YOU’VE BEEN HACKED: SHOULD YOU (OR YOUR INSURER) PAY THE RANSOM?

By Brian J. Lamoureux | June 30, 2021 | Cybersecurity

It’s 4:00 p.m. on a Friday. You get a text message from a colleague saying they can’t log into their email. Then others start texting you with a similar message. Your IT person reports that there’s unusual activity on your computer network and they’re having trouble remoting into the system. An hour or so later, you get the weekend-ruining news: your systems have been hacked, and the hackers are demanding a ransom in Bitcoin to give your files back.

What you do next largely depends on the nature of your business, whether you have recent backups of your critical files, and whether you have cybersecurity insurance (which almost all businesses should). The specifics of a proper ransomware response are outside of the scope of this article and will vary widely depending on the circumstances of each attack. Here, we focus on the single critical question: should you (or your insurer) pay the hackers the ransom they are demanding?

Unsurprisingly, the answer is, “It depends.” Most likely, your business is not in a financial position to pay the six- or seven-figure sums demanded by the hackers, so you rely upon your insurer for advice and guidance. Naturally, you would probably be very much inclined to tell your insurer to “do whatever it takes” to get access to your systems back. But it’s not that simple, especially in light of recent guidance from the United States Department of the Treasury.

That guidance warns businesses that have been victimized by ransomware attacks to carefully consider whether they or their insurers should pay ransom to hackers. Putting aside the obvious ethical issues associated with continuing to fund bad actors who do bad things, the government wants businesses and insurers to know that directly or indirectly facilitating payments to hackers may violate federal law and regulations if it turns out that the ransomware payments were made to groups or individuals on the government’s “Specially Designated Nationals and Blocked Persons List.” In other words, if the government subsequently learns that you or your insurer made a payment to a person or entity on this list, you may face legal consequences even if you did not know that the recipient of the payment was on the list. (Helpfully, however, the government notes that if you promptly consulted with law enforcement before making any ransomware payment, it will consider that consultation a mitigating factor in your favor.)

Does this mean that your insurer should never pay ransom? No, because, again, the complexities associated with that question vary widely with the facts and circumstances of each ransomware attack. If a business believes it may have experienced or is experiencing a ransomware attack, it should promptly contact its insurer, a qualified cybersecurity expert, competent legal counsel, and perhaps law enforcement to determine the best path forward.

In any cybersecurity incident, a business is often faced with many bad options. The key is to pick the approach that allows the business to continue to operate while minimizing any potential legal fallout as much as possible. This may or may not include paying the ransom demanded. If you have questions and would like further information or a review of your organization’s cybersecurity policy, please contact PLDO Partner Brian J. Lamoureux at 401-824-5155 or email bjl@pldolaw.com. Attorney Lamoureux is a member of the firm’s litigation, employment, and cybersecurity teams.


Disclaimer: This blog post is for informational purposes only. This blog is not legal advice and you should not use or rely on it as such. By reading this blog or our website, no attorney-client relationship is created. We do not provide legal advice to anyone except clients of the firm who have formally engaged us in writing to do so. This blog post may be considered attorney advertising in certain jurisdictions. The jurisdictions in which we practice license lawyers in the general practice of law, but do not license or certify any lawyer as an expert or specialist in any field of practice.

Brian J. Lamoureux is a Partner with Pannone Lopes Devereaux & O'Gara LLC and a member of the Employment Law, Cyber Law, Litigation and Corporate & Business Teams. He is also Practitioner Faculty in Management (Business Law) at Providence College, his alma mater.

His extensive practice areas include complex commercial litigation, employment law, construction law, social media law, and creditors' rights. In addition to being an accomplished business litigator, he has developed into a nationally recognized voice on cutting-edge legal issues relating to social media. He is a frequent presenter, published author, and broadcast commentator on the topic and regularly appears on WPRI-TV, NBC10 and NECN-TV, the nation's largest 24-hour regional news network. His recent newspaper columns and articles include "Social Media Privacy Law Impacts Employers," "Should Employees Use Facebook at Work?," "Privacy Rights Being Tested in the Digital Age," "Digital Age Hiring Process Filled With Danger," "Texting in the Workplace? Dangers Abound," "Email Privacy Not a Guarantee in Workplace," and "Worry About Workplace Prejudice? Clean Up." Mr. Lamoureux's work has also been published in the Providence Business News and Rhode Island Lawyers Weekly.

He successfully briefed and argued before the First Circuit Court of Appeals in a case confirming a surety's rights to indemnification. He was lead counsel in a successfully resolved certified class action regarding the demutualization of an insurance company before the U.S. Bankruptcy Court for the District of Rhode Island, and served as trial co-counsel in one of the largest defense jury verdicts in the Federal District Court in Massachusetts.

Mr. Lamoureux has been honored for his achievements by the Providence Business News and was selected as a member of its 2011 Class of "40 Under Forty."

He earned his J.D., magna cum laude, from the Syracuse University College of Law, where he was a member of the Syracuse Law Review and Moot Court Honor Society. At the same time, he received a Master of Public Administration from the Maxwell School of Citizenship and Public Affairs. He also holds a Master of Arts degree in Political Science from the University of Rhode Island, where he was a teaching assistant in American Government and International Relations, and a B.A. in Political Science, cum laude, from Providence College.

Prior to joining PLDO, Mr. Lamoureux was a litigation partner in a large international AMLaw 200 firm. He is admitted to practice in state and federal courts in Rhode Island and Massachusetts, and is qualified to serve as a receiver in Rhode Island Superior Court. Mr. Lamoureux is also admitted to practice before the U.S. Supreme Court. To reach Attorney Lamoureux, please call 401-824-5100 or email bjl@pldolaw.com.