Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Four States Propose Laws to Limit or Ban Ransomware Payments

June 30, 2021

CSO Online reported on June 28 that four states have five pending pieces of legislation that would either ban paying a ransom or restrict paying it. In New York, Senate Bill S6806A “prohibits governmental entities, business entities, and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack.”

Another New York Senate bill, Senate Bill S6154, provides money so that local governments can upgrade and protect their networks. But it also “restricts the use of taxpayer money in paying ransoms in response to ransomware attacks.”

New York is alone in banning private sector businesses from paying a ransom. Legislatures in North Carolina (House Bill 813), Pennsylvania (Senate Bill 726), and Texas (House Bill 3892) are all considering bills that would forbid the use of state and local taxpayer money or other public money to make a ransom payment. This public money prohibition would no doubt make it hard for local governments to pay a ransom.

Pennsylvania Republican State Senator Kristin Phillips-Hill told CSO she introduced her “Safeguarding the Commonwealth from Ransomware Attacks” bill to discourage at least some ransomware attacks, those aimed at public agencies, by removing the attackers’ financial incentives. If cybercriminals are rewarded for their efforts, they will simply continue launching ransomware attacks, she says.

Phillips-Hill’s bill also aims to develop guidelines agencies should follow in shoring up their preparedness to respond to ransomware attacks. The bill does not appropriate any funds to help agencies strengthen their ransomware response capabilities.

In spite of some federal support, most administration officials don’t seem to be in favor of a full outright ban. “Typically, that is a private-sector decision, and the administration has not offered further advice at this time,” Anne Neuberger, deputy national security adviser for cybersecurity, told reporters at a White House press briefing in May. No member of Congress or the Senate has yet introduced legislation banning ransom payments.

It is a thorny issue, but I think an outright ban is a mistake. Having seen the desperation of those who have been hit by ransomware, any such legislation is not likely to be well received.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson