Instructor’s Manual Abstracts
Vol. 1, Issue 2 IM Abstract: LifeLabs: The Ethics of Responding to a Ransomware Cyber Attack
Ron Babin
Case Overview
This teaching case describes a ransomware cyber attack in 2019 at LifeLabs, a Canadian health diagnostic company. During the attack, LifeLabs decided to pay a ransom amount to the attackers. This case explores the pros and cons of making that decision and asks the reader to consider the implications of the decision.
The case describes the chronology of the attack, which began in 2018 and was discovered one year later. It also describes the investigations by privacy commissioners in Ontario, British Columbia, and Saskatchewan; the report from the latter investigation is the only one fully available to the public. LifeLabs, through court orders, has prohibited the full publication of investigation reports by privacy commissioners in Ontario and British Columbia.
Court documents created during the class action lawsuit provide detailed information about what LifeLabs did and did not do in responding to the cyber attack. The key case question to be answered is this: Is it ethical and appropriate to pay ransom in a cyber attack?
Learning Objectives
By working through this case, students should be able to:
- Identify the influences on decision making following a cyber attack when there is no clear beneficial solution.
- Practice legal and ethical decision making following a cyber attack when there is no clear beneficial solution.
- Describe management responsibility to stakeholders related to a cybersecurity incident.
Course Suitability
The case is appropriate for courses that are focused on legal and ethical issues related to information security, privacy, and cybersecurity. The case may be used in a graduate program where the instructor can challenge learners for depth of insight. For example, an MBA course on digital transformation could use this case to discuss the cybersecurity challenges and risks to organizations as they increase their digital capabilities. The case may also be used in an undergraduate program where the case will introduce students to fundamental issues regarding cybersecurity and ethical decision making.
This case has been used by the author in teaching several professional classes on ethics in cybersecurity.
A modified version of this case has been used in undergraduate classes to teach first-year students about cybersecurity issues in a foundations of information systems course.
Recommended Reading
Some of the court documents referenced in the case are available publicly at the Superior Court of Ontario but are not published online. Instructors are invited to contact the author of this case if they need a copy of these court documents. Links to other documents referenced in the case are included in the case text.
Read the LifeLabs: The Ethics of Responding to a Ransomware Cyber Attack case.
Request the instructor’s manual (IM) for this case.
Note that requesting faculty must be vetted before OATCJ can distribute this IM. The IM is copyrighted by its author and all rights are reserved. Case IMs are for teaching purposes and may not be shared or republished in any form.