PTFM? Is It Legal to Pay the Hacker? Canvas, Uber and the Criminal Law of Cyber Extortion

This piece examines the Canvas/Instructure ransomware/data-breach scenario and similar incidents (notably the Uber case) to explain the complex legal risks of paying extortion demands: while ransom payments are not per se illegal, they can trigger OFAC sanctions violations, AML/money-transmission obligations, criminal exposure, breach-notification and contractual duties, and evidentiary and disclosure liabilities; "shred logs" and criminal promises do not negate these obligations.