Treasury Department Warns of Potential Sanctions to Organizations Paying to Resolve Ransomware Attacks

Nutter McClennen & Fish LLP

Ransomware attacks – cyber attacks in which the hackers encrypt and disable an organization’s computers and demand a ransom to provide the decryption key – continue to hit organizations throughout the country. Perhaps even more worrisome, the size of the ransom demands has grown substantially – multi-million dollar asks are now common – and appear to be based on the attacker's research into how much a particular company can afford to pay.

Organizations (and their insurers) often feel they have no choice but to pay the ransoms to restore their crippled systems, believing that rebuilding their systems (and remaining offline while they do) will cost far more than the amount of the ransom. Yesterday the Office of Foreign Assets Control (“OFAC”) of the Department of the Treasury issued an advisory that will complicate that calculation.

Though paying ransoms is not in and of itself illegal, it is illegal to make any payment to entities or persons on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List). What’s more, despite it being nearly impossible for a victim to know the identity of the person or group attacking it, the Treasury Department warned that “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

To address this danger, the advisory encourages companies to implement risk-based compliance programs in order to mitigate exposure to sanctions-related violations, noting that OFAC will consider whether such a program is in place (as well as other factors) in determining the appropriate response to an apparent sanctions violation.

The Treasury Department is not alone in looking more closely at ransomware payments. Other federal and state agencies have also started questioning how companies decide to make these payments, the notifications they provide to consumers or investors about these kinds of attacks, and the security protocols whose failure may have allowed an attack to occur. Companies need to remain vigilant – before and after an attack – to ensure that they can navigate these rough waters.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nutter McClennen & Fish LLP | Attorney Advertising
