eDiscovery Today by Doug Austin

Commentary on U.S. Sanctions-Related Risks for Ransomware Payments, from The Sedona Conference: Cybersecurity Trends


Yesterday, The Sedona Conference® (TSC) announced that its Commentary on U.S. Sanctions-Related Risks for Ransomware Payments has been published for public comment.

The Commentary on U.S. Sanctions-Related Risks for Ransomware Payments has been released by TSC’s Working Group 11 on Data Security and Privacy Liability (WG11).

In the United States, no federal laws have been enacted specifically to limit the payment of cyber ransoms. However, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) has explained that such payments may subject ransomware victims to liability under the Trading With The Enemy Act (TWEA) and/or the International Emergency Economic Powers Act (IEEPA). Generally, those laws prohibit U.S. persons from transacting or attempting to transact with an enemy of the U.S., certain related parties, and specified parties subject to U.S. sanctions or embargoes.


OFAC has published two advisories in recent years on the subject of ransomware payments, both of which suggest that U.S. persons may be held strictly liable under TWEA and IEEPA when they make a ransomware payment to a sanctioned person or engage with an embargoed country or region. Contrary to OFAC’s advisories, TWEA and IEEPA and their regulations do not impose a strict-liability standard in all cases where a victim makes a ransomware payment to a threat actor on the Specially Designated Nationals and Blocked Persons list. However, OFAC’s interpretation of these statutes and regulations as imposing a strict-liability regime creates substantial uncertainty and unnecessary chilling effects when victims are forced to make ransomware payments.

The 32-page Primer (available here for free download) aims to address this uncertainty through: (1) engaging in a thorough analysis of TWEA and IEEPA, OFAC’s recent guidance, and the purported strict-liability standard; (2) proposing a Framework for assisting organizations in identifying the source of an attack and likely recipient of a ransom, and evaluating organizations’ level of risk from OFAC if the organizations elect to pay; and (3) providing suggestions for a more reasoned basis for determining circumstances under which a ransomware payment might be made without the threat of OFAC sanctions.

The Sedona Conference Commentary on U.S. Sanctions-Related Risks for Ransomware Payments is open for public comment through September 23, 2024. Questions and comments may be sent to comments@sedonaconference.org. The drafting team will carefully consider all comments received, and determine what edits are appropriate for the final version. You know the drill. 😉

So, what do you think? Has your organization made ransomware payments to cyber hackers? If so, I don’t expect you to actually tell me. 😉 Please share any comments you might have or if you’d like to know more about a particular topic.


Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
