LATEST INTELLIGENCE
RANSOMWARE:
TO PAY OR NOT TO PAY?
Is paying a ransom to stop a
Ransomware Attack Illegal?
It may seem odd to some, but it isn’t illegal to pay
a ransomware demand, even though the forced
encryption of someone else’s data and demand for
payment is itself a federal crime under at least the
Computer Fraud and Abuse Act and the Electronic
Communications Privacy Act, as well as many laws
passed by State legislatures.
One might argue that the best way to solve the
ransomware epidemic would be to make it illegal
for organizations to pay. Criminals are naturally
only interested in the payoff, and if that route to
the payday was simply proscribed by law, it would
very quickly lead both to companies exploring other
options to deal with ransomware and, at least
in theory, criminals moving toward some other
endeavour with an easier payout.
The idea of outlawing the payment of
ransomware demands might seem appealing at
first, until you unpack the idea to think how it
would work in practice. Publicly traded companies
have a legal duty to shareholders; public service
companies have legally binding commitments to
serve their communities. A law that threatened
to fine organizations, or perhaps imprison staff,
would be hugely controversial in principle and
likely difficult to enforce in practice, quite aside
from the ethics of criminalizing the victim of a
crime whose sole intent is to coerce that victim
into making a payment.
INTELLIGENTCIO www.intelligentcio.com