Ransomware attacks have become an increasingly common threat for businesses of all sizes, and it is essential for your business to have a plan in place for how to respond if your organization is ever targeted. During the ransomware attack, among the most critical decisions that your business will have to make is whether or not to pay the ransom that the attackers are demanding.
The choice is a difficult one. Although paying the ransom may seem like the easiest way to get your data back and resume normal business operations, the answer is unfortunately not so simple. There are many practical and legal factors you need to consider.
First, it is not guaranteed the malicious actor will honour the arrangement. In regular business disputes, when a contracting party breaches a contract, you generally have three options: (1) negotiate; (2) sue the other side in court; or (3) buy a nice wine and forget about the experience. However, in the ransomware context, the malicious actor is usually very difficult to find. If the actor is practically untraceable, then it will be difficult to negotiate with them or sue them in court. If they decide not to give back the information, or if they subsequently ask for more money, Liam Neeson will not be hunting them down for you.
Second, paying the ransom incentivizes attackers to continue their criminal activities. Paying also creates the risk that your business will get a reputation as being “the one” that will “pay up.” Such a reputation would make your business a more attractive target for future attacks.
Third, there is the issue of legality. Paying a ransom may violate laws and regulations in your jurisdiction, which would lead to legal and financial consequences down the line. Paying ransoms to certain individuals and groups on sanctions lists would violate economic sanctions laws. For example, consider the recent Indigo ransomware incident where Indigo stated that it has not, to date, paid the ransom because it could not receive assurance that the payment “would not end up in the hands of terrorists or others on sanctions lists.”
Fourth, assuming the attacker will honour the arrangement, assuming they took your information off your business’ servers and are offering to “return it,” you don’t necessarily know what information you will get back when they return it to you. The information may include additional malicious code that will allow them to breach your business’ systems again in the future.
Additionally, you could receive the confidential or proprietary information of other businesses (such as your competitors), which, depending on the circumstances, could increase the risk of subsequent litigation. For example, depending on the factual circumstances, the businesses that owned the confidential or proprietary information could claim misappropriation of trade secrets, or the government could even hypothetically claim receipt of stolen property.
In regard to personal information held by your business, if the ransomware attack objectively gave you no reason to believe any personal information was taken, depending on the jurisdiction, you may have no breach notification requirements. However, if you pay the ransom and receive information back that gives you notice personal information was taken, then your breach notification obligations may be triggered.
Lastly, if you have cyber insurance (which I hope you do), some cyber insurance policies prohibit paying ransoms as a condition of coverage. Therefore, paying a ransom could result in your insurer denying your claim, leaving your organization responsible for the cost of the incident. With that being said, other cyber insurers may provide you coverage to pay the ransom, depending on certain criteria. Some may even offer coverage to pay the ransom in cryptocurrency.
What’s your best course of action?
Be proactive and defend your business’ informational technology and operational technology assets. For example:
- Have a robust backup and recovery plan. If your business regularly backs up your data and stores it in a secure offsite location, you can ensure that you can recover your files quickly and easily if your systems become compromised. Remember the 3-2-1 rule: Back up three copies of your information in two different formats, with one copy stored off-site.
- Educate your business’ personnel to watch for and report suspicious activity and to have an incident response plan that rapidly enables your business to identify, contain, eradicate, and recover from security incidents.
- Keep all assets up to date with the latest security patches.
Importantly, when (not if) you have a ransomware attack (or any security incident), among your first calls should be your lawyer. As lawyers, we help organize your incident response, ensure attorney-client privilege applies, and provide support remediation.
If you have any questions related to this Article’s content, you may reach out to any lawyer in Siskinds’ Privacy, Cyber & Data Governance Team. You can also reach out to the author, Savvas Daginis—a Canadian and American Business, Technology, and Privacy Lawyer—at [email protected] if you have any questions.