
When companies fall victim to a ransomware attack, they face a difficult question: Should they pay the ransom demanded to recover encrypted data, or should they refuse, as recommended by Swiss authorities? Our analysis shows how to make legally responsible decisions, what risks exist, and how companies can weigh up the risks and legal certainty.

Initial situation: Ransomware attacks in Switzerland

Ransomware attacks are among the most pressing cyber risks for companies in Switzerland. Perpetrators encrypt business-critical data and demand a ransom for the release of the decryption keys. According to the Federal Office for Cybersecurity (FOC), such attacks are widespread and often involve the exfiltration and possible publication of sensitive data.

Authorities such as the FOC and international initiatives such as the Counter Ransomware Initiative (CRI) warn urgently about the consequences of such attacks and provide guidance for affected companies. A key recommendation is to never pay the ransom, as payment perpetuates criminal activity, finances further attacks, and offers no guarantee of success.

The challenge for companies

Affected companies face a difficult strategic decision. The authorities clearly recommend not paying the ransom. At the same time, companies must examine all available options to minimize losses, especially if no current or complete backups are available, the data is essential for business operations, and a prolonged outage could have existential consequences.

In such extreme situations, paying a ransom may be considered, although this decision involves risks and is characterized by a high degree of uncertainty.

Legal assessment in Switzerland

A) No general criminal liability

The basic principle is that, under the Swiss Criminal Code (StGB; SR 311.0), paying a ransom is not a criminal offense per se. There is no explicit criminal provision that refers solely to the payment. However, various criminal offenses may still be indirectly applicable, in particular support for a criminal organization (Art. 260ter StGB), support for a terrorist organization or financing of terrorism (Art. 260quinquies StGB), aiding and abetting (Art. 305 StGB) or money laundering (Art. 305bis StGB). As a rule, however, a payment made by the victim directly affected or in their interest is not punishable.

However, a case-by-case examination of the facts is always decisive in criminal law:

  • In particular, in the case of Art. 260ter StGB (supporting a criminal organization), it must be examined whether the payment could be classified as an “act of support.” The prevailing doctrine requires conscious promotion of the organizational structure or activities of the organization. A purely coerced payment to limit damage would not normally meet this requirement, as there is no intention to promote the organization.
  • For criminal liability for terrorist financing, the necessary intention to specifically promote terrorist activities is also lacking.
  • Typically, there is also no aiding and abetting in such cases, as the payment neither thwarts nor hinders prosecution; on the contrary, payment flows, especially in the case of cryptocurrencies, can contribute to the identification of the perpetrators.
  • Money laundering is also generally ruled out, as the ransom money comes from the legal assets of the company concerned or the paying person. Doctrinally, money laundering under Art. 305bis StGB requires that the assets originate from a crime. In the case of a ransom payment, however, there is no prior predicate offense on the part of the paying company. There is, however, critical debate as to whether deliberate participation in the concealment of payment flows (e.g., through structured cryptocurrency transactions) could constitute criminal involvement. Such constellations have not yet been clarified by the highest courts.

It is also worth noting that a ransom payment could also violate national and international sanctions and measures in the fight against terrorist financing or imposed embargoes. The Swiss Embargo Act (Federal Act on the Implementation of International Sanctions, Embargo Act [EmbG], SR 946.231) and the Federal Council ordinances based on it are particularly relevant here, especially in the case of sanctioned states, organizations, or individuals. Paying a ransom to a sanctioned group or a person on a sanctions list can have criminal consequences. Companies are therefore obliged to carry out a careful sanctions screening before making a payment. Failure to do so can have liability and regulatory consequences.

B) Emergency as justification

There is debate as to whether a ransom payment can be justified in the context of an emergency (Art. 17 StGB) or an excusable emergency (Art. 18 StGB), for example to avert an immediate, unavoidable danger to higher-value legal interests such as the existence of the company or the maintenance of critical infrastructure.

Art. 17 StGB requires that there be an immediate and unavoidable danger to an individual legal interest and that the protected interest significantly outweighs the impaired interest. This therefore requires a concrete, case-by-case weighing of interests. Purely economic disadvantages, loss of revenue, or damage to reputation are generally not sufficient for this. Even the mere threat to a company’s market position does not usually carry the necessary weight. If reasonable alternatives are available—in particular, functioning backup restorations or technical recovery measures—these should be used as a priority, even if this means that not all data can be completely restored.

The situation may be assessed differently if the attack endangers fundamental legal interests such as life and limb, or if critical infrastructure is affected, the failure of which would pose a significant threat to public safety. In such constellations, the protected interest may be given significantly greater weight in the weighing of interests.

Art. 18 StGB, on the other hand, concerns excusable emergencies. Here, the act is not justified, but the perpetrator’s guilt is waived or mitigated if, under the circumstances, he could not reasonably be expected to avert the danger in any other way. The decisive factor is not primarily an objective weighing of interests, but the reasonableness of lawful alternative behavior. Even if the requirements of Art. 17 StGB are not fully met, in extreme pressure situations – such as scenarios that threaten one’s existence without realistic alternatives – a mitigating or exculpatory effect under Art. 18 StGB may be considered.

However, it should be emphasized that both provisions must be interpreted restrictively. They do not provide a general “legal basis” for ransom payments, but only apply in exceptional and narrowly defined cases. A blanket reference to economic hardship is generally not sufficient. It should also be noted that legal entities cannot invoke fault-related excuses in the same way as natural persons, so that the practical significance of Articles 17 and 18 of the Swiss Criminal Code must be assessed differently in a corporate context.

Data protection obligations

In practice, ransomware attacks are often not limited to mere data encryption, but are accompanied by prior or simultaneous exfiltration of personal data (“double extortion”). This gives rise to direct data protection obligations under the Swiss Data Protection Act (Federal Act on Data Protection, Data Protection Act [DSG], SR 235.1).

A) Obligation to report to the FDPIC

According to Art. 24 para. 1 DSG, the controller must report a data security breach to the Federal Data Protection and Information Commissioner (FDPIC) if it is likely to result in a high risk to the privacy or fundamental rights of the data subjects. Such a risk may exist in particular if:

  • particularly sensitive personal data (Art. 5 lit. c DSG) is affected,
  • extensive data sets have been compromised,
  • there is a risk of identity theft, discrimination, or financial damage,
  • or sensitive business or employee data is affected.

The report must be made “as soon as possible,” although the law does not specify an explicit deadline. A culpable delay may result in regulatory consequences.

B) Duty to inform affected persons

If necessary, the affected persons must also be informed (Art. 24 para. 4 DSG), in particular if this is necessary for their protection or if the FDPIC so requires. Objective, transparent, and proportionate communication is crucial in this regard. However, uncoordinated or hasty communication can trigger additional reputational or liability risks, which is why a legally coordinated communication strategy is advisable.

C) Criminal and regulatory risks

The revised Data Protection Act provides for criminal provisions (Art. 60 ff. DSG) that are primarily directed against natural persons, in particular in the case of intentional violations of information, disclosure, or due diligence obligations. However, failure to report to the FDPIC in accordance with Art. 24 DSG is not expressly defined as a separate criminal offense. Nevertheless, late reporting or failure to report may have regulatory consequences. Under Art. 51 ff. DSG, the FDPIC has far-reaching investigative and decision-making powers and may, for example, order the adjustment of organizational or technical measures. Failure to report or insufficient reporting may be viewed negatively in the context of an investigation and may be considered an indication of inadequate compliance structures.

In addition, there are potential liability risks: if a data protection breach is not properly handled or documented, this may be considered a breach of organizational duties of care in the event of damage. This can result in civil liability risks for the responsible decision-makers.

D) Technical and organizational measures

Art. 8 DSG obliges controllers and processors to take appropriate technical and organizational measures (TOMs) to protect personal data. In the context of ransomware, this includes in particular:

  • regular and tested backups,
  • network segmentation,
  • multi-factor authentication,
  • access restrictions,
  • logging and monitoring,
  • emergency and recovery plans.

If such measures are lacking or are obviously insufficient, this can have consequences not only under data protection law but also under liability law.

E) Documentation obligation

In addition, a data breach should always be documented in a structured manner. Art. 24 para. 1 DSG requires a comprehensible assessment of whether there is a “high risk” in connection with the reporting obligation. Companies should therefore record which data was affected, which risks were assessed, and why, if applicable, no report was made. Such documentation serves as accountability to the FDPIC and may be decisive in the context of a subsequent investigation. Although failure to document is not expressly defined as a separate sanctionable offense, it can be considered an indication of inadequate data protection organization.

Practical aspects of the decision

A) Prospects of success

Payment does not guarantee that perpetrators will provide the decryption key or refrain from publishing the data. Many perpetrator groups act unreliably or use the payment as further leverage to extort even more money. A strategy based solely on payment is therefore highly risky, both legally and practically.

B) Alternative data recovery

Before making any payment, it is essential to check whether recovery is possible via backups or other technical means. This option has priority from a legal and economic point of view and should be part of a predefined emergency plan.

C) Cyber insurance

Many companies have cyber insurance that provides professional support in the event of an emergency. In individual cases, policies also cover ransom payments, but usually under strict contractual conditions. Insurance coverage does not apply, for example, in the event of violations of international sanctions or legal obligations.

D) Negotiation options

Practical experience shows that targeted and professional negotiation can reduce the amount originally demanded. This illustrates that negotiation strategies can be an important tool for minimizing damage, provided they are structured and carried out with the appropriate expertise. Such an approach also buys valuable time to give law enforcement agencies a head start in investigating the perpetrators.

Recommendations for companies

Immediately after an attack is discovered, rapid initial measures are necessary:

  • Damage limitation: Infected systems should be removed from the network immediately.
  • Identification of infected systems: Log files and metadata help establish which systems are affected.
  • Detection: The extent of the infection can be determined by evaluating logs from email servers, proxy servers, firewalls, and other security software. This also allows the attackers’ URL and IP addresses to be identified and blocked on the relevant security systems.
  • Criminal complaint: It is recommended that a criminal complaint be filed with the relevant cantonal police. Contacting legal experts at an early stage also allows for professional advice on how to proceed and how to communicate with the perpetrators. Reporting the incident can also have a mitigating effect in terms of liability, as it documents that the company is acting cooperatively and does not tolerate criminal acts. In regulated industries (e.g., the financial market), failure to report the incident may also have regulatory implications.
  • Back up encrypted data: Encrypted data should be backed up and stored, even if recovery is not initially possible. This may enable decryption at a later date if the appropriate keys or tools become available.
  • Reinstall the affected systems: Before restoring data, the infected systems must be completely reinstalled. The operating system should only be installed from a trusted source.
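The detection step above (evaluating proxy and firewall logs to find which internal hosts contacted attacker infrastructure, and turning those addresses into a blocklist for the perimeter devices) is illustrated by the following Python script. It is an added example, not code from the original article: the log formats (a Squid-style proxy access log and a key=value firewall line), the internal address ranges, and every log line, IP address and domain are constructed placeholders, not real indicators.

```python
"""Log triage after a ransomware incident (added example, constructed data).

Parses proxy and firewall log lines, matches destinations against a list of
attacker indicators, and reports (a) which internal hosts talked to them and
(b) the indicators to push to proxy/firewall deny lists.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Constructed indicators of compromise (placeholders, not real IoCs).
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS = {"update-check.example", "cdn-files.example"}

# Assumed internal ranges: only sources inside these count as victims.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Assumed formats: Squid native access log, and a key=value firewall line.
PROXY_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<src>[\d.]+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
FW_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")

# Constructed sample log lines (proxy lines first, then firewall lines).
SAMPLE_LOG = """\
1700000000.123    245 10.0.1.15 TCP_MISS/200 1534 GET http://update-check.example/agent.bin - HIER_DIRECT/203.0.113.45 application/octet-stream
1700000003.410     12 10.0.1.15 TCP_TUNNEL/200 4410 CONNECT files.cdn-files.example:443 - HIER_DIRECT/198.51.100.7 -
1700000005.002     30 10.0.2.40 TCP_HIT/200 812 GET http://intranet.corp.example/index.html - HIER_NONE/- text/html
2024-05-02T10:14:03Z fw01 ACCEPT src=10.0.1.22 dst=198.51.100.7 dport=443 proto=tcp
2024-05-02T10:14:09Z fw01 ACCEPT src=10.0.2.40 dst=192.0.2.10 dport=443 proto=tcp
this line is not a log entry
""".splitlines()


@dataclass
class TriageResult:
    infected: Dict[str, List[str]]  # internal host -> sorted matched indicators
    blocklist: Set[str]             # indicators to block on proxy/firewall
    unparsed: int                   # lines that matched neither format


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def destination_host(url: str) -> str:
    """Host part of a proxy URL; CONNECT entries log 'host:port' with no scheme."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.rsplit(":", 1)[0]


def matched_indicator(target: str) -> Optional[str]:
    """Return the IoC that `target` (IP or hostname) matches, else None.

    Domains match exactly or as a parent of the observed hostname.
    """
    try:
        ip_address(target)
    except ValueError:
        host = target.lower()
        for dom in IOC_DOMAINS:
            if host == dom or host.endswith("." + dom):
                return dom
        return None
    return target if target in IOC_IPS else None


def triage(lines) -> TriageResult:
    """Correlate log lines with the IoC lists; unknown formats are counted, not raised."""
    infected = defaultdict(set)
    unparsed = 0
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            src, target = m["src"], destination_host(m["url"])
        else:
            m = FW_RE.search(line)
            if not m:
                unparsed += 1
                continue
            src, target = m["src"], m["dst"]
        ioc = matched_indicator(target)
        # Only internal sources are victims; external sources are out of scope here.
        if ioc and is_internal(src):
            infected[src].add(ioc)
    blocklist = set().union(*infected.values()) if infected else set()
    return TriageResult({h: sorted(v) for h, v in infected.items()}, blocklist, unparsed)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host, iocs in result.infected.items():
        print(f"isolate {host}: contacted {', '.join(iocs)}")
    print("blocklist:", sorted(result.blocklist))
    print("unparsed lines:", result.unparsed)
```

The hosts in `infected` are the candidates for immediate network isolation (the damage-limitation step), while `blocklist` is what goes onto the proxy and firewall deny lists; keeping unparsed lines as a count rather than an error makes it visible when a log source uses a format the triage does not yet understand.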

Companies should be prepared not only after, but also before a possible attack, and develop cybersecurity contingency plans at an early stage that include clear decision-making processes for dealing with ransom demands. Before making a decision, it is advisable to seek specialized legal advice.

From a corporate law perspective, management has a non-delegable duty of supervision (Art. 716a CO). Decisions on ransom payments can have significant financial and legal implications and are therefore subject to the duty of care of the members of the executive body. A decision that is insufficiently documented or not carefully reviewed can have liability consequences. Structured decision documentation is therefore essential.

Conclusion

Ransomware attacks pose significant legal, economic, and strategic challenges for companies in Switzerland. Although authorities strongly advise against ransom payments, affected companies are under considerable pressure to act in exceptional situations.

The legal assessment shows that payment is not fundamentally punishable, but nevertheless involves considerable risks.

A structured, legally compliant decision-making process, thorough preparation, robust backups, and the involvement of experts are crucial in order to be able to act appropriately and in accordance with the law in crisis situations. The aim must be to minimize risks and make responsible use of the legal scope for action to secure corporate assets.
