The Increasing Risks and Prohibitions Associated With Paying a Ransom After a Ransomware Attack

Bibliographic Details
Published in: Computer and Internet Lawyer, Vol. 40, no. 8, pp. 3-4
Main Authors: Boyd, Alexander D; Shuler, Kayleigh S; Peel, Jessica L
Format: Trade Publication Article
Language: English
Published: Frederick: Aspen Publishers, Inc., 01.09.2023
Summary: In 2021, the FBI received 3,729 complaints of ransomware, representing only a portion of the overall ransomware threat landscape.[1]

EXISTING RISKS FOR MAKING OR FACILITATING A RANSOMWARE PAYMENT

The FBI, not surprisingly, does not advise organizations to pay criminals their ransom demands because the payment contributes to a criminal enterprise, does not guarantee that an organization will regain access to its data and may incentivize more attacks. [...] there is typically minimal legal benefit to paying a ransom because payment does not eliminate an organization's potential notification obligations under applicable data breach notification laws. The North Carolina law also goes a step further and prohibits government entities from even communicating with ransomware groups.[2] Government entities experiencing a ransom request in connection with a cybersecurity incident are also required to notify the North Carolina Department of Information Technology.[3] The applicability of the North Carolina law is broad and includes any "agency, department, institution, board, commission, committee, division, bureau, officer, official or other entity of the executive, judicial or legislative branches of State government" as well as "The University of North Carolina and any other entity for which the State has oversight responsibility."[4] The law's prohibition on communicating with threat actors is notable, as even victims with no desire or need to pay a ransom will often communicate with threat actors to gain information that can aid the forensic investigation (e.g., information about what data was stolen and from what systems) and to buy time to investigate and inform involved individuals before data is leaked. [...] some argue that constraints on the ability to purchase decryption keys will force government entities to take a more proactive and aggressive approach to cybersecurity designed to prevent successful attacks in the first place.
ISSN: 1531-4944