New Brainstorming Groups on FRCP Rule 5.2(a) & Legality of Ransomware Payments under U.S. Law

Brainstorming Groups - Overview

(1) Rule 5.2(a) of the Federal Rules of Civil Procedure

WG11 is forming a new brainstorming group to assess whether it’s time to update Rule 5.2(a) of the Federal Rules of Civil Procedure, and, if so, whether a WG11 drafting team should be formed to develop guidance on how Rule 5.2(a) should be updated. Currently, in almost all circumstances, Rule 5.2(a) requires that parties in federal court proceedings redact from filings: 1) all but the last four digits of a social security number or taxpayer ID number; 2) the date and month of an individual’s birth; 3) a minor’s name (substituted with their initials); and 4) all but the last four digits of a financial account number. However, in the almost fifteen years since Rule 5.2 was adopted, multiple federal and state statutes have been enacted that prohibit the public disclosure of numerous other data elements not currently captured by Rule 5.2(a). Given these changes in the legal landscape and the global rise of security incidents, is an update to Rule 5.2(a) overdue? Or should parties in litigation continue to rely more on sections (d) and (e) of Rule 5.2 to reach agreement on the scope of redaction and sealing to provide sufficient protection on a tailored basis for each case? The brainstorming group should consider whether a drafting team, if formed, would be likely to reach consensus on the scope of individual data elements that should be included in an updated Rule 5.2(a).

(2) When are ransomware payments illegal under current U.S. law?

WG11 is forming a new brainstorming group to explore the development of a legal standard and/or factors by which to determine whether a threat actor to whom one is considering making a ransomware payment either is itself, or is acting for the benefit of, an organization/entity listed on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), such that making a ransomware payment to that threat actor would be prohibited.

The International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) make it illegal, “for any person in the United States, except with the license of the President . . . to trade, or attempt to trade, either directly or indirectly, with, to, or from, or for, or on account of, or on behalf of, or for the benefit of, any other person, with knowledge or reasonable cause to believe that such other person is an enemy or ally of enemy [i.e., is an organization/entity listed on the SDN List], or is conducting or taking part in such trade, directly or indirectly, for, or on account of, or on behalf of, or for the benefit of, an enemy or ally of enemy [i.e., an organization/entity listed on the SDN List].” A violation of these laws can result in civil and/or criminal penalties.

Unfortunately, there is currently no legal authority that guides the determination of whether a security threat actor that is demanding a ransomware payment is itself listed, or, even if not listed, is nonetheless acting for the benefit of an entity that is listed, on the SDN List. As a result, ransomware victims and the organizations that assist them in communicating with such threat actors are left to guess at the answers to these questions and are at risk of violating the law if they guess wrong. They therefore have little independent third-party guidance in determining whether their ransomware payment to a specific threat actor violates the law. The lack of clarity has also led to differing conclusions as to whether a specific threat actor is listed, or acting on behalf of someone else who is listed, on the SDN List.

WG11 seeks to leverage its diverse membership of legal, technology, and threat intelligence experts to create a brainstorming group to consider whether WG11 should seek to develop an independent standard and/or factors that would provide guidance on this issue. The brainstorming group will be expected to evaluate how issues of this sort have been handled in other legal contexts and draw from those contexts in developing any standard or factors for consideration.

Brainstorming Groups - Member Expectations

Brainstorming group members will be expected to actively participate in regularly scheduled phone conferences to brainstorm on work product ideas. Members will also be expected to participate in the drafting of a detailed outline that allows a subsequent drafting team to prepare work product consistent with standards of The Sedona Conference.

Brainstorming Groups - Selection

In order to apply for the brainstorming group(s), you must be a member of WG11. If you are interested in applying for the brainstorming group(s), but are not yet a member of WG11, please become a member by signing up for a Working Group Series (WGS) membership. Once a WGS member, one is eligible to take part in the activities of all Working Groups, including WG11. If you have any questions about how to sign up for a membership or encounter any difficulties while doing so, please contact our office at [email protected] or +1(602) 258-4910.

In order to be considered for the brainstorming group(s), please provide separate answers to each of the questions below, and submit to Michael Pomarico at [email protected] no later than COB EST on Thursday, February 17, 2022. Please be brief when answering the questions – no more than 50 words per answer to a question. When applying, please note which brainstorming group(s) you are applying for. If you are applying for both brainstorming groups, please be sure to answer the fourth question for each brainstorming group.

  • (1) What is your profession and expertise?
  • (2) How many years of experience do you have?
  • (3) What organization do you work for?
  • (4) What qualifications or experiences make you particularly qualified to serve on this brainstorming group, and why?

Announcement Date: Friday, February 4, 2022