Are you liable if you infect someone else’s computer?

John Lande, Iowa Cybersecurity Law, Iowa Banking Law, Dickinson Law Firm, Des Moines Iowa

Posted on 06/30/2017 at 12:00 AM by John Lande

The New York Times recently reported that fraudsters are adapting the old-fashion Ponzi scheme to the ransomware-era.  The new ransomware, dubbed “Popcorn Time,” infects users’ computers as any other ransomware does. Once infected, Popcorn Time encrypts users’ data and offers users a choice to get their data back. First, users can agree to pay the fraudsters 1 bitcoin, worth about $2,290.34 as of June 27, 2017. Alternatively, users can agree to help fraudsters spread the ransomware to others.

If users agree to the second option, fraudsters will send emails on behalf of the user to the user’s contacts. This will spread the malware effectively, because people are more likely to click on links from known senders.

If an organization’s data are encrypted, some organizations may be tempted to agree to the fraudsters’ offer to spread the malware. However, doing so could cause the organization more trouble in the end if the organization incurs liability by sending malware-laced emails.

For example, if an organization is a service provider, then the service contracts may include indemnity clauses. These clauses could require an organization to reimburse the expenses associated with a third-party becoming infected with malware.

Another source of liability could be data breach notifications. If an organization forwards malware-laced email to a third party, it’s possible that the third-party may later have to send data breach notices. Data breach notice requirements are triggered when an entity has reason to suspect that personally identifiable information has been compromised. This probably means that a data breach notice will need to go out if malware takes over an organization’s system. If you are the one who is responsible for sending the email, then you may have to help pay for the cost of the data breach notices.

Finally, there could be claims for fraud, civil theft, and negligence brought against your organization if you knowingly forward malware-laced email. Anyone who brings these tort claims could potentially recover the costs of cleaning the malware up, lost revenue resulting from downtime during the malware infection, and even punitive damages.

While it may seem like an easy way out, forwarding malware-laced email to retrieve your own data will probably only create more problems for your organization. The better route remains having a proper incident response plan, and being prepared to restore your organization’s systems from backups in the event of a ransomware attack. Nevertheless, fraudsters deserve credit for creating ransom options for organizations that are hard-up for cash.

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.

- John Lande


Questions, Contact us today.

Contact Us


The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm.  Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys.  If specific legal information is needed, please retain and consult with an attorney of your own selection.