To pay or not to pay: that is the question. Your business may be caught in a real Catch-22 when it comes to dealing with ransomware. On one hand, you need to keep the business running and do what is in the best interest of the investors; on the other, you do not want to unknowingly violate federal law. As more businesses turn to online systems to conduct business during Covid-19, ransomware attacks have increased greatly, and such attacks have the ability to cripple transactions. Ransomware is software that blocks access to data and requires the user to make a ransom payment to be able to access and recover their own data. The Department of Treasury has recently issued advisory memos regarding ransomware payments, as these payments could ultimately be going to individuals and countries who are sanctioned under U.S. federal law. Because these laws impose penalties based upon strict liability, an innocent business that makes such a payment can be held civilly liable even if it did not know that the entity receiving the payment was prohibited. The links below provide contact information for the U.S. Department of Treasury in the event you become a victim of a ransomware attack.

https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory%20Ransomware%20FINAL%20508.pdf

Derek Luster

Attorney at Law