Updates to Chapter 15
Ransomware: To Pay or Not to Pay?
UPDATES TO THE SECOND EDITION
15.6 Civil Litigation Arising from Ransomware Incidents
Lawsuits by Business Customers. POC USA LLC v. Expeditors International of Washington Inc., No. 2:23-cv-01816 (W.D. Wa. Apr. 11, 2024) illustrates the potential for B2B litigation arising out of a ransomware incident. Plaintiff entered into a contract with defendant to warehouse and distribute plaintiff’s products. When defendant suffered a ransomware attack, it allegedly refused to pay and instead shut down most of its operating systems. According to the complaint, defendant did not provide services to plaintiff for almost 90 days. Plaintiff sued, claiming economic loss from failure to deliver products for those 90 days plus the loss of customers to competitors. At the motions stage, defendant did not challenge plaintiff’s breach of contract claim. On a 12(b)(6) motion, defendant won some and lost some:
Defendant moved to dismiss plaintiff’s breach of implied duty of good faith and fair dealing claim by arguing there was no specific contractual provision obligating it to protect plaintiff from cyber-attacks but only to upkeep shipment management services. “This is obtuse,” said the court. “Defendant chose and operated the computer systems the ransomware breached. Defendant presented itself as having competent security and networks for plaintiff to rely on. … Drawing all inferences in Plaintiff’s favor at this stage, the Court finds Plaintiffs have sufficiently alleged that Defendant breached its implied duty of good faith and fair dealing to upkeep a safe, reliable, and working software system.”
On the other hand, the court dismissed claims of negligence and gross negligence, because they were duplicative of plaintiff’s contractual arguments and because there were only allegations, at most, of omissions or nonfeasance and no allegation of misfeasance that might have created a special relationship or an enhanced duty of care under Washington state law.
The court also dismissed a bailment claim, finding that defendant is not a professional bailee. The court also concluded that plaintiff’s bailment claim was duplicative of other claims. Any bailee/bailor relationship between the parties was created by the parties’ contract, the terms of which governed any bailment duties here over the common law bailment duties and principles.
The court declined to dismiss a claim under the Washington Consumer Protection Act (WCPA), citing multiple cases holding that a failure to employ adequate data security measures that results in harm to customers is sufficient to constitute an “unfair” act under the WCPA.
Finally, the court concluded that plaintiff had sufficiently alleged a claim for unjust enrichment, as an alternative to its express breach of contract claim. (The defendant hurt itself here by arguing that the contract did not cover security; if that turned out to be the case, the court reasoned, then unjust enrichment was available.)
_____________________________________________________________________________
ARCHIVED UPDATES TO THE FIRST EDITION, INCORPORATED INTO THE SECOND EDITION
Limitations under IEEPA and TWEA
On September 21, 2021, the Department of the Treasury’s Office of Foreign Assets Control added the virtual currency exchange SUEX (aka Successful Exchange) to its list of Specially Designated Nationals for its part in facilitating financial transactions for ransomware actors. As a result of the designation, all property and interests in property of SUEX that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with the entity. Financial institutions and other persons that engage in certain transactions or activities with a sanctioned entity may expose themselves to sanctions or be subject to an enforcement action. The designation, while the first of a cryptocurrency exchange, will surely not be the last designation of an entity in the ecosystem of ransomware payments.
At the same time, OFAC also released an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. The Advisory differed from the October 2020 version in two respects: First, the 2021 version states, in a way that the 2020 version never did, that the U.S. government “strongly discourages all private companies and citizens from paying ransom or extortion demands.” Second, the revised advisory states:
Meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide, will be considered a significant mitigating factor in any OFAC enforcement response. Such steps could include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.
The 2020 guidance had stated that, under OFAC enforcement guidelines, the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider when determining, in the event of an apparent violation of U.S. sanctions laws or regulations, an appropriate enforcement response (including the amount of civil monetary penalty, if any).
That point is still in the revised guidance, but the quoted language above signals an additional consideration: that OFAC is less likely to fine an entity if it had good cybersecurity practices. Even well-defended entities may fall prey to ransomware, OFAC recognized, but the office is more likely to punish those that have lax cybersecurity practices, get hit, and then pay ransom to a sanctioned entity.
The updated Advisory emphasized the importance of reporting ransomware attacks to appropriate U.S. government agencies and the nature and extent of a subject person’s cooperation with OFAC, law enforcement, and other relevant agencies:
While the resolution of each potential enforcement matter depends on the specific facts and circumstances, OFAC would be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter) when the affected party took the mitigating steps described above, particularly reporting the ransomware attack to law enforcement as soon as possible and providing ongoing cooperation.
In October 2021, the Treasury Department issued sanctions compliance guidance for the virtual currency industry. The guidance, which is not specific to ransomware, is based on the proposition that “OFAC sanctions compliance obligations apply equally to transactions involving virtual currencies and those involving traditional fiat currencies.” Accordingly, members of the virtual currency industry subject to U.S. jurisdiction, “including technology companies, exchangers, administrators, miners, wallet providers, and users,” are responsible for ensuring that they do not engage, directly or indirectly, in transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade- or investment-related transactions. In cybersecurity terms: virtual currency entities must take risk-based steps to ensure that their services are not used to send or receive ransomware payments involving sanctioned persons or countries. “Such compliance programs generally should include sanctions list and geographic screening and other appropriate measures as determined by the company’s unique risk profile.” The guidance notes that, in 2018, OFAC began including certain known virtual currency addresses as identifying information for persons listed on the SDN List. “Moreover, OFAC’s inclusion of virtual currency addresses on the SDN List may assist the industry in identifying other virtual currency addresses that may be associated with blocked persons or otherwise pose sanctions risk, even if those other addresses are not explicitly listed on the SDN List. For example, unlisted virtual currency addresses that share a wallet with a listed virtual currency address may pose sanctions risk because the sharing of a wallet may indicate an association with a blocked person.”
SAR guidance: On November 8, 2021, the Financial Crimes Enforcement Network (FinCEN) updated and replaced its October 1, 2020 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments. The new guidance lists twelve financial red flag indicators of ransomware-related illicit activity, intended to assist financial institutions in detecting, preventing, and reporting suspicious transactions associated with ransomware attacks. The guidance reminded the industry that a financial institution is required to file a suspicious activity report (SAR) if it knows, suspects, or has reason to suspect a transaction conducted or attempted by, at, or through the institution involves or aggregates to $5,000 (or, with one exception, $2,000 for money services businesses) or more in funds or other assets and involves funds derived from illegal activity, or attempts to disguise funds derived from illegal activity; is designed to evade regulations promulgated under the Bank Secrecy Act; lacks a business or apparent lawful purpose; or involves the use of the financial institution to facilitate criminal activity. Reportable activity can involve transactions, including payments made by financial institutions, related to criminal activity like extortion and unauthorized electronic intrusions that damage, disable, or otherwise affect critical systems. SAR obligations apply to both attempted and successful transactions.
Another risk of paying: Monetary payments to foreign terrorist organizations may be considered material support under 18 U.S.C. § 2339B.
Good overview on OFAC and ransomware: John Reed Stark, An OFAC Compliance Checklist for Ransomware Payments, Law360 (Feb. 2, 2021).
Mandatory Notice of Ransomware Payments
The Cyber Incident Reporting for Critical Infrastructure Act of 2022, adopted in March 2022, requires critical infrastructure entities to report ransom payments in response to ransomware attacks to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 24 hours. 6 U.S.C. § 2242(a)(2). The requirement does not take effect until after CISA issues a final rule, and it has 24 months to issue a notice of proposed rulemaking, so it could be some time before the law takes effect.
Bans on Payment of Ransom
In November 2021, North Carolina became the first jurisdiction to ban ransomware payments. The ban, limited to state and local government entities, including the University of North Carolina, prohibits even communicating with the ransomware attacker:
(a) No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident on an information technology system by encrypting data and then subsequently offering to decrypt that data in exchange for a ransom payment.
N.C. Gen. Stat. § 143-800, added by 2021 N.C. Sess. Laws 180, s. 38.13-a, effective 11/18/2021.
In Pennsylvania, SB 726 (2021) would prohibit use of State and local taxpayer money or other public money to pay an extortion attempt involving ransomware, except where the governor has made a declaration of a disaster emergency and authorized the payment. The bill was approved by the Pennsylvania Senate in January 2022 and referred to the House.
In New York, Senate Bill S6806A would ban ransomware payments by public agencies, health care entities, and businesses. On February 1, 2022, the bill was reported out of one Senate committee and referred to another.
Last updated: April 15, 2024.
Photo: “The Allegory of Good Government,” by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.