After the attacks on JBS and Colonial Pipeline, the U.S. Treasury Department will likely consider increasing its enforcement of anti-money-laundering laws and adopt new reporting requirements for cryptocurrency transactions.

In ransomware attacks, hackers demand payments after locking victims out of their computer networks; de-anonymizing payments could create a disincentive for these hackers to continue pushing such ransomware extortion schemes. Currently, hackers use digital currencies as a way to avoid regulations within the traditional financial system. If the Treasury Department applies many of the same anti-money-laundering laws to cryptocurrency transactions, it could assist in identifying the cyber criminals (and perhaps lessen the number of attacks).

What would help make these regulations effective? Well, requiring disclosure of who is using the digital wallet and where the cryptocurrency ransom is being sent would be a start. Lawmakers may also want to consider oversight of the exchange of cryptocurrencies for other currencies (such as the U.S. dollar). The problem? U.S. regulations of cryptocurrency would not reach overseas, which is often where cyber criminals cash out their funds. Of course, U.S. authorities could use sanctions to prevent exchanges from transacting in U.S. dollars unless all participants agree to utilize a crypto-reporting system.

Of course, this is not the first time that this oversight has been discussed. Late last year, the Treasury Department proposed a rule to require banks and exchanges to report transactions over $10,000 using digital wallets NOT hosted by a financial institution. This is similar to the existing rules for cash withdrawals over that amount. This type of reporting rule would assist law enforcement in tracking money flows for cyber crime.

Crypto exchanges already have to report on customers’ suspicious transactions. The proposed rule would add reporting for when unhosted wallets are involved, regardless of whether the transaction is considered suspicious. Unhosted wallets are similar to anonymous bank accounts.

This proposed rule came after U.S. companies were warned that paying ransoms to hackers could violate U.S. sanctions. That warning encouraged companies to cooperate with law enforcement in order to protect themselves from liability for erroneously paying a ransom to an entity on the sanction list.

A Treasury Department spokeswoman said that the proposed rule for reporting crypto-transactions “is actively moving through the rulemaking process” after receiving thousands of comments in response.

When cyber-attacks on large businesses like JBS and Colonial Pipeline affect consumers’ gas prices and the availability of meat at the grocery store, it likely will lead to increased public scrutiny and a call for action on cryptocurrency and other issues tied to ransomware.

Of course, the underlying issue in these ransomware attacks is the lax (or lack of) security safeguards to protect data housed at these companies that have been (and will be) under attack. Businesses should focus on security and prevention to stop these attacks from happening, and from having to negotiate and pay a ransom at all.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.