LifeLabs: The Ethics of Responding to a Ransomware Cyber Attack
Abstract
This teaching case describes a ransomware cyber attack in 2019 at LifeLabs, a Canadian health diagnostic company. During the attack, LifeLabs decided to pay a ransom amount to the attackers. This case explores the pros and cons of making that decision and asks the reader to consider the implications of the decision. The case describes the chronology of the attack, which began in 2018 and was discovered one year later. The case describes the investigations by privacy commissioners in Ontario, British Columbia, and Saskatchewan; the latter investigation being the only public document fully available. LifeLabs, through court orders, has prohibited the full publication of investigation reports by privacy commissioners in Ontario and British Columbia. Court documents created during the class action lawsuit provide detailed information about what LifeLabs did and did not do in responding to the cyber attack. The key case question to be answered is this: Is it ethical and appropriate to pay ransom in a cyber attack?