IN THE PUBLIC EYE

North Carolina Passes Law Banning Ransomware Payments

Author: Alliant

In November of 2021, North Carolina’s legislature passed the first law in the nation prohibiting state and local government entities from using public funds to pay the ransomware demands of cyber criminals.[i] The law is broad in scope[ii] and includes provisions forbidding public entities from even communicating with malicious actors following ransomware attacks. Instead, the law requires public attack victims to consult with the North Carolina Department of Information Technology.[iii] The law also facilitates this consultation by exempting security information that public entities share with the Department as part of the required reporting from disclosure under state public records laws.

The North Carolina law builds on, and may be a result of, a 2019 state law requiring cyber incident reporting.[iv] According to statistics obtained through that law’s required reporting, over two dozen local governments, school districts and public colleges were the subjects of ransomware attacks in early 2020.[v]

Passage of this bill, and consideration of similar laws by other states discussed below, comes on the heels of bad news regarding the frequency and cost of global ransomware attacks in recent years, which has led to sharp increases in the cost of cyber insurance. Ransomware is currently the go-to method of attack for cyber criminals. According to reports studying this issue, global costs caused by such attacks have been on the rise since at least 2017, increasing from $325 million in 2015 to $5 billion in 2017. The costs of ransomware attacks were estimated at $8 billion for 2018 and $11.5 billion for 2019. The same reports predicted that global ransomware costs would reach $20 billion by the end of 2021, 57 times what they were in 2015.[vi] Statistics for 2021 reported by a leading network security company reveal that in the first six months of 2021 there were an unprecedented 304.7 million ransomware attacks globally, more than the total number of such attacks in all of 2020. According to these statistics, the number of ransomware attacks in Q2 was the highest ever recorded.[vii]

Brian Dunphy, Alliant Insurance Service’s Senior Vice President/Managing Director, Management Professional Solutions, advises that “ransomware attacks have become big business for cyber criminals. The payment of any ransom is often just the beginning for an affected organization. Any resultant business interruption losses and data restoration efforts are extremely costly, and largely have been covered by insurance policies. These extensions are what have really roiled the insurance markets in the past 10-plus months.”

Similar laws prohibiting payment of ransomware demands are pending in New York and Pennsylvania.[viii] In Pennsylvania, the proposed bill provides criminal penalties for possessing, using, or transferring ransomware, with the degree of punishment depending on the amount of the ransom demand. In addition, the proposed bill prohibits the use of state and local taxpayer funds to pay ransoms unless authorized by the governor as part of a disaster emergency declaration.

In New York, two bills are pending. One would prohibit the use of taxpayer funds to pay cyber ransom demands beginning in 2024, after implementation of a $5 million grant program for local governments to fund upgrades to their cybersecurity. The second would prohibit payment of cyber ransom demands by all private businesses and health care entities as well as government entities.

The underlying policy supporting the North Carolina law and other similar proposed laws is expressed well by a North Carolina lawmaker: “The main objective is to take a target off of North Carolina’s back,” said Republican State Rep. Jake Johnson, chair of the House Information Technology Appropriations Committee and one of the bill’s primary sponsors. “We’re saying we cannot negotiate with you. It’s not legal for us to pay anything. You need to stay away from North Carolina.”[ix]

Some cybersecurity experts disagree with the laws and the policy supporting them, however. While the laws may be well-intentioned, they say smaller local governments will be unable to restore or rebuild their computer networks if unpaid ransoms lead to data destruction. In addition, they suggest that the costs and time delays involved in restoration may well be more destructive to these governments than making ransom payments.[x] An example of such a situation occurred in Tulsa, Oklahoma in 2021. There, a cyber-attack resulted in the posting on the dark web of some 18,000 city files, including police charges and internal files, with cyber criminals gaining access to citizens’ social security numbers in some instances. The city refused to pay the ransom demand and as a result was forced to shut down its computer network. Finally, 8 months later and at a cost of over $2 million, the city was able to restore its network and get back up and running.[xi]

Cyber insurance experts will face coverage and payment questions in states with laws such as the one in North Carolina. Companies and vendors would be unlikely to pay a ransom that falls outside the confines of the state’s law, even if ransom payments are covered under the cyber policy. In that event, policy coverage for rebuilding rather than for ransom payments, if in effect, may help public entities that lose data due to nonpayment of ransom. However, this coverage will not speed up data recovery or rebuilding, which is usually much faster when a ransom is paid. While laws prohibiting public entity payment of ransom demands may serve to reduce the cost of cyber insurance, since there can be no insurance response to cyber demands for money, shifting the expense of recovering from the attack onto the public entity is a financial burden many cannot afford without insurance help.

[i] https://www.ncleg.gov/Sessions/2021/Bills/House/PDF/H813v2.pdf

[ii] The law applies to all local governments, including cities and counties, local administrative units, and community colleges. It applies to all state agencies, including boards, commissions, bureaus, officials and executives of the executive, legislative and judicial branches of state government, including the University of North Carolina.

[iii] Ransomware is malware that infects computers and mobile devices (usually via a phishing email) by shutting down access to data contained on the devices and threatening permanent data destruction unless ransom is paid by the victim.

[iv] https://www.ncleg.gov/EnactedLegislation/Statutes/HTML/BySection/Chapter_143B/GS_143B-1379.html

[v] https://www.governing.com/security/states-to-require-companies-to-report-cyber-attacks

[vi] https://cybersecurityventures.com/ransomware-damage-report-2017-5-billion/
https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-exceed-8-billion-in-2018/
https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/
https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-20-billion-usd-by-2021/

[vii] https://www.sonicwall.com/medialibrary/en/white-paper/mid-year-2021-cyber-threat-report.pdf

[viii] https://www.legis.state.pa.us/cfdocs/billInfo/billInfo.cfm?sYear=2021&sInd=0&body=S&type=B&bn=0726
https://www.nysenate.gov/legislation/bills/2021/S6154
https://www.nysenate.gov/legislation/bills/2021/s6806

[ix] https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2021/07/23/states-weigh-bans-on-ransomware-payoffs

[x] https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2021/07/23/states-weigh-bans-on-ransomware-payoffs

[xi] https://tulsaworld.com/news/local/govt-and-politics/city-has-spent-2-million-recovering-from-ransomware-attack-city-officials-say/article_5ee68f46-5d08-11ec-8d83-8743a5eaba47.html#tncms-source=signup