A law firm may now advise a client to pay a ransomware demand, and then both the law firm and the client organization face a federal conviction, with penalties of a fine of up to $1,000,000 or twice the ransom for each organization.
Individuals participating in the transaction (including the client's officers and the law firm's members or employees) may also face individual fines of up to $250,000 each and imprisonment of up to 20 years. The Office of Foreign Assets Control (OFAC) has regulations that will require all of the above plus forfeiture: "Any property, funds, securities, papers, or other articles or documents, or any vessel, together with its tackle, apparel, furniture, and equipment, concerned in a violation of TWEA may upon conviction be forfeited to the United States Government." 31 CFR 501.701 Penalties (Code of Federal Regulations, 2020 Edition).
Read on for more gory details on how laws with initials you never saw and regulations from a body you never knew existed have changed everything you knew about ransomware criminals and the ease of just giving in and getting the awkward situation behind you. Many situations turned on "let's just make the pain stop, and I'll beef up cyber security before the next attack." This reasoning may not work anymore for clients or their law firms. Paying more for cyber protection in advance sounds less expensive when compared with saving your organization but then reading reports from the federal prison library for the next 20 years as you serve your sentence.
Prosecutors seeking enforcement only of civil penalties do not have to show your intent to violate OFAC's Enforcement Guidelines, because there is strict liability. Knowledge of the applicable law(s) or regulations is not required.