North Carolina has become the first state to prohibit its agencies and local governments from paying ransoms to ransomware attackers.
As part of its 2021-2022 appropriations legislation, state agencies and local government entities may not submit payments to — or even communicate with — someone who has encrypted their IT systems. The legislation applies to any “agency, department, institution, board, commission, committee, division, bureau, officer, official, or other entity of the executive, judicial, or legislative branches of State government” as well as the University of North Carolina “and any other entity for which the State has oversight responsibility.”
Rather than communicate with attackers, agencies must consult with the Department of Information Technology as described in this statute, which requires reporting cybersecurity incidents to the DoIT within 24 hours.
Private sector entities are encouraged, but not required, to report cybersecurity incidents to the state’s IT Department.
Other states have considered similar legislation.
In January, Pennsylvania’s Senate approved a bill that would ban the use of taxpayer funds to pay ransoms following cyberattacks, except in cases where the governor has declared a disaster emergency and authorized the payment.
Agencies hit with ransomware have two hours to report their discovery to state officials and 24 hours to report it to the FBI. The bill also requires IT managed service providers that have discovered ransomware or received a ransom demand to notify the commonwealth within an hour.
The Pennsylvania bill allows agencies to buy ransomware insurance policies, but they are prohibited from using money designated for insurance to pay a ransom.
New York is also pursuing legislation banning ransomware payments by both public agencies and private companies. The Senate bill bans ransom payments in cyber incidents involving government, business or health care entities. That includes New York state agencies, cities, towns, bureaus and school districts as well as state universities, the judiciary and state and local legislatures.
The New York bill also appears to ban the use of cyber insurance to pay ransoms: “No … entity within the state shall pay, or have another entity pay on their behalf, ransom in the event of a cyber incident or a cyber ransom or ransomware attack.”
The justification in the bill text suggests that rather than rewarding hackers, the funds “would be better-used securing sensitive data, encrypting and backing up data, conducting regular cyber-security audits, and training staff to avoid exposing networks.”
According to a National Law Review article, lawmakers in North Carolina and Pennsylvania have suggested that hackers will have no financial incentive to attack agencies that are prohibited from paying ransoms and will look for victims in other states. This strategy would put under-resourced agencies at a disadvantage, the article suggested, as they may be unable to restore or rebuild their systems after an attack.