I feel the argument this article lays out fails to account for the fact that the data most likely has value for the attacker outside of the organization being ransomed. Banning ransomware payments will only force the attacker to utilize other revenue generating avenues instead. Maybe it’s selling PII to other people directly, maybe its selling trade secrets to a competitor or the highest bidder or maybe its just outright using the stolen data for personal gain (think stolen CC numbers) or maybe they just resort to straight up blackmail of each individual person. It maybe easy to get a quick lump sum payment from an organization, but I don’t think its much harder for them to target the individuals of the data they collected.