payment to try to determine whether the payment will go to a person or entity subject to sanctions promulgated by the US government. Since cybercriminals are almost universally anonymous and cannot be easily identified in any way, such a search may be unavailing. Anyone demanding payment of a ransom is, by definition, a criminal. That does not mean that they are on a relevant sanctions list, however. For example the developer of ransomware software may be an OFAC target but the software has been sold to others who seek to profit by its use but are not themselves under sanction. Where an inquiry does not immediately show that the recipient is such a person or entity, the payor should not decide that all is well. Documenting all that is known about the recipient may help justify the decision to make a payment.
Second, any cybercrime, including ransomware, should be reported to relevant government agencies, certainly including the FBI and other federal departments depending on the circumstances. The OFAC advisory includes contact information for several federal agencies that may be able to help. If nothing else, reporting can avoid or lessen civil penalties if ultimately the company finds no alternative to paying a ransom.
Third, good backups and other technological solutions can minimize the impact of a ransomware attack.
When ransomware has frozen or limited a company’s activities, hearing that a payment cannot be made to a bad actor because of this OFAC guidance will provide no comfort to the victim. This advisory adds yet another challenge to what is already often the most stressful experience to befall a company’s management. To my knowledge, OFAC has not yet publicly announced sanctions against anyone related to payments made in response to ransomware demands, but we can expect that this will change. Stay tuned for news and guidance once these penalties begin to be enforced.
 Amanda Cialkowski is an FDCC Defense Counsel Member and along with FDCC Defense Counsel Member Sean Griffin, are both Co-Chairs of the FDCC’s Data Breach & Cyber Insurance Substantive Law Section.
Amanda is a Shareholder and Chair of the Product Liability & Complex Torts at Nilan Johnson & Lewis in Minneapolis, MN. Contact her at: acialkowski@nilanjohnson.com.
Sean is a Partner with the Dykema law firm in Washington, DC. He is also an IAPP Certified Information Privacy Professional (CIPP/US), helping clients establish and maintain data security, respond to data breaches, and litigate privacy cases. Contact him at: sgriffin@dykema.com.
       Insights SPRING2021 87