Ransomware: To Pay or Not to Pay? It Just Got More Complicated
When an organization experiences a ransomware attack, it must address significant—and sometimes competing—challenges under pressing deadlines. These challenges include the following: evicting the threat actor from the network environment; restoring affected systems; recovering encrypted data, where viable backups exist; conducting a forensic investigation to determine the intrusion vector and scope of compromise; and communicating with an array of stakeholders (such as customers, vendors, insurers, employees, law enforcement, regulators and the media).
Organizations also must evaluate notice obligations amid a patchwork of laws and regulations, as well as under the contracts they hold. There are sector-specific reporting requirements for regulated industries. Every US state has its own data breach notification law. And public companies must take "all required actions" to inform investors about material cybersecurity risks and incidents.
When it comes to making a ransom payment, the primary legal hurdle to clear has been the US Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctions regime. That hurdle is now getting higher. A burgeoning body of state law is restricting how organizations—specifically, public sector entities—can respond to ransomware incidents and pay demands.
On July 1, 2022, Florida joined North Carolina to become the second US state to prohibit state and local government agencies from complying with or paying ransomware demands. Florida's law also imposes hair-trigger notification requirements on those agencies. While at first blush the impact of the Florida and North Carolina laws appears limited to ransomware attacks on state and local government entities, these new laws create a number of novel questions with potentially broader application.
Florida and North Carolina may not be the end of the line in this area of law. There also are ransomware-related bills currently pending in Arizona, New York, Pennsylvania and Texas, as well as federal bills introduced in Congress. These statehouse developments could soon result in a balkanized compliance framework akin to data breach notification laws.
This article provides an overview of the new ransomware laws and previews some of the pending state and federal legislation. The article also explores implications the ransomware prohibitions may have beyond the public sector agencies to which they facially apply. At bottom, responding to ransomware attacks has always been a high-stakes, complex undertaking, and with these new laws, it has now gotten even more challenging for organizational victims.
WHAT FLORIDA'S NEW LAW REQUIRES
Florida CS/HB 7055 amends the State Cybersecurity Act to impose new cybersecurity requirements on Florida state, county and local government agencies, including forthcoming guidelines and processes for cataloging and managing IT systems, conducting risk assessments, cybersecurity standards, data recovery, incident response, cybersecurity training and reporting cybersecurity and ransomware incidents.
With respect to a ransomware incident, which is defined broadly under the Act:
- State and local government agencies are prohibited from paying "or otherwise comply[ing]" with a ransom demand;
- State and local government agencies must notify the Florida Cybersecurity Operations Center, Cybercrime Office of the Department of Law Enforcement and, for local government agencies, the sheriff who has jurisdiction over the agency, within of discovery, and such notice must contain specific details about the incident and its impact;
- The Cybersecurity Operations Center must notify the President of the Florida Senate and Speaker of the Florida House of Representatives regarding high, severe and emergency-level cybersecurity incidents, which are defined in the Act, within of receiving a report; and
- Local government agencies must submit an after-action report to the Florida Digital Service within  of remediation summarizing the incident, its resolution and "any insights gained as a result of the incident."
The Act also requires guidelines, processes and standards be issued and adopted over the next two years, including the following:
- Cybersecurity standards for local government agencies, which are "consistent with generally accepted best practices for cybersecurity," including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (between January 1, 2024 and January 1, 2025, depending on the jurisdiction's size); and
- Guidelines and processes for the after-action reports required of local government agencies (by December 1, 2022).
These forthcoming materials are sure to create additional obligations on Florida state and local government agencies, as well as have cascading effects on other entities.
OTHER LEGISLATION GOVERNING RANSOMWARE RESPONSE
Florida's law follows on the heels of North Carolina, the first state to enact a law prohibiting state agencies and local government entities from negotiating with ransomware actors or paying a ransomware demand. North Carolina's notification provision is not as stringent as the Florida law, as it simply requires an agency or entity to "consult" the North Carolina Department of Information Technology when there is a ransomware incident.
Similar and more expansive statutes are being considered across the US, including Arizona, New York, Pennsylvania and Texas.
- Notably, New York SB 6806 would prohibit not only government entities but any business operating in New York from paying a ransom (or having a ransom paid on its behalf) with civil penalties for violations of up to $10,000.
- Pennsylvania SB 726 would prohibit the use of taxpayer or other public money for ransomware payments and would require IT-managed service providers of state agencies to notify an "appropriate official" of a ransomware incident within one hour of discovering the incident.
- Arizona HB 2145 would prohibit any state or local government agency from making a payment "to remove or decrypt ransomware from the system files," as well as require the affected agency to "immediately notify" the Arizona Department of Homeland Security of such attacks.
- Texas HB 3892 contains a payment prohibition similar to Arizona's but has a more forgiving notification requirement ("as soon as practicable after discovering").
At the federal level, there have been a number of bills introduced in this Congress. The proposed Ransomware and Financial Stability Act would prohibit US financial institutions from making a ransom payment greater than $100,000 unless given explicit authorization by a federal law enforcement agency. And the proposed Ransom Disclosure Act would require public and private entities to report any ransom payments within 48 hours to the US Department of Homeland Security (DHS) through a DHS-created portal.
TAKEAWAYS FROM THE NEW LAWS
For public sector victims in Florida and North Carolina, the options for responding to ransomware incidents just became much more limited. While there is a public policy rationale against negotiating with and paying criminal actors, as a practical matter the new laws place government agencies in a very difficult position where critical data is encrypted, backups are not accessible, and payment is the only viable path to restoration and recovery. Yes, over the long term, enhanced cybersecurity will reduce the likelihood of such a predicament, but it will not resolve near-term needs. More broadly, where a ransomware incident affects data belonging to multiple states that is held by a single entity, will the new laws restrict the ability to negotiate and/or pay a demand? The forthcoming Florida guidelines, processes and standards likely will create additional compliance questions for government agencies, as well as the entities that access data and systems belonging to those agencies. And if New York's pending bill is any indication, the reach of this new wave of legislation may extend far beyond organizations with access to government data. Thus, businesses would be wise to monitor developments in these states and others that take up ransomware-related legislation and seek legal advice as questions inevitably arise.
John Ying, a Summer Associate in the Atlanta office, also contributed to this article.