The statistics maintained by the FBI indicate that between 2018 and 2019 there has been a 37% increase in reported ransomware attacks. In light of the fact that these are the reported cases, it is likely that this increase has been higher. Most recently, high profile businesses such as the Colonial Pipeline have been become the target of these attacks.
Many businesses have taken the position that paying the ransom as a matter of business practice is less expensive than potentially losing data, decreased productivity and potential harm to their reputation. This analysis, however, overlooks several important factors.
On October 1, 2020, the Department of the Treasury released an advisory opinion on potential risks for facilitating ransomware payments. The Treasury Office of Foreign Assets for Control stated that companies who facilitate ransomware payments to cyber criminals on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensic and incident responses, only serve to encourage future ransomware attacks. Moreover, these facilitators may risk violating regulations promulgated by the Office of Foreign Asset Control.
By way of definition, ransomware is malicious software that is utilized to block access to a company’s computer system or data. The criminals demand a ransom payment in exchange for a key to decrypt the files and restore access to the systems or data. In addition to encouraging future hacks, the victim paying the ransom risks not receiving the key to decode the computers. The victim is relying on the word of a criminal in exchange for money.
An additional area of concern for the federal government is that the ransomware payment may be utilized by foreign actors for the purchase of arms or other elements that jeopardize the security of the United States. Under various laws enacted in the United States, including but not limited to, the International Emergency Powers Act (IEPA) and the Trading With the Enemy Act (TWEA), there is a prohibition against dealing with entities from certain regions or countries. Since the location of of most of the ransomware attackers are unknown, these laws can be easily broken and sanctions apply.
Companies as well as their financial partners and insurers are encouraged to contact the appropriate government agency including the Federal Bureau of Investigation Cyber Task Force, the United States Secret Service Cyber Fraud Task Force or Homeland Security Investigation Field Office before paying any such ransom. In light of the fact that these cybercrimes are increasing in frequency as well as the amounts being requested, it is likely that more laws will be enacted and investigations will continue.
In light of the Colonial Pipeline allegedly huge payment, experts believe that it is now more likely that rather than merely provide an advisory opinion, stronger laws to sanction the payers of ransom may be enacted. In any event, prior to issuing such payments, it is prudent to contact any insurer and computer expert to help mitigate any damages. The current prediction is that the Colonial Pipeline payment will result in many more such high profile hacks as well as many more not so high profile attacks.
Joan Cerniglia-Lowensen is a Member with Pessin Katz Law, P.A. (PK Law). She has over twenty five years of civil litigation experience throughout the State of Maryland in both state and federal courts. Prior to becoming an attorney, Ms. Cerniglia-Lowensen was a registered nurse achieving both a BSN and a MS with a major in nursing. As an attorney, she primarily practices in the health care defense field. She defends nurses, doctors, veterinarians, dentists, healthcare providers, healthcare facilities, mental healthcare workers, urgent care facilities and nursing homes in medical malpractice matters; professional liability and tort claims; and disciplinary actions before various regulatory boards. She provides risk management advice to a variety of healthcare entities, insurers and individuals and continuing education to healthcare workers and entities; and has been published in both journals and texts on issues of risk management and liability of healthcare professionals. She also defends individuals and entities in a variety of civil litigation matters. She can be reached at 410-339-6753 or firstname.lastname@example.org.