The Hawaiʻi Community College has admitted that it paid a ransom to ransomware actors to prevent the leaking of stolen data of approximately 28,000 people.
So are the institutions that are breached only criminally or civilly liable if the hackers leak protected data? Otherwise, why would they pay the ransom? It seems like they should have some liability because they didn’t safeguard their data properly. I suppose they could be attempting to save their clients’ trust even without a monetary penalty. If the hackers leak the data after being paid, does that matter legally? Does the amount paid or demanded affect how much of a penalty is applied?
As for paying, both the US and the EU deem it illegal. In the US it seems to apply to all businesses; in the EU they have a list of “essential services”. The EU can impose fines; the US seems to discourage it, but only a few states have adopted a law that allows imposing fines over a certain amount paid.
Paying can be part of doing business, especially if the data is related to the business itself and not customer data (most businesses don’t care about customer data). Hacker groups rely on their reputation, so they are likely not to leak if they are paid the ransom. If they were to lose that reputation by leaking the data even after they got paid, nobody would pay anymore and their attacks would stop being effective.