Should Companies Pay Data Hacking Ransoms?
11 Jul, 2016
Kidnapping in the 21st century has taken a new form – companies’ valuable data. Hackers gain access to data through a company’s server or emails and either threaten to disclose it – known as data ransoming – or make it inaccessible with ransomware, a type of malware that can quickly infiltrate and lock down a server. And companies are now paying exorbitant amounts of money to get it back.
Data hacking is cheap and you can do it from a different country, so there are few risks for the people involved,” explains Karl Kronenberger, Partner at Internet-focused law firm Kronenberger Rosenfeld. “For companies, the first solution is to have state-of-the-art technology defences, which involves getting experts to look at your network, analysing it for risks of intrusion and educating employees.
In addition to securing their networks, it’s essential that companies back up their data and store it in multiple locations and formats. In cases of ransomware, Mr. Kronenberger explains that having a backup gives companies more negotiating power and protects them from being forced to pay hackers out of necessity. With few legal solutions currently available, being proactive against hackers is the best strategy.
Mr. Kronenberger, who represented three individuals in relation to the widely publicized anonymous theft, following a ransom demand, of private consumer data from the adultery website and dating service, Ashley Madison, answers the question – should companies pay data hacking ransoms?
Why prohibiting or discouraging companies from paying ransoms is one of the best-but least likely-solutions for data hacking.
The career of a data ransomer is entirely dependent on the willingness of victims of theft to pay money in exchange for the return of their property. In fact, market forces dictate the average breaking point for victims, which is a financial demand that is just high enough for a victim to refuse to pay, as well as the sweet spot for ransomers, which is the range from zero dollars up to the point where the average victim will refuse to pay. Thus, if all victims act together and uniformly reject to pay any money at all to ransomers, then all data ransoming will end, and the scourges of data ransoming will be permanently out of business, assuming data ransomers act like rational economic actors and stop their theft and ransoming if there is no way to make money from it.
Unfortunately, the self-interests of individual victims, and the business interests of business victims, is much more powerful than these victims’ interests in helping future victims by refusing to pay a ransom. When data is held ransom, it can result in damages in the thousands to tens of thousands per day for victims. And the ability to obtain the return of the ransomed data, for amounts that are often much less than the losses that would otherwise be suffered by holding out, is almost always the best business decision.
There are also certain industries where paying ransoms may be even more compelling. For example, if a hospital’s data is encrypted and held ransom, then it’s not just hospital profits that factor into the decision-making, but it’s the impact on patients, especially if vital patient data needed for treatment is encrypted.
How financial regulations and other actions by governments may be a solution.
One way to decrease the incentives for businesses to pay ransoms is for governments to institute sanctions regimes that prohibit companies from paying ransoms. The potential financial sanction will factor into the economic decision-making of any business that has received a ransom demand, which may result in the less costly route being resorting to a backup in lieu of paying a ransom, even if the backup is days or weeks old.
If governments can identify individuals or governments that are involved in making ransom demands, governments can place restrictions on money transfers to these individuals or governments. For example, the US Treasury’s Office of Foreign Assets Controls could put restrictions on any money transfers to known data ransomers.
Generally raising the transaction costs for all the parties in data ransoming transactions will, in the end, discourage persons from engaging in this practice.
Essentially, what solutions are navigable.
In the short term, the best solution is for businesses to maintain backups that are kept in real time or virtually in real time, and that will not be subject to encryption malware. In the longer term, the best solution is concerted action by victims of data ransoming, perhaps incentivized through government sanctions regimes.
(Source: Kronenberger Rosenfeld)