Sara Melhuish/EyeEm/Getty Images

One day I got a call from Sarah*, the in-house counsel at a large financial institution. “Our [information security] team was doing a routine search and found a list of our employee passwords for sale on the dark web,” she told me. “The business folks want to buy it back. What should we do? Should we buy it ourselves? Are there any downsides?”

I get calls like this frequently, and the short answer is that in most cases, the legal and reputational risks far outweigh the benefits of purchasing the information. Cybercriminals frequently use the dark web — a hub of criminal and illicit activity — to sell data from companies that they have gained unauthorized access to through credential stuffing attacks, phishing attacks, hacking, or even leaks from a company insider.

The legal and reputational risks include:

It drives up the price of your company data and puts a target on your back.

If you purchase your company’s data, it could not only make the data itself more expensive — you also risk getting a reputation as a company that will pay up, making you an even more desirable target for future cyber extortion and ransom attacks.

Even if cybercriminals are unaware that your company is the purchaser, they will still note that the data is selling. If they do know your company is the buyer, they may publicize this in their own circles, putting your company at further reputational risk.

You don’t know what you’re getting with or in that data.

It’s inherently risky to purchase data from the dark web, as you’re invariably buying it from untrustworthy characters — either threat actors or someone who has purchased it illicitly from the hackers. The data may have malicious code within it and/or contain a Trojan horse that potentially could provide cybercriminals with unauthorized access to company systems.

The data may contain confidential or proprietary information from other companies.

Sellers may be offering your company’s data in combination with data from other sources, including your competitors or business partners. You won’t know this until it’s too late. The owners of that data could then claim your company has breached confidentiality agreements or other laws (misappropriation of trade secrets or worse, receipt of stolen property).

Your purchase could trigger notification obligations and increase regulatory risk.

Purchasing the data could provide you with evidence that your data had been exfiltrated, which would trigger reporting requirements to consumers and regulators, opening you up to the risk of litigation and enforcement actions. At best, you’re put in the difficult position of determining whether regulatory notices are triggered or taking the chance that a regulator later will claim that it should have been notified.

Your purchase might even violate U.S. sanctions.

Because it’s difficult to be sure of the seller’s identity, purchasing the data may open your company up to liability for violating Treasury Department rules if the threat actors are associated with sanctioned countries. The U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) brings enforcement actions against businesses that make payments to threat actors when those payments constitute U.S. sanctions violations.

Even if you use a third-party purchaser, your company still may have exposure.

A third-party service will then have access to your company’s customer, vendor, and employee data, putting that data at additional risk. And you may still be open to liability for directing the payment.

You may be sued by individuals whose data was exposed.

You may be legally obligated to provide notice to individuals that you’ve found their data on the dark web. These individuals may accuse your company of not properly safeguarding their data, perhaps unfairly assuming the breach was of company systems or as a result of company fault. This could lead to a loss of business and possible lawsuits.

The information may still live on the dark web.

Given that you’re dealing with cybercriminals or their associates, there’s no guarantee that the purchase will lead to the data being completely safeguarded. The seller may not have possession or control of all copies of your stolen data and would therefore be unable to prevent further sale or dissemination. Or they might continue to sell your data to others themselves.

Purchasing data unrelated to your company’s business from the dark web is inadvisable for many of the same reasons discussed above. Your company would be exposing itself to the risk of receiving stolen information or even trade secrets of competitors, creating both legal and reputational risk. There is no scenario under which this would be advisable.

We recognize that there may be certain circumstances in which your company would still consider purchasing information off the dark web. These purchases should be very rare and made with extreme caution. In these circumstances, an OFAC analysis should be done as well to decrease the risk that you are purchasing data from a sanctioned country or individual.