Ransom payment: how it works and its consequences
“They have all our data. Clients will sue us if it is published. Perhaps we should pay…” This is an understandable thought when under the pressure of a ransomware attack.
However, the issue is more complex than it appears.
According to Europol, paying the ransom funds further criminal activity and does not guarantee that the data will be recovered: the success rate cited is around 65%. On the other hand, a categorical refusal to negotiate can mean the permanent loss of critical information if adequate backups (kept offline or immutable, and actually tested for restoration) are not available.
The costs associated with ransomware attacks can be devastating. An emblematic case involves a law firm that, following an attack, lost nearly $700,000 in client billings, on top of an undisclosed ransom. The firm first had to pay the attackers in Bitcoin up front and then negotiate further Bitcoin payments, leaving it in financial difficulty and its staff unproductive for several months.
From a legal perspective, it is important to highlight that in some jurisdictions paying the ransom may itself violate anti-money laundering rules or provisions on the financing of terrorism. In the United States, the Office of Foreign Assets Control (OFAC) has issued an advisory explicitly warning that ransom payments to sanctioned persons or jurisdictions may breach US sanctions law, with potential civil penalties for those who make or facilitate them, regardless of whether they knew of the sanctions nexus.
In Europe there are currently no explicit bans, but the issue is receiving increasing attention from regulators: the European Parliament recently adopted a resolution calling for restrictions on ransom payments in cryptocurrencies to be considered.
Decisions must therefore weigh not only the immediate costs but also the legal, reputational, and ethical implications. This is a question worth settling before finding oneself in an emergency, ideally as part of the firm's incident response plan rather than under pressure from the attackers.
Key takeaways about cybersecurity for law firms
The increasing sophistication of attacks and the evolving regulatory framework compel us to significantly elevate our approach to cybersecurity. This is no longer merely a technical issue to be delegated to IT; it has become a professional responsibility that lies at the heart of our practice.
The next phase of regulatory evolution is likely to bring greater interaction among the various international legal regimes, with attempts to harmonise security standards and breach notification mechanisms. For law firms with international clients, this means preparing to navigate increasingly complex and interconnected compliance requirements. We can also expect security obligations to be strengthened further, particularly regarding the adoption of emerging technologies such as artificial intelligence for anomaly detection and blockchain for certifying document integrity.
Concurrently, we are likely to see a legal evolution towards expanding professional liability in the event of incidents. In this context, it is crucial for us, as legal professionals, to foster a culture of security that permeates all organisational levels, moving beyond the traditionally reactive approach to embrace a proactive strategy grounded in continuous risk assessment.
Absolute security does not exist, but resilience does: the capacity to prevent many threats and to respond effectively to those that manage to breach our defences. In a world where data is considered "the new oil," protecting our clients' information is not only a legal or ethical obligation; it is the very foundation of the trust upon which our profession is built. And, as we well know, trust, once lost, is exceedingly difficult to regain.
Lawyer and professor Marco Martorana
Doctor of Law Gaja Nutini