October 16, 2021

Volume XI, Number 289

Department of the Treasury Issues New Advisory Regarding Ransomware Payments

On September 21, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) released its Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (the “Updated Advisory”). The Updated Advisory follows on OFAC’s October 1, 2020 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments and provides additional guidance for companies that may make or facilitate ransomware payments. 

In the first portion of the Updated Advisory, OFAC reiterates the reasons why the U.S. government has strongly discouraged, and continues to strongly discourage, anyone from paying a ransom demanded in a cyber-attack. In particular, OFAC notes that making a ransom payment does not guarantee that a malicious actor will restore a company’s access to its data or refrain from further attacks against the company, and that the availability of payments may encourage malicious actors to perpetrate more attacks. OFAC also highlights that paid ransom money can be used to fund activities adverse to U.S. interests, and that the law prohibits any U.S. person from engaging in a transaction, whether directly or indirectly, with a group or individual on its Specially Designated Nationals and Blocked Persons (“SDN”) List (or other block list). Related to this last point, OFAC reminds readers of its authority to enforce the law through both non-public responses, like issuing a warning letter, and public responses, like imposing civil penalties. OFAC further reminds readers that, in the latter case, penalties can be imposed on a strict liability basis, meaning without regard to whether the company paying a ransom knew (or even had reason to know) that its payment was legally prohibited.

While OFAC has previously expressed its position regarding the payment of ransoms, including reminders that companies who pay blocked individuals or groups risk breaking the law, the Updated Advisory provides some new guidance to those nonetheless making or facilitating payments. Specifically, in the second portion of the Updated Advisory, OFAC describes certain “mitigating” factors it will take into consideration when determining how to respond to an apparently illegal ransom payment. OFAC explains that where these factors are present, it will be more likely to utilize a non-public resolution (like a letter) than a public resolution (like a monetary penalty). OFAC identifies three (3) mitigating factors:

  • First, OFAC will consider a company’s implementation of a regulatory compliance program. The program, OFAC instructs, should be risk-based and account for the possibility that a ransom demand may involve a malicious actor on the SDN or other block list.

  • Second, OFAC will consider a company’s “meaningful steps” to reduce the risk of cyber extortion. Here, OFAC suggests it will look for measures that decrease the likelihood that a company finds itself in a position where it needs to consider paying a malicious actor, such as regularly updating anti-malware software and maintaining offline backups, and points to the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide as a resource for organizations looking to take such meaningful steps.

  • Third, OFAC will consider a company’s decision to self-report a ransomware attack to OFAC, law enforcement, and other regulatory agencies, and to thereafter fully cooperate with any investigation by these agencies. OFAC suggests a company should report an attack and provide all relevant details as soon as possible.

Given the frequency with which ransomware events are occurring and the difficulty of specifically identifying the perpetrator of an attack, organizations should strongly consider following the guidance, including taking meaningful steps to adopt or improve cybersecurity practices. Through improved cybersecurity, an organization can hopefully avoid finding itself in a position in which it feels that it must make a ransom payment. If a payment nonetheless becomes necessary, having taken such steps may make OFAC more likely to forgo a public monetary penalty if it later turns out that the payment was made to a blocked person or entity.

© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume XI, Number 267

About this Author

Michael J. Waters Cybersecurity Attorney Polsinelli Chicago
Shareholder

Michael Waters is an experienced litigator and Co-Chair of the firm’s Privacy & Cybersecurity practice group. He handled one of the first data breach matters shortly after California passed its breach notification law in 2003 and has become one of the country’s leading data breach attorneys. He has counseled thousands of clients across industries through nearly every conceivable type of breach, from system-wide network intrusions and ransomware attacks to situations involving cyber extortion, stolen laptops and computer hardware, ATM skimmers, email compromises, wire...

312-463-6212
Kayleigh S. Shuler Data Privacy Attorney Polsinelli Kansas City
Associate

Kayleigh Shuler is an associate attorney in the Technology Transactions and Data Privacy practice group. Kayleigh advises clients of all sizes and industries on privacy and data security compliance matters, including issues related to the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA) and the European Union’s General Data Protection Regulation (GDPR). As part of that advice, Kayleigh assists clients with...

816-360-4181