Alperovitch says that these regulations could be applied to bitcoin exchanges more rigorously, but individuals can take other defensive measures, including being cautious when clicking on suspicious links or attachments and keeping thorough backups of personal data. However, the question of how much individual users can and should do to protect against these sorts of breaches raises the larger issue of who is responsible for them when they occur—and who should be footing the bill.

In many cases when victims buy back their own data, they are at least partly responsible for the breach, perhaps because they clicked on an email attachment containing ransomware. So it often seems fair for the victims to bear these costs. But that means the companies that are best equipped to tackle these threats effectively at scale—the operating-system and browser developers that could flag suspicious downloads, the email providers that could block suspicious attachments, or the internet service providers that could quarantine the machines being used to deliver those emails en masse—have relatively little incentive to do so. Instead, the burden falls primarily on individual users and companies, whose best options are to learn to be a little more careful and to make a lot more backups.

Of course, backing up personal data only protects against certain types of attacks. “I expect in the future that we’ll see more attacks along the lines of targeting a manufacturing company, finding their formulas and blueprints, and then telling the company, ‘I’m going to send this to your competitor tomorrow if you don’t pay me today,’” says Ben Johnson, the co-founder of and chief security strategist at Carbon Black, a cybersecurity firm.

Agreeing to that arrangement comes with its own set of concerns. “In almost every case, the criminals still have the data,” Joffe points out. “There’s nothing to buy back—you’re buying the silence of whoever has stolen it. There’s a much clearer case historically for buying back stolen goods that belong to you than there is for buying the silence of someone who’s committed a crime. It’s much more of a gray area.”

Indeed, deciding whether or not to pay for access to stolen data is complicated by the possibility of dealing with a dishonest seller. “If you pay there’s no guarantee that you will get the actual decryption key,” says Chris Stangl, a section chief at the FBI's Cyber Division. “The latest trend we’re seeing is a company will attempt to negotiate with the criminal and then they pay and the next day the criminals want more money.”

So, just like sellers in legal marketplaces such as Amazon and eBay, sellers of stolen information are now focusing on their online reputations, which can signal to victims that they are “trustworthy” criminals, Krebs says. “Thieves at the end of the day are dependent on their reputation in the underground, and if they have a reputation for ripping people off then they won’t get customers,” he explains. Recently, as more criminals have entered the market, “Good criminals’ reputations are being ruined by bad criminals,” Joffe says.