Savvas Daginis, a tech and privacy lawyer with Siskinds LLP, was recently published in Law360.
This article was originally published by Law360™ Canada, part of LexisNexis Canada Inc.
Read the full article below.
Ransomware attacks have become increasingly common and affect businesses of all sizes. When attackers strike, many businesses are faced with a difficult decision – to pay or not to pay? Attackers prey upon the belief that paying the ransom is the best way to get your data back and resume business as usual. However, it is important to consider the practical and legal impacts that remain after a payment is made.
Considerations
First, and most obviously, there is no guarantee your data will be returned to you after payment. Unlike a business deal where parties come to the table ready to negotiate, your attackers will have you right where they want you – stressed and under duress. Also, unlike a business deal, you don’t know who is sitting across from you at the table. In the ransomware context, the attackers are usually very difficult to find or practically untraceable. If you do pay and don’t receive your data back, or if your attackers subsequently demand more money, it is extremely difficult to negotiate with, and indeed to sue, anonymous parties.
Second, paying the ransom incentivizes attackers to continue their criminal activities. On a broader level, if ransomware attacks are profitable, their frequency will increase. On an individual level as well, your business may become the target of continued ransomware attacks if it is known you will pay a ransom when demanded.
Third, paying ransoms can jeopardize the peace of mind that cyber insurance policies are intended to provide. If you pay the ransom, your cyber insurance policy could leave you responsible for the cost of the attack. If you have cyber insurance (which the author strongly recommends), be aware that some policies prohibit paying ransoms as a condition of coverage and will deny your claim if payment is made. Please note that some cyber insurers may provide coverage to assist you with paying the ransom, possibly in cryptocurrency, but certain conditions may apply. It would be best to speak with your insurance broker.
Fourth, is paying the ransom even legal? Paying a ransom may violate laws and regulations in your jurisdiction, resulting in legal and financial consequences for your business. If the identity of your attacker is known, paying the ransom could provide funding to individuals and groups on economic sanctions lists. Consider the recent Indigo ransomware incident, for example. Indigo stated it has not, to date, paid the ransom because it could not receive assurance that the payment “would not end up in the hands of terrorists or others on sanctions lists.”
Fifth, even assuming your attacker will return your data upon payment, you can’t guarantee you will get back exactly what was taken from your business. For example, the returned data could be a trap that includes additional malicious code, allowing the attacker to breach your business’ systems again in the future. Additionally, you could receive the confidential or proprietary information of other businesses (such as your competitors), which could increase the risk of subsequent litigation. For example, the businesses that owned the confidential or proprietary information could claim misappropriation of trade secrets.
Lastly, with regard to personal information held by your business: if the ransomware attack objectively gave you no reason to believe any personal information was taken, then, depending on the jurisdiction, you may have no breach notification requirements. However, if you pay the ransom and receive information back that gives you notice that personal information was taken, your breach notification obligations may be triggered.
How to prevent ransomware attacks
The best offence is a good defence. Be proactive and take measures to secure your business’ technological assets. For example:
• Have a robust backup and recovery plan. Remember the 3-2-1 rule: Back up three copies of your information in two different formats, with one copy stored off-site.
• Educate your business’ personnel to watch for and report suspicious activity, and have an incident response plan that enables your business to rapidly identify, contain, eradicate and recover from security incidents.
• Keep all assets up to date with the latest security patches.
Importantly, when (not if) you have a ransomware attack (or any security incident), among your first calls should be your lawyer. As lawyers, we help organize your incident response, ensure attorney-client privilege applies and provide support for remediation.