The Right to Defy Criminal Demands: Negligence and Ransom Demands

I've just finished up a rough draft of my The Right to Defy Criminal Demands article, and I thought I'd serialize it here, minus most of the footnotes (which you can see in the full PDF). I'd love to hear people's reactions and recommendations, since there's still plenty of time to edit it. You can also see previous posts (and any future posts, as they come up), here.

[* * *]

A robber's demand, "Give me the money or I'll kill/rape/injure your coworker/customer" (see this post), is closely linked to a ransom demand. Surprisingly, there appears to be no caselaw on whether an employer has the duty to pay ransom if an employee is kidnapped (or else risk negligence liability). Nor is there any caselaw on whether a company has the duty to pay ransom if hackers break into its computers and threaten to release customer data. (Assume the defendants took reasonable care in protecting their employees and securing their computers at the outset, so the company isn't liable for its failure to prevent the hack at the outset, but the kidnapping or hacking took place despite that reasonable care.)

The logic of the Kentucky Fried Chicken decision suggests that there too the target of the ransom demand wouldn't have a duty to comply. Indeed, the concern that "[r]ecognition of a duty to comply with an unlawful demand would be contrary to public policy as it would encourage similar unlawful conduct" may be especially apt in ransom cases.

A typical robber of a fast-food restaurant may often not engage in careful risk-benefit balancing, and may likely be unaware of the legal pressures under which such businesses are laboring. But kidnappers and ransomware hackers are more likely to be sophisticated planners, so encouraging ransom payments may well increase the incentive to commit such crimes.

For this reason, some countries outlaw ransom payments. Some U.S. states are considering doing the same, and the FBI Director has likewise urged companies to stop paying ransom to hackers. But even if ransom payments aren't legally forbidden, the law shouldn't in essence demand them.

And to the extent that such crimes are committed by criminal organizations, paying ransom can help fund future crimes, including in some instance terrorism. Indeed, some such ransom payments are already outlawed by American law if they are known to go to entities that are subject to various governmental sanctions.

There are two other possible distinctions between the ransom situation and KFC that might point in different directions. On one hand, robberies, as even the KFC dissent noted, "are stressful and unpredictable encounters, frequently fast paced, in which those being robbed are forced to decide and act, often instantaneously, upon necessarily incomplete information about the situation that confronts them." This may call for more latitude in judging which reactions are "reasonable" under the circumstances; perhaps ransom demand targets have enough time for reflection that they don't require such extra latitude. On the other hand, ransom demands can be for millions of dollars, not just the likely small amount of cash in the till. On balance, I don't think these distinctions should make a legal difference.