New WG11 Drafting Teams – Ransomware Payments and Pandemic Response

Drafting Teams – Overview

  1. Ransomware Payments

The Trading With The Enemy Act (TWEA) and International Emergency Economic Powers Act (IEEPA) prohibit U.S. persons from trading or attempting to trade with an enemy or ally of an enemy of the United States. A violation of these laws can result in civil and/or criminal penalties. But there appears to be a conflict as to whether strict liability applies to a violation of the law. The TWEA states that the violator must have “knowledge or reasonable cause to believe that [the party on the other side of a transaction] is an enemy or ally of enemy, or is conducting or taking part in such trade, directly or indirectly, for, or on account of, or on behalf of, or for the benefit of, an enemy or ally of enemy.” 50 U.S.C. § 1705 (emphasis added). In contrast, the IEEPA does not include similar “knowledge or reasonable cause to believe” language. Additionally, liability under the IEEPA appears to be limited to a violation of a specific order or regulation issued pursuant to its grant of authority. See 50 U.S.C. § 1705. Many of those orders and regulations do not have a specific mens rea requirement. Current OFAC guidance disregards the inconsistency and the IEEPA’s limited application.

The drafting team should consider whether, and under what circumstances, ransomware victims and organizations that assist them are subject to strict liability under the legislation in question. The drafting team should analyze OFAC’s guidance in light of the potential contradictory language between the TWEA and the IEEPA, and the IEEPA’s limitation to orders and regulations issued pursuant to the IEEPA’s grant of authority. Based on this analysis, the drafting team should discuss the deference OFAC’s guidance should be afforded in the context of enforcing either the TWEA or the IEEPA against an entity that made a ransomware payment.

Additionally, the drafting team will explore the development of a model framework or test by which a court can determine whether a threat actor to whom one made an extortion or ransomware payment either was itself, or was acting for the benefit of, an organization/entity on OFAC’s SDN List, and whether one had knowledge or reasonable cause to believe that fact, such that the party making a ransomware payment to that threat actor would be legally liable for having made that payment. In addition to being of value to courts and litigants in the context of efforts to enforce these statutes and the regulations thereunder, such a framework or test would help parties that are considering making an extortion or ransomware payment evaluate their risk of being found to have violated these statutes and such regulations by so doing.

In carrying out this mandate, the drafting team should evaluate how issues of this sort have been handled in other legal contexts and draw from those contexts in developing any standard or factors for consideration.

  2. Impact of Pandemic Response on Global Privacy

In response to the COVID-19 pandemic, governments and private companies around the globe collected significant amounts of personal information including health and tracing information in the name of public health. The response has engendered significant controversy, with some asserting that privacy protections and personal freedoms have been unduly and too quickly sacrificed in support of public health initiatives, and others arguing that privacy laws in some cases unduly hampered common sense solutions. In addition to the challenges arising specifically from the pandemic, these circumstances highlight more generally the potential conflict between privacy rights and other public goods that can arise in the context of health emergencies and other types of crises that require immediate government intervention and government/private sector collaboration to solve.  

Following the work of a brainstorming group that explored these topics, WG11 has determined that it will move forward with the formation of a drafting team to prepare a Commentary addressing this subject.  The Commentary, which will focus primarily on the United States, will explore the conflict between privacy interests and government and private entity efforts to solve the pandemic including in the context of vaccine passports, contact tracing, and other areas where such conflicts arose.  Topics that may be addressed in the Commentary include:  (1) whether current privacy and public health laws provide an adequate framework for resolving conflicts between public health aims and privacy concerns; (2) what steps should be taken to mitigate the long-term impact of any undue sacrifices to privacy protections during the pandemic response; (3) what steps should be taken to mitigate privacy risks in the context of public-private partnerships to promote use of technology in response to a health crisis.  The Commentary may also explore broader themes of the conflict between privacy and public interest in the event of a crisis/emergency, drawing on lessons from the pandemic, and identifying an approach or framework that could help mitigate such concerns.

Drafting Teams - Member Expectations

  • Drafting team members are expected to make the following commitments:
    • Total time commitment is 12-15 hours per month, including actual drafting, review and drafting team meetings
    • Drafting team members are expected to regularly participate in drafting team meetings – drafting team leaders will take attendance for all meetings, and track meeting participation and contributions during drafting team meetings
    • Drafting team members will be expected to draft or assist in drafting portions of the document and/or perform research as needed – drafting team leaders will track contributions to the drafting and/or research
    • Drafting team members are expected to review all team drafts that are circulated, and comment and edit as necessary
  • It is critical that all team members are active, engaged participants in the drafting efforts, in order to produce high-quality work product in a limited timeframe. If the participation requirements outlined above are not something that you can commit to at this time, we recommend that you postpone pursuing a spot on a drafting team until you are able to make these commitments. There will be more WG11 drafting efforts in the near future. Additionally, we will likely have more well-qualified, well-rounded applicants than we have spaces available for this drafting team. As a result, we may have a ranked waiting list. If during the drafting effort, a team member is not able to maintain the commitment required of team members, we will replace that member, if necessary.

Drafting Teams - Selection

In order to apply for the drafting team, you must be a member of WG11. If you are interested in applying for the drafting team, but are not yet a member of WG11, please become a member by signing up for a Working Group Series (WGS) membership. Once a WGS member, one is eligible to take part in the activities of all Working Groups, including WG11. If you have any questions about how to sign up for a membership or encounter any difficulties while doing so, please contact our office at [email protected] or +1(602) 258-4910.

As the drafting team will only have 8-10 members, the Steering Committee will need to be very selective. All WG11 members, however, will have a chance to review and comment on the draft that the team produces.

Factors in Drafting Team Selection

  • Expertise
  • Years of Experience
  • Participation on the corresponding brainstorming group
    • Did you join, and contribute to, the preceding brainstorming group?
  • Balance
    • As we work to achieve consensus-based documents, it is important that a wide range of perspectives and backgrounds are represented. Accordingly, in selecting drafting team members the Steering Committee will work to ensure these perspectives are fairly represented. Please keep in mind, however, we do not seek differing perspectives so that one may advocate on behalf of a particular perspective or constituency. We seek differing viewpoints, backgrounds and experiences in order to build a consensus-based document that is beneficial to all stakeholders
    • Perspectives we seek to have represented on the drafting teams include, among others:
      • In-house counsel
      • Outside counsel
      • Counsel for consumers
      • Jurists
      • Regulators
      • Technologists
      • Experts
      • Corporate decision-makers
      • Service providers
    • Should you ultimately not be selected for the drafting team, it may simply be the result of too many applicants representing a particular perspective, and not at all based on a lack of qualifications

In order to be considered for the drafting team(s), please provide separate answers to each of the questions below, and submit to Michael Pomarico at [email protected] by Wednesday, August 24, 2022. Please be brief when answering the questions – no more than 50 words per answer to a question, please. When applying, please note which drafting team(s) you are applying for. If you are applying for both drafting teams, please be sure to answer the fourth question for each drafting team.

  1. What is your profession and expertise?
  2. How many years of experience do you have?
  3. What organization do you work for?
  4. What qualifications or experiences make you particularly qualified to serve on the drafting team, and why?
Announcement Date: Tuesday, August 9, 2022