Cyber-Extortion: Duties and Liabilities Related to the Elephant in the Server Room


This is a comprehensive analysis of the legal frameworks related to cyber-extortion – the practice of demanding money in exchange for not carrying out threats to commit harm that would involve a victim's information systems. The author hopes it will catalyze an urgently needed discussion of relevant public policy concerns.

Cyber-extortion has, by all accounts, become a common, professionalized and profit-driven criminal pursuit targeting businesses. In a recent survey, 17% of businesses indicated having received a cyber-extortion demand. An additional 13% of respondents were not sure if their business had received such a demand.

Awareness of the risks of cybercrime has spread. Advancements have been made in the field of cyber-security. Furthermore, statutes, regulations and recent FTC settlements have begun to articulate a minimum standard of care that businesses should maintain with regard to the security of information systems. Yet not all businesses have taken readily available precautions.

To complicate matters, cyber-extortions often involve a threat to commit a harm using hijacked networks of computers owned by other businesses. Thus, an analysis specifically dedicated to cyber-extortion is required because of the unique web of liabilities that may arise from a typical cyber-extortion scenario.

This article first reviews the available means for prosecuting or recovering damages from a cyber-extortionist. The article then considers the duties and potential liabilities of businesses that are victims of cyber-extortion. For example, an extortionist may follow through on a threat to disclose or sell private customer data, resulting in the targeted enterprise being liable to its customers. However, a victimized business could conceivably be able to recover damages against a business that failed to take adequate steps to secure its information systems, such that its systems became the tools of the crime. This article reviews current trends and possible theories for recovering damages in such a scenario. The article concludes with a discussion of the public policy implications of finding businesses liable for damages caused by their unsecured information systems.


Computer Law | Consumer Protection Law | Criminal Law | Criminal Procedure | Internet Law | Law and Society | Science and Technology Law | Torts

Date of this Version

January 2007