
Alston & Bird Privacy, Cyber & Data Strategy Blog


State Legislatures Consider Bans on Ransomware Payments

June 18, 2021 By Privacy, Cyber & Data Strategy Team

As ransomware attacks continue to dominate the news cycle, legislation has recently been introduced in several states that would limit certain entities’ ability to pay a ransom in the event of a ransomware attack. Although the proposed limits would generally apply to state agencies and other local governmental authorities, certain state proposals may also apply to state agencies’ IT service providers, entities that receive public funds, and/or business entities more broadly. The following summary provides an overview of five pending bills in New York, North Carolina, Pennsylvania, and Texas.

New York

NY S 6806 would broadly prohibit business entities and healthcare entities, in addition to governmental entities within the state, from paying a ransom in the event of a ransomware attack. The proposed legislation would also create a new notification requirement for governmental entities, which would be required to report any cyber incidents, as defined in the law, and to report ransomware attacks to the New York State Division of Homeland Security and Emergency Services. “Business entity” is defined as any legal entity that conducts business in the state of New York, and “health care entity” is defined as any health care facility that is regulated by the New York Department of Health.

Another pending proposal in New York, NY S 6154, would create a Cyber Security Enhancement Fund to be used for the purpose of upgrading cybersecurity in local governments throughout New York state, including but not limited to cities with a population of one million or less. The legislation would also prohibit the use of local and state taxpayer funds to pay ransoms in response to ransomware attacks, beginning on January 1, 2024.

North Carolina

NC H 813 would prohibit state agencies and local government entities from paying a ransom or otherwise communicating with an entity that has engaged in a ransomware incident. Local government entities would also be required to consult the state Department of Information Technology if they receive a ransom demand.

Pennsylvania

PA S 726 would prohibit the use of state and local taxpayer money or other public money to pay a ransom. The one exception to this ban would be if the governor of Pennsylvania has declared a disaster emergency and authorizes a state agency to pay a ransom in connection with the emergency. Notably, in addition to creating a new notification requirement for state agencies, the bill would also require IT managed service providers of state agencies to notify the relevant agencies within one hour of discovery of a ransomware incident.

Texas

In addition to enhancing broad cybersecurity and emergency preparedness measures for state agencies, TX 3892 would prohibit local government entities or “political subdivisions” from making ransom payments related to a ransomware attack. The law would also require political subdivisions to report ransomware attacks to both the attorney general and the Department of Information Resources.

Filed Under: Cybercrime, Digital Crimes, Legislation Tagged With: ransomware

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.