In this year’s state legislative sessions, no fewer than four states have considered proposals to ban ransomware payoffs. In a ransomware attack, intruders encrypt a victim’s systems or data and demand payment for the decryption key; many groups also copy sensitive data first and threaten to publish it unless the ransom is paid.
In 2021, attackers hit the Colonial Pipeline and JBS, the world’s largest meat processing company. Colonial paid over $4 million for a decryption tool, and JBS paid $11 million. However, attackers are also targeting state and local governments. One hundred thirteen governmental entities were hit by ransomware in 2020, and almost 1,700 schools, colleges, and universities were affected.
As such, state lawmakers are considering banning ransomware payoffs to remove the financial incentive behind these attacks, and the White House recently announced a ransomware task force.
Lawmakers in New York introduced Senate Bill S6154, which provides financial assistance to certain local governments for upgrading their cybersecurity and bans ransomware payoffs.
Specifically, the bill creates the Cyber Security Enhancement Fund, making villages, towns, and cities with no more than one million residents eligible for grants and financial assistance. Funds would be used to upgrade the local government’s cybersecurity.
The North Carolina House passed H 813 unanimously (114-0) in May, and the bill advanced to the Senate for consideration. The bill would ban state agencies and local government entities from paying a ransom to, or otherwise communicating with, an entity that has carried out a cybersecurity incident by encrypting data and then offering to decrypt it in exchange for a ransom. In the event of such an incident, governmental entities would be required to consult with the state Department of Information Technology.
The bill defines a local government entity as a local political subdivision, including a city, a county, a local school administrative unit, or a community college.
Lawmakers in the Pennsylvania state Senate introduced Senate Bill 726 in May, which would prohibit a person from extorting money or other consideration from another person or a Commonwealth agency to remove a computer contaminant or lock, restore access to a computer, computer system, computer network, or data, or otherwise remediate the impact of a computer contaminant or lock.
The bill further prohibits a person from knowingly possessing ransomware; using ransomware without the authorization of the owner of a computer, computer system, or computer network; selling, transferring, or developing ransomware; and threatening to use ransomware against another person or a Commonwealth agency, whether the threat is express or implied and whether it is transmitted in person, by mail, e-mail, the Internet, a telecommunication device, or other electronic means.
The bill defines a Commonwealth agency as the Governor’s office; a department, board, commission, authority, or other agency subject to the supervision and control of the Governor; the Office of the Lieutenant Governor; an independent department; an independent agency; a municipality; a school district; an intermediate unit; an area career and technical school; a charter school or cyber charter school; a community college; a state-owned institution; a state-related institution; a court or agency of the unified judicial system; and the General Assembly or an agency of the General Assembly.
SB 726 passed the Senate Judiciary Committee and is awaiting consideration by the full Senate.
Two bills to ban ransomware payoffs were introduced in the Texas legislature this year, and both died.
HB 3743 would have prohibited a local government or open-enrollment charter school from making a ransomware payoff related to a ransomware cyber-attack. The bill also would have required a local government or open-enrollment charter school to report such an attack to the Attorney General’s office as soon as practicable after discovering it.
HB 3892 would also have banned ransomware payoffs. Specifically, the bill would have prohibited a political subdivision from making a ransomware payment related to a ransomware cyber-attack. As with HB 3743, a political subdivision would have been required to report the attack to the Attorney General’s office as soon as practicable after discovering it.