Criminal admissibility of ransom payments in ransomware attacks under Austrian Criminal Law

As digitalization continues, companies and their managers face a new challenge: cybercrime. Ransomware attacks, in which sensitive data is encrypted and only released against ransom payments, have become a serious threat. The question of whether companies can or should pay a ransom payment is not only an economic consideration, but also raises questions of criminal and liability law. The following article examines the criminal law aspects of ransom payments, including the possible criminal offenses that can be fulfilled by such a payment, as well as the liability implications for managing directors. In addition, the central role of a lawyer in such decision-making processes and the possibility of filing a criminal complaint are inspected in more detail.

Ransomware attacks

Ransomware attacks are one of the most common forms of cybercrime, in which attackers use malware to encrypt a company’s IT systems and thus make them inaccessible. The data is usually not released until a ransom is paid. These ransom payments pose an immense challenge to organizations: they require not only economic and strategic calculations but also entail significant legal risks.

Not only are the perpetrators of a ransomware attack liable to criminal prosecution, but the victims can also face significant legal risks if they make the ransom payment. The focus here is on the actions of the managing director, particularly with regard to compliance with their duty of care and the difficult balance between limiting potential damage and the associated legal risks. The question often arises as to whether a ransom payment can be regarded as a justified measure to avert major damage to the company or third parties under certain circumstances. A key consideration is whether, and to what extent, the mitigation of damage can provide a legal justification for the payment of a ransom.

Companies are required to develop clear action plans and communication strategies in advance for the event of a crisis, which not only take the legal and economic perspective into account but also minimize any potential negative impact on the company’s reputation. The contact details of trustworthy specialists should also be noted down in advance. After all, in the event of a cyberattack, it is crucial that all decisions can be made quickly and professionally.

Possible criminal offense for ransom payments

  • Offense of embezzlement (Sec 153 of the Austrian Criminal Code, StGB): The offense of embezzlement is committed if someone knowingly abuses their authority to dispose of another’s property or to bind another person, thereby causing a financial loss to that person. Accordingly, there is no offense of embezzlement if the ransom payment is – after weighing up all the advantages and disadvantages – in the interest of the company as a whole. There is no abuse of authority if the decision is based on a comprehensible weighing up of benefits. The question of whether cyber insurance covers the ransom payment must also be considered in the assessment. Finally, the consent of all shareholders prior to the payment of the ransom, as “consent of the person granting the authority”, also excludes an abuse of authority, so that in this case criminal liability for the offense of embezzlement is ruled out. This assessment should be carried out correctly for the specific case before a ransom demand is carelessly paid.
  • Criminal association (Sec 278 StGB): The offense of criminal association is committed when someone founds a criminal association or participates in one as a member. A criminal association is a long-term affiliation of more than two people with the aim that one or more of its members commit one or more felonies. If ransomware attacks are perpetrated by a criminal association, a ransom payment could be regarded as “participation” in the form of a financial contribution to the criminal association, provided there is corresponding intent.
  • Terrorist association (Sec 278b StGB) and financing of terrorism (Sec 278d StGB): Criminal participation in such an act requires that the victim of the ransomware attack knows that the payment of the ransom demand will go to a terrorist association or that the ransom demand is dedicated to the commission of a terrorist offense. As a rule, this can only be affirmed if the cyber attackers reveal a corresponding connection.

Justification and excuses

If one of the above-mentioned offenses is fulfilled by making a ransom payment, criminal liability may nevertheless be excluded by a ground of justification or excuse. From a criminal law perspective, either the justifiable state of emergency or the excusable state of emergency (Sec 10 StGB) can be considered:

In contrast to self-defense, the justifiable state of emergency also allows interventions in the legal interests of uninvolved third parties. The legal interest that is to be saved must clearly be of a higher value than the impaired legal interest. In addition, only the least intrusive means of defense may be chosen. In the case of ransom demands, the value of the encrypted data or data obtained by the perpetrators and other possibilities for recovering the data as well as the threatened conduct in the event of non-payment must be taken into account.

In practice, the excusable emergency (Sec 10 StGB) is the most relevant for ransom payments. In order for a criminal act to meet the requirements of an excusable emergency, it must have been committed in order to avert an imminent and substantial disadvantage. In addition, the excuse only applies if the damage caused by the defensive act is not disproportionately more serious than the disadvantage to be averted and no other behavior could have been expected from a reasonable person in the position of the perpetrator who is committed to the legally protected values.

In general, this classification requires a qualified and detailed legal assessment by experts.

Business Judgement Rule and ransom payments

In addition to the criminal law assessment of ransom payments, the question of liability also arises as to whether a ransom payment is in the interests of the company and to what extent a managing director can be held liable. The Business Judgement Rule is of central importance here, as it enables an assessment of the managing director’s decision-making behavior. The decisive factor is whether the managing director has fulfilled his duty of care and acted in accordance with the diligence of a prudent and conscientious businessman.

A managing director or Management Board member acts in accordance with the due care and diligence of a prudent businessman if he is not guided by extraneous interests when making a business decision and may assume, on the basis of appropriate information, that he is acting for the benefit of the company (Sec 25 para 1a of the Austrian Act on Limited Liability Companies (GmbHG); Sec 84 para 1a of the Austrian Stock Corporation Act (AktG)).

In particular, the advantages and disadvantages of a ransom payment must be carefully examined, weighed up and documented accordingly. As the Business Judgement Rule offers considerable scope for discretion and interpretation, its application in exceptional circumstances such as a cyberattack should be carefully reviewed by experts in order to minimize potential risks for the managing director and the company.

The role of the lawyer

When deciding whether a company should pay a ransom after a cyberattack, it is advisable to consult an experienced cybercrime lawyer. The cyberattack, which is often perceived as a disaster, has not only strategic but also legal dimensions by which many companies are understandably overwhelmed.

A specialized lawyer can assess the criminal and liability risks of the ransom payment and provide an expert opinion on which the company can rely. They can also help to carefully assess the long-term consequences of a ransom payment – such as potential liability risks or reputational damage – and integrate them into the overall crisis management strategy.

Criminal charges against the perpetrators and private party connection

Whether a company reports a cyberattack with a ransom demand is an important decision that should be made as early as possible. In principle, there is no general obligation for victims of a crime to report it to the criminal prosecution authorities. However, there may be a duty of disclosure for the acting bodies of the company: In the context of manager liability, the management is obliged to avert damage to the company and pursue claims. The necessary clarification of the facts of the case cannot usually be completed without the involvement of the prosecution authorities. In addition, many insurance conditions for cyber insurance policies require the facts of the case to be reported (duty of disclosure).

On the other hand, there are other issues to consider, such as potential negative publicity or loss of customers, or the threat of further attacks if a criminal complaint is filed. Based on these and other criteria, management needs to weigh these factors, which often results in strong pressure to press charges.

In practice, the report is usually made in the form of a criminal complaint to the police or a statement of facts to the competent public prosecutor’s office. In order to ensure that the investigators act as quickly as possible, the facts of the case should be presented in writing, in a structured manner and with the relevant written evidence. Civil law claims can also be asserted against the perpetrators as part of a related private party connection. Careful strategic planning, the right timing and the clarification of key legal issues play a decisive role in this context.

Dr. Elias Schönborn
Attorney at Law & Criminal Defense Lawyer

CONCLUSION

The criminal admissibility of ransom payments presents companies with complex challenges that require careful consideration of legal risks and business necessities. In addition to potential criminal liability risks, compliance with due diligence obligations is also key. Preventive measures, legal expertise and transparent decision-making processes can minimize risks and ensure that well-founded decisions are made in the best interest of the company. If you require legal support in this regard, we will be happy to assist you as a professional and discreet partner.