Last month, reports surfaced that fitness technology company Garmin may have made a multimillion dollar payment in response to a ransomware attack with reported links to Evil Corp, a Russian hacking group subject to U.S. sanctions.  This incident and other recent reports of ransomware attacks against large companies highlights that companies should consider potential civil and criminal liability under U.S. sanctions laws when responding to ransomware attacks.
Continue Reading Ransomware and Sanctions Compliance: Considerations for Responses to Attacks

U.S. authorities take an expansive view of their jurisdiction when it comes to sanctions. They cannot, however, directly restrict persons outside U.S. jurisdiction from dealing with sanctioned persons. They therefore exert pressure on persons outside U.S. jurisdiction by threatening to designate them as sanctioned persons if they engage in certain activities contrary to U.S. sanctions policy (“Target Activities”). Sanctions imposed in such circumstances are known as ‘secondary sanctions’, and were the topic of the September 2019 judgment of the High Court of England and Wales in Lamesa Investments v. Cynergy Bank. In a ruling that will surprise many, the Court found that the risk of incurring secondary sanctions could be invoked by a party seeking to be excused from its contractual obligations under an illegality clause. While the Court’s interpretation of secondary sanctions appears questionable in several respects, parties will nonetheless need to take it into account when drafting contractual provisions.
Continue Reading High Court of England: U.S. Secondary Sanctions can Trigger Illegality Clauses