
Alston & Bird Privacy, Cyber & Data Strategy Blog


OFAC Ransomware Advisory Warns Companies of Potential Civil Liability

October 2, 2020 By Alysa Austin and Privacy, Cyber & Data Strategy Team

Yesterday, October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued its “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.” The advisory begins with the observation that “ransomware attacks have become more focused, sophisticated, costly, and numerous,” citing certain FBI statistics. It then makes clear what was already well known to experienced practitioners: making or facilitating ransomware payments to entities designated by OFAC risks civil penalties. The advisory lists several perpetrators of ransomware attacks that OFAC has previously listed. Importantly, OFAC may impose civil penalties for sanctions violations based on strict liability, “meaning that a person may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

The advisory describes some of the factors OFAC generally considers under its Economic Sanctions Enforcement Guidelines to determine an appropriate response to an apparent violation, including the amount of civil monetary penalty, if any. These factors include “the existence, nature, and adequacy of a sanctions compliance program.” Generally, OFAC encourages companies “to implement a risk-based compliance program to mitigate exposure to sanctions-related violations” that “account[s] for the risk that a ransomware payment may involve an [OFAC-listed] person, or a comprehensively embargoed jurisdiction.” Importantly, the advisory explicitly notes that OFAC will consider “a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement” and its “full and timely cooperation with law enforcement both during and after a ransomware attack” as “significant mitigating factor[s]” in determining possible and appropriate enforcement outcomes.

OFAC’s advisory applies to ransomware victims as well as to companies “involved in facilitating ransomware payments on behalf of victims,” such as “cyber insurance, digital forensics and incident response, and financial services” companies, including “depository institutions and money services businesses.” These companies may also have regulatory obligations under Financial Crimes Enforcement Network (FinCEN) regulations. FinCEN issued its own ransomware advisory contemporaneously with OFAC’s. The FinCEN advisory is the subject of a separate blog post.

While companies may apply to pay ransom to listed entities, the advisory warns that such applications “will be reviewed by OFAC on a case-by-case basis with a presumption of denial.” The advisory encourages companies “to contact OFAC immediately if they believe a request for ransomware payment may involve a sanctions nexus.”

For further information please contact your attorney on the Alston & Bird Privacy & Cybersecurity Team.

Filed Under: Advisories, Cyber Risk, Cybersecurity, Data Security, Digital Crimes, Enforcement, Financial Privacy, Privacy

About Alysa Austin

Alysa Austin is an associate with Alston & Bird’s Privacy & Data Security Team and advises clients on cybersecurity compliance, breach investigations and response, online procedures and policies, and vendor contracts.


Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.