July 25, 2022

Ransomware: To Pay or Not to Pay? It Just Got More Complicated

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all OnPractice content.
Register Now

When an organization experiences a ransomware attack, it must address significant—and sometimes competing—challenges under pressing deadlines. These challenges include the following: evicting the threat actor from the network environment; restoring affected systems; recovering encrypted data, where viable backups exist; conducting a forensic investigation to determine the intrusion vector and scope of compromise; and communicating with an array of stakeholders (such as customers, vendors, insurers, employees, law enforcement, regulators and the media).

Organizations also must evaluate notice obligations amid a patchwork of laws and regulations, as well as under the contracts they hold. There are sector-specific reporting requirements for regulated industries.[1] Every US state has its own data breach notification law. And public companies must take "all required actions" to inform investors about material cybersecurity risks and incidents.[2]

When it comes to making a ransom payment, the primary legal hurdle to clear has been the US Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctions regime.[3] That hurdle is now getting higher. A burgeoning body of state law is restricting how organizations—specifically, public sector entities—can respond to ransomware incidents and pay demands.

On July 1, 2022, Florida joined North Carolina to become the second US state to prohibit state and local government agencies from complying with or paying ransomware demands. Florida's law also imposes hair-trigger notification requirements on those agencies. While at first blush the impact of the Florida and North Carolina laws appears limited to ransomware attacks on state and local government entities, these new laws create a number of novel questions with potentially broader application.

Florida and North Carolina may not be the end of the line in this area of law. There also are ransomware-related bills currently pending in Arizona, New York, Pennsylvania and Texas,[4] as well as federal bills introduced in Congress.[5] These statehouse developments could soon result in a balkanized compliance framework akin to data breach notification laws.

This article provides an overview of the new ransomware laws and previews some of the pending state and federal legislation. The article also explores implications the ransomware prohibitions may have beyond the public sector agencies to which they facially apply. At bottom, responding to ransomware attacks has always been a high-stakes, complex undertaking, and with these new laws, it has now gotten even more challenging for organizational victims.



Florida CS/HB 7055 amends the State Cybersecurity Act to impose new cybersecurity requirements on Florida state, county and local government agencies, including forthcoming guidelines and processes for cataloging and managing IT systems, conducting risk assessments, cybersecurity standards, data recovery, incident response, cybersecurity training and reporting cybersecurity and ransomware incidents.[6]

With respect to a ransomware incident, which is defined broadly under the Act:[7]

  • State and local government agencies are prohibited from paying "or otherwise comply[ing]" with a ransom demand;[8]
  • State and local government agencies must notify the Florida Cybersecurity Operations Center, Cybercrime Office of the Department of Law Enforcement and for local government agencies, the sheriff who has jurisdiction over the agency, within 12 hours of discovery,[9] and such notice must contain specific details about the incident and its impact;[10]
  • The Cybersecurity Operations Center must notify the President of the Florida Senate and Speaker of the Florida House of Representatives regarding high, severe and emergency-level cybersecurity incidents, which are defined in the Act,[11] within 12 hours of receiving a report;[12] and
  • Local government agencies must submit an after-action report to the Florida Digital Service within one week of remediation summarizing the incident, its resolution and "any insights gained as a result of the incident."[13]

The Act also requires guidelines, processes and standards be issued and adopted over the next two years, including the following:

  • Cybersecurity standards for local government agencies, which are "consistent with generally accepted best practices for cybersecurity," including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (between January 1, 2024 and January 1, 2025, depending on the jurisdiction's size);[14] and
  • Guidelines and processes for the after-action reports required of local government agencies (by December 1, 2022).[15]

These forthcoming materials are sure to create additional obligations on Florida state and local government agencies, as well as have cascading effects on other entities.


Florida's law follows on the heels of North Carolina, the first state to enact a law prohibiting state agencies and local government entities from negotiating with ransomware actors or paying a ransomware demand. North Carolina's notification provision is not as stringent as the Florida law, as it simply requires an agency or entity to "consult" the North Carolina Department of Information Technology when there is a ransomware incident.[16]

Similar and more expansive statutes are being considered across the US, including Arizona, New York, Pennsylvania and Texas.

  • Notably, New York SB 6806 would prohibit not only government entities but any business operating in New York from paying a ransom (or having a ransom paid on its behalf) with civil penalties for violations of up to $10,000.
  • Pennsylvania SB 726 would prohibit the use of taxpayer or other public money for ransomware payments and would require IT-managed service providers of state agencies to notify an "appropriate official" of a ransomware incident within one hour of discovering the incident.
  • Arizona HB 2145 would prohibit any state or local government agency from making a payment "to remove or decrypt ransomware from the system files," as well as require the affected agency to "immediately notify" the Arizona Department of Homeland Security of such attacks.
  • Texas HB 3892 contains a similar payment prohibition as Arizona but has a more forgiving notification requirement ("as soon as practicable after discovering").

At the federal level, there have been a number of bills introduced in this Congress. The proposed Ransomware and Financial Stability Act would prohibit US financial institutions from making a ransom payment greater than $100,000 unless given explicit authorization by a federal law enforcement agency. And the proposed Ransom Disclosure Act would require public and private entities to report any ransom payments within 48 hours to the US Department of Homeland Security (DHS) through a DHS-created portal.


For public sector victims in Florida and North Carolina, the options for responding to ransomware incidents just became much more limited. Recognizing the public policy rationale against negotiating with and paying criminal actors, as a practical matter, the new laws place government agencies in a very difficult position where critical data is encrypted, backups are not accessible, and payment is the only viable path to restoration and recovery. Yes, over the long term, enhanced cybersecurity will reduce the likelihood of such a predicament, but it will not resolve near-term needs. More broadly, where a ransomware incident affects data belonging to multiple states' data being held by a single entity, will the new laws restrict the ability to negotiate and/or pay a demand? The forthcoming Florida guidelines, processes and standards likely will create additional compliance questions for government agencies, as well as the entities that access data and systems belonging to those agencies. And if New York's pending bill is any indication, the reaches of this new wave of legislation may extend far beyond organizations with access to government data. Thus, businesses would be wise to monitor developments in these states and others that take up ransomware-related legislation and seek legal advice as questions inevitably arise.

John Ying, a Summer Associate in the Atlanta office, also contributed to this article. 

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From McDermott Will & Emery

Supreme Court Denies Certiorari in Whirlpool

By Andrew R. Roberson McDermott Will & Emery November 21 , 2022

On November 21, 2022, the Supreme Court of the United States denied certiorari in Whirlpool Financial Corp., et al., Petitioners v. Commissioner of Internal Revenue, No. 22-9.

Antitrust M&A Snapshot | Q3 2022

By Marisa E. Poncia McDermott Will & Emery November 17 , 2022

The US Department of Justice (DOJ) and the Federal Trade Commission (FTC) lost four merger challenges (Illumina/GRAIL, UnitedHealth/Change Healthcare, U.S. Sugar/Imperial Sugar and Booz Allen/EverWatch) in September.

Not So Clean: Federal Circuit Upholds Trade Dress Preliminary Injunction, Finds Defenses Improperly Plead

By Kat Lynch McDermott Will & Emery November 17 , 2022

The US Court of Appeals for the Federal Circuit upheld a “narrow” preliminary injunction in a trade dress case, finding that the opponent of a registered configuration mark failed to prove its lack of secondary meaning and functionality defenses.

More From Cybersecurity

Can a business require a consumer to submit a declaration under penalty of perjury in order to prove their identity?

By David A. Zetoony Greenberg Traurig November 22 , 2022

The regulations implementing the CCPA require that a business verify the identity of a consumer that submits a specific-information access request to a “reasonably high degree of certainty.”

What is the difference between a category-level access request and a specific-information access request?

By David A. Zetoony Greenberg Traurig November 21 , 2022

The CCPA and its implementing regulations identify six types of information requests that a consumer can submit to a business.

CPRA's effective date is around the corner… but how many businesses actually updated their privacy policies the first time for the CCPA?

By David A. Zetoony Greenberg Traurig November 18 , 2022

In order to help businesses understand and benchmark industry practice, Greenberg Traurig attorneys analyzed the publicly available privacy policies of companies within the Fortune 500.

Featured Stories