While no member of Congress has introduced federal legislation banning ransomware payments (i.e., payment to “unlock” data that has been encrypted by hackers), at least four states are considering doing so: New York, Texas, North Carolina, and Pennsylvania. The proposed legislation in Texas, North Carolina, and Pennsylvania would ban the use of taxpayer funds for cyber ransoms, whereas a proposal introduced in the New York Legislature (NY S 8606A) would broadly prohibit businesses and health care entities from making ransomware payments.
The goal of these bills is to reduce, if not eliminate altogether, the financial incentive behind the recent surge in ransomware attacks.
These bills are highly controversial, though, as many organizations have determined that paying a steep ransom, however unpleasant, may be preferable to the operational damage caused by losing access to critical network data or to the risk of having sensitive customer information (potentially including information about patient health) made publicly available.
Nixon Peabody’s Cybersecurity and Privacy Team will continue to monitor these legislative developments.