The data that property management companies collect can be extremely valuable on the black market, and with ransomware attacks becoming increasingly common, it’s even more important to manage this risk.
Disclaimer: The information supplied in this article is for educational purposes only. The purpose of this information is only to provide food for thought. There is no intention to give, and nothing written here should be taken as, legal advice. The information provided in this article is general in nature and is not intended to address a specific legal issue.
A ransomware attack is one of the most debilitating cyberattacks that an organization can face. Ransomware is a form of malicious software (“malware”) designed to block access to computer systems or data. Used to extort ransom payments from victims in exchange for access to an internal system or data, ransomware attacks have halted operations of some of the country’s most prominent companies—and the frequency of such attacks (and the sums demanded) is only growing.
Ransomware attacks can start anywhere in an organization. A typical scenario unfolds like this: Employer, Inc. hires John Employee. Employer, Inc. is in the business of providing consumer goods. John Employee receives an email on his work computer and opens a malicious attachment that installs malware. Employer, Inc. suffers a ransomware attack on its network, which stops production of the consumer goods. The hackers now demand that Employer, Inc. pay $400 million before it can resume production. Employer, Inc. is faced with a decision: Should they pay the ransom?
These scenarios are becoming more common. More companies are now paperless, and their data is increasingly stored in the cloud. Employees can work remotely and access the company’s information from several devices. Remote work is also more common today due to the pandemic.
Companies have begun to recognize the implications of ransomware attacks and the importance of data protection. The multifamily housing industry is particularly attractive to bad actors because of the type of data that is collected from residents. From social security numbers to credit cards to birthdates, the data that property management companies collect can be extremely valuable on the black market.
However, deciding whether to pay a ransom after an attack can be a complicated matter. Companies must balance several considerations, including whether paying the ransom might violate federal regulations or expose the business to sanctions enforcement by the Office of Foreign Assets Control (OFAC).
Multiple Considerations
OFAC, a subdivision of the United States Department of the Treasury, is tasked with administering and enforcing economic and trade sanctions based on U.S. foreign policy and national security goals. Generally, U.S. businesses are prohibited from conducting business with entities or persons that appear on the Specially Designated Nationals and Blocked Persons List (SDN List) or other lists maintained by OFAC. The SDN List is updated frequently on OFAC’s website in a searchable format. The scope of prohibited conduct is broad and can include providing “funds, goods, or services” for the benefit of targeted entities. Prohibited conduct may also include renting a unit to someone on a list maintained by OFAC, hiring an employee or entity on a list maintained by OFAC, importing or exporting physical materials to or from someone on a list maintained by OFAC, and in some cases paying a ransom to a group that has taken your data hostage. Penalties for violations can be steep. Under the enforcement guidelines in the appendix to the rule (Appendix A to Part 501, Title 31 (B)(a)(1)), the civil penalty for even a non-egregious case can be capped at an amount that exceeds $100,000.
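Because the SDN List is published in a machine-readable form, a first-pass screening of a prospective ransom payee (or a prospective resident or vendor) can be automated before the matter goes to counsel. The script below is an added illustration, not NAA or OFAC tooling; its SDN_SAMPLE entries are constructed for the example and are not real list content, and the 0.85 match threshold is an assumption. It normalizes names so that accents, punctuation, word order and corporate suffixes do not hide a match, then reports fuzzy hits. A hit is a reason to escalate, not a determination that a party is sanctioned.

```python
"""Screen a counterparty name against a local copy of a sanctions list.

Added example, not NAA's or OFAC's own tooling. SDN_SAMPLE is constructed
for illustration and is NOT real OFAC data; a production run would load
OFAC's published SDN file into the same (name, aliases) shape instead.
"""
import difflib
import re
import unicodedata

# Constructed sample entries in (listed name, [aliases]) form; not real list content.
SDN_SAMPLE = [
    ("EXAMPLE CYBER CRIME GROUP", ["EXCCG", "Example Cybercrime Group LLC"]),
    ("IVANOVA, MARIYA", ["Maria Ivanova"]),
]

# Corporate suffixes and stop words that carry no identifying value (assumed set).
_NOISE_TOKENS = {"llc", "ltd", "inc", "the"}


def normalize(name: str) -> str:
    """Fold accents to ASCII, drop punctuation and noise tokens, and sort the
    remaining tokens so "Ivanova Mariya" and "MARIYA, IVANOVA" compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9 ]", " ", folded.lower())
    tokens = [t for t in cleaned.split() if t not in _NOISE_TOKENS]
    return " ".join(sorted(tokens))


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between the normalized forms of two names."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def screen(query: str, entries=SDN_SAMPLE, threshold: float = 0.85):
    """Return (score, listed_name, matched_on) tuples at or above the
    threshold, best match first. An empty list means no candidate hit."""
    hits = []
    for listed_name, aliases in entries:
        for candidate in [listed_name, *aliases]:
            score = similarity(query, candidate)
            if score >= threshold:
                hits.append((round(score, 3), listed_name, candidate))
    hits.sort(reverse=True)
    return hits


if __name__ == "__main__":
    for payee in ["Example Cyber-Crime Group, LLC", "Mariya Ivanova", "Acme Property Management"]:
        result = screen(payee)
        status = "ESCALATE TO COUNSEL" if result else "no candidate match"
        print(f"{payee!r}: {status} {result}")
```

The token-sort normalization is what catches transposed surname/given-name order and punctuation variants, which exact-string lookups miss; the threshold trades false positives against false negatives and should be tuned and documented with counsel rather than guessed.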
OFAC has provided guidance on what to do if faced with a ransomware attack. In “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” from the Department of the Treasury, OFAC asks companies to “account for the risk that a ransomware payment may involve an SDN or blocked person or a comprehensively embargoed jurisdiction.” OFAC’s guidance also states that a company should make a “self-initiated, timely, and complete report” to law enforcement following a ransomware attack. Interestingly, OFAC’s advisory suggests that such reporting may be considered a mitigating factor “in determining an appropriate enforcement outcome” if sanctions become necessary.
While OFAC is one consideration when deciding whether to pay a ransom after an attack, there are many others. For instance, ransomware operators typically promise to restore access to the encrypted systems or data once the ransom is paid. But in some cases they never intend to do so, even after payment. The first ransom payment might be the beginning of a prolonged extortion scheme. Some cybersecurity professionals argue that ransoms should not be paid at all. Many of these experts also agree that paying a ransom incentivizes other bad actors to join in on the ransomware game.
Response Planning
The National Apartment Association (NAA) suggests working with in-house legal and risk-management teams, and if needed, outside legal counsel to discuss a cyberattack response plan. Legal counsel can assist in several ways. For example, they can:
- Help balance the risks and benefits of paying a ransom
- Help consider what possible legal implications exist if you do decide to pay a ransom
- Help ensure full compliance with data privacy laws in other areas of your business such as employment and resident screening; and
- Help determine whether an SDN search is needed and provide guidance on what to do if a match is found in the search.
By working with in-house legal teams, risk management and outside counsel, you can develop forward-thinking data protection and OFAC compliance policies. It is best to be prepared in advance for a cyberattack such as ransomware. Consider what your plan is now and review the strategy with your team. With a response plan in place, you will be better able to protect your company.
Brittany Wood and Mark Russell Jr. are NAA Staff Attorneys.