Should organizations be able to pay a hacker's ransom after a successful ransomware attack?
We've heard a lot of debate on that topic from the SecureWorld stage each year.
But some state legislatures are taking it upon themselves to answer this question when taxpayer money is involved.
The State of North Carolina is the latest state to pass ransomware payment-related legislation.
The state's governor recently signed a budget bill that banned ransomware payments by a long list of government and closely related entities.
The ransomware payment ban includes:
"all agencies, departments, institutions, boards, commissions, committees, divisions, bureaus, officers, officials, and other entities of the executive, legislative, or judicial branches, as well as including the University of North Carolina System and any other entity over which the state government has oversight responsibility."
This also applies to local government entities, such as cities, counties, local school districts, and community colleges.
This is perhaps a consequence of the state's 2019 law requiring public agencies to report cyber incidents, which revealed the scope of the ransomware problem. Here is a brief excerpt from Governing:
"In North Carolina, cyber criminals have struck nearly two dozen local governments, school districts, and public colleges with ransomware attacks since the beginning of 2020.
North Carolina cybersecurity officials only know that — and who got hit and how — because a 2019 state law requires that all public agencies report such incidents to the state."
The new restrictions in North Carolina prohibit government organizations from paying a ransom and from communicating with ransomware actors.
Could ransomware payment bans work on a national or global basis to turn off profits for ransomware groups? Watch our LinkedIn Livestream for more on this idea, where the topic was, "Should ransomware payments be outlawed?"
In 2019, the City of Baltimore refused to pay a ransom of roughly $76,000. After refusing and then analyzing the cost of the ransomware attack, its budgeting office estimated the incident ultimately cost $18.2 million in direct and indirect losses.
While this is only one incident, for some organizations the cost of paying the ransom would be much less than refusing and having their operations and revenue take a significant hit.
North Carolina is not the only state that has recently passed bills related to the reporting of cyber incidents.
Earlier this year, the state of Indiana unanimously passed a law requiring all public agencies to report cyberattacks to the state, after a ransomware attack shut down a local library.
North Dakota is another state that passed a law this year requiring government entities to report all types of cyberattacks.
West Virginia passed a law requiring government entities to report any cyberattack that substantially affects the ability of an agency to conduct business.
And the state of Washington now requires all state agencies to report a major cybersecurity incident to the state office of cybersecurity.
As of now, all 50 states have some variation of a data breach notification law that requires organizations to report cyber incidents if the personal information of their users or consumers is compromised.