A Safe Harbor for Ransomware Payments: Protecting Stakeholders, Hardening Targets, and Defending National Security

79 Pages Posted: 30 Aug 2021 Last revised: 6 May 2022

See all articles by Amy Westbrook

Amy Westbrook

Washburn University School of Law

Date Written: December 1, 2021

Abstract

Ransomware attacks have become common. Victims range from small municipalities to non-profits to giant multi-national corporations. These attacks disable the victim’s cyber-systems and may result in financial losses, data leaks, business failures, and, in some cases, even loss of life. The hackers may be lone actors or infamous cyber-gangs; they may be hostile foreign countries or non-state actors such as terrorist groups.

Most victims pay the ransom. But payment does not guarantee the recovery of data as promised. In addition, payment transfers value to criminals and may jeopardize national security.

In an effort to cut off financial flows to the hackers, several U.S. agencies have targeted ransomware payments. Both the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) have issued advisories emphasizing the potential liability for ransomware victims (and those assisting them) who pay prohibited persons or transmit funds without the required procedures.

This Article argues that the threat of legal liability for ransomware victims who pay the ransom, with no positive incentive, is unlikely to improve cybersecurity or even to stop payments. In fact, such threats may be counterproductive if they lead victims to conceal attacks. Instead, this article suggests the creation of a safe harbor for ransomware payment that (i) enables the victim and those who assist the victim to pay when necessary (protecting stakeholders), but that also (ii) deters attacks (hardening targets) and (iii) facilitates interdiction of attacks that do occur (defending national security).

Suggested Citation

Westbrook, Amy, A Safe Harbor for Ransomware Payments: Protecting Stakeholders, Hardening Targets, and Defending National Security (December 1, 2021). New York University Journal of Law and Business, Vol. 18, No. 2, 2022, Available at SSRN: https://ssrn.com/abstract=3899370 or http://dx.doi.org/10.2139/ssrn.3899370

Amy Westbrook (Contact Author)

Washburn University School of Law ( email )

1700 College Avenue
Topeka, KS 66621
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
217
Abstract Views
756
rank
196,172
PlumX Metrics