Cyber-Extortion: Duties and Liabilities Related to the Elephant in the Server Room

43 Pages Posted: 13 Jan 2007 Last revised: 4 Apr 2015

Date Written: January 8, 2007


This is a comprehensive analysis of the legal frameworks related to cyber-extortion - the practice of demanding money in exchange for not carrying out threats to commit harm that would involve a victim's information systems. The author hopes it will catalyze an urgently needed discussion of relevant public policy concerns.

Cyber-extortion has, by all accounts, become a common, professionalized and profit-driven criminal pursuit targeting businesses. 17% of respondents in a recent survey indicated having received a cyber-extortion demand. An additional 13% of respondents were not sure if their business had received such a demand.

Awareness of the risks of cybercrime has spread. Advancements have been made in the field of cyber-security. Furthermore, statutes, regulations and recent FTC settlements have begun to articulate a minimum standard of care that businesses should maintain with regard to the security of information systems. Yet not all businesses have taken readily available precautions.

To complicate matters, cyber-extortions often involve a threat to commit a harm using hijacked networks of computers owned by other businesses. Thus, an analysis specifically dedicated to cyber-extortion is required because of the unique web of liabilities that may arise from a typical cyber-extortion scenario.

This article first reviews the available means for prosecuting or recovering damages from a cyber-extortionist. The article then considers the duties and potential liabilities of businesses that are victims of cyber-extortion. For example, an extortionist may follow through on a threat to disclose or sell private customer data, resulting in the targeted enterprise being liable to its customers. However, a victimized business could conceivably be able to recover damages against a business that failed to take adequate steps to secure its information systems, such that its systems became the tools of the crime. This article reviews current trends and possible theories for recovering damages in such a scenario.

This article has a companion piece - Cyber-Extortion: The Elephant in the Server Room - which was co-authored with Dr. Timothy Shea, Associate Professor of Management Information Systems at the Charlton College of Business at UMass Dartmouth. The companion piece is currently under review but is also available on That article describes in greater detail the phenomenon of cyber-extortion, explores why attorneys are apparently the last to know when their clients are the victims of cyber-crime and recommends proactive steps that attorneys may take to prevent or mitigate the impacts of cyber-extortion.

Keywords: cybercrime, extortion, cyber, crime, online, damages, duty, liability, downstream

Suggested Citation

Sulkowski, Adam J., Cyber-Extortion: Duties and Liabilities Related to the Elephant in the Server Room (January 8, 2007). Available at SSRN: or

Adam J. Sulkowski (Contact Author)

Babson College

231 Forest St.
Babson Park, MA 02457-0310
United States

