BlogLine

We Do Not Negotiate With Terrorists – How Several States are Prohibiting Ransomware Payments 

9/28/23

By: Alexander A. Schindler 

In 2022 in the United States, 106 local governments, 44 universities and colleges, 45 school districts operating 1,981 schools, and 25 healthcare providers operating 290 hospitals, disclosed they were victimized by ransomware attacks. In recent years, these types of public entities increasingly have found themselves the target of such attacks, with the result sometimes being that public funds are used to pay ransom payments to cybercriminals. 

In response to this continuing trend, state legislatures have started to put their foot down. In an effort to curtail these attacks and leave the bad actors’ pockets empty, legislatures in five states have proposed or passed laws that restrict a government agency’s ability to parlay with these cybercriminals.  

For example, New York Senate Bill S6154 aims to combat the problem by establishing that no local or state taxpayer funds shall be used to pay ransoms for ransomware attacks after January 1, 2024. The bill also creates a cyber security enhancement fund to be used for the purpose of upgrading cyber security in small local governments. Pennsylvania Bill SB726 and Texas Bill HB3892 also have been introduced and similarly aim to require that local taxpayer money or other public money may not be used to pay an extortion attempt involving ransomware.  

Meanwhile, the states of North Carolina and Florida have already enacted such legislation. Florida’s Cyber Security Act prohibits a county or a municipality experiencing a ransomware incident from paying or otherwise complying with a ransomware demand. The North Carolina statute not only disallows payments to ransomware criminals, but also prohibits communications with them.  

Another proposed bill in New York now wants to take things a step further but extending these prohibits not just to public entities, but private businesses as well. Specifically, New York Senate Bill S6806A seeks to authorize civil penalties of up to $10,000 against any governmental, business, or health care entities that make a ransomware payment. 

The thinking behind these bills is clear: “If you ignore the bully, he will leave you alone.” There may be merit to this argument, but it also is not without risk. Ransom payments are often made out of necessity because victims have no other option to restore than by purchasing a decryptor from ransomware criminals. If ransom payments are not allowed, there could be unintended business and economic impacts because of entities not being able to recover from an attack and restore important data and services to the public.  

Regardless of the outcome of the public policy debate, proactive and preventative practices remain the best defense to ransomware attacks. Public and private entities alike should be sure they employ up-to-date technology solutions for network segmentation, round the clock network monitoring and maintaining secure, viable, and current system backups. Without those key protections, legal prohibitions against negotiations with cybercriminals and payment of ransom demands cannot even attempt to be successful.    

FMG’s Data Security & Privacy attorneys advises clients on these and other legal issues in the areas of data security and privacy, including compliance, prevention, and incident response. For additional information or questions, please contact Nicholas Jajko at nicholas.jajko@fmglaw.com, Alex Schindler at alexander.schindler@fmglw.com, or your local FMG attorney.