As ransomware attacks continue to dominate the news cycle, legislation has recently been introduced in several states that would limit certain entities’ ability to make a ransom payment in the event of a ransomware attack. Although the proposed limits would generally apply to state agencies and other local governmental authorities, certain state proposals may also apply to state agencies’ IT service providers, entities that receive public funds, and/or business entities more broadly. The following summary provides an overview of five pending bills in New York, North Carolina, Pennsylvania, and Texas.
NY S 6806 would broadly prohibit business entities and healthcare entities, in addition to governmental entities within the state, from paying a ransom in the event of a ransomware attack. The proposed legislation would also create a new notification requirement for governmental entities, which would be required to report any cyber incidents, as defined in the law, and to report ransomware attacks to the New York State Division of Homeland Security and Emergency Services. “Business entity” is defined as any legal entity that conducts business in the state of New York, and “health care entity” is defined as any health care facility that is regulated by the New York Department of Health.
Another pending proposal in New York, NY S 6154, would create a Cyber Security Enhancement Fund to be used for the purpose of upgrading cybersecurity in local governments throughout New York state, including but not limited to cities with a population of one million or less. The legislation would also prohibit the use of local and state taxpayer funds to pay ransoms in response to ransomware attacks, beginning on January 1, 2024.
NC H 813 would prohibit state agencies and local government entities from making a ransom payment or otherwise communicating with an entity that has engaged in a ransomware incident. Local government entities would also be required to consult the state Department of Information Technology if they receive a ransom demand.
PA S 726 would prohibit the use of state and local taxpayer money or other public money to make a ransom payment. The one exception to this ban would be if the governor of Pennsylvania has declared a disaster emergency and authorizes a state agency to make a ransom payment in connection with the emergency. Notably, in addition to creating a new notification requirement for state agencies, the bill would also require IT managed service providers of state agencies to notify the relevant agencies within one hour of discovery of a ransomware incident.
In addition to enhancing broad cybersecurity and emergency preparedness measures for state agencies, TX 3892 would prohibit local government entities or “political subdivisions” from making ransom payments related to a ransomware attack. The bill would also require political subdivisions to report ransomware attacks to both the attorney general and the Department of Information Resources.