In this episode, Matt Kelly and I take a deep dive into the question of whether a company has a duty to disclose ransomware attacks. We consider it from the regulatory, legal, ethical, law enforcement, business, PR and some other angles. What may seem to be a straightforward answer to a regulatory obligation turns out to be anything but.

For additional research, see Matt Kelly’s blog post, “Ransomware: To Disclose or Not”.