The Sedona Conference and its Working Group 11 on Data Security and Privacy Liability (WG11) are pleased to announce that the Commentary on U.S. Sanctions-Related Risks for Ransomware Payments ("Commentary") has been published for public comment. In the United States, no federal laws have been enacted specifically to limit the payment of cyber ransoms. However, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) has explained that such payments may subject ransomware victims to liability under the Trading With The Enemy Act (TWEA) and/or the International Emergency Economic Powers Act (IEEPA). Generally, those laws prohibit U.S. persons from transacting or attempting to transact with an enemy of the U.S., certain related parties, and specified parties subject to U.S. sanctions or embargoes. OFAC has published two advisories in recent years on the subject of ransomware payments, both of which suggest that U.S. persons may be held strictly liable under TWEA and IEEPA when they make a ransomware payment to a sanctioned person or engage with an embargoed country or region. Contrary to OFAC’s advisories, TWEA and IEEPA and their regulations do not impose a strict-liability standard in all cases where a victim makes a ransomware payment to a threat actor on the Specially Designated Nationals and Blocked Persons list. However, OFAC’s interpretation of these statutes and regulations as imposing a strict-liability regime creates substantial uncertainty and unnecessary chilling effects when victims are forced to make ransomware payments. 
The Commentary aims to address this uncertainty through: (1) engaging in a thorough analysis of TWEA and IEEPA, OFAC’s recent guidance, and the purported strict-liability standard; (2) proposing a Framework for assisting organizations in identifying the source of an attack and likely recipient of a ransom, and evaluating organizations’ level of risk from OFAC if the organizations elect to pay; and (3) providing suggestions for a more reasoned basis for determining circumstances under which a ransomware payment might be made without the threat of OFAC sanctions.

The Commentary is open for public comment through September 23, 2024. Questions and comments may be sent to [email protected]. The drafting team will carefully consider all comments received and determine what edits are appropriate for the final version.

The Sedona Conference Working Group 11 on Data Security and Privacy Liability

The mission of Working Group 11 is to identify and comment on trends in data security and privacy law, in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and damages.

To become a member of The Sedona Conference Working Group Series (WGS) and WG11, please visit our membership page.