I don't think my point way conveyed correctly to you. Getting hacked is not a choice and should not be criminalized. Paying ransomes to hackers is a choice and there are good reasons to prohibit that to disincentivize hacking.

Giving a wallet over while being mugged is the analogy to paying the ransom here. Having the knife brandished in your face is the analogy to the hack.

Not saying I agree with it either way, just pointing out that y'all appear to be talking past each other.

Its not really a good analogy.

If you get mugged you are coerced to give your wallet, on pain of _much_ greater punishment, usually the greatest there is - death.

If your company’s data is cryptolocked, you are coerced to give money on pain of getting that data lost.

The difference is that the punishment for non compliance is much different.

If you made paying a ransom in this case illegal you would actually promote better backup/restore/security practices, at the cost of sometimes loosing data.

If it was vital for that data not to be lost then not having adequate backups is a _much more_ serious problem as that data could be lost for different reasons. And you’re funding organized crime which has very bad downstream effects.

If you had to make a more adequate analogy, imagine someone stealing your personal documents then demanding money to get them returned - you should have a strategy to restore those in other events like fires and stuff, so you might pay money, or not. But if you do you encourage future theft like that for you and others, and that money might be used for some other, usually nefarious stuff.

That personal document could be life and death for some people. How do you determine what is the value of data being hacked. E.g. For a hospital if patient data is hacked it could mean life and death situation.

Nobody's life is ended by the leak or destruction of any document. How does a hospital patient record getting leaked or destroyed kill anyone? A leak means private data is being divulged and that's not good but it's nowhere remotely close to murder. Deleting medical data means that the doctors need to get that data from the patient redundantly, which causes a drain on hospital resources but again it's not remotely close to murder.

If, say, the mafia threatens to assassinate someone if a document is leaked and a hacker obtains and leaks it the hacker still didn't kill anyone - the hitman sent by th mafia is the killer. And regardless that this kind of situation seems very far fetched.

I think the question then becomes if it's a life or death document why would you only have one copy and store it in a relatively insecure space?

No, because getting hacked does not threaten your life. Getting mugged does, th victim is acting under threat of injury or death.

Someone getting hacked is only acting under the threat of information or access to systems being released or eliminated. There is no immediate threat if force. Sure, if you want to get pedantic someone might hack a power plant and threaten to blow it up, but I've never heard of that happening and it's far, far different from the overwhelming majority of hacks.