health services, and residents were unable to register deeds, liens and other legal documents. To avoid a payment of tens of thousands of dollars, Baltimore lost more than $18.2 million and Atlanta more than $11 million, not counting the damages and losses to those who depend on those municipal functions.
As a practical matter, however, it is unclear whether prohibiting such payments will have much impact on the problem. These crimes are difficult to investigate and prosecute, and laws and regulations such as data security requirements, data breach disclosure requirements and security incident notification requirements often shift the focus away from the threat actors (hackers, organized criminals, state actors and terrorist organizations) and onto the victims of ransomware or extortionware attacks. So, while the victim of any cyber-attack has to understand its own legal risk, it also has a continuing duty of due care to those it does business with (and a duty to disclose certain things to customers).
A Legal Perspective
There’s a lot a company can do before a ransomware incident to protect itself, both technologically and legally. Instances of ransomware have exploded in the past 5-7 years, principally because of the ready availability of pseudonymous cryptocurrency payment systems. Hackers no longer have to steal and sell data: they can threaten to release it (extortionware), or they can simply lock up data or computers (denial of service) and demand payment. Ransomware readiness, as part of an overall security posture, includes anti-phishing training (phishing and credential theft are the largest vectors for the introduction of ransomware), data and network segmentation (so that ransomware cannot spread across an entire enterprise), anti-malware (to catch “known” ransomware), and regular data backup, archival and restoration so that the organization can survive an attack. Backups only help if the attacker cannot reach them, so keep at least one copy offline or immutable and test restoration regularly.
Even where ransom or extortion payments are not prohibited by state or federal law, federal regulation may make it a crime to engage in a financial transaction with certain prohibited persons, entities or countries. Guidance from the Treasury Department’s Office of Foreign Assets Control (OFAC) makes clear that U.S. companies that make payments, including ransom payments, to sanctioned parties are strictly liable for violating the sanctions regime, even if they did not know, and had no effective way to find out, that the payment was prohibited. Despite strict liability, OFAC treats good-faith conduct as a significant mitigating factor: screening the OFAC and other sanctions lists for prohibited “wallets” (digital currency addresses listed on the SDN list), coordinating the response with state, federal or international law enforcement agencies, and cooperating in financial investigations related to cryptocurrency make civil or criminal penalties much less likely. The same is true of the Know Your Customer (KYC) and Anti-Money Laundering (AML) rules enforced by FinCEN, which has issued its own advisory on ransomware payments. The key is to disclose enough to be cooperative, but not so much as to make your company a target for enforcement. Other statutes prohibit certain “funds transfers” except by licensed money transmitters, and may or may not apply to the transfer of cryptocurrency as payment for unlock codes or the return of data.
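One way to implement the wallet-screening step described above, as an added example that is not code from the original article, from OFAC or from any vendor: index the digital currency addresses carried in an sdn.csv-style extract and check a proposed payment destination against it before any funds move. The column layout and the “Digital Currency Address - <CHAIN> <address>” remarks format are assumptions about OFAC’s file, and every name and address in the sample extract is constructed for this example.

```python
import csv
import io
import re

# Constructed extract in the column layout assumed for OFAC's sdn.csv: no header row;
# columns ent_num, SDN_Name, SDN_Type, Program, Title, Call_Sign, Vess_type, Tonnage,
# GRT, Vess_flag, Vess_owner, Remarks; empty fields written as "-0- "; digital currency
# addresses listed in Remarks as "Digital Currency Address - <CHAIN> <address>".
# Every name and address below is invented for this example; none is a real SDN entry.
SAMPLE_SDN_CSV = (
    '10001,"EXAMPLE EXCHANGE LTD","Entity","CYBER2",-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,'
    '"Digital Currency Address - XBT bc1qexample000000000000000000000000000000000; '
    'alt. Digital Currency Address - ETH 0xAbCdEf0123456789aBcDeF0123456789AbCdEf01."\n'
    '10002,"DOE, John","Individual","CYBER2",-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,-0- ,'
    '"DOB 01 Jan 1980; Digital Currency Address - XBT 1ExampleLegacyAddr0000000000000000."\n'
)

ADDRESS_RE = re.compile(r"Digital Currency Address - ([A-Z0-9]+) ([A-Za-z0-9]+)")

# Chains whose addresses are 0x-prefixed hex: EIP-55 mixed case is only a checksum,
# so two spellings of the same hex string denote the same account.
HEX_CHAINS = {"ETH", "ETC", "USDT", "USDC", "BSC", "ARB"}


def normalize_address(chain, address):
    """Canonical form for comparison. Hex addresses fold to lowercase; bech32
    addresses (bc1..., ltc1...) are defined lowercase; legacy base58 addresses
    are case-sensitive and are compared exactly."""
    chain = chain.upper()
    if chain in HEX_CHAINS or address.startswith("0x"):
        return chain, address.lower()
    if address.lower().startswith(("bc1", "ltc1", "tb1")):
        return chain, address.lower()
    return chain, address


def load_sdn_addresses(csv_text):
    """Index every digital currency address in an sdn.csv-style extract,
    keyed by normalized (chain, address) -> list of listing details."""
    index = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 12:
            continue  # malformed or truncated row; skip rather than guess
        ent_num, name, sdn_type, program = row[0], row[1], row[2], row[3]
        remarks = row[11]
        for chain, address in ADDRESS_RE.findall(remarks):
            key = normalize_address(chain, address)
            index.setdefault(key, []).append(
                {"ent_num": ent_num, "name": name, "type": sdn_type, "program": program}
            )
    return index


def screen_payment(index, chain, address):
    """Return the SDN listings matching a proposed payment destination, or []
    if none match. An empty result is not clearance: it only means the address
    is not on this copy of the list."""
    return index.get(normalize_address(chain, address), [])


if __name__ == "__main__":
    sdn = load_sdn_addresses(SAMPLE_SDN_CSV)
    # A different checksum casing of the listed ETH address still hits.
    print(screen_payment(sdn, "ETH", "0xabcdef0123456789abcdef0123456789abcdef01"))
    # An unlisted address produces no hit.
    print(screen_payment(sdn, "XBT", "bc1qunlisted00000000000000000000000000000000"))
```

Treat an empty result as “not listed in this copy,” not as clearance: the list changes frequently, the address in a ransom note is often freshly generated, and OFAC’s guidance also covers payments that reach a sanctioned party through intermediaries, so blockchain analytics from a specialist firm and review by counsel still belong in the process before a payment decision.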
What You Should Do
From a legal perspective, in contemplation of a possible attack, a company should do the following:
- Understand the business and legal risks.
- Make sure the company has adequate data breach, business interruption, critical documents, false personation, kidnap/ransom/extortion and ransomware/extortionware insurance, including first- and third-party coverage, D&O coverage and coverage for regulatory compliance. A ransomware incident is likely also to be a data breach or theft, to involve the presentation of false, spoofed or stolen credentials, to disrupt the flow of data and the company’s normal processes, to harm the reputation of the company and its executives, and to cause the company to breach or fail to perform many of its contractual obligations. Beware policy language that covers only data that is “destroyed” or “damaged,” since the carrier may consider data subject to ransomware to be “inaccessible” but not “damaged.” Read the policies carefully, not only for coverages and exclusions, but also for timing of notifications, who chooses the forensic and legal teams, and which entity is responsible for ransom payment, negotiation and compliance.
- Review force majeure provisions in contracts. If you are the provider, you want to make sure that a ransomware attack is a force majeure which may excuse performance (or timely performance) of contractual obligations if possible. If you are relying on others’ performance, you may want the opposite.
- Ensure that your contracts with vendors, suppliers and others compel them to adhere to a reasonable set of data security requirements (the NIST Cybersecurity Framework is a good place to start) together with rights to audit or ensure compliance. This should include ransomware resilience and response, data backup and recovery.
- Have an effective and tested Disaster Recovery/Business Continuity Plan (DR/BCP). This may mean the difference between surviving a ransomware attack or being out of business.
- Review cloud and SaaS contracts to determine responsibility and liability for ransomware disruptions.
- Establish relationships with data forensics and investigation firms (in addition to cybersecurity firms) whether independent or selected by your insurer. The more these firms know about your infrastructure and procedures before a ransomware incident, the more they can do to help you prevent or survive such an attack.
- Establish a relationship with threat intelligence or other tech companies. There are sophisticated ransomware inoculation procedures and ransomware “hacking” procedures (exploiting vulnerabilities in the ransomware itself) which may provide an alternative to either restoring lost data or paying ransom (Disclaimer: the author is on the Board of Directors of one such company).
- Ensure that your data security, privacy and incident response policies (and your data classification, backup and recovery practices) comply with your regulatory and contractual environment.
- If appropriate, establish a liaison with the relevant law enforcement and regulatory agencies, either directly or through counsel, so that a level of trust exists before an incident. This may include the FBI (for example through the InfraGard program) or other law enforcement agencies, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and Office of Foreign Assets Control (OFAC), and state cybersecurity agencies.
- If you are an SEC reporting company, make ransomware response part of your SEC compliance program and of your public relations/crisis communications plan.
- Ensure that you have competent legal counsel with knowledge of cybersecurity, data privacy, financial regulation, incident response, policy development and ransomware generally on retainer. Remember, a ransomware attack may also be a data breach, which might require notification of customers.
We can expect significant changes with respect to the law of ransomware, including assignment of liability, duties to third parties and, of course, the legality of making ransom payments. In any rapidly changing environment, it is essential that you have competent legal counsel to assist you.
For further questions or clarifications regarding the content of this article, please contact KJK Cyber Security & Data Breach attorneys Mark Rasch (MDR@kjk.com; 301.547.6925) or Brett Krantz (BK@kjk.com; 216.736.7238).