Despite your best efforts, you have been hit by ransomware. You are locked out of your system, and you can provide no services to your customers, clients or patients. From a business perspective, you need to get your system unlocked so you can get back to work. But, from a legal perspective, what should you do?
PAYING THE RANSOM
Recent changes in the law have made one option – paying the ransom – significantly more complicated, and those who choose this route may actually find themselves in legal trouble. First, the federal government has been threatening to go after ransomware victims who pay ransoms for violations of federal money laundering, money transfer and international sanctions laws. Second, states are actually prohibiting entities (both municipalities and some private companies) from paying ransom to get their data restored. For victims, this can mean both excess time without the ability to access your data and paying millions of dollars in damages or restoration costs rather than a more modest payment of ransom to the threat actor.
Effective July 1, 2022, Florida became one of an increasing number of states that banned the payment of ransom in certain circumstances. Florida Stat. 282.3186 specifically provides that
“A state agency … a county, or a municipality experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.”
This is similar to the laws in North Carolina, Pennsylvania, Texas and Arizona (HB 2145) and the proposed law in New York, all of which have either banned, or seek to ban, the payment of ransom in ransomware cases. Some of these laws apply only to state or municipal agencies (including public hospitals), but others, like the one proposed in New York, would apply to any business or health care entity.
In addition, a proposed federal law, the Ransomware and Financial Stability Act of 2021, 117 H.R. 5936, would prohibit any U.S. financial institution from making a ransomware payment in excess of $100,000 without authorization from the Treasury Department. Federal law also requires critical infrastructure companies to notify the government within 24 hours if they have made a ransomware payment. The laws also prohibit…