Ethical, Legal Implications of Paying Ransoms.

Author: Sumner, Phyllis
Position: Ethics Corner

Ransomware has emerged as one of the most virulent cybersecurity risks. In recent years, particularly during the pandemic, ransomware attacks have become more focused, sophisticated, costly and numerous. As ransomware tactics evolve, companies must make strategic and risk-based decisions on whether to engage with threat actors and/or pay the ransom.

According to Sophos, 51 percent of surveyed companies were impacted by a ransomware attack in the last year. By the end of 2021, it is estimated that a business will be targeted by a ransomware attack every 11 seconds, causing up to $20 billion in damage.

How should companies respond to a ransom demand?

They should follow their incident response plan, which should include immediately notifying the legal department at the beginning of a ransomware investigation or upon receiving a ransom demand. Their attorneys should establish a privileged protocol to protect attorney-client privileged communications and attorney work product prepared at the direction of counsel for the purpose of providing legal advice to the company.

Such protocols reduce the risk of exposing critical communications regarding the scope of, and contributing factors to, the security incident, as well as the risks to the company. Otherwise, communications and work product could become discoverable in any subsequent class-action lawsuits or other legal claims brought because of the security incident.

Even if the company has a "no pay" ransom policy, attorneys should review the organization's cyber insurance policy to determine whether it covers a ransom payment and notify the carrier early in the incident. They should consider whether to enter into a common interest agreement with the carrier to protect the privileged nature of the communications. In addition, carriers generally pre-approve ransom payments, which requires certain diligence before any payment is made.

If the company does not have a "no pay" policy, it should have a clear escalation process for decision points concerning payment. The incident response plan should outline the ultimate decision-makers, which may be the executive team or the board of directors. These decision-makers must weigh the risks to the company, including the ability to recover data through other means, reputational damage, potential legal liabilities and ethical considerations.

Organizations should weigh several ethical implications regarding the decision to pay the ransom. For...
