The Long Tail of Zero Day Vulnerability

Even having backups and being able to successfully restore from backups doesn't prevent that sort of extractive activity. Paying a threat actor to not publish the data that they stole doesn't absolve you from your data breach disclosure obligations or reporting obligations. So if there is a legal or contractual or regulatory reason to disclose an incident, you still have to disclose. But what you're paying for is you're paying to reduce the likelihood of stolen data showing up on the internet and creating harm either to you as an organization or to the actual owners of the data.